April 15, 2014

NSA denies it knew about Heartbleed, says it is in the national interest for it to disclose vulnerabilities

odniIt looks like the ramifications of the Heartbleed bug in OpenSSL will be felt for quite a while to come. While security analysts are asking if the NSA had prior knowledge of the bug, cyber criminals are at work stealing data from sites which haven’t patched their servers and changed their SSL certificates. The Canadian Revenue Agency has said that the Heartbleed bug was the reason why an attacker was able to steal 900 social insurance numbers, and British parenting website Mumsnet said that username and password data used to authenticate users during log in was accessed before the site was able to patch its servers.

As for the NSA, the Director of National Intelligence has issued a statement saying that the NSA was not aware of the Heartbleed vulnerability until it was made public. The statement went on to say that the Federal government relies on OpenSSL the same as everyone else to protect the privacy of users of government websites and other online services.

However, what is even more important is that the statement categorically says that had the NSA, or any other of the agencies and organizations which make up the U.S. intelligence community, found the bug they would have reported it to the OpenSSL project.

“If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the statement issued by the ODNI Public Affairs Office. The statement also said that when Federal agencies discover a new vulnerability “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.”

The Office of the Director of National Intelligence also said that in response to the President’s Review Group on Intelligence and Communications Technologies report that it had reinvigorated an interagency process for deciding when to share vulnerabilities.  According to the report, “The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of  encryption technology for data in transit, at rest, in the cloud, and in storage.” Such a statement is important following the accusations that the NSA tried (and succeeded) in weakening certain encryption standards.

The report also says that, “US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In  rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

This “rare” use of zero-day vulnerabilities was reiterated by the ODIN statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Heartbleed bug exposes OpenSSL’s secrets, patches available

heartbleedA serious security bug has been found in the ubiquitous OpenSSL encryption library that allows data to be stolen in its unencrypted form. According to the heartbleed.com website, which was set up expressly to inform system admins about the potential dangers, the Heartbleed bug can be exploited from the Internet and it allows an attacker to read up to 64k of the server’s memory at one time. By reading the memory an attacker can gain access to “the secret keys used to identify the service providers and to encrypt the traffic” along with “the names and passwords of the users and the actual content.” It means that attackers can eavesdrop communications that should have been otherwise encrypted.

A patched version of OpenSSL has already been published. According to the release notes, “a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory” on a connected client or server. The OpenSSL project publicly thanked Neel Mehta of Google Security for discovering this bug and Adam Langley with Bodo Moeller for preparing the fix. It is recommended that all OpenSSL 1.0.1 users should upgrade to OpenSSL 1.0.1g. Those unable to immediately upgrade should recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. OpenSSL 1.0.0 and OpenSSL 0.9.8 are not vulnerable.

Heartbleed isn’t a design flaw in the SSL/TLS protocol specification but rather a bug in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).

Because the bug can expose the keys used for encrypting the connection, attackers are able to decrypt any past and future traffic to the encrypted connection since the primary keys have been exposed. Unfortunately to remedy the problem, not only does the server require patching but all the compromised keys need to be revoked and new keys reissued. It also means that users who have used an encrypted service (say a web mail service, online shopping or cloud service) will need to change their passwords as potentially the connection used to log in was not secure.

One very worrying aspect of this bug is not only the widespread use of OpenSSL, but also that the first vulnerable version was published two years ago. If this bug has been previously found (but not disclosed) by cyber criminals or government run security agencies then the last two years worth of encrypted traffic should be deemed as exposed. Even if it wasn’t found but the traffic was recorded then there are probably lots of state level agencies working right now to siphon off keys from around the net before things are revoked and changed.

Microsoft releases details of zero-day vulnerability in Word

Microsoft has published information about a new zero-day vulnerability in its Word product. There is a real-world exploit for the vulnerability and it is currently being exploited in the wild. Microsoft says it is “aware of limited, targeted attacks directed at Microsoft Word 2010.”

