Severe D-Link Security Vulnerability Discovered – CVE-2024-3273 and CVE-2024-3274 Hard-Coded Credential Backdoor
The cybersecurity landscape has been significantly impacted by the discovery of two vulnerabilities in D-Link NAS devices, designated as CVE-2024-3273 and CVE-2024-3274. These vulnerabilities affect multiple (approx 92,000 internet facing devices, the bulk of which are UK based) D-Link NAS models that are no longer supported by the manufacturer due to their end-of-life (EOL) status. This detailed analysis aims to unpack the complexities of these vulnerabilities, their operational implications, and the necessary user responses.
Impact and Affected D-Link NAS Model:
The confirmed list of affected D-Link NAS models includes:
Model | Region | Hardware Revision | End of Service Life |
Fixed Firmware | Conclusion | Last Updated |
DNS-320L | All Regions | All H/W Revisions | 05/31/2020 | Not Available | Retire & Replace Device |
04/01/2024 |
DNS-325 | All Regions | All H/W Revisions | 09/01/2017 | Not Available | Retire & Replace Device | 04/01/2024 |
DNS-327L | All Regions | All H/W Revisions | 05/31/2020 | Not Available | Retire & Replace Device | 04/01/2024 |
DNS-340L | All Regions | All H/W Revisions | 07/31/2019 | Not Available | Retire & Replace Device | 04/01/2024 |
These devices, pivotal in small office/home office (SOHO) environments for data storage and management, are now susceptible to remote attacks that could compromise sensitive data integrity, availability, and confidentiality.
CVE-2024-3273: Command Injection Vulnerability Explained
CVE-2024-3273 exposes a command injection flaw within the web interface of affected D-Link NAS devices. The vulnerability is located in the handling of the system
parameter within the nas_sharing.cgi
script, which improperly sanitizes user-supplied input. This oversight allows authenticated remote attackers to inject and execute arbitrary shell commands encoded in base64. The execution context of these commands is particularly concerning, as it typically runs under the web server’s privileges, potentially leading to unauthorized access to the system, modification of system settings, or initiation of a denial of service (DoS) attack.
Technical Dive into CVE-2024-3274: Hardcoded Credentials
CVE-2024-3274 reveals a hardcoded credential vulnerability, manifesting as a backdoor account (messagebus
) embedded within the device firmware. This account, notably lacking a password, permits unauthenticated remote access to the device’s administrative interface. The presence of such hardcoded credentials significantly lowers the complexity of unauthorized device access, making it a critical vulnerability. This backdoor could be exploited in tandem with CVE-2024-3273 to elevate privileges or gain persistent access to the compromised device.
Who Found the D-Link Vulnerability?
The vulnerabilities were disclosed by a security researcher operating under the pseudonym “netsecfish,” who provided detailed technical insights and proof-of-concept (PoC) code. This disclosure highlighted the risk of widespread exploitation, given the estimated 92,000 devices exposed online across various regions, including the UK, Thailand, Italy, and Germany. The timing of the disclosure, subsequent to the affected models reaching their EOL, exacerbated concerns around feasible mitigation strategies.
You can find the full and very detailed outlining of the Vulnerability and Potential attack vector HERE on Netsecfish’s github listing
Mitigation Strategies for Users Who Are Still Using A D-LInk NAS
In light of D-Link’s stance on not providing firmware updates for EOL products, affected users are faced with limited mitigation options. The primary recommendation is the retirement and replacement of vulnerable devices. Interim measures, for those unable to immediately replace their devices, include isolating the NAS devices from the internet, implementing strict network segmentation, and employing firewall rules to restrict access to the management interface. Additionally, monitoring for unusual network activity can provide early detection of exploitation attempts.
D-Link Official Response
D-Link has acknowledged the vulnerabilities but emphasized the EOL status of the affected models, which precludes official firmware updates or patches. The company has issued advisories urging users to replace outdated devices with supported models. This situation underscores the importance of adhering to device lifecycle policies and maintaining an updated infrastructure to mitigate security risks.
You can see the full official D-Link Response HERE
At the time of writing, there is no mention of this on their social media pages. Hopefully this changes, as the potential 82,000 internet facing units in the wild need to be addressed.
