An array of D-Link NAS devices are vulnerable to arbitrary command injection attacks, according to a recent disclosure, prompting warnings from security experts.
A security researcher by the name of Netsecfish published their analysis of the attack chain, and how at risk businesses are on GitHub at the beginning of April 2024. Netsecfish’s research found over 92,000 NAS devices were affected by the incident while being publicly exposed to the internet.
Rated as 7.3 on the CVSS scale, the vulnerability combines hard-coded credentials to create a backdoor account on the device through which they could execute random code on the target system.
Hidden in the ‘nas_sharing.cgi’ uri, the vulnerability creates a backdoor that would give an attacker unauthorized access without the proper authentication, and the flaws could result in serious security breaches, according to Netsecfish
“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions,” Netsecfish wrote.
D-Link has since confirmed the flaws, noting that they are limited to a specific set of devices that had reached their end-of-life cycle and were no longer receiving security patches.
The security announcement issued by D-Link acknowledging the flaws stated the DNS-340L, DNS-320L, and DNS-325 NAS models have all reached End of Support or End Of Life.
As a result, D-Link customers running any of the affected products are faced with the choice of replacing their NAS devices or running the risk of hackers exploiting the weakness and compromising their network.
The networking hardware specialists have set up a dedicated support page for customers to get help mitigating the potential damage these vulnerabilities could have on their business.
Flaws in D-Link NAS devices could haunt unprepared firms
Speaking to ITPro, Pieter Arntz, malware intelligence researcher at Malwarebytes, warned this combination of vulnerabilities - as well as the lack of continued security updates – could spell danger for unprepared organizations.
“This looks like it could be very impactful for a few reasons. Firstly, because there is no patch to be expected since the devices are end of life and because a PoS is available,” he said. “Secondly, given the large number of exposed devices and that no login details are needed because of the hard-coded credentials, the option to execute code on the device could provide an entrance to the network.”
Arntz said the first thing businesses need to do is ensure these devices are no longer exposed to the public internet, emphasizing the importance of reducing the wealth of opportunities attackers can choose to exploit.
The particular risk associated with vulnerabilities of this nature, according to Arntz, is that threat actors can use lists of hard-coded credentials available online to potentially bypass authentication systems with relative ease.
“The urgent advice, especially for organizations, would be to take them offline, or at least no longer internet-facing, and assume all credentials stored on the device as compromised. Employee, or even network administrator credentials could provide an entrance for ransomware access brokers,” he explained.
“There are lists of hard-coded device credentials online and you should assume that if your device comes with a standard, default password, that cybercriminals can find your device and already know what the password is.”