According to Microsoft’s Dustin Childs, the vulnerability can be exploited by an attacker and allow “remote code execution if someone was convinced to open a specially crafted Rich Text Format (RTF) file or a specially crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer.”

Microsoft-Word-LogoMicrosoft’s immediate response has been to publish a one-click Fix it  which basically disables support for RTF in Microsoft Word. Although Microsoft wants to “encourage all customers using Microsoft Word” to apply the Fix it, disabling RTF support could be troublesome for those who rely on this document format.

The vulnerability, which was reported to Microsoft by members of the Google Security Team, can be exploited via email or via the web. In the email scenario, the attacker sends a specially crafted RTF document as the contents of the message. The vulnerability is exploited when the message is previewed or opened in Outlook where Microsoft Word is the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF document as an attachment. In the web scenario, the attacker would need to trick the user into downloading the document and then opening it.

This remote code execution vulnerability exists because of bugs in the way that Word parses maliciously crafted RTF documents. The bugs cause a memory corruption and give the attacker a way to execute arbitrary code. The vulnerability can also be exploited through Microsoft Outlook if Word is used as the email viewer, which it is by default in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Microsoft is working on a full fix but it isn’t known if the Redmond company will be able to develop and test the fix by April 8th, the date of the company’s next Patch Tuesday. Patch Tuesday is the name given to Microsoft’s monthly security updates which patch Microsoft’s products to fix security issues.

Interestingly, support for Office 2003 ends April 8th and Microsoft has included Word 2003 Service Pack 3 in its list of affected products. If Microsoft doesn’t manage to release a full patch by April 8th then Office 2003 could remain vulnerable without any hope of a solution. Even if Microsoft does release a patch now, this incident highlights the dangers of using Microsoft products which have reached their end-of-life.

Apple fixes security vulnerabilities with release of iOS 7.1 and Apple TV 6.1

iosApple has released a new version of its popular iOS platform for the iPhone 4 and later, the iPod touch (5th generation) and later, and iPad 2 and later. It has also released a new version of the Apple TV platform for Apple TV 2nd generation units and later.

iOS 7.1 adds a range of new features  but crucially it also fixes a wide variety of security issues including fixes to the WebKit HTML rendering engine used by Safari. In a ironic twist Apple has credited four of the fixes to the evad3rs jailbreak team. According to Apple the following fixes were made to tackle the jailbreakers techniques:

  • A symbolic link in a backup would be restored, allowing subsequent operations during the restore to write to the rest of the filesystem. This issue was addressed by checking for symbolic links during the restore process. CVE-2013-5133 : evad3rs
  • CrashHouseKeeping followed symbolic links while changing permissions on files. This issue was addressed by not following symbolic links when changing permissions on files. CVE-2014-1272 : evad3rs
  • Text relocation instructions in dynamic libraries may be loaded by dyld without code signature validation. This issue was addressed by ignoring text relocation instructions. CVE-2014-1273 : evad3rs
  • An out of bounds memory access issue existed in the ARM ptmx_get_ioctl function. This issue was addressed through improved bounds checking. CVE-2014-1278 : evad3rs

The oldest bug fixed was CVE-2012-2088 which was fixed in OS X in March 2013. Because of a buffer overflow in libtiff’s handling of TIFF images, viewing a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. This issue was fix through additional validation of TIFF images. Other fixed bugs which could lead to arbitrary code execution include: a buffer overflow that existed in the handling of JPEG2000 images in PDF files, CVE-2014-1275 : Felix Groebert of the Google Security Team; a double free issue that existed in the handling of Microsoft Word documents, CVE-2014-1252 : Felix Groebert of the Google Security Team; and a memory corruption issue that existed in the handling of USB messages, CVE-2014-1287 : Andy Davis of NCC Group.

Apple has posted a document online describing the full security content of iOS 7.1.

