Organizations using D-Link network attached storage (NAS) hardware should check their devices following the disclosure of a security vulnerability.
A command injection flaw designated CVE-2024-10914 could potentially allow an attacker to remotely hijack network-connected storage boxes and take total control to either access stored data or use the device as a springboard to break into other systems on the local network.
The vulnerability has been given a CVSS score of 9.2, marking it as a critical security risk. The affected units are the DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Versions 1.01 and 1.02, and DNS-340L Version 1.08.
According to NetSecFish, the researchers who found and reported the vulnerability, the flaw is down to the way certain D-Link devices handle CGI commands that are sent via HTTP GET requests.
“Specifically, the vulnerability exists in the handling of the name parameter used within the CGI script cgi_user_add command,” NetSecFish explained.
“This flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests, affecting over 61,000 devices on the Internet.”
In short, a threat actor could send the vulnerable NAS device a GET request that carries arbitrary shell commands inside the “name” parameter; because the device fails to properly validate that input, it would then execute those instructions, resulting in remote code execution, or as some people prefer to put it, “total pwnage.”
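For administrators who cannot retire the units immediately, one defensive step is to triage the NAS web-server access log for cgi_user_add requests whose “name” value does not look like a legitimate user name. The script below is an added example and not code from NetSecFish or D-Link; it assumes a combined-format access log, that the request carries `cmd=cgi_user_add` and `name=` as query parameters, and uses a placeholder CGI path and constructed log lines.

```python
"""Flag NAS access-log lines whose cgi_user_add 'name' parameter fails a strict
allowlist (defender-side log triage). Assumptions, not from the advisory:
combined log format, query parameters cmd=cgi_user_add and name=..., and a
placeholder CGI path in the constructed sample lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that belong in a shell command line, never in a NAS user name.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
# Assumed shape of a legitimate user name: short, alphanumeric plus _ . -
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Apache/nginx combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(target: str):
    """Classify one request target.
    Returns (None, None) if it is not a cgi_user_add call, otherwise
    ('ok', name) or ('suspicious', name) when name fails the allowlist."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "cgi_user_add" not in qs.get("cmd", []):
        return None, None
    name = qs.get("name", [""])[0]          # parse_qs already URL-decodes
    if VALID_NAME.fullmatch(name) and not SHELL_META.search(name):
        return "ok", name
    return "suspicious", name               # empty or metacharacter-laden name

def scan_log(lines):
    """Return [(ip, timestamp, name)] for every suspicious cgi_user_add request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line
        verdict, name = inspect_request(m.group("target"))
        if verdict == "suspicious":
            hits.append((m.group("ip"), m.group("ts"), name))
    return hits

# Constructed sample log lines; /cgi-bin/example.cgi is a placeholder path.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Nov/2024:10:01:02 +0000] "GET /cgi-bin/example.cgi?cmd=cgi_user_add&name=alice&pw=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Nov/2024:10:01:05 +0000] "GET /cgi-bin/example.cgi?cmd=cgi_user_add&name=bob%3Buname%20-a HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Nov/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, name in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious cgi_user_add name={name!r}")
```

Any hit is a reason to confirm the device is isolated and to review what it did next, since the advisory describes the injected commands running with the CGI handler's privileges.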
Fortunately, NIST says that while the vulnerability can be remotely targeted, actually pulling off a successful exploit is difficult, meaning a simple drive-by exploit attempt would likely not result in said pwnage.
Further complicating matters, the vulnerable devices are all considered by D-Link to be obsolete hardware. D-Link lists the vulnerable units as being end-of-service or end-of-life and advises organizations to phase them out in favor of newer storage units sold by D-Link.
“From time to time, D-Link decides that some of its products have reached the End of Support (“EOS”) or End of Life (“EOL”),” the vendor said.
“D-Link may choose to use EOS/EOL as a product due to technological evolution, market demands, innovations, and efficiencies based on the latest technologies, or the product may mature over time.”
This will likely be of little solace to organizations that still rely on those units and will have to make do with vulnerable hardware between now and migration. NetSecFish recommends that administrators minimize network access to the NAS hardware in order to limit the scope of a possible attack.