D-Link won’t fix critical flaw affecting 60,000 older NAS devices

November 8, 2024 at 02:23PM

Over 60,000 D-Link NAS devices are vulnerable to a critical command injection flaw (CVE-2024-10914). An attacker can exploit it via crafted HTTP GET requests. D-Link confirmed no fix will be provided and recommends retiring the affected devices or isolating them from the internet due to their end-of-life status.

### Meeting Takeaways:

1. **Vulnerability Overview**:
– A critical command injection vulnerability (CVE-2024-10914) has been discovered affecting over 60,000 D-Link network-attached storage (NAS) devices that have reached end-of-life (EoL).
– The vulnerability has a severity score of 9.2 and stems from insufficient sanitization of the `name` parameter of the `cgi_user_add` command.

2. **Exploit Details**:
– An attacker can exploit this flaw by sending specially crafted HTTP GET requests without authentication to execute arbitrary shell commands.
– Example exploit command:
```shell
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;;%27"
```

3. **Affected Models**:
– The following D-Link NAS models are impacted:
– DNS-320 Version 1.00
– DNS-320LW Version 1.01.0914.2012
– DNS-325 Versions 1.01 and 1.02
– DNS-340L Version 1.08

4. **Device Exposure**:
– A scan by security researcher Netsecfish identified 61,147 instances of vulnerable D-Link devices across 41,097 unique IP addresses.

5. **D-Link’s Response**:
– D-Link has stated that there will be no fix for CVE-2024-10914 and recommends that users retire these vulnerable devices.
– If immediate retirement is not feasible, users should isolate the devices from the public internet or enforce stricter access controls.

6. **Related Vulnerabilities**:
– Earlier this year, another vulnerability (CVE-2024-3273) was reported, which also impacted many of the same D-Link NAS models.
– Previous scans returned 92,589 results indicating vulnerable devices at that time.

7. **Vendor Statement**:
– D-Link acknowledged that it no longer manufactures NAS devices and that the affected models have reached their end of life, hence no further security updates will be provided.

### Action Items:
– Users of the affected D-Link NAS devices should plan a replacement or, where that is not immediately possible, isolate the devices from the public internet and restrict access to them to mitigate the risk from the identified vulnerabilities.
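As an added defensive example (not code from the article or from D-Link), the script below flags access-log requests that match the injection pattern described under Exploit Details and checks an inventory entry against the affected firmware list. The log lines are constructed, and the script assumes the NAS web server logs requests in common log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected models and firmware versions as listed in the article (EoL, no fix).
AFFECTED = {
    "DNS-320": {"1.00"},
    "DNS-320LW": {"1.01.0914.2012"},
    "DNS-325": {"1.01", "1.02"},
    "DNS-340L": {"1.08"},
}

# Shell metacharacters that have no place in a username handed to cgi_user_add.
SHELL_META = re.compile(r"[;'\"`|&$(){}<>\n]")

# Common-log-format request line: source IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access-log lines (hypothetical traffic, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2024:14:23:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;;%27 HTTP/1.1" 200 512
203.0.113.7 - - [08/Nov/2024:14:23:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
198.51.100.3 - - [08/Nov/2024:14:24:10 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.3 - - [08/Nov/2024:14:25:00 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%60id%60 HTTP/1.1" 200 512
"""

def is_cve_2024_10914_attempt(target: str) -> bool:
    """True when a request target matches the pattern described in the article:
    account_mgr.cgi, cmd=cgi_user_add, and shell metacharacters in name."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if "cgi_user_add" not in query.get("cmd", []):
        return False
    # parse_qs decoded once; decode again so %2527-style double encoding is caught.
    return any(SHELL_META.search(unquote(n)) for n in query.get("name", []))

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (source IP, decoded target) for every request that looks like an attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cve_2024_10914_attempt(m.group(3)):
            hits.append((m.group(1), unquote(m.group(3))))
    return hits

def is_affected(model: str, firmware: str) -> bool:
    """Inventory check: does this model/firmware pair appear in the affected list?"""
    return firmware in AFFECTED.get(model.upper(), set())
```

Running `scan_log(SAMPLE_LOG)` reports the two requests with metacharacters in `name` and ignores the legitimate user-creation request and the unrelated page fetch.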