Security researcher Netsecfish has uncovered a severe command injection vulnerability affecting thousands of older D-Link network-attached storage (NAS) devices. The flaw, tracked as CVE-2024-10914 in the National Vulnerability Database (NVD), carries a critical severity score of 9.2 and poses a significant risk to users still relying on these end-of-life devices.
The vulnerability resides in the 'cgi_user_add' command functionality, specifically within the 'name' parameter, which lacks proper input sanitization. What makes this flaw particularly dangerous is that it can be exploited without authentication, allowing attackers to inject arbitrary shell commands through crafted HTTP GET requests.
The following D-Link models are affected by the issue:
- D-Link DNS-320 Version 1.00
- D-Link DNS-320LW Version 1.01.0914.2012
- D-Link DNS-325 Versions 1.01 and 1.02
- D-Link DNS-340L Version 1.08
Netsecfish’s FOFA scan of the affected NAS models revealed 61,147 results with 41,097 unique IP addresses. Though the NVD suggests the attack complexity is high, skilled attackers could potentially exploit these vulnerable devices if exposed to the public internet.
Unfortunately, D-Link has stated it will not issue a patch, citing that these models have all reached their end-of-life/end-of-service (EOL/EOS) as of 2020. In a statement, D-Link recommended that users retire or replace these devices, as no further software updates or security patches will be provided.
Security experts have outlined several interim measures for users who cannot immediately replace their affected D-Link NAS devices. First and foremost, they strongly advise isolating these devices from public internet access to minimize exposure to potential attacks. Additionally, organizations should implement strict access control measures, limiting device access to only trusted IP addresses and authorized users. For those seeking alternative solutions, experts suggest exploring third-party firmware options, though they emphasize the importance of obtaining such firmware only from trusted and verified sources. However, these measures should be considered temporary solutions, and users are urged to develop and execute plans for replacing these vulnerable devices as soon as feasible.
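Because D-Link will not patch, detection on the network edge is part of the interim measures above. As an added example (not from the original report, from Netsecfish, or from D-Link), the following Python scans web-server access logs for GET requests that reach the cgi_user_add command with shell metacharacters in the name parameter, the injection point described above; the CGI path and the log lines are constructed placeholders, since the page does not give the device's actual endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" style access line; the request is the quoted "METHOD TARGET HTTP/x" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Characters that terminate or chain a shell command or start substitution; none belong in a user name.
SHELL_META = re.compile(r'[;|&`$<>\n]')

def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes percent-encoding once, so %3B arrives here as ';'
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def is_suspicious(rec):
    """True when a request reaches cgi_user_add and its 'name' value carries shell metacharacters."""
    if rec is None:
        return False
    # The page names the command but not where it appears, so match it in the path or any query value.
    reaches_cgi = "cgi_user_add" in rec["path"] or any(
        "cgi_user_add" in v for vals in rec["query"].values() for v in vals)
    if not reaches_cgi:
        return False
    # Decode a second time so double-encoded values (e.g. %253B) are not missed.
    return any(SHELL_META.search(unquote(name)) for name in rec["query"].get("name", []))

def scan(lines):
    """Return (source IP, path) for every suspicious request in the given log lines."""
    return [(r["ip"], r["path"]) for r in map(parse_line, lines) if is_suspicious(r)]

# Constructed sample lines, not real traffic; PLACEHOLDER.cgi and COMMAND stand in for values the page omits.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2024:08:14:02 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice&pw=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Nov/2024:08:14:05 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=bob%3BCOMMAND HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Nov/2024:08:14:06 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=bob%2524%2528COMMAND%2529 HTTP/1.1" 200 88',
    '192.0.2.4 - - [10/Nov/2024:08:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path in scan(SAMPLE_LOG):
        print(f"ALERT: cgi_user_add injection attempt from {ip} on {path}")
```

Only the two requests with a metacharacter in name are flagged; the legitimate user-add and the unrelated page request pass.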