92K D-Link NAS Devices Open to Critical Command-Injection Bug

The company is asking users to retire several network-attached storage (NAS) models to avoid compromise through a publicly available exploit that results in backdooring.

Lines of code on a screen with the word "exploit" magnified by a circle-shaped glass
Source: Tiny Ivan via Alamy Stock Photo

A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to backdoor the device and gain access to sensitive information, among other nefarious activities.

More than 92,000 devices currently connected to the Internet are affected by a flaw tracked as CVE-2024-3273 in D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, according to D-Link. As a result, the company is asking customers to sunset any and all affected devices, which will remain vulnerable as the devices no longer receive updates or support from the vendor.

A researcher who goes by the online name "netsecfish" identified the flaw and detailed it on GitHub and subsequently informed D-Link about it, which released its own advisory. The researcher also released an exploit for the flaw, in which attackers already are showing interest, according to a post on X (formerly Twitter) by Shadowserver.

"We have started to see scans/exploits from multiple IPs for CVE-2024-3273," according to the post. "This involves chaining of a backdoor and command injection to achieve RCE."

Flaws in NAS devices are serious business, as exploiting them has great potential to affect not only the device itself but myriad devices that connect to it, posing a dangerous threat that can expose enterprise networks to risk.

Data Theft, Denial of Service & More

The vulnerability exists in the nas_sharing.cgi CGI script, leading to backdooring through username and password exposure as well as command injection through the system parameter, explained netsecfish.

"Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler," according to the listing for the flaw in the National Institute of Standards and Technology's (NIST's) National Vulnerability Database. "The manipulation of the argument system leads to command injection."

To get more granular, in terms of username and password exposure, the problem lies in the request, which "includes parameters for a username (user=messagebus) and an empty password field (passwd=)," according to netsecfish. "This indicates a backdoor allowing unauthorized access without proper authentication."

For command injection, attackers can exploit the "system" parameter within the request, "which carries a base64 encoded value that, when decoded, appears to be a command," according to netsecfish.

Attackers can chain the two issues together to obtain arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service.

Netsecfish's exploit entails crafting malicious HTTP requests by preparing an HTTP GET request–GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64_ENCODED_COMMAND_TO_BE_EXECUTED>–targeting the /cgi-bin/nas_sharing.cgi endpoint.

A report published last year found that companies in every industry continue to leave backup and storage platforms unsecured, making it crucial for them to ensure cybercriminals can't exploit vulnerable ones to enter corporate networks.

With no forthcoming patch for CVE-2024-3273, the only true remedy is not to use affected devices at all, so anyone with one still connected to a network should retire and replace the product immediately, according to D-Link. A complete list of devices can be found in D-Link's advisory.

Indeed, the company remained adamant that it has no plans to support or update the affected products as per its typical device EOL strategy. "Regardless of product type or sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," according to D-Link.

If consumers in the US continue to use the device against the company's recommendation, they should "please make sure the device has the last know firmware," which can be located on a Legacy Website links included in the advisory, according to D-Link.

Anyone who wants to continue using the device also should ensure frequent updating of the device's unique password to access its Web configuration, as well enable Wi-Fi encryption with a unique password.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights