Man
Professional
Forgotten devices turn into easy prey for cybercriminals.
More than 60,000 D-Link storage devices that have reached the end of their life cycle (EoL) have been exposed to security flaws such as Command Injection. The vulnerability, designated CVE-2024-10914, has a critical CVSS score of 9.2 and is due to insufficient cleanup of the name parameter in the "cgi_user_add" command.
An unauthorized attacker could exploit this vulnerability to execute arbitrary commands by sending specially crafted HTTP requests to devices. The vulnerability affects several D-Link NAS models popular with small businesses: DNS-320 (version 1.00), DNS-320LW (version 1.01.0914.2012), DNS-325 (versions 1.01 and 1.02), and DNS-340L (version 1.08).
A cybersecurity researcher at Netsecfish has published details on how to exploit this vulnerability. To do this, you need to send a special HTTP request to the NAS device with malicious commands embedded in the name parameter. An example of the cURL command demonstrating the operation process is also provided by the researcher.
In its analysis, Netsecfish detected more than 61,000 vulnerable D-Link devices on 41,097 unique IP addresses. As a result, a huge amount of data on all these devices was at risk due to the presence of public access.
In a recent security bulletin, D-Link confirmed that there are no plans to patch CVE-2024-10914 and recommended that users either take devices out of service or limit their access from the internet.
In April of this year, the same researcher identified a similar vulnerability – CVE-2024-3273 – related to Command Injection and a built-in backdoor, affecting the same D-Link NAS models. At that time, the results of online scans showed more than 92,000 vulnerable devices. D-Link has previously confirmed that it has discontinued NAS devices and will not provide further support for them.
Source
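The flaw described above is a classic pattern: an HTTP parameter (`name`) reaches a shell without adequate sanitization. The following Python is an added illustration written for this thread, not code from the post, from the researcher, or from D-Link's firmware. It shows the two defender-side checks that matter for this class of bug: an allowlist validator with argv-style command construction (what "sufficient sanitization" of `name` would look like on the handler side), and a scanner that flags `cgi_user_add` requests in access logs whose `name` parameter carries shell metacharacters, including double-encoded ones. The CGI path, the `cmd` query parameter, the `useradd` argv and the log lines are all constructed assumptions; only `cgi_user_add` and `name` come from the article.

```python
"""Added example: allowlist validation and log detection for a command-injection
pattern in a CGI 'name' parameter. Not D-Link's code; paths and logs are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value break out of a shell command line.
SHELL_METACHARS = set(";|&`$()<>\n\r'\"\\")

# Allowlist for a plain account name. Assumption: a NAS user-creation handler
# needs nothing beyond this; the real firmware's rules are not public here.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_safe_name(name: str) -> bool:
    """Allowlist check: True only for a plain account name."""
    return bool(SAFE_NAME.match(name))


def build_useradd_argv(name: str) -> list:
    """Hardened handler side (illustrative): validate first, then pass the value
    as a discrete argv element so no shell ever parses it."""
    if not is_safe_name(name):
        raise ValueError("rejected account name")
    return ["useradd", "--", name]


def classify_request(request_line: str) -> dict:
    """Inspect one 'METHOD /path?query HTTP/x' line. Requests that invoke
    cgi_user_add are flagged when 'name' would fail the allowlist."""
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0]
    parts = urlsplit(target)
    verdict = {"method": method, "path": parts.path, "name": None,
               "suspicious": False, "reason": ""}
    if "cgi_user_add" not in target:
        return verdict
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("name", []):
        name = unquote(raw)  # second decode catches double-encoded payloads
        verdict["name"] = name
        bad = sorted(SHELL_METACHARS & set(name))
        if bad:
            verdict.update(suspicious=True,
                           reason=f"shell metacharacters {bad!r} in name")
            break
        if not is_safe_name(name):
            verdict.update(suspicious=True, reason="name fails allowlist")
            break
    return verdict


def scan_requests(lines) -> list:
    """Return the verdicts for every flagged request line."""
    return [v for v in map(classify_request, lines) if v["suspicious"]]


# Constructed request lines; the CGI path is a placeholder, not D-Link's real one.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=alice&pw=x HTTP/1.1",
    "GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=bob%3Bid&pw=x HTTP/1.1",
    "GET /cgi-bin/placeholder.cgi?cmd=cgi_user_add&name=%2560id%2560 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['method']} {hit['path']} name={hit['name']!r}: {hit['reason']}")
```

Run it against real access logs by feeding request lines into `scan_requests`; the point of the second `unquote` is that a single URL decode, which is all `parse_qs` performs, misses payloads that were percent-encoded twice. Given that the vendor will not ship a patch, this kind of log check plus removing the devices from internet exposure is the practical defensive posture.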