D-Link will not patch newly exploited NAS vulnerabilities

92,000 devices vulnerable

Vulnerabilities in D-Link network-attached storage devices which were discovered a fortnight ago are now being exploited.

Hackers have already started to exploit a pair of newly discovered vulnerabilities to remotely take control of the D-Link NAS devices, researchers said yesterday.

The problem affects around 92,000 D-Link devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325.

The vulnerabilities lie in the CGI script. The first is a backdoor tracked as CVE-2024-3272 and is rated 9.8 out of a possible 10 in terms of severity. The second flaw is a command-injection tracked as CVE-2024-3273 and is rated 7.3. It can be activated via HTTP.

The vulnerabilities together allow attackers to remotely access devices and execute arbitrary commands on the system via HTTP. This can lead wherever an attacker wants it to – access to data, system configuration modifications are a denial-of-service attack.

The researcher has gone public with the threat because D-Link have stated that they won't patch the vulnerabilities given that they are end-of-life and therefore no longer supported anyway.

Active attempts to exploit the vulnerabilities began over the weekend. Multiple security researchers spotted seeing scanning and attempts to download malware on vulnerable devices.

Of course, the optimal course of action is to make sure that hardware doesn't fall out of support, but in the real world this isn't always possible. Users should at least ensure they are running the last known firmware.

Another option is to disable UPnP and connections from remote web addresses unless absolutely critical.

The Taiwanese networking equipment manufacturer also disclosed a data breach last Autumn, but stated that it was old, inactive accounts that were exposed and that the attackers tampered with timestamps to exaggerate the recency and impact of their activity.