News D-Link refuses to patch a security flaw on over 60,000 NAS devices — the company instead recommends replacing legacy NAS with newer models

Nov 10, 2024
To be fair, D-Link already stopped caring about these devices years ago when they refused to provide firmware to enable SMB2, even though they are fully capable of supporting it. For anyone still using these devices, there is an open source OS called Alt-F that gives SMB2 support and likely mitigates the security vulnerability in this article (I don't think the affected CGI script exists in Alt-F).

Source: I own a DNS-320 and have changed the firmware long ago.
 
Nov 10, 2024
10 years is a long time. They may not even have the capability of fixing it, even if they wanted to?

And, as others have rightly said, these things should not be directly accessible on the internet.

Unraid FTW. NAS and soooooo much more.
 

ATensor

Distinguished
Jul 28, 2016
I'm fine with a company choosing to discontinue software support for a product, but they should define an end-of-life cycle beforehand; that way their customers can prepare for alternatives when the time comes.

My NAS uses open source firmware so this would never be an issue for me. It also can't hit the Internet.
 
Nov 10, 2024
So does this actually mean that all of these devices have actually been susceptible for the past decade or longer? That D-Link has not found and fixed this vulnerability for over ten years is utterly irresponsible at this point.

(Yes, my own NAS is not Internet-connected, so fortunately I personally have not been vulnerable in this way.)
 
So does this actually mean that all of these devices have actually been susceptible for the past decade or longer? That D-Link has not found and fixed this vulnerability for over ten years is utterly irresponsible at this point.

(Yes, my own NAS is not Internet-connected, so fortunately I personally have not been vulnerable in this way.)

It means since the vulnerability was officially disclosed to D-Link earlier this year and the advisory posted in April, this vulnerability has been present for almost 15 years (going by the earliest EOL product in 2009) and hasn't been exploited yet, so much like Spectre and Meltdown it's potentially very critical, but unlikely to be exploited.
 
yes, because the answer is always to install linux on everything.. yeah right..

sorry, and this may be hard to believe but for some, if not quite a few, linux, might be too complicated to use..

Linux is as new user friendly or antagonistic as the developer(s) make it. Synology's DSM, for example, is a very new user friendly Linux based NAS OS.
 

Ogotai

Reputable
Feb 2, 2021
Linux is as new user friendly or antagonistic as the developer(s) make it. Synology's DSM, for example, is a very new user friendly Linux based NAS OS.
even then, i know a few people who would get lost in a linux distro that was self installed.. but would be ok with the DSM that is installed on the synology NASs, as i have 2 of those NASs, a DS1511+ and a DS1621+

either way, seeing the "forget ( insert OS here ) and just switch to linux", is NOT the end all be all OS that some make it to be... there is a reason why linux has such a small market share vs windows..... usability linux, is just not there yet....
 

Daniel15

Distinguished
Apr 6, 2013
even then, i know a few people who would get lost in a linux distro that was self installed.. but would be ok with the DSM that is installed on the synology NASs
For what it's worth, Synology DSM is open-source, but they don't provide any instructions or support for running it on non-Synology hardware. There's a project called XPEnology that aims to bridge that gap and make it easier to install on non-Synology hardware.
 
even then, i know a few people who would get lost in a linux distro that was self installed.. but would be ok with the DSM that is installed on the synology NASs, as i have 2 of those NASs, a DS1511+ and a DS1621+

either way, seeing the "forget ( insert OS here ) and just switch to linux", is NOT the end all be all OS that some make it to be... there is a reason why linux has such a small market share vs windows..... usability linux, is just not there yet....
Well, that's the crux : usability is a service you pay for. You buy a device because it's easy to use, you get 10 years of support - period.
You want to extend its usage ? You either replace it with a new, supported model (which, for a NAS, isn't a bad idea because the existing disks must be getting old and it probably won't support recent 12 Tb HDDs) or you pull up your big boy's pants and you support it yourself - which, incidentally, mostly means you install your own OS on it.
And that OS will most likely be Linux based.
 
The OS in my QNAP is Linux based, but unless you delve deep, you'd never know.

Yes, the UI is "different" than Windows, but still, very very easy and simple.
And that ease of use requires support. When you buy a NAS you get 10 years of "free" support, but past that you're on your own : you keep the ease of use but forget about security, or you do it on your own and the ease of use goes out the window.
I'm all for keeping stuff past the official support time, and I commend all companies that do 10 years of support or more, but it's unreasonable to think that a technological product sold for $400 or less can get life-long support.
 

USAFRet

Titan
Moderator
And that ease of use requires support. When you buy a NAS you get 10 years of "free" support, but past that you're on your own : you keep the ease of use but forget about security, or you do it on your own and the ease of use goes out the window.
I'm all for keeping stuff past the official support time, and I commend all companies that do 10 years of support or more, but it's unreasonable to think that a technological product sold for $400 or less can get life-long support.
Very true.

But at 10 years, it likely needs replacing anyway.
 
Very true.

But at 10 years, it likely needs replacing anyway.
I think I said it in a previous comment (or maybe I scrapped it before posting), so yeah. Still, if you get yourself an old NAS and a couple of second-hand HDDs, storing stuff like an old DivX collection or your MP3s and making it available through your house's broadband adapter as a UPnP streamer is a perfectly valid, non-critical use for such an old and potentially unsafe, unsecure machine.
If you intend to use it to stream outside of your home, There Be Dragons. Me, I personally wouldn't.
While you have it running, it's great ! If it breaks down, it's not too bad - you ain't worse off than if you hadn't had it.