Threat update

Two vulnerabilities were found in legacy D-Link products that have reached end-of-life (EoL) status. The vulnerabilities can cause command injection and backdoor account to these devices. This Cybersecurity Threat Advisory discusses the impact of the threat, as well as recommendations to mitigate risks these vulnerabilities may cause.

Technical Detail and Additional Info

What is the threat?

The identified critical vulnerability, CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273, affects D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L models up to 20240403. It pertains to an undisclosed function within the file /cgi-bin/nas_sharing.cgi of the HTTP GET Request Handler component. Exploitation involves manipulation of the system argument, resulting in command injection. Remote exploitation is possible, as the exploit has been publicly disclosed (VDB-259284). 

The vulnerability in nas_sharing.cgi script entails:

• Backdoor via username and password exposure: The request includes parameters for a username (user=messagebus) and an empty password field (passwd=), indicating a backdoor that allows unauthorized access without proper authentication.
• Command injection through the system parameter: The request's system parameter carries a base64 encoded value, which upon decoding, reveals a command.

Why is it noteworthy?

Successful exploitation of these flaws could lead to arbitrary command execution on affected D-Link NAS devices, granting threat actors access to sensitive information, enabling alterations to system configurations, or triggering denial-of-service (DoS) conditions. 

What is the exposure or risk?

The vulnerabilities affect the following models:

• DNS-320L: Versions 1.11, 1.03.0904.2013, 1.01.0702.2013
• DNS-325: Version 1.01
• DNS-327L: Versions 1.09, 1.00.0409.2013
• DNS-340L: Version 1.08

What are the recommendations?

 LBT Technology Group, LLC. suggests the following measures to ensure the security of your environment in light of this vulnerability:

• Remove the affected versions from your environment and replace them with supported D-Link versions to receive firmware updates.
• If replacing the affected product is not possible, it is recommended to apply the latest available updates, even if it may not address newly discovered issues.
• Visit D-Link's dedicated support page for legacy devices to navigate archives for the latest security and firmware updates

References

 For more in-depth information about the recommendations, please visit the following links:

• https://lbttechgroup.com/index.php/blog/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account
  
• https://thehackernews.com/2024/04/critical-flaws-leave-92000-d-link-nas.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-3273
• https://github.com/netsecfish/dlink
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

If you have any questions, please contact LBT's Sales Engineer.