-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
--- | ||
layout: case | ||
title: "Vulnerabilities in D-Link Routers: Backdoor and Command Injection Exploits" | ||
author: Stan Plasmeijer | ||
lead: Koen Schagen | ||
excerpt: "D-Link routers are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability." | ||
researchers: | ||
- Koen Schagen | ||
cves: | ||
- CVE-2024-3273 | ||
- CVE-2024-10914 | ||
product: | ||
- D-Link Routers | ||
versions: | ||
- DNS-120 | ||
- DNR-202L | ||
- DNS-315L | ||
- DNS-320 | ||
- DNS-320L | ||
- DNS-320LW | ||
- DNS-321 | ||
- DNR-322L | ||
- DNS-323 | ||
- DNS-325 | ||
- DNS-326 | ||
- DNS-327L | ||
- DNR-326 | ||
- DNS-340L | ||
- DNS-343 | ||
- DNS-345 | ||
- DNS-726-4 | ||
- DNS-1100-4 | ||
- DNS-1200-05 | ||
- DNS-1550-04 | ||
recommendation: "Install the update as soon as possible" | ||
workaround: "None" | ||
patch_status: "None" | ||
status : Open | ||
start: 2024-12-02 | ||
#end: | ||
timeline: | ||
- start: 2024-12-02 | ||
end: | ||
event: "DIVD starts researching the vulnerability." | ||
- start: 2024-12-02 | ||
end: | ||
event: "DIVD finds fingerprint, preparing to scan." | ||
- start: 2024-12-02 | ||
end: | ||
event: "DIVD starts scanning the internet for vulnerable instances." | ||
#ips: | ||
--- | ||
|
||
## Summary | ||
|
||
Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username "messagebus," does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the nas_sharing.cgi URI, where a system parameter containing a base64-encoded command can be exploited through a specially crafted HTTP GET request. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more. | ||
|
||
## Recommendations | ||
|
||
These vulnerabilities impact legacy D-Link products that have reached their end-of-life ("EOL") or end-of-service-life ("EOS") status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet. | ||
|
||
## What we are doing | ||
|
||
DIVD is currently working to identify parties that are running a vulnerable version of D-Link and to notify these parties. | ||
|
||
{% include timeline.html %} | ||
|
||
## More information | ||
|
||
* {% cve CVE-2024-3273 %} | ||
* {% cve CVE-2024-10914 %} | ||
* [D-Link Advisory CVE-2024-3273](https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383) | ||
* [D-Link advisory CVE-2024-10914](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413) |