Apple TV

Simultaneously with the iOS 7.1 release, Apple also released Apple TV 6.1. Many of the same bugs are addressed including three by the evad3rs jailbreak team along with the other arbitrary code execution vulnerabilities. One specific Apple TV vulnerability allowed an attacker with access to an Apple TV to access sensitive user information from the log files. The problem was that this sensitive user information was being logged by the system. This issue was fixed by altering the logging output.

Apple’s website contains more information about the security content of Apple TV 6.1.

Adobe releases out-of-band security update to fix zero-day exploit

adobe-logoAdobe has released an out-of-band security patch for Flash Player to fix a critical zero-day vulnerability that is being exploited in the wild. The vulnerability allows attackers to remotely take control of the affected system. Once they have control the attackers can install malware and recruit the affected PC into a botnet. Adobe was forced into issuing an immediate patch to the problem as an exploit for this vulnerability exists in the wild and is being used by attackers. Adobe recommends that users update Flash Player on their PCs immediately.

Because of an Integer underflow, that is present in Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, remote attackers can execute arbitrary code on a victim’s PC. However Adobe did not include any details about how the vulnerability is being exploited.

Adobe did however thank two researchers from Kaspersky Lab for reporting the vulnerability. There is speculation that the vulnerability could be related to “The Mask” an Advanced Persistent Threat (APT) that a Kaspersky Lab Expert wrote about recently. The Kaspersky post references Adobe Flash in the context of a long-running cyber espionage campaign that Kaspersky says it will present more about during the next week at the Kaspersky Security Analyst Summit 2014.

In response to Adobe’s update Google has released Chrome 32.0.1700.107 for Windows, Mac and Linux with an updated version of the embedded Flash Player. Microsoft likewise has updated Internet Explorer 10 and 11 on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Apple has released an update to its web plug-in blocking mechanism to disable all versions prior to Flash Player 12.0.0.44. If OS X users try to view Flash content in Safari they will see a “Blocked Plug-in” alert unless they have updated to the latest version of Flash Player.

Apple releases new versions of Safari to fix critical vulnerabilities

safari-logoApple has released new versions of Safari 6.1 and Safari 7.0 for Mac OS X to fix critical vulnerabilities. If exploited these vulnerabilities could lead to arbitrary code execution. The bugs fixed fall into two categories, those with Safari itself and those in the WebKit HTML rendering engine.

In Safari itself Apple has fixed one vulnerability which allowed hackers to create a site where Safari autofilled various user credentials unexpectedly. This could have led to unwanted information disclosure. According to Apple, “ Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking.”

The other fixes where for WebKit. Because of the vulnerabilities, a visit to a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. This was due to multiple memory corruption issues which were addressed through improved memory handling.

More details of the security content of Safari 6.1.1 and Safari 7.0.1 can be found here. Safari 6.1.1 and Safari 7.0.1 are available for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, and OS X Mavericks v10.9.

Apple has also released an update to its latest iteration of OS X.

Apple recommends that all 10.9 users apply the OS X Mavericks v10.9.1 update. The update includes Safari 7.0.1 but doesn’t fix any other security issues in OS X. There are other bug fixes and enhancements which include:

  • Improved support for Gmail in OS X Mail, and fixes for users with custom Gmail settings Improves the reliability of Smart Mailboxes and search in Mail
  • Fixes an issue that prevented contact groups from working properly in Mail
  • Fixes an issue that prevented iLife and iWork apps from updating on non-English systems
  • Addresses an issue that may cause multiple prompts to unlock “Local items” keychain

More details about the security content of OS X Mavericks v10.9.1 can be found here.

Microsoft releases 11 bulletins including a patch for Vista zero-day exploit, but XP still under attack

microsoft logoMicrosoft has released 11 security bulletins to address 24 vulnerabilities in Windows, Internet Explorer, Office and Exchange. Among them is the fix for the TIFF file vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync. However a fix for the zero-day vulnerability in Windows XP, which is being actively exploited in the wild via a malicious PDF file, is missing.

