Over 92,000 D-Link NAS Devices Vulnerable to Backdoor Exploitation
April 6, 2024
A security researcher known as 'Netsecfish' has revealed a new security vulnerability in multiple discontinued models of D-Link Network Attached Storage (NAS) devices. The flaw, identified as CVE-2024-3273, involves a hardcoded backdoor account (with username 'messagebus' and no password) and an arbitrary command injection issue via the 'system' parameter. When combined, these vulnerabilities could allow a cybercriminal to remotely execute commands on the device.
The command injection flaw originates from the addition of a base64-encoded command to the 'system' parameter through an HTTP GET request, which is subsequently executed. 'Netsecfish' warns, 'Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.'
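The following is an added defender-side example, not code from the original article or from the researcher: it parses constructed Common Log Format access-log lines and flags GET requests whose 'system' query parameter carries base64 text, decoding it for review. The endpoint path "/cgi-bin/EXAMPLE.cgi" and the 'user' query-parameter name are assumptions made for the sample, and the log lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines. The path "/cgi-bin/EXAMPLE.cgi" is a
# placeholder, and "user=" is an assumed parameter name for the account field.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2024:10:00:01 +0000] "GET /cgi-bin/EXAMPLE.cgi?user=messagebus&system=aWQ= HTTP/1.1" 200 512
198.51.100.7 - - [06/Apr/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [06/Apr/2024:10:00:03 +0000] "GET /cgi-bin/EXAMPLE.cgi?system=notbase64!! HTTP/1.1" 404 0
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)


def decode_system_param(url):
    """Return the decoded 'system' value as text, or None if it is absent or not valid base64."""
    values = parse_qs(urlsplit(url).query).get("system")
    if not values:
        return None
    try:
        decoded = base64.b64decode(values[0], validate=True)
        return decoded.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_suspicious_requests(log_text):
    """Return (client_ip, decoded_system_value, backdoor_account_used) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_system_param(m.group("url"))
        if decoded is None:
            continue
        params = parse_qs(urlsplit(m.group("url")).query)
        # The hardcoded account from the advisory is 'messagebus'.
        uses_backdoor = "messagebus" in params.get("user", [])
        hits.append((m.group("ip"), decoded, uses_backdoor))
    return hits


if __name__ == "__main__":
    for ip, decoded, backdoor in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: system={decoded!r} backdoor_account={backdoor}")
```

Any hit from an internet-facing address is a strong signal that the device is exposed and should be taken offline, as the bulletin advises.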
The NAS device models affected by CVE-2024-3273 are not specified in the original article. However, according to network scans, over 92,000 such devices are exposed online and vulnerable to attacks via these flaws.
Upon reaching out to D-Link about the vulnerability and the possibility of a patch release, the company responded that these NAS devices have reached their end of life (EOL) and are no longer supported. A spokesperson stated, 'All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported.' D-Link recommends that users retire these products and replace them with devices that receive firmware updates.
The affected devices lack automatic online updating capabilities or customer outreach features to deliver notifications, unlike current models. Therefore, D-Link has limited its response to publishing a security bulletin to raise awareness about the flaw and the need to immediately retire or replace the affected devices. D-Link has also established a dedicated support page for legacy devices, where device owners can find the most recent security and firmware updates.
Despite these devices reaching their end of life, users who continue to run this outdated hardware should apply the latest available updates, even though these will not address newly discovered issues such as CVE-2024-3273. More importantly, NAS devices should not be exposed directly to the internet, as they are frequently targeted for data theft and ransomware attacks.