92K D-LINK DEVICES AT RISK

An independent cybersecurity researcher using the pseudonym “Netsecfish” found a serious vulnerability in several models of D-Link network-attached storage devices that are no longer supported by the manufacturer. The problem lies in the script “/cgi-bin/nas_sharing.cgi” and affects its HTTP GET request handler component.

The vulnerability, designated CVE-2024-3273, stems from an account hardcoded in the software (user name “messagebus” with no password) and the ability to inject commands through the “system” parameter. This allows attackers to execute commands on the device remotely.

A PoC exploit published by the researcher shows how adding a Base64-encoded command to the “system” parameter leads to its execution on the device.

The white-hat hacker warns that successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, modification of system settings, or denial-of-service conditions.
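For defenders, the request shape described above can be searched for in the web access logs of a reverse proxy or gateway in front of such a device. The following is an added example, not code from the researcher or from D-Link: it assumes combined-format access logs, and the `user` parameter name and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Script path and account name come from the article; matching ignores case.
SCRIPT_PATH = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "messagebus"
# Client address and request target of a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_b64(value):
    """Best-effort decode of the system parameter for triage; None if not Base64."""
    value = value.replace(" ", "+")       # parse_qsl turns '+' into a space
    value += "=" * (-len(value) % 4)      # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan(lines):
    """Return (client, severity, decoded_command) for requests to the script."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path.lower() != SCRIPT_PATH:
            continue
        params = {k.lower(): v for k, v in parse_qsl(url.query, keep_blank_values=True)}
        has_account = BACKDOOR_USER in (v.lower() for v in params.values())
        if "system" in params:
            severity = "high" if has_account else "medium"
            findings.append((client, severity, decode_b64(params["system"])))
        elif has_account:
            findings.append((client, "medium", None))
    return findings

# Constructed sample lines: documentation addresses, harmless payload ("id").
SAMPLE = [
    '203.0.113.7 - - [08/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&system=aWQ= HTTP/1.1" 200 31',
    '198.51.100.4 - - [08/Apr/2024:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.9 - - [08/Apr/2024:10:03:44 +0000] "GET /CGI-BIN/nas_sharing.cgi?System=%%% HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "high" finding means both the hardcoded account name and a `system` value appeared in one request; the decoded value shows what the sender tried to run.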

The device models affected by CVE-2024-3273 are as follows:

  • DNS-320L, versions 1.11, 03/03/04.2013, 1.01.0702.2013;
  • DNS-325, version 1.01;
  • DNS-327L, versions 11.09, 1.00.0409.2013;
  • DNS-340L, version 1.08.

According to Netsecfish, more than 92,000 vulnerable D-Link devices were found exposed on the network, at risk of attack through this vulnerability.

D-Link reported that the devices have reached the end of their life cycle and are no longer supported. The manufacturer recommends replacing the obsolete devices with models that still receive firmware updates.

On its official D-Link website, also published
