Cybersecurity Threat Advisory: Two vulnerabilities found in D-Link NAS devices

Two vulnerabilities were found in legacy D-Link products that have reached end-of-life (EoL) status. The vulnerabilities can cause command injection and backdoor account to these devices. This Cybersecurity Threat Advisory discusses the impact of the threat, as well as recommendations to mitigate risks these vulnerabilities may cause.

What is the threat?

The identified critical vulnerability, CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273, affects D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L models up to 20240403. It pertains to an undisclosed function within the file /cgi-bin/nas_sharing.cgi of the HTTP GET Request Handler component. Exploitation involves manipulation of the system argument, resulting in command injection. Remote exploitation is possible, as the exploit has been publicly disclosed (VDB-259284).

The vulnerability in nas_sharing.cgi script entails:

• Backdoor via username and password exposure: The request includes parameters for a username (user=messagebus) and an empty password field (passwd=), indicating a backdoor that allows unauthorized access without proper authentication.
• Command injection through the system parameter: The request’s system parameter carries a base64 encoded value, which upon decoding, reveals a command.

Why is it noteworthy?

Successful exploitation of these flaws could lead to arbitrary command execution on affected D-Link NAS devices, granting threat actors access to sensitive information, enabling alterations to system configurations, or triggering denial-of-service (DoS) conditions.

What is the exposure or risk?

The vulnerabilities affect the following models:

• DNS-320L: Versions 1.11, 1.03.0904.2013, 1.01.0702.2013
• DNS-325: Version 1.01
• DNS-327L: Versions 1.09, 1.00.0409.2013
• DNS-340L: Version 1.08

What are the recommendations?

Barracuda MSP suggests the following measures to ensure the security of your environment in light of this vulnerability:

• • Remove the affected versions from your environment and replace them with supported D-Link versions to receive firmware updates.
  • If replacing the affected product is not possible, it is recommended to apply the latest available updates, even if it may not address newly discovered issues.
  • Visit D-Link’s dedicated support page for legacy devices to navigate archives for the latest security and firmware updates.

References

Refer to the links below for more information about this threat:

• https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/
• https://thehackernews.com/2024/04/critical-flaws-leave-92000-d-link-nas.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-3273
• https://github.com/netsecfish/dlink
• https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.