D-Link apologizes for ongoing security issues with its routers

D-Link issued an apology for the poor security of many of its routers. An ongoing security issue allows attackers to exploit a bug in the Home Network Administration Protocol (HNAP) to bypass authorization and run commands with escalated privileges. D-Link recently issued one patch which didn't work and is now working on a firmware patch for a total of 17 routers.

In a statement on its website, D-Link explains it "is deeply apologetic to any users affected by this issue" and advised users to change their admin password and implement a strong password policy.

The HNAP issue affects DIR-890L (A1), DIR-880L (A1), DIR-868L (A1), DIR-865L (A1), DIR-860L (B1), DIR-860L (A1), DIR-850L (B1), DIR-850L (A1), DIR-820LW (B1), DIR-818LW (A1), DIR-817LW (B1), DIR-816L (A1), DIR-815 (B1), DIR-600 (B1), DIR-300 (B1), DIR-629 (A1), and DAP-1522 (B1). The problem is listed on D-Link's support pages where it is described thusly:

All any attacker needs to do to gain access to the router sends an unprivileged HNAP command such as GetDeviceSettings, they append to the command an additional command separated with an "/", which is used as a separator between commands.

Any command(s) after the first will be executed unauthenticated. Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands. The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.

Via: FUD Zilla