Two critical vulnerabilities have been discovered in end-of-life (EOL) models of D-Link network-attached storage (NAS) devices; together they give unauthenticated attackers remote code execution and access to the data stored on the device.

Description

The two flaws, tracked as CVE-2024-3272 and CVE-2024-3273 [3] [7], both sit in the nas_sharing.cgi CGI script [4]. CVE-2024-3272 is a hardcoded account that acts as a backdoor into the device, and CVE-2024-3273 is an arbitrary command injection through the script's "system" parameter [2] [8]. Chaining the two, an attacker logs in with the built-in account and then injects a command, achieving remote code execution (RCE) without ever knowing a legitimate password [4]. Exploitation can result in unauthorized access [3], system modification [3] [7], or denial of service [3] [7].

The flaws were discovered by security researcher Netsecfish [2], and a proof-of-concept exploit was published with the disclosure [1]; reports of in-the-wild exploitation followed shortly afterwards [1]. Attackers are actively exploiting the vulnerabilities [3], and internet scans have found over 92,000 affected devices exposed to the internet [4] [8]. CVE-2024-3273 is considered easy to exploit [1], and scanning services have observed attack traffic from multiple source IPs [1]. Researchers have warned of the potential for arbitrary command execution and denial-of-service attacks [1]. Malware is being installed on compromised devices [3], which fits the pattern of D-Link vulnerabilities being frequently folded into botnets [6]. D-Link itself also suffered a data breach last fall [6].

Affected models include the DNS-320L [2] [6], DNS-325 [1] [2] [4] [5] [6] [8], DNS-327L [1] [2] [4] [5] [6] [8], and DNS-340L [2] [5] [8]. D-Link has confirmed that these devices are past their end of life and will not be patched [2], and advises users to retire and replace them immediately to avoid unauthorized access [2], data theft [2], and denial-of-service attacks [1] [2]. D-Link's general guidance for EOL hardware (change passwords regularly, enable Wi-Fi encryption) does not mitigate these flaws: the backdoor account's credentials are hardcoded in the firmware, so changing the administrator password has no effect on it. Until an affected device can be replaced, disable UPnP and any remote, internet-facing access unless it is strictly necessary [3]. Further information can be found in D-Link's support announcement.
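Because the devices themselves cannot be patched, the practical detection point is whatever sits in front of them: a reverse proxy, a router with HTTP logging, or a packet capture. The script below is an added example, not code from D-Link or from any of the cited sources. It parses combined-format access log lines (constructed samples with RFC 5737 test addresses, not real traffic), flags requests to nas_sharing.cgi that log in with the backdoor account or carry a `system` parameter, and recovers the injected command. It assumes, as the public proof of concept does, that the command arrives base64-encoded in `system`, and it uses the account name (messagebus, empty password) given in the researcher's disclosure; the log format, field names and sample addresses are assumptions for illustration.

```python
"""Hunt web access logs for CVE-2024-3272 / CVE-2024-3273 exploitation
attempts against D-Link NAS devices (nas_sharing.cgi).

Added example, not D-Link's or the sources' code.  Assumptions: combined log
format, base64-encoded command in the `system` parameter (as in the public
PoC), and the backdoor account name from the researcher's disclosure.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Account named in the public disclosure: hardcoded user with an empty password.
BACKDOOR_USER = "messagebus"

# Constructed sample lines (combined log format, RFC 5737 addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2024:10:15:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=aWQ= HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Apr/2024:10:16:44 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=Y2F0IC9ldGMvcGFzc3dk HTTP/1.1" 200 4201 "-" "curl/8.4.0"
192.0.2.5 - - [08/Apr/2024:10:17:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=hunter2&cmd=7 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.8 - - [08/Apr/2024:10:18:30 +0000] "GET /web/login.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_system(value):
    """Recover the injected command from the `system` parameter value.

    The public PoC base64-encodes it.  A '+' in the raw query may have been
    turned into a space by parse_qs, so restore it before decoding.  Anything
    that is not clean base64 of printable text is returned unchanged.
    """
    candidate = value.replace(" ", "+")
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return value
    return text if text.isprintable() else value


def analyze_request(target):
    """Classify one request target (path + query).

    Returns a findings dict for a nas_sharing.cgi exploitation attempt, or
    None for any other request.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/nas_sharing.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    user = qs.get("user", [""])[0]
    passwd = qs.get("passwd", [""])[0]
    indicators = []
    finding = {"path": parts.path, "user": user}
    # CVE-2024-3272: login with the hardcoded account and its empty password.
    if user == BACKDOOR_USER and passwd == "":
        indicators.append("hardcoded-account-login")
    # CVE-2024-3273: the `system` parameter is the injection vector, so any
    # occurrence on this script is treated as an attempt and decoded.
    if "system" in qs:
        indicators.append("system-param-command-injection")
        finding["command"] = decode_system(qs["system"][0])
    if not indicators:
        return None
    finding["indicators"] = indicators
    return finding


def scan_log(text):
    """Run analyze_request over every parsable log line; return the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {",".join(h["indicators"])} '
              f'user={h["user"]!r} cmd={h.get("command")!r} status={h["status"]}')
```

On the constructed sample the first two lines are flagged with both indicators and decode to `id` and `cat /etc/passwd`; the ordinary admin login and the unrelated page are ignored. A 200 status on a flagged line is worth treating as a probable compromise rather than a mere attempt, since the script runs the command before responding. Feed the scanner real logs with `scan_log(open(path).read())`.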

Conclusion

The impact of these vulnerabilities is significant: they are under active exploitation and hand attackers control of the device and the data it stores. Users should replace affected devices immediately and, until they do, keep them off the internet by disabling UPnP and remote access. The episode also underlines the broader lesson that EOL devices must be retired on schedule, because no patch will ever arrive for them.

References

[1] https://www.techtarget.com/searchSecurity/news/366580153/Flaws-in-legacy-D-Link-NAS-devices-under-attack
[2] https://www.techradar.com/pro/security/thousands-of-d-link-nas-devices-have-serious-backdoor-security-issues
[3] https://arstechnica.com/security/2024/04/hackers-actively-exploit-critical-remote-takeover-vulnerabilities-in-d-link-devices/
[4] https://www.darkreading.com/cloud-security/92k-dlink-nas-critical-command-injection-bug
[5] https://www.helpnetsecurity.com/2024/04/08/cve-2024-3273/
[6] https://www.scmagazine.com/news/d-link-nas-device-vulnerabilities-exploited-no-patch-available
[7] https://www.inforisktoday.com/aged-d-link-nas-devices-are-being-exploited-by-hackers-a-24812
[8] https://www.infosecurity-magazine.com/news/over-90000-dlink-nas-devices-attack/