D-Link Security Advisory for 92,000 End-of-Life NAS Devices with Critical RCE Zero-Day Flaw

D-Link has released a security advisory for 92,000 end-of-life NAS devices with a critical RCE zero-day flaw.
The researcher who discovered the flaw has disclosed it as CVE-2024-3273 and advises that owners retire these products and replace them with ones that receive firmware updates. D-Link also recommends retiring these devices but will not be patching vulnerable NAS devices because they are no longer supported.
The vulnerability is the result of a backdoor facilitated through a hardcoded account and command injection via the system parameter. Attackers can exploit this to remotely take over network-attached storage devices manufactured by D-Link, potentially leading to unauthorized access, modification of system configurations, or denial of service conditions.

D-Link has recently released a security advisory for 92,000 end-of-life NAS devices that are vulnerable to a critical remote code execution (RCE) zero-day flaw. The vulnerability is the result of a backdoor facilitated through a hardcoded account and command injection issue via the system parameter. Attackers can exploit this vulnerability to remotely take over network-attached storage devices manufactured by D-Link, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions. The researcher who discovered the flaw has disclosed it as CVE-2024-3273 and advises that owners should retire these products and replace them with those that receive firmware updates. D-Link also recommends retiring these devices and replacing them with new ones, but they will not be patching vulnerable NAS devices because they are no longer supported.
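
For defenders who still have one of these devices behind a proxy or gateway, the request shape described in the source summaries on this page (a request to nas_sharing.cgi with user=messagebus, an empty passwd, and a base64-encoded system parameter) can be hunted for in web access logs. The following is an added example, not code from D-Link or the researcher; it assumes common-log-format lines, and the sample lines, IP addresses and the /cgi-bin/ path prefix are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=aWQ= HTTP/1.1" 200 52',
    '198.51.100.9 - - [01/Jan/2024:00:00:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&system=aWQ HTTP/1.1" 200 52',
    '192.0.2.10 - - [01/Jan/2024:00:00:03 +0000] "GET /cgi-bin/nas_sharing.cgi?user=admin&passwd=hunter2 HTTP/1.1" 200 10',
    '192.0.2.11 - - [01/Jan/2024:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 10',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_system(value):
    """Best-effort base64 decode of the system parameter for triage; None if invalid."""
    value = value.replace(" ", "+")          # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)         # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def inspect_line(line):
    """Return a finding dict if the line matches the request shape, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("nas_sharing.cgi"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    backdoor = params.get("user") == ["messagebus"] and params.get("passwd") == [""]
    system = params.get("system", [None])[0]
    if not backdoor and system is None:
        return None
    return {
        "src": line.split(" ", 1)[0],
        "backdoor_login": backdoor,
        "decoded_system": decode_system(system) if system is not None else None,
    }


def scan(lines):
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on an end-of-life unit is a reason to treat the device as compromised and retire it, as both the researcher and D-Link recommend.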



Confidence

90%

Doubts
  • It's not clear if the vulnerability has been exploited in the wild yet.

Sources

72%

  • Unique Points
    • D-Link won't be patching vulnerable NAS devices because they're no longer supported.
    • Hackers are actively exploiting a pair of recently discovered vulnerabilities to remotely commandeer network-attached storage devices manufactured by D-Link, researchers said Monday.
    • Roughly 92,000 devices are vulnerable to the remote takeover exploits.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (50%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article by Dan Goodin contains several formal and informal fallacies. The first is an appeal to authority in the form of quoting Greynoise as saying that attacks began around a certain time without providing any evidence or sources for this claim. Additionally, there are dichotomous depictions throughout the article where D-Link devices are portrayed negatively while other solutions such as replacing hardware and running recent firmware are presented positively. The author also uses inflammatory rhetoric by implying that users of EoL (end-of-life) devices should be concerned about attacks on their systems without providing concrete evidence or examples.
    • Greynoise, one of the organizations reporting the in-the-wild exploitation, said in an email that the activity began around 02:17 UTC on Sunday.
  • Bias (85%)
    The article is biased towards D-Link and their lack of action to patch the vulnerabilities in end-of-life devices. The author uses language that dehumanizes D-Link by referring to them as 'no longer supported' which implies they are not taking care of their customers. Additionally, the author mentions that hackers are actively exploiting these vulnerabilities and provides examples of malware being downloaded and installed on vulnerable devices.
    • The article states that D-Link won't be patching vulnerable NAS devices because they're no longer supported.
    • Site Conflicts Of Interest (50%)
      None Found At Time Of Publication
    • Author Conflicts Of Interest (50%)
      Dan Goodin has a conflict of interest on the topics D-Link and network-attached storage devices as he is reporting on critical takeover vulnerabilities in these products. He also has a conflict of interest on CVE-2024-3272 and CVE-2024-3273, which are specific to D-Link's NAS_SHARING.cgi programming interface.
      • The article also states that the vulnerabilities affect network-attached storage devices and specifically mentions D-Link as one of the affected manufacturers.
        • The article mentions that the vulnerabilities were discovered by a security researcher who was able to remotely take over a device using CVE-2024-3273, which is specific to D-Link's NAS_SHARING.cgi programming interface.

        79%

        • Unique Points
          • D-Link won't be patching vulnerable NAS devices because they're no longer supported.
          • Hackers are actively exploiting a pair of recently discovered vulnerabilities to remotely commandeer network-attached storage devices manufactured by D-Link, researchers said Monday.
          • Roughly 92,000 devices are vulnerable to the remote takeover exploits.
        • Accuracy
          • user=messagebus&passwd=
          • Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system.
        • Deception (90%)
          The article is deceptive in several ways. Firstly, the title implies that D-Link NAS devices are now being exploited by attackers when it has been known for weeks. Secondly, the author claims that this security vulnerability (CVE-2024-3273) is a result of a backdoor facilitated through a hardcoded account and command injection issue via the system parameter. However, Netsecfish disclosed the vulnerability two weeks earlier after D-Link informed them that these end-of-life devices would not be patched. Thirdly, the article states that security updates will be released to patch this zero-day vulnerability, but D-Link also told BleepingComputer that they no longer supported these end-of-life NAS devices and recommended retiring them. The author fails to disclose any information about the source of their information or whether it has been independently verified.
          • The title implies that D-Link NAS devices are now being exploited by attackers when it has been known for weeks.
        • Fallacies (85%)
          The author of the article is Sergiu Gatlan.
          • The vulnerability was discovered by Netsecfish after D-Link informed them that these end-of-life devices would not be patched. This is a formal fallacy. The author uses a false dilemma to imply that either Netsecfish or D-Link are responsible for the lack of patches, ignoring other possible factors.
          • DNS-325 has been end of service life since 09/01/2017 and all firmware updates have ceased. This is an informal fallacy. The author uses a false cause to suggest that because the device was discontinued in 2017, it must be vulnerable to this zero-day flaw.
          • D-Link recommends retiring these products and replacing them with products that receive firmware updates. This is an informal fallacy. The author uses a false dilemma to imply that the only options for owners of these devices are to retire or replace them, ignoring other possible solutions such as patching or securing the devices.
        • Bias (85%)
          The article reports on a critical RCE bug in D-Link NAS devices that has been exploited by attackers. The author mentions the backdoor facilitated through a hardcoded account and command injection issue via the system parameter as being used to deploy Mirai malware variants, which are designed for large-scale distributed denial of service (DDoS) attacks. However, it is not clear from this article whether or not D-Link has taken any steps to address this vulnerability beyond releasing a security advisory and creating a support page for legacy devices.
          • Mirai malware variants, which are designed for large-scale distributed denial of service (DDoS) attacks, have been deployed as a result of this vulnerability.
            • The backdoor facilitated through a hardcoded account and the command injection issue via the system parameter are being used by attackers.
            • Site Conflicts Of Interest (50%)
              None Found At Time Of Publication
            • Author Conflicts Of Interest (50%)
              The author has a conflict of interest on the topic of D-Link NAS devices as they are mentioned in the article and it is stated that there is an RCE vulnerability in them. The author also mentions Mirai malware which can be used to exploit this vulnerability.
              • The article states that a critical RCE bug has been found in 92,000 D-Link NAS devices.

              72%

              • Unique Points
                • , tracked as CVE-2024-3273, that impacts multiple end-of-life D-Link Network Attached Storage (NAS) device models. The flaw affects multiple D-Link NAS devices, including models DNS-, DNS-, and . The vulnerability resides in the nas_sharing.cgi URI, where the researcher discovered a backdoor facilitated by hardcoded credentials and a command injection vulnerability via the system parameter.
                • The request includes parameters for a username (user=messagebus) and an empty field for the password (passwd=). This trick allows attackers to bypass authentication. The command injection issue is achieved by adding a base64-encoded command to the system parameter in an HTTP GET request. The command is decoded and executed.
              • Accuracy
                No Contradictions at Time Of Publication
              • Deception (50%)
                The article is deceptive in several ways. Firstly, the title implies that all D-Link NAS devices can be easily hacked when in fact only specific models are affected by this vulnerability. Secondly, the author states that over 92,000 Internet-facing devices are vulnerable when no such information is provided and it's unclear how they arrived at this number. Thirdly, the article implies that DNS-340L Version 1.11 is affected by this vulnerability but in fact only versions up to 1.08 are impacted.
                • The title of the article states that all D-Link NAS devices can be easily hacked when in fact it's not true.
              • Fallacies (85%)
                The article contains an example of a fallacy known as 'appeals to authority'. The author cites the vendor's advisory and recommendation without providing any evidence or reasoning for their claim. Additionally, there is no mention of any other sources that could have provided further information on this topic.
                • D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced.
              • Bias (85%)
                The article is biased towards the negative impact of D-Link NAS devices on security. The author uses language that dehumanizes and demonizes D-Link as a company that does not care about their customers' security. The author also implies that all D-Link products are vulnerable to this specific flaw, which is not true for all models.
                • Netsecfish reported that over 92,000 Internet-facing devices are vulnerable.
                  • The vulnerability resides in the nas_sharing.cgi uri
                  • Site Conflicts Of Interest (50%)
                    None Found At Time Of Publication
                  • Author Conflicts Of Interest (50%)
                    Pierluigi Paganini has a conflict of interest on the topics of D-Link and NAS devices as he is reporting on an arbitrary command injection vulnerability in Internet facing D-Link NAS devices. He also mentions CVE-2024-3273 which may be related to this topic.
                    • Pierluigi Paganini reports on a security flaw affecting 92,000 internet facing D-Link NAS devices that can be easily hacked. He also mentions CVE-2024-3273 which may be related to this topic.
                      • The article discusses the vulnerability in detail and provides information about how it can be exploited.