MS13-096 fixes the publicly disclosed vulnerability that can allow remote code execution if a user views content that contains specially crafted TIFF files. According to Microsoft an attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user who viewed the TIFF file.

The vulnerability is currently being exploited in the wild and targeting PC users mainly in the Middle East and South Asia. The attack uses an email with a specially crafted Word attachment.  However the security bulletin points out that this isn’t the only possible attack vector. The vulnerability can be exploited in a web-based attack scenario, where an attacker creates a website that is designed to exploit this vulnerability and then convinces a user to view the website, or via email.

Another Critical rated fix is MS13-097, a cumulative update for Internet Explorer. The patch resolves seven privately reported vulnerabilities in IE, the most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6 through to Internet Explorer 11.

MS13-099 resolves a vulnerability in Microsoft Scripting Runtime Object Library that could allow remote code execution if a user visits a specially crafted website. The update is rated as Critical for Windows Script 5.6, Windows Script 5.7, and Windows Script 5.8 where affected on all supported releases of Microsoft Windows.

Security Bulletin MS13-106 fixes a publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited in the wild. The problem exists because hxds.dll in Microsoft Office 2007 SP3 and 2010 SP1 and SP2 do not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted COM component on a web site that is visited with IE. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.

patch.tuesday.dec.2013.deployment

The other Critical bulletins are:

  • MS13-098 - Resolves a privately reported vulnerability in Microsoft Windows that could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.
  • MS13-105  – Resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server.

The Important bulletins from Microsoft are:

  • MS13-100 - Resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.
  • MS13-101 - Resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
  • MS13-102 - Addresses a privately reported vulnerability in Microsoft Windows that could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client.
  • MS13-103 - Fixes a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.
  • MS13-104 - Resolves a privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website.

Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

microsoft logoMicrosoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system level privileges they can install programs; view, change, or delete data; or create new accounts with full administrative rights.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited an attacker can run arbitrary code in kernel mode which automatically gives them full administrative rights.

According to CVE-2013-5065 NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability however by implementing it services that rely on the Windows Telephony Application Programming Interfaces (TAPI) to not function, this includes Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroute all calls to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released  a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Apple releases huge set of updates on back of new iPad announcements

Apple-logoApple has released a new slew of products in the run up to the holiday season including the new iPad Air, the iPad mini with a Retina display, the radically designed Mac Pro and an updated MacBook Pro. Along with these products Apple also released OS X 10.9 Mavericks which addresses some significant security vulnerabilities in OS X. Apple also released updates for iOS, OS X Server, Safari and iTunes.

OS X

Over 50 different security related bugs (with individual CVE designations) have been fixed. The most interesting of these include:

  • A fix to enable TLS 1.2 for CIFS networking as SSLv3 and TLS 1.0 are subject to a protocol weakness when using block ciphers. According to Apple, a man-in-the-middle attacker could have injected invalid data, causing the connection to close but revealing some information about the previous data. If the same connection was attempted repeatedly the attacker may eventually have been able to decrypt the data being sent, such as a password.
  • Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This was due to a buffer underflow in the handling of PDF files.
  • A malicious local application could cause a crash in the Bluetooth subsystem which could potentially be exploited. The problem was that the Bluetooth USB host controller was deleting interfaces too early.
  •  By registering for a hotkey event, an unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled.

The Darwin kernel was also updated to fix a variety of problems that in some cases could force a kernel panic. These included:

  • Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. This bug revolved around an incorrect output length that was used for the SHA-2 family of digest functions. It resulted in a kernel panic when these functions were used, primarily during IPSec connections.
  • The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
  • The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
  • Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel.
  • Source specific multicast program may cause an unexpected system termination when using Wi-Fi network
  • An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their
  • checksum.
  • An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.

