From 464d1d65c808b6366e1f9ee9a6ea30605b91eaea Mon Sep 17 00:00:00 2001
From: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com>
Date: Mon, 2 Dec 2024 16:24:33 +0100
Subject: [PATCH 1/2] DIVD-2024-00049

---
 _cases/2024/DIVD-2024-00049.md | 73 ++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 _cases/2024/DIVD-2024-00049.md

diff --git a/_cases/2024/DIVD-2024-00049.md b/_cases/2024/DIVD-2024-00049.md
new file mode 100644
index 00000000..94607382
--- /dev/null
+++ b/_cases/2024/DIVD-2024-00049.md
@@ -0,0 +1,73 @@
+---
+layout: case
+title: "Vulnerabilities in D-Link Routers: Backdoor and Command Injection Exploits"
+author: Stan Plasmeijer
+lead: Koen Schagen
+excerpt: "D-Link routers are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability."
+researchers:
+- Koen Schagen
+cves:
+- CVE-2024-3273
+- CVE-2024-10914
+product:
+- D-Link Routers
+versions: 
+- DNS-120
+- DNR-202L
+- DNS-315L
+- DNS-320
+- DNS-320L
+- DNS-320LW
+- DNS-321
+- DNR-322L
+- DNS-323
+- DNS-325
+- DNS-326
+- DNS-327L
+- DNR-326
+- DNS-340L
+- DNS-343
+- DNS-345
+- DNS-726-4
+- DNS-1100-4
+- DNS-1200-05
+- DNS-1550-04
+recommendation: "Install the update as soon as possible"
+workaround: "None"
+patch_status: "None"
+status : Open
+start: 2024-12-02
+#end: 
+timeline:
+- start: 2024-12-02
+  end:
+  event: "DIVD starts researching the vulnerability."
+- start: 2024-12-02
+  end:
+  event: "DIVD finds fingerprint, preparing to scan."
+- start: 2024-12-02
+  end:
+  event: "DIVD starts scanning the internet for vulnerable instances."
+#ips:
+---
+
+## Summary
+
+Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username "messagebus," does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the nas_sharing.cgi URI, where a system parameter containing a base64-encoded command can be exploited through a specially crafted HTTP GET request. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more.
+
+## Recommendations
+
+These vulnerabilities impact legacy D-Link products that have reached their end-of-life ("EOL") or end-of-service-life ("EOS") status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet.
+
+## What we are doing
+
+DIVD is currently working to identify parties that are running a vulnerable version of D-Link and to notify these parties. 
+
+{% include timeline.html %}
+
+## More information
+
+* {% cve CVE-2024-3273 %}
+* {% cve CVE-2024-10914 %}
+* [D-Link Advisory CVE-2024-3273](https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383)
+* [D-Link advisory CVE-2024-10914](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413)

From 4879492a9dd69455669237fb4d5086e475144d08 Mon Sep 17 00:00:00 2001
From: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com>
Date: Mon, 2 Dec 2024 18:54:59 +0100
Subject: [PATCH 2/2] tekst gewijzigd

---
 _cases/2024/DIVD-2024-00049.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/_cases/2024/DIVD-2024-00049.md b/_cases/2024/DIVD-2024-00049.md
index 94607382..94fc369c 100644
--- a/_cases/2024/DIVD-2024-00049.md
+++ b/_cases/2024/DIVD-2024-00049.md
@@ -1,16 +1,16 @@
 ---
 layout: case
-title: "Vulnerabilities in D-Link Routers: Backdoor and Command Injection Exploits"
+title: "Vulnerabilities in D-Link NAS: Backdoor and Command Injection Exploits"
 author: Stan Plasmeijer
 lead: Koen Schagen
-excerpt: "D-Link routers are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability."
+excerpt: "D-Link NAS are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability."
 researchers:
 - Koen Schagen
 cves:
 - CVE-2024-3273
 - CVE-2024-10914
 product:
-- D-Link Routers
+- D-Link NAS
 versions: 
 - DNS-120
 - DNR-202L
@@ -32,7 +32,7 @@ versions:
 - DNS-1100-4
 - DNS-1200-05
 - DNS-1550-04
-recommendation: "Install the update as soon as possible"
+recommendation: "Phase out the D-Link device or place it behind a VPN or an IP allowlist"
 workaround: "None"
 patch_status: "None"
 status : Open