A number of D-Link NAS devices are vulnerable to arbitrary command injection attacks, according to a recent disclosure, prompting warnings from security experts.
A security researcher going by the handle Netsecfish published an analysis of the attack chain and the risk to businesses on GitHub in early April 2024. Netsecfish's research found more than 92,000 affected NAS devices exposed to the public internet.
Rated 7.3 on the CVSS scale, the vulnerability combines hardcoded credentials, which provide a backdoor account on the device, with a command injection flaw through which arbitrary commands can be executed on the target system.
The flaw lives in the 'nas_sharing.cgi' URI handler. According to Netsecfish, the backdoor account gives an attacker access without proper authentication, and the combined flaws could result in serious security breaches.
“Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, which could lead to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions,” Netsecfish wrote.
D-Link has since confirmed the flaws, noting that they are limited to a specific set of devices that have reached the end of their life cycle and no longer receive security patches.
In a security advisory acknowledging the flaws, D-Link said that the NAS models DNS-340L, DNS-320L and DNS-325 have reached end of support or end of life.
As a result, D-Link customers running any of the affected products face a choice between replacing their NAS devices and risking attackers exploiting the weakness to compromise their network.
The networking hardware vendor has created a dedicated support page where customers can get help mitigating the potential damage these vulnerabilities could do to their businesses.
D-Link NAS device flaws could impact unprepared businesses
Speaking to ITPro, Pieter Arntz, malware intelligence researcher at Malwarebytes, warned that this combination of vulnerabilities, together with the lack of ongoing security updates, could pose a danger to unprepared organizations.
“It seems like this could have a big impact for several reasons. First of all, because no patch is expected since the devices are at the end of their useful life and because a PoC is available,” he said. “Second, given the large number of exposed devices and no login details needed due to hardcoded credentials, the option to run code on the device could provide an entry into the network.”
Arntz said the first thing companies should do is ensure that these devices are no longer exposed to the public internet, and he emphasized the importance of reducing the number of opportunities attackers can choose to exploit.
The particular risk associated with vulnerabilities of this nature, according to Arntz, is that threat actors can use lists of hardcoded credentials available online to bypass authentication with relative ease.
D-Link NAS device failures could impact unprepared businesses
speaking to ITProPieter Arntz, malware intelligence researcher at Malwarebytes, warned that this combination of vulnerabilities, as well as the lack of continuous security updates, could pose a danger to unprepared organizations.
“It seems like this could have a big impact for several reasons. First of all, because no patch is expected since the devices are at the end of their useful life and because a PoS is available,” he said. “Second, given the large number of exposed devices and no login details needed due to encrypted credentials, the option to run code on the device could provide an entry into the network.”
Arntz said the first thing companies should do is ensure that these devices are no longer exposed to the public Internet, and he emphasized the importance of reducing the large number of opportunities that attackers can choose to exploit.
The particular risk associated with vulnerabilities of this nature, according to Arntz, is that threat actors can use lists of encrypted credentials available online to potentially bypass authentication systems with relative ease.
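As a first incident-response step toward the exposure advice above, the following is an added example (not Netsecfish's research code and nothing from D-Link) that triages web access logs for requests to the nas_sharing.cgi handler named in the disclosure and marks which of them came from outside the trusted networks. The log lines are constructed for the example, the RFC 1918 trust boundary is an assumption to adjust to your own addressing, and the query strings are placeholders; the page does not give the vulnerable parameters, so the script flags by request path only and leaves judging each request to the analyst.

```python
"""Triage web access logs for requests to the nas_sharing.cgi handler."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Handler named in the disclosure; any request to it is worth reviewing because
# the backdoor account means no valid login is needed to reach it.
VULNERABLE_HANDLER = "nas_sharing.cgi"

# Assumption: the organisation's internal trust boundary is RFC 1918 space plus
# loopback. Adjust to your own addressing plan; anything else is treated as
# "reached from outside" for triage purposes.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed Common Log Format lines for this example (not real traffic).
# Source addresses use RFC 1918 and RFC 5737 documentation ranges; the query
# string is a placeholder, not the vulnerable parameter.
SAMPLE_LOG = """\
192.168.1.23 - - [05/Apr/2024:09:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?dbg=1 HTTP/1.1" 200 512
203.0.113.77 - - [05/Apr/2024:09:13:44 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 240
198.51.100.9 - - [05/Apr/2024:09:14:10 +0000] "GET /cgi-bin/login_mgr.cgi HTTP/1.1" 200 1300
203.0.113.77 - - [05/Apr/2024:09:14:12 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 88
10.0.0.5 - - [05/Apr/2024:09:15:00 +0000] "GET /web/home.html HTTP/1.1" 200 4000
garbage line that does not parse
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int
    external: bool


def is_external(src: str) -> bool:
    """True if the source address lies outside the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparsable source: treat as untrusted rather than ignore it
    return not any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per request whose path ends in the vulnerable handler."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = urlsplit(m["target"]).path  # drop the query string before matching
        if path.rsplit("/", 1)[-1] != VULNERABLE_HANDLER:
            continue
        findings.append(Finding(
            ts=m["ts"], src=m["src"], method=m["method"], path=path,
            status=int(m["status"]), external=is_external(m["src"]),
        ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, tuple[int, bool]]:
    """Map each source address to (hit count, reached from outside?)."""
    summary: dict[str, tuple[int, bool]] = {}
    for f in findings:
        count, _ = summary.get(f.src, (0, f.external))
        summary[f.src] = (count + 1, f.external)
    return summary


if __name__ == "__main__":
    for src, (count, external) in summarize(triage(SAMPLE_LOG)).items():
        flag = "EXTERNAL" if external else "internal"
        print(f"{src:16} {count} hit(s) on {VULNERABLE_HANDLER}  [{flag}]")
```

Run it over the NAS's own web logs or, better, over a reverse proxy or firewall log that sits in front of the device, since logs on a compromised unit may have been altered. Any external hit on an end-of-life unit is reason to follow the advice in the quotes below: take the device off the internet and assume the credentials it held are compromised.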
“The urgent advice, especially for organizations, would be to disconnect them, or at least stop connecting them to the Internet, and assume that all credentials stored on the device are compromised. Employee credentials, or even network administrator credentials, could provide an entry point for ransomware actors,” he explained.
“There are lists of hardcoded device credentials online and you should assume that if your device comes with a standard default password, cybercriminals can find your device and already know what the password is.”