Jump to content
  • D-Link won’t fix critical flaw affecting 60,000 older NAS devices


    Karlston

    • 243 views
    • 2 minutes
     Share


    • 243 views
    • 2 minutes

    More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.

     

    The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized.

     

    An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.

     

    The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses:

     

    • DNS-320 Version 1.00
    • DNS-320LW Version 1.01.0914.2012
    • DNS-325 Version 1.01,  Version 1.02
    • DNS-340L Version 1.08

     

    In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter.”

     

    curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27" 

     

    “This curl request constructs a URL that triggers the cgi_user_add command with a name parameter that includes an injected shell command,” the researcher explains.

     

    A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

     

    FOFA scan results for exposed D-Link NAS devices
    FOFA scan results for exposed D-Link NAS devices
    Source: Netsecfish

    In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products.

     

    If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions.

     

    The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.

     

    Back then, FOFA internet scans returned 92,589 results.

     

    Responding to the situation at the time, a D-Link spokesperson told BleepingComputer that the networking firm no longer makes NAS devices, and the impacted products had reached EoL and will not be receiving security updates.

     

    Source


    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    2023: Over 5,800 news posts | 2024 (till end of October): 4,832 news posts

    RIP Matrix | Farewell my friend  :sadbye:


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...