
DIVD-2024-00049 - Vulnerabilities in D-Link NAS: Backdoor and Command Injection Exploits

Our reference DIVD-2024-00049
Case lead Koen Schagen
Author Stan Plasmeijer
Researcher(s)
  • Koen Schagen
CVE(s)
Products
  • D-Link NAS
Versions
  • DNS-120
  • DNR-202L
  • DNS-315L
  • DNS-320
  • DNS-320L
  • DNS-320LW
  • DNS-321
  • DNR-322L
  • DNS-323
  • DNS-325
  • DNS-326
  • DNS-327L
  • DNR-326
  • DNS-340L
  • DNS-343
  • DNS-345
  • DNS-726-4
  • DNS-1100-4
  • DNS-1200-05
  • DNS-1550-04
Recommendation Phase out the D-Link device or place it behind a VPN or an IP allowlist
Patch status None
Workaround None
Status Open
Last modified 02 Dec 2024 23:18 CET

Summary

Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username “messagebus,” does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the account_mgr.cgi URI, where the argument name can be manipulated to execute arbitrary shell commands. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more.

Recommendations

These vulnerabilities impact legacy D-Link products that have reached their end-of-life (“EOL”) or end-of-service-life (“EOS”) status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet.
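Added example, not part of the DIVD advisory or of any D-Link code: a log review for a reverse proxy placed in front of the NAS, flagging requests to account_mgr.cgi that come from outside the IP allowlist or carry unexpected characters in the argument. Assumptions: the proxy writes combined-format access logs, the argument is the query parameter called name, and the allowlist range, safe-character set and sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: networks allowed to reach the NAS management interface.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: legitimate account names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
# Combined log format: client ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed sample lines; addresses, paths and values are illustrative.
SAMPLE_LOG = [
    '10.20.0.15 - - [02/Dec/2024:10:00:01 +0100] "GET /account_mgr.cgi?name=backup_user HTTP/1.1" 200 312',
    '203.0.113.7 - - [02/Dec/2024:10:00:09 +0100] "GET /account_mgr.cgi?name=a%3Bb HTTP/1.1" 200 87',
    '198.51.100.9 - - [02/Dec/2024:10:01:30 +0100] "GET /account_mgr.cgi?name=alice HTTP/1.1" 200 312',
    '10.20.0.15 - - [02/Dec/2024:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 1024',
]

def client_allowed(client):
    """True if the client address is inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in ALLOWED_NETS)

def review_line(line):
    """Return findings for one access-log line (empty list if nothing to report)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, target = m.groups()
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "account_mgr.cgi":
        return []
    findings = []
    if not client_allowed(client):
        findings.append("client-outside-allowlist")
    # parse_qs percent-decodes values, so encoded metacharacters are seen too.
    names = parse_qs(parts.query).get("name", [])
    if any(not SAFE_NAME.fullmatch(v) for v in names):
        findings.append("unsafe-name-argument")
    return findings

def scan(lines):
    """Return (client, findings) for every line that produced a finding."""
    reviewed = ((line.split(" ", 1)[0], review_line(line)) for line in lines)
    return [(client, f) for client, f in reviewed if f]
```

An access log shows only the query string, so arguments sent in a request body need inspection at the proxy or WAF instead. Any client-outside-allowlist hit means the allowlist is not being enforced in front of the device.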

What we are doing

DIVD is currently working to identify parties that are running vulnerable D-Link NAS devices and to notify these parties.

Timeline

Date Description
02 Dec 2024 DIVD starts researching the vulnerability.
02 Dec 2024 DIVD finds fingerprint, preparing to scan.
02 Dec 2024 DIVD starts scanning the internet for vulnerable instances.
02 Dec 2024 DIVD starts notifying network owners with vulnerable devices in their network.

More information