A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to place backdoors on the device and gain access to sensitive information, among other nefarious activities.
More than 92,000 devices currently connected to the Internet are affected by the flaw, tracked as CVE-2024-3273, in D-Link NAS devices including the DNS-340L, DNS-320L, DNS-327L and DNS-325 models, according to D-Link. As a result, the company is asking customers to deactivate all affected devices, which will remain vulnerable because they will no longer receive updates or support from the vendor.
A researcher known online as “netsecfish” identified the flaw, detailed it on GitHub and subsequently notified D-Link, which then published its own advisory. The researcher also released an exploit for the flaw, in which attackers have already shown interest, according to a post on X (formerly Twitter) by Shadowserver.
“We have started seeing scans/exploits from multiple IPs for CVE-2024-3273,” the post reads. “This involves chaining a backdoor and injecting commands to achieve RCE.”
Flaws in NAS devices are serious business, as their exploitation has great potential to affect not only the device itself but the many devices that connect to it, constituting a dangerous threat that can expose corporate networks to risk.
Data theft, denial of service and more
The vulnerability exists in the CGI script nas_sharing.cgi and enables backdooring through the exposure of a username and password, as well as command injection through the system parameter, netsecfish explained.
“This affects an unknown function of the /cgi-bin/nas_sharing.cgi file of the HTTP GET Request Handler component,” according to the entry for the flaw in the National Institute of Standards and Technology (NIST) National Vulnerability Database. “Manipulation of the argument system leads to command injection.”
To be more specific, in terms of username and password exposure, the problem lies in the request, which “includes parameters for a username (user=messagebus) and an empty password field (passwd=),” according to netsecfish. “This indicates a backdoor that allows unauthorized access without proper authentication.”
For command injection, attackers can exploit the “system” parameter within the request, “which carries a base64 encoded value that, when decoded, appears to be a command,” according to netsecfish.
Attackers can chain the two issues to gain arbitrary command execution on affected D-Link NAS devices, potentially giving them access to sensitive information, the ability to alter system configuration, or a means of denial of service.
The netsecfish exploit works by crafting a malicious HTTP GET request of the form /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=
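Because the two issues are visible in a single request line (the messagebus account with an empty password, plus a base64-encoded value in the system parameter), defenders can spot exploitation attempts in ordinary web-server access logs. The following detector is an added example written for this article and is not code from netsecfish, D-Link or Shadowserver. It assumes Common Log Format access logs; the sample log lines, the IP addresses and the base64 value (which decodes to the constructed string PLACEHOLDER_COMMAND rather than any real command) are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). The first line
# models a CVE-2024-3273 probe: backdoor credentials plus a base64 "system"
# value. The base64 payload is a constructed placeholder, not a real command.
PLACEHOLDER_B64 = base64.b64encode(b"PLACEHOLDER_COMMAND").decode()
SAMPLE_LOG = (
    '203.0.113.10 - - [08/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi'
    f'?user=messagebus&passwd=&cmd=15&system={PLACEHOLDER_B64} HTTP/1.1" 200 512\n'
    '198.51.100.7 - - [08/Apr/2024:10:01:05 +0000] "GET /web/index.html HTTP/1.1" 200 4096\n'
    '203.0.113.11 - - [08/Apr/2024:10:02:30 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=admin&passwd=secret&cmd=7 HTTP/1.1" 200 128\n'
)

# Minimal Common Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_b64(value):
    """Decode a (possibly unpadded) base64 string; return None if it is not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_request(target):
    """Return None for requests that do not touch nas_sharing.cgi, otherwise a
    dict with the indicators found (an empty findings list means nothing suspicious)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/nas_sharing.cgi"):
        return None
    # keep_blank_values=True so that "passwd=" (empty) is still observable.
    params = parse_qs(parts.query, keep_blank_values=True)
    result = {"findings": [], "decoded_system": None}

    user = params.get("user", [""])[0]
    passwd = params.get("passwd", [""])[0]
    if user == "messagebus" and passwd == "":
        result["findings"].append("backdoor credentials: user=messagebus with empty passwd")

    if "system" in params:
        decoded = decode_b64(params["system"][0])
        result["decoded_system"] = decoded
        if decoded is None:
            result["findings"].append("system parameter present but not valid base64")
        else:
            result["findings"].append(f"system parameter decodes to {decoded!r}")
    return result


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-CLF line; skip rather than crash
        analysis = analyze_request(match["target"])
        if analysis and analysis["findings"]:
            alerts.append({
                "ip": match["ip"],
                "timestamp": match["ts"],
                "target": match["target"],
                **analysis,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['ip']} {alert['target']}")
        for finding in alert["findings"]:
            print("  -", finding)
```

Run against the constructed sample, the scanner flags only the first line: the second request never touches the CGI script, and the third uses the script with a different account and no system parameter, so it produces no findings. Any hit on a device that D-Link has declared EOL is a signal to pull it off the network rather than to tune the filter, since no patch is coming.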
Replace and retire vulnerable D-Link devices
A report published last year found that companies in every industry continue to leave backup and storage platforms unprotected, making it vital for them to ensure that cybercriminals cannot exploit vulnerable devices to enter corporate networks.
Without an imminent patch for CVE-2024-3273, the only real remedy is to stop using the affected devices altogether, so anyone who still has one connected to a network should retire and replace the product immediately, according to D-Link. A full list of devices can be found in D-Link’s advisory.
Indeed, the company remained adamant that it has no plans to support or update the affected products, in line with its usual device EOL strategy. “Regardless of product type or sales channel, it is D-Link’s general policy that when products reach EOS/EOL, they can no longer be supported and all firmware development for these products ceases,” according to D-Link.
If consumers in the United States continue to use the device against the company’s recommendations, they should “ensure the device has the latest known firmware,” which can be found on the legacy website links included in the advisory, according to D-Link.
Anyone who wishes to continue using the device should also ensure that they frequently update the device’s unique password to access its web setup, as well as enable Wi-Fi encryption with a unique password.