Facepalm: Microsoft sometimes releases rare, out-of-band security updates for its older operating systems when a vulnerability is particularly severe. In contrast, companies like D-Link seem content to leave former customers exposed to potentially disastrous network security risks.
A recently disclosed security vulnerability affecting D-Link NAS devices will remain unpatched, as the Taiwanese manufacturer confirmed these models have reached their end-of-life / end-of-service status. This means they're likely to stay permanently vulnerable, a situation that has raised concerns among security analysts.
The vulnerability, tracked as CVE-2024-10914, affects the DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS systems with firmware up to version 20241028. This critical flaw is located in the "cgi_user_add" command and can be triggered via a specially crafted HTTP GET request. The command fails to properly sanitize the "name" parameter, allowing an attacker to inject shell commands.
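As an added illustration of the bug class described above (example code written for this article, not D-Link's firmware), the C snippet below contrasts the vulnerable pattern, splicing an unvalidated request parameter into a shell command line, with a hardened handler that allowlists the username and hands it to the process launcher as a single argv element so no shell ever parses it. The function names, the adduser path, the 32-character limit and the permitted character set are all assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example added for illustration; not D-Link code. All names are hypothetical. */

#define USERNAME_MAX 32

/* Vulnerable pattern: the untrusted "name" parameter is spliced into a
 * command string that is later handed to a shell (e.g. via system()).
 * Any shell metacharacter in name becomes part of the command.
 * Shown for contrast only; nothing here executes the result. */
int unsafe_build_adduser_cmd(const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "adduser -D %s", name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened check: an allowlist, not a denylist. Accept 1..USERNAME_MAX
 * characters drawn from [a-z0-9_-], with the first character a lowercase
 * letter or '_'. Everything else (';', '|', '$', '`', spaces, newlines,
 * non-ASCII bytes) is rejected rather than "cleaned". Returns 1 if valid. */
int validate_username(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > USERNAME_MAX) return 0;
    if (!(islower((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened execution: build an argv vector for execve()/posix_spawn() so the
 * name is always exactly one argument and no shell is involved. Returns the
 * argument count, or -1 if validation fails. argv must hold 5 pointers. */
int safe_build_adduser_argv(const char *name, const char *argv[5])
{
    if (!validate_username(name)) return -1;
    argv[0] = "/usr/sbin/adduser";  /* hypothetical path on the device */
    argv[1] = "-D";
    argv[2] = "--";                 /* end option parsing: a name can never be read as a flag */
    argv[3] = name;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    const char *argv[5];
    const char *inputs[] = { "alice", "svc_backup-01", "alice;id", "a b", "" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = safe_build_adduser_argv(inputs[i], argv);
        printf("%-16s -> %s\n", inputs[i], rc < 0 ? "rejected" : "accepted as single argv element");
    }
    return 0;
}
```

The point of the contrast is that the fix is not a list of bad characters to strip but a short list of good ones to accept, combined with removing the shell from the execution path altogether. On an end-of-life device that will never receive such a fix, the only comparable control sits upstream: the management interface should not be reachable from the internet at all.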
While the National Institute of Standards and Technology noted that the attack complexity is "high," exploitation is feasible, as researchers have already disclosed a working exploit online. These NAS devices were once popular among small businesses, but D-Link has since discontinued this line of network storage products.
The company recently published a security bulletin regarding the matter, acknowledging the "Command Injection Vulnerability" discovered by NetSecFish in the DNS-320, DNS-325, DNS-340L, and other NAS models. D-Link advised owners of these affected devices to retire them and consider replacing them with newer alternatives.
In the bulletin, D-Link reiterated its policy that end-of-life and end-of-service products are no longer supported and that firmware development for these models has ceased. NetSecFish estimated that over 61,000 vulnerable devices remain connected to the internet, putting them at risk of exploitation through malicious HTTP GET requests, which could result in data breaches or botnet activity.
D-Link offered some general advice for users who continue to connect these critically vulnerable NAS devices to the internet. They recommended ensuring the latest firmware is installed, using a unique password, and enabling Wi-Fi encryption. While these steps provide some basic protection, they do little to mitigate the CVE-2024-10914 vulnerability itself.
Earlier this year, the same researcher identified an additional command injection vulnerability and a hardcoded backdoor in the same NAS models (CVE-2024-3273). D-Link did not issue a fix or firmware update for that vulnerability, either.