Flaws in legacy D-Link NAS devices under attack

Exploitation activity is ramping up for an unpatched vulnerability in several legacy D-Link NAS devices that reached end-of-life as far back as 2017.

Last week, D-Link published a security announcement for a command injection flaw and hardcoded backdoor vulnerability, tracked as CVE-2024-3273, in D-Link NAS devices models DNS-340L, DNS-320L, DNS-327L and DNS-325. D-Link credited VulDB for reporting the flaws on March 26, and warned that the exploit affects legacy D-Link products and all hardware revisions, which have reached end of life between 2017 and 2020 and are no longer supported.

The networking vendor urged customers to discontinue use and replace the devices. Exploitation could allow an unauthorized attacker to manipulate the web management interface and remotely exploit D-Link NAS devices that could contain sensitive data. With a proof-of-concept exploit available, reports of exploitation began just days following public disclosure.

"If US consumers continue to use devices against D-Link's recommendation, please make sure the device has the last-known firmware which can be located on the Legacy Website links above," D-Link wrote in the security announcement.

On Monday, the Shadowserver Foundation, a cybersecurity nonprofit organization, revealed its internet scans detected exploitation activity from "multiple IPs" for CVE-2024-3273.

We have started to see scans/exploits from multiple IPs for CVE-2024-3273 (vulnerability in end of life D-Link Network Area Storage devices). This involves chaining of a backdoor & command injection to achieve RCE.

D-Link announcement: https://t.co/Z3HD9k1nQc

— Shadowserver (@Shadowserver) April 8, 2024

Additionally, threat intelligence vendor GreyNoise began detecting exploitation attempts Sunday. GreyNoise urged anyone still using the devices, which D-Link does not recommend, to check their router's UPnP configuration to ensure that they are not internet-exposed.

D-Link credited a security researcher known as netsecfish for discovering CVE-2024-3273. In a GitHub post on March 26, the researcher revealed network scans showed 92,000 vulnerable NAS devices remained online, despite D-Link retiring the devices between 2017 and 2020.

Netsecfish warned the hardcoded backdoor vulnerability chain could allow an unauthenticated threat actor to execute arbitrary commands, modify system configurations and conduct denial-of-service attacks. The critically classified flaw can be exploited to request a username and password to gain system access.

VulDB provided additional information for CVE-2024-3273 in a separate blog post. "The exploitability is told to be easy," VulDB wrote in the blog.

TechTarget Editorial contacted D-Link regarding reports of exploitation. The vendor referred to last week's security announcement.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.