News D-Link refuses to patch a security flaw on over 60,000 NAS devices — the company instead recommends replacing legacy NAS with newer models

[Admin]

Over 60,000 D-Link NAS machines are affected by a critical vulnerability, but the company refuses to issue a fix, citing end-of-life for the affected NAS devices.

D-Link refuses to patch a security flaw on over 60,000 NAS devices — the company instead recommends replacing legacy NAS with newer models : Read more

 

[Alvar "Miles" Udell]

These units are over 10 years old, with the DNS-320 going on 15 years. Even the relatively inexpensive Synology DS423 vs the DNS-340L (both 4 bay units) is immensely more powerful for $370. Time to upgrade.

 

[sharpless78]

These units are over 10 years old, with the DNS-320 going on 15 years. Even the relatively inexpensive Synology DS423 vs the DNS-340L (both 4 bay units) is immensely more powerful for $370. Time to upgrade.

If they still work, why should someone be forced to update them?

 

[USAFRet]

If they still work, why should someone be forced to update them?

Because there is a security vulnerability, which won't be patched by the manufacturer.

 

[Alvar "Miles" Udell]

If they still work, why should someone be forced to update them?

I'm all for keeping things going if they perform to the task they are designed for, but if you get 10 or even 15 years of use out of the same piece of technology, it's out of support, and a modern replacement is both far more capable and quite affordable, then it's exceeded its useful life and is time to be repurposed and replaced. In the case of these NAS's, it could easily be repurposed to a local only backups machine or a media server, something which doesn't require internet access, while a replacement NAS was procured to handle open internet access.

Think about a mobile phone. Your iPhone 6 or Galaxy S20 may still be plenty fast for the tasks you use it for, but would you really trust an out of support device with handling your sensitive data?

 

[TechieTwo]

IME people need to seriously investigate the true security of any network devices they are looking to purchase prior to purchase. Personal and SOHO hardware seems to be the most vulnerable because the mfgs. are negligent in provided a secure product. Naturally most personal/SOHO use is by people who do not work in network security daily so they are the easiest to exploit. For those who don't know it almost ALL personal internet modems and routers regardless of brand have major security issues. It's so prevalent that Congress has requested that all Chinese mfgs. of Wi-Fi modems sold in the U.S. be investigated for backdoor reporting to China on U.S. citizen's activity. In addition, router hacks are on the rise. https://www.microsoft.com/en-us/sec...password-spray-attacks-from-a-covert-network/

 

[JustinZ]

Just your usual capitalism. Do not get rid of your device. Remove it from the Internet, access it only via a VPN, firewall it, put it behind a reverse proxy with authentication, put it on it's own VLAN, install Linux on it. So many options instead of giving in to capitalism and replacing a working device.

 

[nrdwka]

I'm all for keeping things going if they perform to the task they are designed for, but if you get 10 or even 15 years of use out of the same piece of technology, it's out of support, and a modern replacement is both far more capable and quite affordable, then it's exceeded its useful life and is time to be repurposed and replaced. In the case of these NAS's, it could easily be repurposed to a local only backups machine or a media server, something which doesn't require internet access, while a replacement NAS was procured to handle open internet access.

Think about a mobile phone. Your iPhone 6 or Galaxy S20 may still be plenty fast for the tasks you use it for, but would you really trust an out of support device with handling your sensitive data?

There is text on "reach" language, that newer nas device are not cheap, 200$ is an expensive device.
S20... New Phones are expensive, I cannot afford someting newer than my s9 what work just fine.

 

[thestryker]

This is the inherent danger of buying any piece of hardware you do not have control over. I can't say I particularly fault the company for not updating devices of this age. It sounds like there are ways to limit vulnerability so at least they don't have to be tossed. Personally speaking I'd never connect a NAS device to the internet directly as you're relying on the device manufacturer for security.

 

[ekio]

I know what company to never buy from now!

 

[AlienDarkCat]

Just turn off the internet access on the NAS and use it on your LAN only, and block access to it with your router's firewall. There's no need to buy a new device. Of course, if you need to access the data on it outside your LAN, I suggest buying a new NAS other than D-Link.

 

[DSIRT]

Over 60,000 D-Link NAS machines are affected by a critical vulnerability, but the company refuses to issue a fix, citing end-of-life for the affected NAS devices.

