D-Link patches yet more vulns
Consumers rise up to ignore firmware update en masse
D-Link is moving to patch a bunch of vulnerabilities in consumer products, which almost certainly means that most users either won't know the patch is happening or won't run the update.
The first CERT advisory covers DCS-93 series network cameras (models 930L, 931L, 932L and 933L using version 1.04 2014-04-21 of the company's firmware). Vulnerable devices allow remote attackers to upload arbitrary files to locations of their own choice on the device, as well as to execute arbitrary code remotely.
DAP-1320 wireless range extenders are subject to an ancient vulnerability, CWE-78, allowing attackers to execute “dangerous commands directly on the operating system”.
The CERT advisory notes the exploit uses the firmware update mechanism, and while the vuln is only confirmed on version 1.11 released in December 2013, “other firmware versions prior to version 1.21b05 may also be vulnerable”.
The vulnerabilities were turned up by Tangible Security.
Earlier this month, the company rolled out a mass-patch for a bunch of networking boxen.
It would be unfair of The Register to single out D-Link for criticism on this point. As we have recently noted, the security of home-grade equipment has been atrocious practically forever. ®