D-Link: sorry we're SOHOpeless
PS. Most products don't have a fix yet
D-Link's SOHOpeless HNAP vulnerability hasn't been fixed, but readers will be pleased to know that the company is very, very, very sorry that it exists.
The company issued a patch on April 10 for its design-over-substance AC3200 series routers, but that "fix" blew a hole in the device's authentication routines.
Tactical Network Solutions' Craig Heffner called out the error, saying that “this patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid”.
After briefly hiding under the blanket, the vendor has now told users it's sorry for the “inconvenience”.
The company has told BetaNews it's got the patch working right for two products, the DIR-880L and DIR-890L, and promises that between 21 April and 24 April, all the patches will be issued.
Along with the usual “security is important to us” boilerplate, D-Link asks users to watch its Support News page to get their updates.
The company optimistically assumes that customers know they need to pop back to the support page daily between now and Friday, and will know what to do when they get there. Vulture South would guess it's a safe bet that a skilled scanner will discover thousands of unpatched units six months from now.
There's also the usual advice about strong passwords (to defeat a bug that can be exploited using “normally unprivileged HNAP commands”?), and a promise that the company is “deeply apologetic” to “any users affected by the issue”. ®