Backdoor Account Found on Over 92,000 Exposed D-Link NAS Devices


New Flaw Disclosed in End-of-Life D-Link NAS Devices: Arbitrary Command Injection and Backdoor Account

A threat researcher known as 'Netsecfish' has uncovered a critical security vulnerability affecting several end-of-life D-Link Network Attached Storage (NAS) device models. The flaw, tracked as CVE-2024-3273, combines an arbitrary command injection with a hardcoded backdoor account, both located in the HTTP GET request handler of the '/cgi-bin/nas_sharing.cgi' script.

Key details of the vulnerability include:

  • Backdoor Account: The flaw includes a hardcoded account ('messagebus' with an empty password) that serves as a backdoor into the affected NAS devices.
  • Command Injection: Attackers can exploit the vulnerability by injecting base64-encoded commands into the "system" parameter via an HTTP GET request, allowing remote execution of arbitrary commands on the device.

Netsecfish warns that exploiting this vulnerability could lead to unauthorized access, modification of system settings, or denial of service.
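Because both issues surface in the same way, as an unauthenticated GET to '/cgi-bin/nas_sharing.cgi' carrying the 'messagebus' account and a base64 'system' parameter, a defender can spot attempts in web or proxy access logs. The detector below is an added example, not code from the advisory or from D-Link; the log lines are constructed, the 'user=' and 'passwd=' parameter names in them are assumptions, and the logic keys only on the script path, the 'messagebus' value and the 'system' parameter that the advisory names.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/cgi-bin/nas_sharing.cgi"   # script named in the advisory
BACKDOOR_USER = "messagebus"             # hardcoded account named in the advisory
CMD_PARAM = "system"                     # parameter that carries the base64 command

# Constructed sample lines in common log format (assumed 'user=' / 'passwd=' names).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2024:10:15:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 512
203.0.113.7 - - [07/Apr/2024:10:15:03 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=REDACTED HTTP/1.1" 200 300
198.51.100.4 - - [07/Apr/2024:10:16:00 +0000] "GET /cgi-bin/nas_sharing.cgi?system=not%20base64! HTTP/1.1" 500 0
192.0.2.9 - - [07/Apr/2024:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Extracts source address, method and request target from a common-log-format line.
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_b64_param(value: str) -> Optional[str]:
    """Decode a base64 query value for triage; None if it is not valid base64."""
    # parse_qs already URL-decoded the value, which turns a literal '+' into a
    # space; restore it so unencoded base64 still decodes.
    try:
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def inspect_request(line: str) -> Optional[dict]:
    """Return a finding if the line looks like a CVE-2024-3273 attempt, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    reasons, decoded = [], None
    if any(BACKDOOR_USER in vals for vals in params.values()):
        reasons.append("backdoor account 'messagebus' supplied")
    if CMD_PARAM in params:
        decoded = decode_b64_param(params[CMD_PARAM][0])
        reasons.append("'system' parameter present (command injection sink)")
    if not reasons:
        return None
    return {"src": m.group("src"), "reasons": reasons, "decoded_command": decoded}

def scan_log(text: str) -> list:
    """Run inspect_request over every line and keep the findings."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]
```

Run on the constructed sample, the first line is reported with both reasons and the decoded command, the third with the 'system' parameter only (undecodable payload), and the ordinary login and the index page are ignored.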

The affected D-Link NAS device models include:

  • DNS-320L (Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013)
  • DNS-325 (Version 1.01)
  • DNS-327L (Version 1.09, Version 1.00.0409.2013)
  • DNS-340L (Version 1.08)

According to Netsecfish's network scans, over 92,000 vulnerable D-Link NAS devices are exposed online and susceptible to exploitation through these security flaws.

No patches are available for these vulnerabilities, as D-Link has declared these NAS devices end-of-life (EOL) and no longer supports them. The vendor advises users to retire these devices and replace them with supported products that receive firmware updates.

D-Link has released a security bulletin to raise awareness about the flaw and recommends immediate retirement or replacement of these legacy devices. Users who continue to use outdated hardware should visit D-Link's dedicated support page for legacy devices to access archived firmware and security updates.

It's crucial to note that NAS devices should never be exposed directly to the internet; keeping them off the public network minimizes the risk of data theft or ransomware attacks targeting them.