A threat researcher has recently discovered that many end-of-life D-Link NAS devices contain a backdoor account: a hidden account built into these devices that lets anyone, including attackers, reach your private resources and data by simply bypassing the devices' authentication process. According to the latest research, as many as 92,000 D-Link Network Attached Storage devices have this backdoor flaw. The researcher states that the flaw resides in the script '/cgi-bin/nas_sharing.cgi' and affects its HTTP GET request handler. The backdoor consists of a hardcoded account with the username "messagebus" and an empty password. The vulnerability is present in many NAS devices and is tracked as CVE-2024-3273. Another major flaw found on the same devices is a newly disclosed command injection problem. A command injection is an attack in which the attacker executes arbitrary commands on the victim's operating system. When the two issues are chained together, an attacker can execute commands on the device, even remotely.
The detailed research found that the command injection is triggered by supplying a base64-encoded command in the "system" parameter of an HTTP GET request. This is a dangerous vulnerability: when exploited by cybercriminals and capable attackers, it allows them to execute arbitrary commands on your system. The consequences include unauthorized access to sensitive data, modification of system configurations, and denial of service conditions.
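Defenders who cannot patch these devices can at least watch for the request pattern described above. The following detection snippet is an added example, not part of the original article or of any D-Link software: it scans web-server access log lines for requests to /cgi-bin/nas_sharing.cgi that carry the "messagebus" account or a "system" parameter, and decodes the base64 value so an analyst can see what was sent. The log lines are constructed, and the query keys user= and passwd= are assumed names (the article only names the account and the "system" parameter).

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format); not real traffic.
# 'user' and 'passwd' are assumed query keys, chosen only for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=ZWNobyBkZXRlY3Rpb24tdGVzdA== HTTP/1.1" 200 512
192.0.2.11 - - [08/Apr/2024:10:01:05 +0000] "GET /cgi-bin/login_mgr.cgi?cmd=login HTTP/1.1" 200 128
192.0.2.12 - - [08/Apr/2024:10:01:09 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&system=%%%notbase64 HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
BACKDOOR_ACCOUNT = "messagebus"          # hardcoded account named in the advisory
VULN_PATH = "/cgi-bin/nas_sharing.cgi"   # vulnerable CGI script named in the advisory

def decode_b64(value: str):
    """Return the decoded 'system' value, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect_line(line: str):
    """Return a finding dict if the request matches the CVE-2024-3273 pattern, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Match the account name in any query value, so no parameter name is assumed.
    uses_backdoor = any(BACKDOOR_ACCOUNT in v for v in qs.values())
    system_vals = qs.get("system")
    if not (uses_backdoor or system_vals):
        return None
    return {
        "src": line.split()[0],
        "backdoor_account": uses_backdoor,
        "system_param": bool(system_vals),
        # None when the parameter is absent or not decodable; still worth alerting on.
        "decoded_command": decode_b64(system_vals[0]) if system_vals else None,
    }

def scan_log(text: str):
    """Run inspect_line over every line and keep the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]
```

Undecodable or absent "system" values are still reported, since use of the backdoor account alone is enough to warrant an alert.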
The affected NAS devices:
Internet scans have identified over 92,000 D-Link NAS devices that are vulnerable to attack because of the flaws described above. The NAS device models affected by CVE-2024-3273 are:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.07-2.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
No patches are available:
The investigators also contacted D-Link to ask for a patch, but the vendor informed them that these NAS models have already reached end of life (EOL) and can therefore no longer be supported. In fact, all D-Link Network Attached Storage products have been end of service life for many years, and the resources associated with these products have been discontinued and are no longer available for support. The D-Link spokesperson advised users to retire these products and replace them with models that receive regular firmware updates. Unlike current models, the impacted devices have neither automatic update capabilities nor customer outreach features that could generate notifications. All D-Link could do was release a security bulletin to raise awareness among D-Link NAS device users of this serious flaw, so that they replace the devices as soon as possible for the sake of their data security.
Conclusion:
D-Link maintains a support page for legacy devices where users can find the latest security and firmware updates. Users who still want to keep using their outdated models can at least update their systems with the latest available security fixes. It is worth noting, however, that these updates will not fix issues like CVE-2024-3273. Users should also keep in mind that NAS devices must not be exposed to the internet, as they have become an easy target for cyberattacks.