If you are using a D-Link NAS device, please disconnect it from the Internet. D-Link NAS devices are vulnerable to remote takeover and arbitrary code execution. This issue will never be resolved, as D-Link stopped supporting its NAS devices “many years ago.”
The D-Link NAS flaw is tracked as CVE-2024-3273 and was discovered by the security researcher Netsecfish, who explained that two distinct vulnerabilities, exploited together, lead to the arbitrary code execution described in this CVE.
The vulnerability behind this CVE is very simple: the D-Link NAS ships with a hardcoded account (username “messagebus”, no password) that acts as a backdoor, and its “system” parameter is vulnerable to command injection, with the command passed base64-encoded in an HTTP GET request.
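The two indicators the article names (the hardcoded “messagebus” user and a base64-encoded command in the “system” parameter) are enough to build a simple access-log check. The following is an added example written for this post, not code from Netsecfish or D-Link; the log lines are constructed, and the CGI path is a placeholder because the article does not name the vulnerable endpoint.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the article). The path
# /cgi-bin/example.cgi is a placeholder, not the real vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2024:10:01:12 +0000] "GET /cgi-bin/example.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 512
198.51.100.4 - - [06/Apr/2024:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [06/Apr/2024:10:03:01 +0000] "GET /cgi-bin/example.cgi?user=admin&system=dW5hbWUgLWE= HTTP/1.1" 200 300
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_b64(value: str) -> Optional[str]:
    """Decode a base64 query value to text; None if it is not valid base64/UTF-8."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_request(target: str) -> list:
    """Return the indicators present in one request target (path + query)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    if "messagebus" in (u.lower() for u in query.get("user", [])):
        hits.append("hardcoded messagebus account")
    for encoded in query.get("system", []):
        decoded = decode_b64(encoded)
        if decoded is not None:
            hits.append(f"base64 system parameter decodes to {decoded!r}")
    return hits


def scan_log(text: str) -> list:
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], "; ".join(f["indicators"]))
```

Any hit on the “messagebus” user from an external address is worth treating as an exploitation attempt, since that account has no legitimate remote use.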
“Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands on the system, which could result in unauthorized access to sensitive information, modification of system configuration, or a denial of service condition.”
Netsecfish ran network scans to count the D-Link NAS devices exposed to the Internet and found approximately 92,000. Researchers at GreyNoise say attackers are already attempting to exploit the CVE, and D-Link has issued an advisory for affected customers.
The following device models are affected by this CVE:
- DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013
- DNS-325 version 1.01
- DNS-327L version 1.09, version 1.00.0409.2013
- DNS-340L version 1.08
D-Link no longer manufactures NAS devices. Its NAS products reached end-of-life and end-of-service a few years ago. This security flaw will not be fixed, and anyone still using a D-Link NAS should consider upgrading to a supported device.
As for why Netsecfish chose to disclose this vulnerability, it’s standard practice in situations like this. D-Link will not fix the issue, so D-Link NAS users need to know about it immediately rather than waiting for attackers to find it (and carry out stealthy attacks). The unfortunate side effect is that attackers are now aware of the problem as well.
If you refuse to buy a new NAS, you should at least update the firmware of your D-Link NAS, disable UPnP, and disable remote access. Note that you can install an alternate operating system on these D-Link NAS devices, but this is a difficult process.
Source: Netsecfish via Bleeping Computer