Exploitation in the Wild of the hard-code credential D-Link Vulnerability
GreyNoise, a cybersecurity firm specializing in analyzing internet-wide scan traffic to identify threats, has provided valuable insights into the exploitation attempts of the D-Link NAS vulnerabilities. According to their analysis, a significant uptick in scan activity targeting the specific vulnerabilities CVE-2024-3273 and CVE-2024-3274 was observed shortly after their disclosure. This activity suggests that attackers are actively seeking out vulnerable D-Link NAS devices for exploitation. GreyNoise’s findings indicate that the exploitation attempts are not isolated incidents but part of a broader effort by malicious actors to identify and compromise affected devices. The data collected by GreyNoise highlights the real-world implications of these vulnerabilities and serves as a critical alert for organizations and individuals to take immediate protective actions against potential unauthorized access and exploitation of their D-Link NAS devices.
You can learn more about this on Greynoise’s official page on this matter HERE
The D-Link NAS Series is Still For Sale (Technically)
Despite the end-of-life status and known vulnerabilities of D-Link NAS models DNS-340L, DNS-320L, DNS-327L, and DNS-325, these devices continue to find a marketplace on platforms such as eBay and other online resale venues. This ongoing sale of used units poses a significant cybersecurity risk, as many sellers and buyers may not be fully aware of the devices’ vulnerability to exploits. Alarmingly, at the time of writing, it is reported that over 80,000 of these units remain actively internet-facing, directly exposing them to potential exploitation by attackers leveraging the CVE-2024-3273 and CVE-2024-3274 vulnerabilities. The persistence of these devices in active operational environments underscores the critical need for heightened awareness and proactive measures among current users. Potential buyers should be cautioned against acquiring these models, and existing users are strongly advised to consider secure alternatives that receive current manufacturer support and updates, mitigating the risk of compromise.
I own a Synology/QNAP NAS, Should I Care? How to Automatically Get Updated When Synology and QNAP NAS Vulnerabilities are Reported
Pretty much ALL of the brands in NAS, Data Storage and Cloud services have these security advisory pages, but the idea of checking these pages manually (i.e. bookmark etc) every day, week or month is too much of a hassle for many. On the other hand, they all arrive with an RSS feed link that allows users to subscribe to updates BUT many users are not even aware of how to apply an RSS feed (it’s a complex XML feed of text that needs to be injected into an appropriate RSS feed client/agent – so yeah, hardly noob friendly). So, in order to make this 1000x easier, I have (and by me, I mean Eddie the Web Guy spent time on it and I made this article!) made this page that will be constantly updated with the latest vulnerabilities reported on the popular NAS brands and storage-related manufacturers. It is still being built (so more brands are being added) but it will allow you to just chuck your email address below (will not be used for profit or spamming etc) and then you will get an alter EVERY TIME a new security vulnerability is updated by the brands (this is automated, so it will appear here as soon as it appears on the respective security advisory page). Additionally, there will be links back to the brand/manufacturer site so you can find out more about individual exploits and vulnerabilities, how they work, what they do and (most importantly) give you a better idea of whether you should update your NAS/Storage system or not. I hope you find it helpful and if you have any recommendations or idea of what we should add to this page/service to make it even better – let us know in the comments or directing here – https://nascompares.com/contact-us
Sign Up Below to Get Updates as New Vulnerabilities Are Reported
Get an alert every time something gets added to this specific article!
Find an updated vulnerability list here:
Comprehensive User Recommendations
Beyond immediate mitigation, users should consider several best practices for network device security:
- Conduct regular security audits of network devices.
- Update all devices to the latest firmware versions where possible.
- Employ network firewalls and intrusion detection systems to monitor and control inbound and outbound traffic.
- Practice the principle of least privilege by restricting device access to necessary personnel.
Conclusion
The vulnerabilities identified as CVE-2024-3273 and CVE-2024-3274 in D-Link NAS devices present significant security challenges. The absence of official firmware updates for these EOL products necessitates proactive user measures to mitigate risks. This analysis serves as a call to action for users to evaluate their network security posture critically, implement robust security measures, and ensure that all network-attached storage devices operate within their supported lifecycle.
📧 SUBSCRIBE TO OUR NEWSLETTER 🔔
🔒 Join Inner Circle
Get an alert every time something gets added to this specific article!
This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below
Need Advice on Data Storage from an Expert?
Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you.(Early Access) My Favourite NAS Releases of 2024
(Inner Circle) Recommended ATX NAS Motherboard Guide - 6 GREAT NAS MOBOs!
(Early Access) Flashstor Gen 2 NAS - SHOULD YOU BUY? (Short Review)
(Early Access) The DREAM Video Editor NAS - Flashstor Gen 2 Review (FS6806X)
(Early Access) A $230 10GbE and i3 6 Bay NAS Mobo - HOW? Any Good? (MW-N305-NAS)
(Early Access) CWWK Q670 8-Bay Gen5 NAS Mobo Review (UPGRADED VERSION)
Access content via Patreon or KO-FI