Critical RCE Vulnerability in 92,000 D-Link NAS Devices

Cyber attacks have become increasingly prevalent. This has caused significant adverse impacts on businesses of all sizes. According to the latest Ponemon Institute’s State of Cybersecurity Report, 66% of respondents reported experiencing a cyber attack within the last 12 months. This underscores the critical need for robust cybersecurity measures. It is across various domains such as network security, cloud systems, D-Link NAS devices, and more. 

Critical security flaws have been discovered in an unexpected 92000 D-Link NAS (Network-Attached Storage) device. This made them vulnerable to Remote Code Execution (RCE) attacks. This means that malicious actors can potentially take full control of compromised devices. Additionally, this jeopardized sensitive data and disrupted important processes. In this blog, we will look at the scope of the threat, how the vulnerability occurred, mitigating measures, the necessity of VAPT. We will also learn about how regular network security testing is critical for securing D-Link NAS devices.

Scope of the Threat

The vulnerabilities, identified as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), impacted legacy D-Link products that have reached their end-of-life (EoL) status. D-Link regrettably announced that they will not be issuing a patch. This left users with the unsettling choice of either replacing their NAS entirely or continuing with an unsecured device.

Thousands of D-Link NAS Devices Exposed to Attacks

A serious vulnerability in D-Link’s software makes approx 90000 NAS devices vulnerable to remote attacks. These devices, which include models DNS-340L, DNS-320L, DNS-327L, and DNS-325, are vulnerable due to a backdoor with hardcoded credentials and a command injection attack.

This collection of flaws allows attackers to steal important information, change system configurations, or completely disable the devices. There is no patch available since D-Link no longer supports these outdated devices. The recommended course of action is to replace the affected NAS devices.

How did this Vulnerability occur?

These vulnerabilities stem from flaws within the nas_sharing.cgi URI. Hackers exploited these flaws through:

• Hardcoded Credentials: A backdoor facilitated by pre-programmed login information within the device itself.
• Command Injection Vulnerability: Exploiting a system parameter to inject and execute malicious malware code on the NAS.

Successful exploitation granted attackers unrestricted access to:

Sensitive Data: This included personal files, financial information, and other confidential documents stored on the NAS.

System Manipulation: Hackers could modify the configurations, install malware, or disrupt NAS functionality entirely.

Denial-of-Service (DoS): Attackers can render the NAS inaccessible to legitimate users, causing significant downtime and disruption.

How to Mitigate the Risk of NAS Vulnerability?

If you are using a vulnerable D-Link NAS device, here’s what you should do immediately:

Disconnect the NAS from the internet: This severs the primary attack vector for these vulnerabilities.

Back up your Sensitive Data: While this won’t prevent an attack, it ensures you have a copy of your data in case the NAS is compromised.
Consider Replacing the NAS: Due to the lack of a security patch, replacing the device with a more up-to-date model is the most secure option.

Importance of Vulnerability Scanning in NAS Devices

The significant RCE vulnerabilities indicated in D-Link NAS devices emphasize the need for vulnerability scanning and network security testing, especially for network-attached storage (NAS) systems. These vulnerabilities (CVE-2024-3272 & CVE-2024-3273) targeted legacy D-Link NAS devices, which are appealing among attackers due to their widespread use. This emphasizes the importance of regular network security testing.

These vulnerabilities arise from defects in the nas_sharing.cgi URI, showing how attackers can exploit gaps in NAS devices. This is consistent with the concept of vulnerability scans, which identify security flaws in routers and web application frameworks because both NAS devices and routers are network-connected components.

By including vulnerability scanning in your security approach, you may proactively identify comparable flaws in your NAS systems before they are exploited. Regular vulnerability scans can help prevent incidents like the D-Link NAS breach, protecting your sensitive data and ensuring the smooth operation of your NAS devices.

Why Regular Network Security Testing is Crucial?

In the case of D-Link NAS devices, regular network security testing could have identified these vulnerabilities before they were publicly known. This allowed users to take preventative measures. The recent critical RCE vulnerabilities discovered in legacy D-Link NAS devices serve as a reminder of the importance of regular network security testing. These vulnerabilities (CVE-2024-3272 & CVE-2024-3273) left a staggering 92,000 devices susceptible to complete takeover by malicious actors.

Here’s why Regular Network Security Testing is vital for D-Link NAS security:

End-of-Life (EOL) Status: D-Link won’t issue security patches for these affected models, leaving them chronically vulnerable to future exploits.

Limited Mitigation Options: Disconnecting the NAS from the internet hinders its core functionality. Regular testing can help identify alternative security measures before vulnerabilities are discovered.

Hidden Flaws: Unpatched vulnerabilities often remain undetected. Pentesting exposes these flaws before attackers can exploit them.

Proactive Defense: Regular pentesting(VAPT) allows you to identify and address security gaps before a breach occurs, preventing data loss, operational disruptions, and financial repercussions.

In the case of D-Link NAS devices, regular penetration testing could have identified these vulnerabilities before they were publicly known, allowing users to take preventative action. By incorporating vulnerability scanning into your security strategy, you can proactively safeguard your NAS devices and the sensitive data they store.

Securing Your Network Devices with Kratikal

Kratikal, a CERT-In empaneled auditor, provides network and cloud security services. Our comprehensive Vulnerability Assessment and Penetration Testing (VAPT) services empower you to proactively identify and address security flaws before they can be exploited. Our team of security experts will:

• Conduct a thorough VAPT assessment of your networks and NAS devices, pinpointing potential vulnerabilities.

• Provide remediation strategies to address identified vulnerabilities, including patching, configuration adjustments, or replacement recommendations.

• Implement robust network and cloud security measures to secure your data and infrastructure from evolving cyber threats.

Don’t wait until it’s too late – secure your network devices today with network security testing!

Reference Source: https://www.keepersecurity.com/ponemon2020.html

FAQ

About The Author