Security researcher Netsecfish has identified a critical command injection vulnerability that impacts numerous older D-Link network-attached storage (NAS) devices. This issue, known as CVE-2024-10914 in the National Vulnerability Database (NVD), has a high severity score of 9.2, which presents a serious threat to users who still depend on these outdated devices.
Details of the Vulnerability
The issue lies in the 'cgi_user_add' command function, specifically in its 'name' parameter, which does not adequately sanitize user input. What makes the flaw dangerous is that it can be exploited without authentication: an attacker can inject arbitrary shell commands through a specially crafted HTTP GET request.
Affected D-Link Models
Netsecfish conducted a FOFA scan on the impacted NAS devices, yielding 61,147 results from 41,097 distinct IP addresses. While the NVD indicates that the complexity of the attack is high, skilled attackers might still be able to take advantage of these vulnerable devices if they are connected to the public internet.
D-Link's Response
Regrettably, D-Link has announced that it will not provide a patch for this vulnerability, as these models have all been classified as end-of-life/end-of-service (EOL/EOS) since 2020. D-Link advised users to either retire or replace their devices, as no further software updates or security fixes will be issued.
Recommendations for Users
Security professionals have recommended several temporary measures for users who cannot quickly swap out their affected D-Link NAS devices. First, they emphasize isolating these devices from any public internet access to reduce the risk of attack. Organizations should also establish strict access control policies, ensuring that only trusted IP addresses and authorized users can reach the devices. For those looking for other options, experts suggest considering third-party firmware, but warn that it should only be obtained from trusted and verified sources. These strategies are stopgap measures, however, and users are encouraged to plan and carry out the replacement of these vulnerable devices as soon as possible.
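As an added example (not code from the article or from Netsecfish), the Python log scanner below applies the two points above to constructed web-access-log lines: it flags any request that reaches the cgi_user_add handler from outside an assumed trusted management subnet, and any 'name' value that carries shell metacharacters. The CGI path, the cmd= query mapping and the 192.0.2.0/24 allowlist are assumptions, not values from the page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format. The path
# /cgi-bin/EXAMPLE_NAS.cgi and the cmd= parameter are placeholders; the
# article only names the cgi_user_add function and its 'name' parameter.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2024:12:00:01 +0000] "GET /cgi-bin/EXAMPLE_NAS.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2024:12:00:05 +0000] "GET /cgi-bin/EXAMPLE_NAS.cgi?cmd=cgi_user_add&name=alice%3Becho%20x HTTP/1.1" 200 512
192.0.2.10 - - [10/Nov/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [10/Nov/2024:12:00:12 +0000] "GET /cgi-bin/EXAMPLE_NAS.cgi?cmd=cgi_user_add&name=bob HTTP/1.1" 200 512
"""

# Assumed management subnet: the only source allowed to reach the NAS admin CGI.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Characters that have no business in a user name and are typical of shell injection.
SHELL_META = re.compile(r'[;|&`$(){}<>\n]')


def assess(line, trusted=TRUSTED):
    """Return the list of alert reasons for one log line ([] if nothing notable)."""
    m = LOG_RE.match(line)
    if m is None:
        return []
    ip, target = m.group("ip"), m.group("target")
    # Only requests that reach the user-add handler are of interest here.
    if "cgi_user_add" not in target:
        return []
    reasons = []
    if not any(ipaddress.ip_address(ip) in net for net in trusted):
        reasons.append("cgi_user_add request from untrusted source %s" % ip)
    # parse_qs percent-decodes values, so %3B is inspected as ';'.
    for value in parse_qs(urlsplit(target).query, keep_blank_values=True).get("name", []):
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in name=%r" % value)
    return reasons


def scan(log_text, trusted=TRUSTED):
    """Scan a whole log; returns (line_number, reason) pairs for every alert."""
    return [(n, r) for n, line in enumerate(log_text.splitlines(), 1)
            for r in assess(line, trusted)]


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Feeding real access logs through scan() gives a quick check of whether the isolation and allowlisting advice is actually holding on a device that cannot yet be replaced.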