April 12, 2024 at 07:36AM
The recently disclosed D-Link NAS device vulnerabilities, now assigned two identifiers, are being exploited, prompting D-Link to urge customers to replace affected devices. Exploitation attempts have increased: GreyNoise observed attacks from 140 unique IPs, and the Shadowserver Foundation reported over 150 IPs attempting to exploit the vulnerabilities. GreyNoise reported roughly 5,500 impacted devices, while Shadowserver saw around 2,400.
Key takeaways:
– A second identifier (CVE-2024-3272) has been assigned to the recently disclosed D-Link network-attached storage (NAS) device vulnerabilities in addition to CVE-2024-3273.
– The vulnerabilities allow unauthenticated attackers to exploit hardcoded credentials and a command injection bug, resulting in remote access to the device’s web management interface.
– D-Link has published an advisory, but as the affected products have reached end of life, the vendor is not releasing patches and is urging customers to replace impacted NAS appliances.
– Initially, D-Link’s advisory listed four impacted NAS device models, but the company has since added 16 other DNS-series device models.
– Exploitation attempts targeting the vulnerabilities have increased, with GreyNoise observing attacks from 140 unique IPs and the Shadowserver Foundation reporting over 150 IPs attempting exploitation as of April 10.
– Some of the attacks are associated with Mirai-like botnets. The researcher who disclosed the vulnerabilities reported seeing over 92,000 affected devices connected to the internet, but the number of devices that are actually vulnerable appears to be smaller, with GreyNoise reporting roughly 5,500 impacted devices and Shadowserver seeing approximately 2,400 devices.
– Other related vulnerabilities in NAS devices have been exposed, including those of Western Digital, Synology, and QNAP, affecting millions of users’ files.