Embarrassing is an understatement.
- Open-source firmware vuln exposes wireless routers
- Open-source firmware flaw exposes wireless routers – DD-WRT
Tomato users are not affected. No idea regarding HyperWRT or Thibor.
Sebastian Gottschall’s statement, “consider that this exploit was released without any report to us”, is a miserable attempt at taking responsibility for the mistake. I have personally reviewed the DD-WRT source many times while working with WRT* routers — and like Busybox, it’s all duct tape and Bondo. The same applies to HyperWRT, though most of the trashy code there comes from the base source which is the responsibility of Linksys and their third-party vendor.
With regard to DD-WRT, I really don’t care if the exploit was released without any prior report — consider doing security audits of your own code, and stop allowing patches with hacked-up solutions. Instead, stop and think about the change in its entirety before committing.