92,000 D-Link NAS Devices Are Vulnerable To Malware Attacks

Hackers are scanning for and actively exploiting an unpatched vulnerability in four older D-Link Network Attached Storage (NAS) devices that allows them to execute arbitrary commands on the affected device and gain access to sensitive information.

D-Link confirmed the flaw in an advisory last week. It has urged its users to retire and replace its End of Support (“EOS”) / End of Life (“EOL”) products, as it does not plan to send out a patch. In other words, users need to buy one of D-Link’s newer NAS systems.

The vulnerability affects around 92,000 D-Link devices across the following models and versions: DNS-320L (versions 1.11, 1.03.0904.2013 and 1.01.0702.2013), DNS-325 (version 1.01), DNS-327L (versions 1.09 and 1.00.0409.2013), and DNS-340L (version 1.08).

The flaws are tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3). The former is a hard-coded “backdoor” account that has no password; the latter is a command-injection flaw that lets an attacker run any command on the device through a single HTTP GET request.

“The vulnerability lies in the nas_sharing.cgi URI, which is vulnerable due to two main issues: a backdoor enabled by hard-coded credentials and a command injection vulnerability via the system parameter,” said the security researcher, who discovered and publicly disclosed the vulnerability on March 26 and goes by the name “netsecfish”.

“This exploitation could lead to arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service, by specifying a command, affecting over 92,000 devices on the internet.”
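Because the disclosure names both the affected endpoint (nas_sharing.cgi) and the injected parameter (system), a defender can hunt for exploitation attempts in the NAS's web access logs. The following is an added example, not code from the article or from D-Link: it assumes logs in Common Log Format, and the sample lines, addresses and parameter values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: ip ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_CGI = "nas_sharing.cgi"   # endpoint named in the public disclosure
INJECT_PARAM = "system"        # query parameter identified as the injection point

def classify(line):
    """Classify one access-log line. Returns (severity, ip), or None when benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path.rsplit("/", 1)[-1] != VULN_CGI:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if INJECT_PARAM in params:
        # A request that names the injection parameter is treated as an exploitation attempt.
        return ("high", m.group("ip"))
    # Reaching the endpoint at all is notable on an EOL device that should not be exposed.
    return ("medium", m.group("ip"))

def scan(log_text):
    """Return an alert per suspicious line plus a per-source count to spot scanners."""
    alerts, by_ip = [], {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        severity, ip = hit
        alerts.append({"severity": severity, "ip": ip, "line": line})
        by_ip[ip] = by_ip.get(ip, 0) + 1
    return alerts, by_ip

# Constructed sample log lines: documentation-range addresses and placeholder values.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2024:10:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?system=PLACEHOLDER HTTP/1.1" 200 512
198.51.100.3 - - [08/Apr/2024:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [08/Apr/2024:10:12:09 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for a in found:
        print(f'[{a["severity"]}] {a["ip"]}: {a["line"]}')
    print("requests per source:", counts)
```

On a real device the same logic can be pointed at exported web-server logs; repeated hits from one source, as in the sample, are the scanning pattern GreyNoise and Shadowserver describe.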

Threat intelligence company GreyNoise said it noticed attackers attempting to weaponize the flaws to deploy a variant of the Mirai malware (skid.x86), which can remotely commandeer the D-Link devices. Mirai variants are normally designed to add infected devices to a botnet for use in large-scale distributed denial-of-service (DDoS) attacks.

Further, the Shadowserver Foundation, a non-profit threat research organization, has also detected active exploitation attempts in the wild, reporting “scans/exploits from multiple IPs.”

“We have started to see scans/exploits from multiple IPs for CVE-2024-3273 (vulnerability in end-of-life D-Link Network Area Storage devices). This involves chaining of a backdoor & command injection to achieve RCE,” it said in a post on X (formerly Twitter).

In the absence of a fix, the Shadowserver Foundation recommends that users take the device offline or replace it, or at the very least firewall its remote access to block potential threats.

The vulnerability in D-Link NAS devices poses a significant threat to users and underscores the need to remain vigilant about cybersecurity and to keep devices updated. To prevent exploitation by malicious actors, users should follow the recommended precautionary measures to safeguard their devices and protect their data.

Kavita Iyer