A critical security flaw has been identified in over 60,000 D-Link network-attached storage (NAS) devices that have reached end-of-life. This vulnerability, tracked as CVE-2024-10914, has a severity score of 9.2 and allows unauthenticated attackers to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.
The flaw affects various models of D-Link NAS devices commonly used by small businesses, including the DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01 and Version 1.02, and DNS-340L Version 1.08. Security researcher Netsecfish provided details on how the vulnerability can be exploited by sending a crafted HTTP GET request with malicious input in the name parameter.
A search conducted by Netsecfish on the FOFA platform revealed over 61,000 D-Link devices vulnerable to CVE-2024-10914. Despite this, D-Link has stated that a fix for this vulnerability will not be released, and users are advised to retire the affected products. If retiring the devices is not possible immediately, users should isolate them from the public internet or implement stricter access controls.
Earlier this year, the same researcher discovered another flaw, tracked as CVE-2024-3273, affecting similar D-Link NAS models. This flaw allowed for arbitrary command injection and hardcoded backdoor access. In response to this discovery, D-Link clarified that they no longer produce NAS devices, and affected products that have reached end-of-life will not receive security updates.
It is essential for users of D-Link NAS devices to be aware of these vulnerabilities and take appropriate measures to secure their systems. Implementing network segmentation, restricting access to vulnerable devices, and regularly monitoring for unauthorized activity can help mitigate the risk of exploitation. Additionally, users should consider upgrading to newer, supported devices to ensure ongoing security protection for their network-attached storage systems.
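One concrete form of the "monitoring for unauthorized activity" advice above is to watch HTTP traffic reaching the NAS for requests whose `name` query parameter carries shell metacharacters, since the page describes the flaw as command injection through that parameter in a crafted GET request. The scanner below is an added example written for this page, not code from D-Link or the researcher: it assumes a combined-style access log (as produced by a reverse proxy or web-server in front of the device, since the NAS itself is unlikely to export one), uses a placeholder CGI path rather than the device's real endpoint, and runs over a few constructed sample lines.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that have no legitimate place in an account name but are
# exactly what a shell needs to chain or substitute commands.
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")

# Combined-style access log: source address, then the request line and status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines; /cgi-bin/example.cgi is a placeholder path,
# not the vulnerable endpoint on the device.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2024:10:00:01 +0000] "GET /cgi-bin/example.cgi?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2024:10:00:02 +0000] "GET /cgi-bin/example.cgi?name=x%3Bid HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Nov/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Nov/2024:10:00:04 +0000] "GET /cgi-bin/example.cgi?name=%24%28id%29 HTTP/1.1" 200 1024',
]


def suspicious_name_values(target):
    """Return every decoded `name` query value in `target` that contains shell metacharacters."""
    # parse_qs percent-decodes values, so %3B becomes ';' before the check.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [value for value in query.get("name", []) if SHELL_META.search(value)]


def scan_access_log(lines):
    """Scan access-log lines; return one finding per request with a suspicious `name` value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        hits = suspicious_name_values(match.group("target"))
        if hits:
            findings.append({
                "line": lineno,
                "src": match.group("src"),
                "method": match.group("method"),
                "status": match.group("status"),
                "values": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['src']} {finding['method']} "
              f"status={finding['status']} name={finding['values']}")
```

The check is deliberately broad (any request method, any status code): a 200 response to such a request on an end-of-life device is the case that should page someone, but even rejected attempts tell you the device is being probed and belongs behind an access control list or off the internet entirely.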