D-Link will not fix a critical vulnerability in discontinued NAS devices
Facepalm: Microsoft occasionally releases rare, out-of-band security updates for its older operating systems when a vulnerability is particularly severe. In contrast, companies like D-Link seem content to leave former users exposed to potentially disastrous network security risks.
A recently disclosed security vulnerability impacting D-Link NAS devices will remain unpatched, as the Taiwanese manufacturer confirmed these models have reached their end-of-life / end-of-service status. This means they are likely to stay permanently vulnerable, a situation that has raised concerns among security analysts.
The vulnerability, tracked as CVE-2024-10914, affects the DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS systems with firmware up to version 20241028. This critical flaw is located in the “cgi_user_add” command and can be triggered via a specially crafted HTTP GET request. The command fails to properly sanitize the “name” parameter, allowing an attacker to inject shell commands.
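For defenders who still have one of these units behind a proxy or firewall that logs HTTP requests, the following added example (not code from D-Link, NetSecFish, or the original article) flags GET requests that reference “cgi_user_add” and carry shell metacharacters in the “name” parameter. It assumes Common Log Format lines; the `/cgi-bin/placeholder.cgi` path, the `cmd` parameter, and all sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client address and request target from a Common Log Format line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')

# Characters a shell treats specially; a legitimate user name needs none of them.
SHELL_META = set(";|&`$(){}<>'\"\\\n\r")

def suspicious_name(value):
    """Return the sorted shell metacharacters found in a decoded 'name' value."""
    return sorted(SHELL_META.intersection(value))

def scan(lines):
    """Yield (client, decoded name, metacharacters) for each flagged request."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urlsplit(target).query
        if "cgi_user_add" not in query:
            continue
        # parse_qsl percent-decodes, so an encoded %3B is caught like a literal ';'.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "name":
                found = suspicious_name(value)
                if found:
                    yield client, value, found

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2024:10:01:02 +0000] '
    '"GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Nov/2024:10:05:40 +0000] '
    '"GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=a%3Bsleep%205 HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/Nov/2024:10:06:11 +0000] '
    '"GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=$(uname) HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Nov/2024:10:07:00 +0000] '
    '"GET /index.html?name=a%3Bb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for client, name, meta in scan(SAMPLE_LOG):
        print(f"ALERT {client}: name={name!r} contains {meta}")
```

A hit from an external address means the management interface is reachable from the internet and has been probed; the device should be taken offline and reviewed rather than left in service.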
While the National Institute of Standards and Technology noted that the attack complexity is “high,” exploitation is possible, as researchers have already disclosed a working exploit online. These NAS devices were once popular among small businesses, but D-Link has since discontinued this line of network storage products.
The company recently published a security bulletin regarding the matter, acknowledging the “Command Injection Vulnerability” discovered by NetSecFish in the DNS-320, DNS-325, DNS-340L, and other NAS models. D-Link advised owners of these affected devices to retire them and consider replacing them with newer alternatives.
In the bulletin, D-Link reiterated its policy that end-of-life and end-of-service products are no longer supported and that firmware development for these models has ceased. NetSecFish estimated that over 61,000 vulnerable devices remain connected to the internet, putting them at risk of exploitation through malicious HTTP GET requests, which could result in data breaches or botnet activity.
D-Link offered some general advice for users who continue to connect these critically vulnerable NAS devices to the internet. They recommended ensuring the latest firmware is installed, using a unique password, and enabling Wi-Fi encryption. While these steps provide some basic security, they do little to mitigate the CVE-2024-10914 vulnerability itself.
Earlier this year, the same researcher identified an additional command injection vulnerability and a hardcoded backdoor in the same NAS models (CVE-2024-3273). D-Link did not issue a fix or firmware update for that vulnerability, either.