92,000+ internet-facing D-Link NAS devices accessible via “backdoor” account (CVE-2024-3273)

A vulnerability (CVE-2024-3273) in four old D-Link NAS models could be exploited to compromise internet-facing devices, a threat researcher has found.

The existence of the flaw was confirmed by D-Link last week, and an exploit for opening an interactive shell has popped up on GitHub.

About CVE-2024-3273

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter,” says the discoverer, who goes by the online handle “netsecfish”.

The “backdoor” account has messagebus as the username and doesn’t require a password.

“The system parameter within the request carries a base64 encoded value that, when decoded, appears to be a command,” netsecfish noted.

The flaw can be triggered by a specially crafted malicious HTTP GET request sent to the /cgi-bin/nas_sharing.cgi endpoint.

Attackers who manage to exploit the flaw could pull off arbitrary command execution on vulnerable devices, which means they could access sensitive information stored on them, make changes to the system configuration, etc., by specifying a command.

CVE-2024-3273 affects D-Link NAS models DNS-320L, DNS-325, DNS-327L, and DNS-340L, all of which have reached end-of-life (EOL) many years ago.

Unfortunately, many are still in use: netsecfish found over 92,000 of them exposed on the internet.

No patches available

There will be no patches for this flaw.

“This exploit affects a legacy D-Link products and all hardware revisions, which have reached their End of Life (“EOL”)/End of Service Life (“EOS”) Life-Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link,” the company said in the security advisory.

“D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced. If US consumers continue to use these devices against D-Link’s recommendation, please make sure the device has the last know firmware which can be located on the Legacy Website. Please make sure you frequently update the device’s unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.”

Users are also advised not to expose management interfaces to the internet.

UPDATE (April 8, 2024, 04:45 p.m. ET):

Both Greynoise and Shadowserver have detected in-the-wild attempts to exploit the two vulnerabilities.

According to Greynoise, attackers are trying to execute Mirai malware “for every possible CPU architecture in the expectation that at least one will work. The malware is fetched from 38[.]6[.]224[.]248 over HTTP.”

UPDATE (April 12, 2024, 07:05 p.m. ET):

CISA has added CVE-2024-3272 and CVE-2024-3273 to its known exploited vulnerabilities (KEV) catalog and said agencies should remove then from their networks as they devices are end-of-life.