Facepalm: Microsoft occasionally releases rare, out-of-band security updates for its older operating systems when a vulnerability is especially severe. By contrast, companies like D-Link seem content to leave former customers exposed to potentially disastrous network security risks.
A recently disclosed security vulnerability affecting D-Link NAS devices will remain unpatched, as the Taiwanese manufacturer confirmed that the affected models have reached end-of-life / end-of-service status. This means they are likely to stay permanently vulnerable, a situation that has raised concerns among security analysts.
The vulnerability, tracked as CVE-2024-10914, affects the DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS systems running firmware up to version 20241028. This critical flaw lies in the "cgi_user_add" command and can be triggered through a specially crafted HTTP GET request. The command fails to properly sanitize the "name" parameter, allowing an attacker to inject shell commands.
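To illustrate the class of bug described above, here is an added example; it is not D-Link's firmware code, which the article does not reproduce. It shows the vulnerable shape of a CGI "add user" handler (a GET parameter spliced straight into a shell command line) beside a hardened version that allowlists the value and passes it to the program as a single argv entry instead of going through a shell. The binary name `/bin/adduser`, the username policy, and the sample query-string value are assumptions made for illustration.

```c
/* Added example (hypothetical CGI handler, not D-Link's code).
 * Demonstrates why an unsanitized "name" parameter reachable via HTTP GET
 * becomes OS command injection, and what the fixed handler looks like. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a GET parameter value (%XX escapes and '+' for space). Returns 0 on
 * success, -1 on a malformed escape or insufficient output space. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '+') {
            out[o++] = ' ';
        } else if (in[i] == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 0;
}

/* VULNERABLE pattern: the decoded parameter is formatted into a command line
 * that would be handed to system(). Single quotes do not help once the value
 * itself contains a quote; ';', '|', '`', '$()' are then parsed by the shell.
 * This function only builds the string so the injection point is visible. */
int build_cmd_unsafe(const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/bin/adduser -D '%s'", name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened step 1: strict allowlist on the parameter. Assumed policy:
 * 1-32 chars, leading letter, then letters, digits, '_' or '-'. */
int valid_username(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    if (!isalpha((unsigned char)name[0])) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. Build an argv for execve()/posix_spawn()
 * so the name is one argument and is never re-parsed. Returns the argument
 * count, or -1 if the value was rejected. (The caller would fork+execve.) */
int build_argv_safe(const char *name, const char *argv[], size_t max) {
    if (max < 4 || !valid_username(name)) return -1;
    argv[0] = "/bin/adduser";
    argv[1] = "-D";
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

/* Detection heuristic for request logs: does a decoded parameter value carry
 * any shell metacharacter? Decode first; encoded payloads hide from this. */
int has_shell_meta(const char *s) {
    return strpbrk(s, ";|&`$()<>\n'\"\\") != NULL;
}

int main(void) {
    /* Constructed sample value, as it might appear in a GET query string. */
    const char *raw = "alice%27%3B+id+%23";
    char name[128], cmd[256];
    const char *args[4];

    if (url_decode(raw, name, sizeof name) != 0) return 1;
    build_cmd_unsafe(name, cmd, sizeof cmd);
    printf("decoded name  : %s\n", name);
    printf("unsafe command: %s\n", cmd);   /* shell would run 'id' here */
    printf("shell meta    : %d\n", has_shell_meta(name));
    printf("safe argv     : %d (rejected)\n", build_argv_safe(name, args, 4));
    printf("safe argv bob : %d\n", build_argv_safe("bob_1", args, 4));
    return 0;
}
```

The allowlist alone is already enough to block the sample value, but the argv form is the durable fix: even a future change to the policy cannot reintroduce shell parsing, because there is no shell in the path. On a device like the ones in the article, the endpoint would also need to require authentication, which the hardened snippet does not address.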
While the National Institute of Standards and Technology rated the attack complexity as "high," exploitation is feasible: researchers have already published a working exploit online. These NAS devices were once popular among small businesses, but D-Link has since discontinued this line of network storage products.
The company recently published a security bulletin on the matter, acknowledging the "Command Injection Vulnerability" discovered by NetSecFish in the DNS-320, DNS-325, DNS-340L, and other NAS models. D-Link advised owners of the affected devices to retire them and consider replacing them with newer alternatives.
In the bulletin, D-Link reiterated its policy that end-of-life and end-of-service products are no longer supported and that firmware development for these models has ceased. NetSecFish estimated that over 61,000 vulnerable devices remain connected to the internet, putting them at risk of exploitation via malicious HTTP GET requests, which could result in data breaches or botnet activity.
D-Link offered some general advice for users who continue to connect these critically vulnerable NAS devices to the internet: make sure the latest firmware is installed, use a unique password, and enable Wi-Fi encryption. While these steps provide some basic protection, they do little to mitigate CVE-2024-10914 itself. Since the flaw is reachable through the device's web interface, the practical mitigation is to keep that interface off the internet, or to retire the device as D-Link advises.
Earlier this year, the same researcher identified another command injection vulnerability and a hardcoded backdoor in the same NAS models (CVE-2024-3273). D-Link did not issue a fix or firmware update for that vulnerability either.