A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.
The researcher who discovered the flaw, 'Netsecfish,' explains that the issue resides within the '/cgi-bin/nas_sharing.cgi' script, impacting its HTTP GET request handler component.
The two main issues contributing to the flaw, tracked as CVE-2024-3273, are a backdoor facilitated by a hardcoded account (username "messagebus" with an empty password) and a command injection problem via the "system" parameter.
When chained together, these allow an unauthenticated attacker to remotely execute commands on the device.
The command injection arises because a base64-encoded command supplied in the "system" parameter of an HTTP GET request is decoded and executed by the device.
“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions,” warns the researcher.
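The request shape described above (a GET to /cgi-bin/nas_sharing.cgi carrying the hardcoded "messagebus" account and a base64-encoded command in the "system" parameter) is easy to hunt for in web server or proxy logs. The following detector is an added example written for this article; it is not code from Netsecfish, D-Link or BleepingComputer. The sample access-log lines are constructed, and the query parameter names other than "system" (here "user" and "passwd") are assumptions about the request format, not details taken from the article.

```python
"""Added example (not from the article or from the researcher): scan
access-log lines for CVE-2024-3273 exploitation attempts against the
D-Link /cgi-bin/nas_sharing.cgi endpoint and decode the injected command."""
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/cgi-bin/nas_sharing.cgi"   # from the article
BACKDOOR_USER = "messagebus"             # hardcoded account named in the article


def decode_system_param(value):
    """Return the decoded command if `value` is valid base64 text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)  # reject non-base64 junk
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def analyze_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # keep_blank_values so an empty password (passwd=) is still visible
    params = parse_qs(parts.query, keep_blank_values=True)
    indicators = []
    # Indicator 1: the hardcoded backdoor account. The parameter name
    # "user" is an assumption for this example, not from the article.
    if BACKDOOR_USER in params.get("user", []):
        indicators.append("backdoor_user")
    # Indicator 2: a base64-encoded command in the "system" parameter (article).
    decoded = None
    for v in params.get("system", []):
        decoded = decode_system_param(v)
        if decoded is not None:
            indicators.append("system_param_b64")
            break
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "indicators": indicators,
        "command": decoded,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines; return the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample traffic (not real logs). Line 1 carries "aWQ=", which is
# base64 for "id"; lines 2 and 3 are ordinary requests that must not alert.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2024:10:01:02 +0000] '
    '"GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Apr/2024:10:02:15 +0000] '
    '"GET /cgi-bin/nas_sharing.cgi?user=admin&dir=/Volume_1 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [06/Apr/2024:10:03:44 +0000] '
    '"GET /web/login.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running the block prints one finding for the first sample line with both indicators set and the decoded command "id". Either indicator alone is worth a look: a request to this endpoint with the "messagebus" account is suspicious on its own, and a decodable "system" value on a device that has no patch available should be treated as an attempted compromise regardless of the response status.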
The device models impacted by CVE-2024-3273 are:
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
Netsecfish says network scans show over 92,000 vulnerable D-Link NAS devices exposed online and susceptible to attacks through these flaws.
No patches available
After contacting D-Link about the flaw and whether a patch would be released, the vendor told us that these NAS devices had reached end of life (EOL) and are no longer supported.
“All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported,” stated the spokesperson.
“D-Link recommends retiring these products and replacing them with products that receive firmware updates.”
The spokesperson also told BleepingComputer that the impacted devices do not have automatic online update capabilities or customer outreach features to deliver notifications, unlike current models.
Hence, the vendor was limited to a security bulletin published yesterday to raise awareness of the flaw and the need to retire or replace these devices immediately.
D-Link has set up a dedicated support page for legacy devices where owners can navigate archives to find the latest security and firmware updates.
Those who insist on using outdated hardware should at least apply the latest available updates, even though these will not address newly discovered problems like CVE-2024-3273.
Additionally, NAS devices should never be exposed to the internet, as they are commonly targeted for data theft or encryption in ransomware attacks.