
No Fix Coming for Critical D-Link Vulnerability

12/11/2024
By Laura Libeer

 TL;DR | Go Straight to the D-Link Vulnerability Audit Report

In an advisory released last week, D-Link has confirmed that they will not be issuing any fixes for a critical vulnerability affecting over 60,000 NAS devices. The affected devices are all past their end-of-life date and will thus no longer receive any updates or fixes, as per D-Link’s policy. It concerns a command injection vulnerability that already has a publicly available exploit. D-Link advises anyone still using any of the affected products to retire and replace them as soon as possible.

D-Link Vulnerability CVE-2024-10914 

The vulnerability tracked as CVE-2024-10914 is a command injection vulnerability with a critical CVSS score of 9.2. It occurs in the cgi_user_add command. The script does not adequately sanitize the name parameter, allowing command execution. A malicious actor could use this to inject arbitrary shell commands by sending specially crafted HTTP GET requests to an affected device. This could in turn result in privilege escalation that could put connected devices at risk. You can read more in D-Link’s security bulletin.
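For anyone who still has one of these devices behind a reverse proxy or firewall that logs HTTP requests, the sketch below flags GET requests that invoke cgi_user_add with a name value no ordinary username would contain. It is an added example, not code from D-Link or Lansweeper. It assumes combined-format access logs, that the command name arrives as the value of some query parameter, and a conservative username character set; the log lines and the PLACEHOLDER path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate account name is short and uses only these characters.
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9._-]{1,32}')

def classify(line):
    """Return 'suspicious', 'user_add' or None for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are seen in clear.
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    # Assumption: the command name is the value of some query parameter.
    if not any("cgi_user_add" in vals for vals in params.values()):
        return None
    names = params.get("name", [])
    if all(SAFE_NAME_RE.fullmatch(n) for n in names):
        return "user_add"      # still worth reviewing on an exposed NAS
    return "suspicious"        # name carries characters a username never needs

def scan(lines):
    """Yield (client_ip, verdict, line) for every cgi_user_add request."""
    for line in lines:
        verdict = classify(line)
        if verdict:
            yield line.split(" ", 1)[0], verdict, line

# Constructed sample log lines; PLACEHOLDER stands in for values not given on the page.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2024:10:00:01 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 120',
    '203.0.113.7 - - [12/Nov/2024:10:02:13 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=alice%3BPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Nov/2024:10:02:15 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?cmd=cgi_user_add&name=bob%7CPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Nov/2024:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:10} {ip}  {line}")
```

Any hit from an address outside the management network is a reason to pull the device offline and review it, since no firmware fix exists for these models.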

No Fix Is Coming

While it concerns a critical vulnerability, it only affects devices that have already reached their end of life or end of support. As per D-Link’s policy, these devices will not receive any updates or security fixes, despite the fact that some of these devices are still widely used. Over 60,000 network-attached storage devices are estimated to be vulnerable. The affected models are:

  • DNS-320 Version 1.00
  • DNS-320LW Version 1.01.0914.2012
  • DNS-325 Version 1.01, Version 1.02
  • DNS-340L Version 1.08

In their bulletin, D-Link advises its users to retire any vulnerable NAS products, as further use could put connected devices at risk. If that is not immediately possible, you should at the very least make sure that the device has the latest version of its firmware and isolate it from the public internet or place it under stricter access conditions.

Discover Vulnerable D-Link NAS Devices

We have added a new report to Lansweeper to help you find any vulnerable D-Link devices in your network. This will give you an actionable list of devices that are at risk and you can go to work removing them from your network. You can get the report via the link below.