
D-Link's solution to critical NAS vulnerability: Buy new hardware

D-Link not in a hurry to patch a critical NAS vulnerability (Image source: D-Link)
A critical command injection vulnerability has been discovered in several D-Link NAS devices, posing a high security risk because it can be triggered without authentication. D-Link has declined to issue security patches for the affected models, which reached end-of-life status in 2020, and instead recommends that users replace their devices entirely. Experts recommend isolating these devices from public networks and implementing strict access controls.

Security researcher Netsecfish has uncovered a severe command injection vulnerability affecting thousands of older D-Link network-attached storage (NAS) devices. The flaw, tracked as CVE-2024-10914 in the National Vulnerability Database (NVD), carries a critical severity score of 9.2 and poses a significant risk to users still relying on these end-of-life devices.

The vulnerability resides in the 'cgi_user_add' command functionality, specifically within the 'name' parameter, which lacks proper input sanitization. What makes this flaw particularly dangerous is that it can be exploited without authentication, allowing attackers to inject arbitrary shell commands through crafted HTTP GET requests.

The following D-Link models are affected by the issue:

  • D-Link DNS-320 Version 1.00
  • D-Link DNS-320LW Version 1.01.0914.2012
  • D-Link DNS-325 Versions 1.01 and 1.02
  • D-Link DNS-340L Version 1.08

Netsecfish’s FOFA scan of the affected NAS models revealed 61,147 results with 41,097 unique IP addresses. Though the NVD suggests the attack complexity is high, skilled attackers could potentially exploit these vulnerable devices if exposed to the public internet.

Unfortunately, D-Link has stated it will not issue a patch, citing that these models have all reached their end-of-life/end-of-service (EOL/EOS) as of 2020. In a statement, D-Link recommended that users retire or replace these devices, as no further software updates or security patches will be provided.

Security experts have outlined several interim measures for users who cannot immediately replace their affected D-Link NAS devices. First and foremost, they strongly advise isolating these devices from public internet access to minimize exposure to potential attacks. Additionally, organizations should implement strict access control measures, limiting device access to only trusted IP addresses and authorized users. For those seeking alternative solutions, experts suggest exploring third-party firmware options, though they emphasize the importance of obtaining such firmware only from trusted and verified sources. However, these measures should be considered temporary solutions, and users are urged to develop and execute plans for replacing these vulnerable devices as soon as feasible.
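As an added defensive example (not code from the article, D-Link or the researcher), the following Python scans web-server or reverse-proxy access log lines for requests that invoke cgi_user_add and flags those whose name parameter carries shell metacharacters, the shape of the flaw described above. The request path, the log format and the log lines are constructed for illustration; the article does not give the exact URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that have no place in a NAS user name but do in a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Constructed sample access log lines (not from the article). The CGI path is an
# assumption; the article only names the cgi_user_add command and its name parameter.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
198.51.100.7 - - [10/Nov/2024:10:01:09 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%3Bid HTTP/1.1" 200 512
203.0.113.5 - - [10/Nov/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return a finding string for a cgi_user_add request, or None for anything else."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "cgi_user_add" not in parts.path and "cgi_user_add" not in qs.get("cmd", []):
        return None
    for name in qs.get("name", []):
        decoded = unquote(name)  # parse_qs decoded once; unquote again to catch double encoding
        if SHELL_META.search(decoded):
            return f"shell metacharacter in name={decoded!r}"
    # Any account creation on an unpatched EOL device is worth an alert on its own.
    return "cgi_user_add called"

def scan_log(text):
    """Yield (client ip, status, reason) for every cgi_user_add request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m["target"])
        if reason:
            findings.append((m["ip"], m["status"], reason))
    return findings

if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(ip, status, reason)
```

A status of 200 on the flagged line is the detail to chase: the article notes the call needs no authentication, so a successful response to an unknown client is the indicator, not a failed login.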

Andrew Sozinov, 2024-11-10 (Update: 2024-11-10)