Network Security, Vulnerability Management, IoT

D-Link NAS device vulnerabilities exploited – no patch available


Two vulnerabilities in D-Link network-attached storage (NAS) devices are being actively exploited, with no patches available due to the end-of-life (EOL) status of the affected products.

The bugs, tracked as CVE-2024-3273 and CVE-2024-3274, were discovered by an individual known as “netsecfish,” who published an explanation and proof-of-concept (PoC) exploit for the vulnerabilities on GitHub.

CVE-2024-3274 is described as a hardcoded “backdoor account” in the devices with the username “messagebus” and no password required, which could be used by an attacker to gain unauthorized remote access. CVE-2024-3273 is a command injection vulnerability that allows an attacker to execute arbitrary base64-encoded commands on the devices.

Chained together in an HTTP GET request to a device’s “nas_sharing.cgi” common gateway interface script, which would include the “messagebus” username parameter, an empty password parameter and a base64-encoded command as the “system” parameter, the vulnerabilities can lead to the compromise of sensitive data, modification of system configuration and a denial-of-service (DoS).
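Because no patch exists, detection is the practical control for anyone still running one of these devices behind a reverse proxy or logging web-server traffic. The script below is an added example, not code from the article, netsecfish or D-Link: it scans constructed web-server access-log lines for the request shape described above (a GET to nas_sharing.cgi carrying the “messagebus” username, an empty password and a base64-encoded “system” parameter) and decodes the “system” value for triage. The script’s location under /cgi-bin/ and the parameter names `user` and `passwd` are assumptions; the sample log lines and the base64 value (the placeholder string “PLACEHOLDER”) are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Combined Log Format; not real traffic.
# The first line mirrors the request shape from the article. Its "system" value
# is the base64 of the placeholder string "PLACEHOLDER", not a real command.
# Parameter names "user"/"passwd" and the /cgi-bin/ path are assumptions.
PLACEHOLDER_B64 = base64.b64encode(b"PLACEHOLDER").decode()
SAMPLE_LOG = (
    f'198.51.100.7 - - [09/Apr/2024:18:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi'
    f'?user=messagebus&passwd=&system={PLACEHOLDER_B64} HTTP/1.1" 200 512 "-" "curl/8.4.0"\n'
    '192.0.2.10 - - [09/Apr/2024:18:00:05 +0000] "GET /cgi-bin/status.cgi?view=disk '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    '203.0.113.4 - - [09/Apr/2024:18:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=admin&passwd=secret HTTP/1.1" 403 128 "-" "Mozilla/5.0"\n'
)

# Minimal Combined Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_base64(value: str) -> bool:
    """True if value is well-formed base64 (strict alphabet and padding)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def detect(line: str):
    """Return a finding dict for one log line, or None if it is not suspicious.

    A request is flagged when it targets nas_sharing.cgi and carries at least
    one indicator: the "messagebus" account (CVE-2024-3274), an empty password,
    or a base64-encoded "system" parameter (CVE-2024-3273).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/nas_sharing.cgi"):
        return None
    # keep_blank_values keeps "passwd=" so an empty password is observable.
    # Note: parse_qs turns a literal "+" into a space, so base64 values that
    # were not percent-encoded may fail the strict check; that is intentional.
    query = parse_qs(parts.query, keep_blank_values=True)

    indicators = []
    if query.get("user", [None])[0] == "messagebus":
        indicators.append("hardcoded-account")
    if "passwd" in query and query["passwd"][0] == "":
        indicators.append("empty-password")
    system = query.get("system", [None])[0]
    decoded = None
    if system is not None and is_base64(system):
        indicators.append("base64-system-param")
        decoded = base64.b64decode(system).decode("utf-8", errors="replace")
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "indicators": indicators,
        "decoded_system": decoded,
    }


def scan(log_text: str):
    """Run detect() over every line of a log and return the findings."""
    return [hit for hit in (detect(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `200` status on a flagged request is the case worth escalating: it means the device answered the unauthenticated “messagebus” request rather than rejecting it, and the decoded “system” value tells you what was run. Feed real logs through `scan()` line by line; the regex assumes Combined Log Format, so adjust `LOG_RE` for other layouts.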

The flaws impact the DNS-340L, DNS-320L, DNS-327L and DNS-325 NAS models, “among others,” according to netsecfish. In an advisory, D-Link listed these same models as being affected, and recommended users discontinue use of the products as they are no longer supported or receiving updates. The DNS-325 reached EOL in 2017, the DNS-340L in 2019 and the DNS-320L and DNS-327L in 2020.

A D-Link spokesperson told SC Media that all of its consumer storage products have reached EOL and end-of-service (EOS) and that it recommends retiring all of these products, but did not say whether any models other than the four listed were affected by CVE-2024-3273/CVE-2024-3274.

Netsecfish estimated more than 92,000 vulnerable D-Link NAS devices were exposed to the internet, based on a FOFA search performed on March 26.

Active exploitation of the D-Link NAS vulnerabilities was first detected on April 7 by GreyNoise, when one known malicious IP was spotted attempting remote code execution (RCE). So far, three IPs tagged as malicious by GreyNoise have attempted to exploit the bugs. A 24-hour view of GreyNoise’s CVE-2024-3273 dashboard shows a spike in attempts Tuesday afternoon, with 47 unique IPs detected at 18:00 UTC.

Shadowserver also began detecting scans and exploitations of the D-Link flaws from “multiple IPs” on Monday.

D-Link device vulnerabilities are frequently exploited to recruit devices into botnets, such as Mirai, Zerobot and Moobot. There are currently 16 D-Link vulnerabilities listed in the U.S. Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.

D-Link, which is based in Taiwan, also suffered a data breach last fall due to a compromise of a test lab system running EOL software and successful phishing of a D-Link employee. Data from the company, allegedly including “3 million lines” of customer information and the source code of the D-View network management software, were advertised for sale on a cybercrime forum on Oct. 1, 2023.

D-Link stated that only about 700 records were compromised and that the records mostly “consisted of low-sensitivity and semi-public information.”
