A critical vulnerability, tracked as CVE-2024-3273, has been discovered in multiple D-Link Network Attached Storage (NAS) devices [1]. Affected models include the DNS-340L, DNS-320L, DNS-327L, and DNS-325. The vulnerability lies within the nas_sharing.cgi URI and stems from two distinct issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter.
Details of the Vulnerability.
The backdoor is facilitated through a hardcoded account with the username messagebus and an empty password. The command injection flaw arises from supplying a base64-encoded command in the system parameter of an HTTP GET request; the device decodes the value and executes it. Successful exploitation could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.
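Defenders who still have one of these devices on the network can hunt for the two indicators above in web-server or proxy logs: requests to nas_sharing.cgi that use the messagebus account, and requests that carry a system parameter, whose base64 value is decoded so an analyst can see what the device would have run. The following is an added example, not code from the advisory or from D-Link; the log lines are constructed, and the query-parameter name user is an assumption (the advisory names only the account, not the parameter).

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&system=aWQ= HTTP/1.1" 200 512
198.51.100.3 - - [06/Apr/2024:10:01:05 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin HTTP/1.1" 200 128
192.0.2.9 - - [06/Apr/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

BACKDOOR_USER = "messagebus"     # hardcoded account named in the advisory
TARGET_CGI = "nas_sharing.cgi"   # vulnerable endpoint named in the advisory
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def decode_system_param(value: str):
    """Decode the base64 'system' value for triage; None if it is not valid base64."""
    # parse_qs turns an unescaped '+' into a space; restore it before decoding.
    value = value.replace(" ", "+")
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(line: str):
    """Return a finding for a log line that touches nas_sharing.cgi, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(TARGET_CGI):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    user = params.get("user", [""])[0]        # "user" is an assumed parameter name
    system = params.get("system", [None])[0]  # parameter named in the advisory
    finding = {
        "client": line.split()[0],
        "backdoor_account": user == BACKDOOR_USER,
        "system_param": system is not None,
        "decoded_command": decode_system_param(system) if system else None,
    }
    hit = finding["backdoor_account"] or finding["system_param"]
    finding["severity"] = "high" if hit else "info"
    return finding


def scan_log(text: str):
    """Run inspect_request over every line and keep only the nas_sharing.cgi hits."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Any "high" finding on an internet-exposed NAS should be treated as a probable compromise attempt against an unsupported device, which the vendor guidance below says to retire rather than patch.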
Impact and Exploitation.
Attackers are now actively targeting over 92,000 end-of-life D-Link NAS devices exposed online and unpatched against this critical remote code execution (RCE) zero-day flaw. Threat actors are now chaining these two security flaws to deploy a variant of the Mirai malware. Mirai variants are usually designed to add infected devices to a botnet that can be used in large-scale distributed denial-of-service (DDoS) attacks.
Vendor Response.
D-Link has confirmed that these NAS devices have reached their End of Life (EOL) and are no longer supported. “All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported,” a D-Link spokesperson told BleepingComputer. D-Link recommends retiring these products and replacing them with products that receive firmware updates.
Conclusion.
This incident serves as a reminder of the importance of maintaining up-to-date systems and retiring end-of-life devices. Users of D-Link NAS devices are strongly advised to retire and replace their devices as soon as possible to mitigate the risk of exploitation.
Sources.
1. NVD – CVE-2024-3273 – https://nvd.nist.gov/vuln/detail/CVE-2024-3273
2. D-Link Technical Support – https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
3. Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks – https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-92-000-d-link-nas-devices-now-exploited-in-attacks/
4. GitHub – netsecfish/dlink – https://github.com/netsecfish/dlink
5. BleepingComputer – https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/