Lots of third party applications where also updated including Curl, dyld, OpenLDAP, Perl, Python and Ruby.

iOS 7

iOS 7.0.3 is also now available and addresses more passcode and lock screen related problems:

  • A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed.
  • When returning to the passcode lock from the Phone app, the passcode entry view is sometimes visible when it should not be, and so may be accessed even if the iPhone has been disabled due to many incorrect passcode attempts.
  • A person with physical access to the device may be able to call arbitrary contacts because of a race conditions in the Phone app at the lock screen. Under various circumstances, the Phone app may allow access to the Contacts pane.

Safari 6.1

While OS X 10.9 includes the latest iteration of Apple’s web browser (Safari 7), Apple has also updated Safari 6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, and OS X Mountain Lion v10.8.5. Safari 6.1 fixes a number of problems most of them within WebKit, the rendering engine used by Apple and Google. Many of the bugs listed were previously fixed by Google in Chrome.

  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This was due to a memory corruption in the handling of
  • XML files.
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution, this time due to multiple memory corruption in WebKit.
  • An information disclosure issue existed in XSSAuditor. This issue was addressed through improved handling of URLs.
  • Dragging or pasting a selection may lead to a cross-site scripting attack. By dragging or pasting a selection from one site to another a user could allow scripts contained in the selection to be executed in the context of the new site. This issue is addressed through additional validation of content before a paste or a drag and drop operation.
  • Using the Web Inspector disabled Private Browsing.
  • A cross-site scripting issue existed in the handling of URLs. This issue was addressed through improved origin tracking.

OS X Server 3.0, iTunes and Apple Remote Desktop

Apple also released OS X Server 3.0 which addressed a number of security vulnerabilities including  a buffer overflow that existed in FreeRADIUS when parsing the ‘not after’ timestamp in a client certificate, when using TLS-based EAP methods. As a result of this, a remote attacker may have been able to cause a denial of service or arbitrary code execution.

Apple released two new versions of it Remote Desktop software, v3.7 and v3.5.4. Both versions fix the same security related bugs, the most severe of which could allow a remote attacker to execute arbitrary code because of a format string vulnerability in the handling of the VNC username.

Windows users also get an update in the form of iTunes 11.1.2. Several different errors are fixed, most are related to WebKit and are similar to the ones fixed in Safari 6.1.

More information about all of Apple’s security related updates can be found at http://support.apple.com/kb/HT1222

Backdoor found for several D-Link routers

d-link-dir-615An intentional backdoor designed into some of D-Links home routers has been found by security researcher Craig Heffner. Having reversed engineered the firmware used in a D-Link DIR-100 router Craig discovered that by setting a browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (without the quotes) he could gain full access to the router without entering a username and password.

If exploited an attacker would be able to change any of the settings on the router and gain access to the network. During his research Craig discovered that the browser string was only mentioned once on the Internet in a Russian forum post from a few years ago that noted that the string was probably significant. As such there are no reports of this backdoor being used in the wild, D-Link has acknowledged the existence of the backdoor and said a fix would be available by the end of October.

“Various media reports have recently been published relating to vulnerabilities in network routers, including D-Link devices. Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards,” said D-Link in a statement. “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”

It is thought that the backdoor was intentionally programmed into the web server so that the router could be automatically configured when used with services like dynamic DNS. Since the web server contained all the code necessary to alter the routers settings, the programmers by-passed the authentication mechanism with the hard-coded browser string. This in turn allowed them to set the parameters for legitimate reason. It was likely they didn’t think that the string would ever be discovered.

Based on string searches Heffner says it can be reasonably concluded that the following D-Link devices are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

D-Link already has new firmware available for several of the affected models, some of which aren’t listed in Heffner’s original list:

  • DIR-300
  • DIR-600
  • DIR-615
  • DIR-645
  • DIR-815
  • DIR-845L
  • DIR-865L
  • DSL-320B
  • DSL-321B