To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.
Same as the NPM warnings. It’s always screaming that there are a billion super critical vulnerabilities, but when I look into them it ends up being stuff like “if you put a malicious regex into your own config file, your js linter will get stuck”
This is a command injection through a basic GET giving instant root access. Definitely worth a high score. These days I'm pretty sure browsers won't let you put a private IP in an <img> URL anymore but for the past 10-13 years there have definitely been browsers where visiting a web page is all you needed to do to get your NAS hooked up to a botnet.
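For the defender's side of the scenario described in that comment, here is an added example (not from the thread, not any vendor's code) that scans web-server access logs for GET requests whose query parameters contain shell metacharacters, the tell-tale sign of attempts to abuse a command-injection bug in a CGI handler. The log lines, the `/cgi-bin/status.cgi` path and the `host` parameter are all constructed for the example and are not taken from any real device.

```python
"""
Flag GET requests whose query string carries shell metacharacters.
Added example: log lines, CGI path and parameter names are constructed
for illustration, not taken from a real product.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD URL PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Characters that are meaningful to /bin/sh. A hostname, filename or similar
# parameter that a device passes to a shell should never contain any of them.
SHELL_META = re.compile(r'[;|&`$<>\n]')


def suspicious_requests(log_lines):
    """Return (client_ip, path, param_name, decoded_value) for every GET
    parameter that contains a shell metacharacter after URL decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("url"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again so that
            # double-encoded payloads (%2560 -> %60 -> `) are not missed.
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                hits.append((m.group("ip"), parts.path, name, decoded))
    return hits


# Constructed sample log: one benign request, one with an injected ';',
# one double-encoded backtick, and one POST that is ignored by this check.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2024:10:00:01 +0000] "GET /cgi-bin/status.cgi?host=fileserver HTTP/1.1" 200 512',
    '192.0.2.10 - - [30/Nov/2024:10:00:02 +0000] "GET /cgi-bin/status.cgi?host=fileserver%3Bid HTTP/1.1" 200 640',
    '203.0.113.7 - - [30/Nov/2024:10:00:03 +0000] "GET /cgi-bin/status.cgi?host=%2560id%2560 HTTP/1.1" 200 640',
    '198.51.100.4 - - [30/Nov/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, name, value in suspicious_requests(SAMPLE_LOG):
        print("%s %s param=%s value=%r" % (ip, path, name, value))
```

The check runs on the log rather than inline in the handler, so it is useful even when the firmware itself cannot be patched: point it at the NAS's access log (or a reverse proxy's) and alert on any hit. The second decoding pass matters because a single `unquote` would let a double-encoded payload through.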
Agreed (having read up properly), hence my other reply (https://news.ycombinator.com/item?id=42252807). But a headline that succinctly and accurately explains a worst-case scenario would be much better than one that just points at a CVE score. (The submission has since been re-titled according to a less clickbaity source.)
I'm pretty sure a 9.8 CVE for something connected directly to WAN is a very bad thing.
The point is that the title puts the number up there to sensationalize. It doesn't concretely explain the scope or magnitude of the vulnerability.
The 9.8 CVE was for their NAS. Exposing any NAS directly to the open Internet is a Bad Idea.
For that matter, nearly every shit-tier NAS vendor (WD, QNAP) has had some critical remote vulnerability in recent years. Some were notable for mass data loss incidents.
That aside, these companies are all very good at making very, very nice hardware at a price point consumers can afford. Some corners have to be cut and it's often software.
The dirty secret is many Internet of Shit device vendors outsource the software development, often to the lowest bidder in some offshore sweatshop. In some cases it's just a repackage of an ODM design from some no-name company in Shenzhen.
None of which are known for secure coding or good software practices.
Criticize all you want but this is a textbook example of getting what you paid for.
It's unreasonable to pay $100 for a D-Link box and expect it's Cisco ASA quality with free indefinite support.
Cisco, Juniper, and Palo Alto would all tell you to pound sand if you expect support after EOL or if you let your maintenance contract (aka protection racket) lapse.
The problem is the way those specifics are handled. The Complexity metric is intended to handle the "specific configuration required" scenario but nobody is really incentivized to properly score their stuff.
Ok I get it, but if anything, people pay way less attention to security than they should. So I personally don't mind. I would prefer living in a world where people spend too much time caring for security.