Merge pull request #882 from DIVD-NL/DIVD-2024-00049

Case DIVD-2024-00049

_cases/2024/DIVD-2024-00049.md

@@ -0,0 +1,73 @@
+---
+layout: case
+title: "Vulnerabilities in D-Link NAS: Backdoor and Command Injection Exploits"
+author: Stan Plasmeijer
+lead: Koen Schagen
+excerpt: "D-Link NAS are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability."
+researchers:
+- Koen Schagen
+cves:
+- CVE-2024-3273
+- CVE-2024-10914
+product:
+- D-Link NAS
+versions: 
+- DNS-120
+- DNR-202L
+- DNS-315L
+- DNS-320
+- DNS-320L
+- DNS-320LW
+- DNS-321
+- DNR-322L
+- DNS-323
+- DNS-325
+- DNS-326
+- DNS-327L
+- DNR-326
+- DNS-340L
+- DNS-343
+- DNS-345
+- DNS-726-4
+- DNS-1100-4
+- DNS-1200-05
+- DNS-1550-04
+recommendation: "Phase out the D-Link device or place it behind a VPN or an IP allowlist"
+workaround: "None"
+patch_status: "None"
+status : Open
+start: 2024-12-02
+#end: 
+timeline:
+- start: 2024-12-02
+  end:
+  event: "DIVD starts researching the vulnerability."
+- start: 2024-12-02
+  end:
+  event: "DIVD finds fingerprint, preparing to scan."
+- start: 2024-12-02
+  end:
+  event: "DIVD starts scanning the internet for vulnerable instances."
+#ips:
+---
+
+## Summary
+
+Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username "messagebus," does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the nas_sharing.cgi URI, where a system parameter containing a base64-encoded command can be exploited through a specially crafted HTTP GET request. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more.
+
+## Recommendations
+
+These vulnerabilities impact legacy D-Link products that have reached their end-of-life ("EOL") or end-of-service-life ("EOS") status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet.
+
+## What we are doing
+
+DIVD is currently working to identify parties that are running a vulnerable version of D-Link and to notify these parties. 
+
+{% include timeline.html %}
+
+## More information
+
+* {% cve CVE-2024-3273 %}
+* {% cve CVE-2024-10914 %}
+* [D-Link Advisory CVE-2024-3273](https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383)
+* [D-Link advisory CVE-2024-10914](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413)