More than 92,000 internet-facing D-Link NAS devices are vulnerable to hackers
Pierluigi Paganini
April 7, 2024
A researcher has disclosed the existence of arbitrary command injection and hard-coded backdoors in multiple obsolete D-Link NAS models.
A researcher named “Netsecfish” disclosed a new arbitrary command injection and hard-coded backdoor flaw online, tracked as CVE-2024-3273, which affects multiple end-of-life D-Link network-attached storage ( NAS) device model.
The flaw affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325.
The vulnerability is located in the nas_sharing.cgi uri, and researchers discovered a backdoor facilitated by hardcoded credentials and a command injection vulnerability via system parameters. An attacker could exploit this flaw to execute commands on affected D-Link NAS devices, gain potential access to sensitive information, change system configuration, or deny service.
Netsecfish reports that more than 92,000 Internet-facing devices are vulnerable to attack.
The request contains a username parameter (user=messagebus) and an empty password field (passwd=). This trick allows an attacker to bypass authentication.The command injection issue is achieved by adding base64 encoded commands system Parameters in HTTP GET requests. The command is decoded and executed.
“Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands on the system, which could lead to unauthorized access to sensitive information, modification of system configuration, or a denial of service condition,” Netsecfish wrote.
The flaw affects the following devices:
- DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013
- DNS-325 version 1.01
- DNS-327L version 1.09, version 1.00.0409.2013
- DNS-340L version 1.08
The bad news is that owners of device models will have to replace them because the vendor will not release security updates for these NAS because they have reached end of life (EOL).
“This vulnerability affects older D-Link products and all hardware versions that have reached the End of Life (“EOL”)/End of Service (“EOS”) life cycle. Products that have reached EOL/EOS will no longer Receive device software updates and security patches, and are no longer supported by D-Link.” Read the announcement posted by the vendor. “D-Link US recommends decommissioning and replacing D-Link devices that have reached EOL/EOS.“
Additionally, NAS devices should never be exposed to the internet, as they are often targets for data theft or encryption in ransomware attacks.
Follow me on Twitter: @Security Affairs and Facebook and Mastodon
Pierluigi Paganini
(security matters – hacker attack, NAS)