Thursday September 19, 2024

Advisory ID: ngCERT-2024-0010

Summary: 

A threat researcher disclosed an arbitrary command injection vulnerability and a backdoor (hardcoded account) flaw in four legacy D-Link NAS models that can be exploited to compromise internet-facing devices. Reports further indicate that over 92,000 exposed devices worldwide are affected. Attackers could exploit these flaws to execute arbitrary commands, alter the system configuration or cause a Denial of Service (DoS), and to gain access to sensitive information on the affected system. 

Damage/Probability: CRITICAL/HIGH

Platform(s): D-Link NAS devices DNS-320L, DNS-325, DNS-327L and DNS-340L (CVE-2024-3273)

Description: 

The flaws are a backdoor in the form of a hardcoded account (username "messagebus" with an empty password, tracked separately as CVE-2024-3272) and a command injection through the "system" parameter (CVE-2024-3273). Both sit in the nas_sharing.cgi (Common Gateway Interface) script. An attacker crafts an HTTP request to nas_sharing.cgi that carries user=messagebus and an empty passwd= value; because the account is built into the firmware, the request is accepted without any valid credential. The same request carries a base64-encoded command in the "system" parameter, which the script decodes and runs on the device; the HTTP response returns the decoded system parameter value sent in the request. Chained together, the two flaws let any unauthenticated remote attacker execute commands on the device, alter its configuration or cause a denial of service. Some of the device models impacted are:

  • DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
  • DNS-325 Version 1.01
  • DNS-327L Version 1.09, Version 1.00.0409.2013
  • DNS-340L Version 1.08
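As an added example (not part of the ngCERT advisory and not D-Link code), the following Python script shows how a SOC could hunt for the request pattern described above in web-server access logs: requests to nas_sharing.cgi that carry the hardcoded messagebus account with an empty passwd value, or a base64-encoded "system" parameter. The log lines are constructed for the example, the /cgi-bin/ path prefix is an assumption, and the source addresses are taken from documentation ranges.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 1 and 4: hardcoded account + base64 command ("id", "uname -a").
# Line 2: a "system" parameter sent with ordinary credentials ("ls").
# Line 3: unrelated benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2024:10:12:01 +0100] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 512
192.0.2.44 - - [19/Sep/2024:10:12:05 +0100] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=hunter2&system=bHM= HTTP/1.1" 200 88
198.51.100.9 - - [19/Sep/2024:10:13:40 +0100] "GET /web/login.html HTTP/1.1" 200 2048
203.0.113.7 - - [19/Sep/2024:10:14:22 +0100] "POST /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=dW5hbWUgLWE= HTTP/1.1" 200 640
"""

# Minimal CLF parser: source, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_system_param(value):
    """Decode the base64 'system' parameter; return None if it is not valid base64.
    Note: parse_qs already percent-decodes the value, and turns '+' into a space,
    so a payload sent with a literal '+' would need the raw query to decode."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def classify_request(target):
    """Return a finding dict for a suspicious nas_sharing.cgi request, else None.
    A request is flagged when it uses the hardcoded messagebus account with an
    empty passwd, or when it carries a 'system' parameter at all."""
    parts = urlsplit(target)
    if not parts.path.endswith("/nas_sharing.cgi"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    user = qs.get("user", [""])[0]
    passwd = qs.get("passwd", [""])[0]
    system = qs.get("system", [None])[0]
    backdoor = user == "messagebus" and passwd == ""
    if not backdoor and system is None:
        return None
    return {
        "backdoor_account": backdoor,
        "system_param": system,
        "decoded_command": decode_system_param(system) if system is not None else None,
    }


def scan_log(text):
    """Run classify_request over every parseable log line; return the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(src=m.group("src"), ts=m.group("ts"), method=m.group("method"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # repr() so an attacker-controlled command cannot smuggle terminal escapes
        print(f"{f['ts']} {f['src']} {f['method']} backdoor={f['backdoor_account']} "
              f"command={f['decoded_command']!r}")
```

Feed the script a real access log instead of SAMPLE_LOG to triage an exposed device; any hit with backdoor=True is a credential-free attempt and the decoded command tells you what the attacker tried to run.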

Consequences: 

Successful exploitation of these vulnerabilities could lead to the following:

  • Unauthorized access to sensitive information.
  • Data exfiltration.
  • Modification of system configurations.
  • Denial of Service (DoS).

Solution: 

There will be no patches for these flaws. They affect legacy D-Link products, all hardware revisions of which have reached their End of Life ("EOL")/End of Service Life ("EOS") life cycle. Products that have reached EOL/EOS no longer receive firmware updates or security patches and are no longer supported by D-Link. It is therefore recommended that:

  • D-Link devices that have reached EOL/EOS be retired and replaced.
  • If consumers continue to use these devices against D-Link's recommendation, ensure the device runs the last known firmware, which can be obtained from the D-Link Legacy Website (https://legacy.us.dlink.com/). Note that this firmware still contains the flaws; keeping the device off the internet is the only effective mitigation.
  • Frequently change the device's unique web-configuration password, and keep Wi-Fi encryption enabled with a unique password.
  • Do not expose the device's management interface to the internet.
  • Disable UPnP (Universal Plug and Play) and connections from remote Internet addresses unless they are absolutely necessary and correctly configured.

References: