Unaddressed Security Risk Looming Over Tens of Thousands of D-Link NAS Devices
The renowned technology firm D-Link has come under fire for opting not to resolve a serious security vulnerability in numerous older models of its network-attached storage (NAS) devices. This decision leaves over 60,000 of its products exposed to potential unauthenticated command injection attacks. The critical flaw, identified as CVE-2024-10914, was discovered by security researcher Netsecfish. The vulnerability can be exploited through an HTTP GET request sent to the account_mgr.cgi script, one of the integral components of the NAS system's functionality.
Specific D-Link Models Identified as Vulnerable
A range of older D-Link NAS models have been called out as vulnerable to this issue, namely DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01 and Version 1.02, and DNS-340L Version 1.08. D-Link has decided that these models have reached the end of their life cycle and will not ship any security updates or patches for the enumerated devices. Citing the end-of-life/end-of-service (EOL/EOS) status of these models, D-Link has recommended that customers retire their older NAS devices and replace them with newer models.
Current Threat Assessment and Advisories
Netsecfish carried out an in-depth analysis of the affected D-Link devices, identifying over 61,000 internet-exposed devices across 41,097 unique IP addresses. Although the National Vulnerability Database rates the attack complexity as high, making the vulnerability rather challenging to exploit, the risk cannot be dismissed: attackers with the necessary skills and knowledge could feasibly target any publicly accessible D-Link NAS device.
If you are an end-user of the affected models, it is imperative either to replace your current system with a newer model promptly or to adopt protective measures. According to Netsecfish, the NAS settings menu or management interface should be accessible only from verified IP addresses. It is also advised to disconnect the NAS device from the public internet so that only authorized users can reach it.
Alternative options include sourcing third-party firmware compatible with your D-Link model, but verify the integrity of the source to avoid introducing further security problems.
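The allowlist advice above can also be turned into a detection check on the web server or reverse-proxy logs in front of the NAS. The following is an added example written for this article, not code from D-Link or Netsecfish: it flags every request that reaches account_mgr.cgi from an address outside an assumed management allowlist. The combined log format, the /cgi-bin/ prefix and the log lines themselves are assumptions and constructed samples.

```python
"""Flag requests to the D-Link NAS account_mgr.cgi script from non-allowlisted sources."""
import ipaddress
import re
from urllib.parse import urlsplit

# Management hosts permitted to reach the NAS web interface (assumed value).
MGMT_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Script named in the advisory; the /cgi-bin/ prefix is an assumption, so we
# match on the script name at the end of the path rather than the full path.
VULNERABLE_SCRIPT = "account_mgr.cgi"

# Apache/nginx combined-style log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one allowlisted hit, one outside hit, one unrelated
# request and one unparseable line.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2024:08:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=test HTTP/1.1" 200
203.0.113.7 - - [12/Nov/2024:08:05:44 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=test HTTP/1.1" 200
203.0.113.7 - - [12/Nov/2024:08:05:45 +0000] "GET /index.html HTTP/1.1" 200
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["ip"])  # reject lines with a malformed client field
    except ValueError:
        return None
    return rec


def is_allowed(ip):
    """True if the client address falls inside any allowlisted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_alerts(log_text):
    """Return one alert per request to account_mgr.cgi from outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if not path.endswith("/" + VULNERABLE_SCRIPT) or is_allowed(rec["ip"]):
            continue
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "status": rec["status"]})
    return alerts
```

In a live deployment the allowlist hit is the only expected traffic, so any alert from this check is a signal to pull the device off the public network immediately.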