If you’re using a D-Link NAS device, disconnect it from the internet. D-Link NAS devices are vulnerable to remote takeover and arbitrary code execution. This problem will never be fixed, as D-Link stopped supporting its NAS devices “many years” ago.
The D-Link NAS flaw, tracked as CVE-2024-3273, was discovered by cybersecurity researcher Netsecfish. The researcher explains that two distinct vulnerabilities, when exploited in tandem, could lead to the arbitrary code execution described in this CVE.
The vulnerabilities behind this CVE are extremely straightforward—your D-Link NAS has a hardcoded account (username “messagebus,” no password) that can serve as a backdoor, and it has a command injection flaw in its “system” parameter (triggered by an HTTP GET request with a base64-encoded command).
“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.”
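As an added example (not code from the article or from Netsecfish's write-up), the two traits described above can be turned into a simple access-log check: flag GET requests that log in as the hardcoded messagebus account or that carry a base64-encoded `system` parameter. The log lines and the `/placeholder.cgi` path are constructed for the example; the real endpoint path is not given on this page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real traffic). The CGI path is a
# placeholder; only the "user" and "system" parameter names come from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2024:10:01:02 +0000] "GET /placeholder.cgi?user=messagebus&system=aWQ= HTTP/1.1" 200 512
198.51.100.7 - - [08/Apr/2024:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.9 - - [08/Apr/2024:10:01:09 +0000] "GET /placeholder.cgi?user=admin&system=notbase64! HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_b64_param(value: str):
    """Return the decoded text of a base64 value, or None if it is not base64 text."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def inspect_request(target: str):
    """Return the reasons a request target matches the CVE-2024-3273 pattern."""
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    reasons = []
    if "messagebus" in params.get("user", []):
        reasons.append("hardcoded 'messagebus' account used")
    for value in params.get("system", []):
        decoded = decode_b64_param(value)
        if decoded is not None:
            reasons.append(f"base64 'system' parameter decodes to {decoded!r}")
    return reasons

def scan_log(log_text: str):
    """Return (source_ip, target, reasons) for each suspicious GET line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((line.split(" ", 1)[0], m.group("target"), reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Run it against the NAS's real web-server log (or a reverse proxy in front of it) to see whether anyone has already tried the request shape before the device is taken offline.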
Netsecfish performed a network scan to see how many D-Link NAS devices are exposed to the internet. The headcount is approximately 92,000. Researchers at Greynoise say that hackers are now attempting to exploit the CVE, and D-Link has published an advisory for affected customers.
The following device models are affected by this CVE:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
D-Link doesn’t manufacture NAS devices anymore. Its NAS products reached End-of-Life and End-of-Service several years ago. There will not be a fix for this security flaw, and anyone who still uses a D-Link NAS should consider upgrading.
As for why Netsecfish chose to publicize this vulnerability—well, in this case, it’s standard practice. D-Link isn’t going to solve the problem, so instead of waiting for hackers to figure this out (and perform covert attacks), D-Link NAS users need to be made aware of the issue immediately. The unfortunate side effect is that hackers are now aware of this issue, too.
If you refuse to buy a new NAS, you should at least update your D-Link NAS's firmware, disable UPnP, and disable remote access. Note that you can install alternate operating systems on these D-Link NAS devices, but it’s a difficult process.
Source: Netsecfish via Bleeping Computer