Summary: A researcher has discovered an arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models, which could allow attackers to execute arbitrary commands on the system and gain unauthorized access to sensitive information or modify system configurations.
Threat Actor: Netsecfish
Victim: D-Link NAS device owners | D-Link
Key Points:
- A new arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, has been discovered in multiple end-of-life D-Link NAS device models.
- The vulnerability allows attackers to execute arbitrary commands on the affected devices, potentially leading to unauthorized access, system configuration alteration, or denial of service.
- Over 92,000 Internet-facing devices are vulnerable to this flaw.
- The flaw affects D-Link NAS models DNS-340L, DNS-320L, DNS-327L, and DNS-325.
- Owners of the affected device models are advised to replace them as the vendor will not release security updates for these end-of-life devices.
- NAS devices should never be exposed to the internet to prevent data theft or ransomware attacks.
A researcher who goes online by the moniker ‘Netsecfish’ disclosed a new arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, that impacts multiple end-of-life D-Link Network Attached Storage (NAS) device models.
The flaw affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325.
The vulnerability resides in the nas_sharing.cgi URI. The researcher found a backdoor enabled by hardcoded credentials, combined with a command injection vulnerability via the system parameter. An attacker can exploit the flaw to achieve command execution on the affected D-Link NAS devices, potentially gaining access to sensitive information, altering the system configuration, or causing a denial of service.
Netsecfish reported that over 92,000 Internet-facing devices are vulnerable.
The request includes parameters for a username (user=messagebus) and an empty field for the password (passwd=). This trick allows attackers to bypass authentication. The command injection is achieved by adding a base64-encoded command to the system parameter of an HTTP GET request; the device decodes and executes the command.
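For defenders who still have one of these devices on the network, the two indicators described above (the hardcoded messagebus user with an empty passwd, and a base64-encoded system parameter sent to nas_sharing.cgi) are easy to hunt for in web-server or proxy logs. The following detection script is an added example, not code from the article or from Netsecfish; it parses constructed Common Log Format lines, flags requests matching those indicators, and decodes the system parameter so an analyst can see what was sent. The /cgi-bin/ path prefix and the sample log lines are assumptions made for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# The first line carries the hardcoded user, an empty password and a base64
# system parameter; the second is an ordinary authenticated request to the
# same CGI; the third is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2024:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=ZWNobyBwcm9iZQ== HTTP/1.1" 200 512
198.51.100.3 - - [05/Apr/2024:10:01:40 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=secret HTTP/1.1" 200 1024
192.0.2.9 - - [05/Apr/2024:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Matches the client IP and the quoted request line of a CLF entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_system_param(value):
    """Best-effort base64 decode of the 'system' parameter for analyst review.

    Returns the decoded text, or None if the value is empty or not valid base64.
    """
    if not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def analyze_request(target):
    """Inspect one request target; return a finding dict or None if benign.

    A request is flagged only when it reaches nas_sharing.cgi and carries at
    least one of the indicators described in the article.
    """
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "nas_sharing.cgi":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    indicators = []
    if params.get("user", [None])[0] == "messagebus":
        indicators.append("hardcoded_user_messagebus")
    if params.get("passwd", [None])[0] == "":
        indicators.append("empty_password")
    system = params.get("system", [None])[0]
    decoded = None
    if system is not None:
        indicators.append("system_param_present")
        decoded = decode_system_param(system)
        if decoded is not None:
            indicators.append("system_param_base64")
    if not indicators:
        return None
    return {"target": target, "indicators": indicators, "decoded_system": decoded}


def scan_log(text):
    """Run analyze_request over every parseable line; return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding is not None:
            finding["ip"] = m.group("ip")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["indicators"], repr(f["decoded_system"]))
```

The script treats any nas_sharing.cgi request with the hardcoded user or an empty password as suspicious even when no system parameter is present, since an authentication bypass probe may precede the injection attempt. Because the vendor will not patch these models, the practical response to a hit is to confirm the device is not reachable from the internet and to retire it.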
“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.” wrote Netsecfish.
The flaw impacts the following devices:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
The bad news is that owners of the affected models have to replace them, because the vendor will not release security updates for these NAS devices, which have reached end of life (EOL).
“This exploit affects legacy D-Link products and all hardware revisions, which have reached their End of Life (“EOL”)/End of Service Life (“EOS”) Life-Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link,” reads the advisory published by the vendor. “D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced.”
Furthermore, NAS devices should never be exposed to the internet as they are commonly targeted to steal data or encrypt in ransomware attacks.
Source: https://securityaffairs.com/161549/hacking/d-link-nas-flaw.html