D-Hyperlink gained’t repair essential flaw affecting 60,000 older NAS gadgets

Greater than 60,000 D-Hyperlink network-attached storage gadgets which have reached end-of-life are weak to a command injection vulnerability with a publicly obtainable exploit.

The flaw, tracked as CVE-2024-10914, has a essential 9.2 severity rating and is current within the ‘cgi_user_add’ command the place the title parameter is insufficiently sanitized.

An unauthenticated attacker may exploit it to inject arbitrary shell instructions by sending specifically crafted HTTP GET requests to the gadgets.

The flaw impacts a number of fashions of D-Hyperlink network-attached storage (NAS) gadgets which are generally utilized by small companies:

  • DNS-320 Model 1.00
  • DNS-320LW Model 1.01.0914.2012
  • DNS-325 Model 1.01,  Model 1.02
  • DNS-340L Model 1.08

In a technical write-up that gives exploit particulars, safety researcher Netsecfish says that leveraging the vulnerability requires sending “a crafted HTTP GET request to the NAS gadget with malicious enter within the title parameter.”

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27" 

“This curl request constructs a URL that triggers the cgi_user_add command with a name parameter that includes an injected shell command,” the researcher explains.

A search that Netsecfish performed on the FOFA platform returned 61,147 outcomes at 41,097 distinctive IP addresses for D-Hyperlink gadgets weak to CVE-2024-10914.

FOFA scan results for exposed D-Link NAS devices
FOFA scan outcomes for uncovered D-Hyperlink NAS gadgets
Supply: Netsecfish

In a safety bulletin right now, D-Hyperlink has confirmed {that a} repair for CVE-2024-10914 just isn’t coming and the seller recommends that customers retire weak merchandise.

If that’s not attainable in the intervening time, customers ought to at the very least isolate them from the general public web or place them below stricter entry situations.

The identical researcher found in April this 12 months an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting principally the identical D-Hyperlink NAS fashions as the newest flaw.

Again then, FOFA web scans returned 92,589 outcomes.

Responding to the state of affairs on the time, a D-Hyperlink spokesperson informed BleepingComputer that the networking agency now not makes NAS gadgets, and the impacted merchandise had reached EoL and won’t be receiving safety updates.

Recent articles