
92,000 D-Link Backdoors

Over 92,000 end-of-life D-Link NAS devices have a critical flaw that lets attackers backdoor them, leading to unauthorized access to sensitive data. The affected models include DNS-340L, DNS-320L, DNS-327L, and DNS-325.

Exploitation involves manipulating the nas_sharing_cgi CGI script and can result in data theft, denial-of-service attacks, and other malicious activity. The username and password exposure lies in the request itself: it includes user=messagebus and an empty password field, which indicates a backdoor that requires no authentication. Attackers can also exploit the “System” parameter within the request to inject their own commands. Chained together on one of these D-Link devices, the two issues can give access to sensitive information, allow alteration of the system configuration, and cause denial of service, as mentioned above.

D-Link recommends retiring and replacing all affected devices, as no patches are coming because the devices are end-of-life. Since the news spread, there have been several reports of attackers searching for these devices exposed on the internet and starting to attack them. If you continue to use these devices, it is recommended to run the latest firmware, update the password for the device’s web GUI (Graphical User Interface), and enable Wi-Fi encryption. As another layer of protection, you can add a firewall rule to drop any ingress HTTP/HTTPS requests to the NAS.
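
To check whether a NAS has already received the request pattern described above, the following added example (not from the original post or from D-Link) scans web or reverse-proxy access logs for it. The log lines are constructed, and the `/cgi-bin/nas_sharing.cgi` path and the `passwd`/`password`/`pwd` parameter names are assumptions; only `user=messagebus`, the empty password field and the “System” parameter come from the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Common Log Format (not real traffic).
# Addresses are documentation ranges; the "system" value is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:08:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=PLACEHOLDER HTTP/1.1" 200 112
198.51.100.4 - - [10/Apr/2024:08:02:40 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice&passwd=s3cret HTTP/1.1" 200 640
203.0.113.9 - - [10/Apr/2024:08:03:05 +0000] "GET /cgi-bin/nas_sharing.cgi?USER=messagebus&passwd= HTTP/1.1" 401 0
192.0.2.15 - - [10/Apr/2024:08:04:55 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PASSWORD_KEYS = ("passwd", "password", "pwd")  # assumed parameter names


def classify(line):
    """Return (client_ip, status, [reasons]) or None for unrelated lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    url = urlsplit(target)
    if "nas_sharing" not in url.path.lower():
        return None
    # keep_blank_values keeps an empty password field visible; keys are
    # lowercased so USER=/System= variants are not missed.
    query = parse_qs(url.query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}
    reasons = []
    if "messagebus" in params.get("user", []):
        reasons.append("user=messagebus")
        if any(params.get(k) == [""] for k in PASSWORD_KEYS):
            reasons.append("empty password")
    if "system" in params:
        reasons.append("system parameter present")
    return (ip, int(status), reasons) if reasons else None


def scan(log_text):
    """Classify every line and keep only the suspicious ones."""
    hits = [classify(line) for line in log_text.splitlines()]
    return [h for h in hits if h]


if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} status={status} -> {', '.join(reasons)}")
```

Access logs normally record only the query string, so a request that carries these parameters in a POST body would need proxy-level body logging to be seen.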