D-Link refuses to patch a security flaw on over 60,000 NAS devices — the company instead recommends replacing legacy NAS with newer models : Read more

For accurate information regarding this security issue for the owner's of the D-Link product please goto: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413

D-Link SIRT US
security@dlink.com

 

[syadnom]

It's EOL, the expectation to update such old hardware shouldn't be there. However, DLink saying this in such a way sorta says 'Hey, it's old, just go get a synology already'

 

[booberry]

Just turn off the internet access on the NAS and use it on your LAN only, and block access to it with your router's firewall. There's no need to buy a new device. Of course, if you need to access the data on it outside your LAN, I suggest buying a new NAS other than D-Link.

That may work but The user should still take precautions on the D-Link NAS device itself right? Because if only the firewall is protecting the NAS, that's only one layer defense, and the firewall are big targets for hackers for that reason. (Sonicwall, tenable, sophos, etc. It's the unspoken rule of security appliances, they are often targets themselves for vulnerabilities, and Sophos just posted a movie level story of themselves spying on a Chinese state hacker group experimenting on Sophos firewalls)

 

[8086]

I will buy a new NAS, but it won't be a D-LINK. And my future purchases for networking gear will more than likely come from their competitors. Now if D-LINK patches this issue in their NAS, then that's great customer service and they will likely keep me and many others coming back for more.

 

[ezst036]

It's time to buy a new NAS.

Not really.

It's time to requisition your old computer, install a Linux NAS distro, and never buy from one of these companies again.

Note, 10 years is an extremely long time, however what is being requested is not a feature upgrade. To its credit, Microsoft has offered patches well outside the EOL window for big enough security risks. DLink would do well to emulate this especially as these can be publicly accessed.

 

[ezst036]

Just your usual capitalism. Do not get rid of your device. Remove it from the Internet, access it only via a VPN, firewall it, put it behind a reverse proxy with authentication, put it on it's own VLAN, install Linux on it. So many options instead of giving in to capitalism and replacing a working device.

That is capitalism, silly. (italics, underline)

Maintenance and longevity are important capitalist aspects, unless you are trying to promote the Fallacy of Broken Windows.

https://en.wikipedia.org/wiki/Parable_of_the_broken_window

 

[dimar]

Why would anyone buy D-Link NAS in the first place.

 

[Amdlova]

Never buy a d-link product again...

 

[Misgar]

Why would anyone buy D-Link NAS in the first place.

Perhaps that's a purely rhetorical question, but the answer might be that some D-Link NAS are less expensive than their QNAP and Synology counterparts. For some people, price is the overriding factor when making a purchase, regardless of any other factors. They might not be able to afford "better" products. They might be blissfully unaware of the weaknesses or just not care.

 

[bill001g]

This all comes down to poor network design by the users to begin with.

Does not matter if the NAS is brand new you must assume someone will attack it if you expose it to the internet. To many people just hook stuff up and click boxes with no clue what or why they are doing it.

I guess the first question is why you would expose a nas to the internet in the first place especially now that there are many very secure cloud based option.

Most consumer routers have firewall or vpn options that can greatly reduce any exposure to attack. Problem is it is not one magic button and can not be explained in a 30 second tictoc video so your modern consumer ignores it.

 

[erdnuesse]

your arguments miss the point.
If the customer is a business, I accept the business decision to upgrade. If the software was open source, the issue wouldn't exist.
Also, Forcing users to upgrade if the tech still solves the customer need is just plain wrong in times of needing to reduce waste. we either need a foss-ready NAS in that price segment or media outlets that advocate for DIY solutions because of exactly that. first WD, now D-link, there's a plethora of nas OSes plagued by EOL announcements that should justify a change in customer behavior \ recommendations.
again: home users are no businessses. stop making business arguments for them.

 

[RedRonin]

I know what company to never buy from now!

lolll well as many others ....

 

[RedRonin]

More E-Waste

 

[Loadedaxe]

EOL means eol.

Anytime you buy technology, especially in the US, dont expect to get any more than 5 years out of it. You may get that and more, but unlikely.

While I dont agree, it could probably be patched very easy and save some face for customers to consider products in the future from DLink. But we do not live in that world anymore.