D-Link is telling owners of expired NAS devices to pack them away and replace them with newer kit following the publication of security vulnerabilities that together are now being actively exploited.

It doesn't help that the devices, that reached their end-of-service (EOS) date years ago, have a backdoor (CVE-2024-3272, CVSS: 9.8 - critical) enabled by hardcoded credentials (username: messagebus, plus an empty password field). 

This, combined with a command injection bug (CVE-2024-3273, CVSS: 7.3 - high) means attackers can remotely execute code (RCE) on the device, and with that do all manner of follow-on activities. User data is believed to be at risk.

The issues were first published by a researcher who uses the alias "netsecfish" on March 26, who at the time could only recommend applying vendor patches that would never arrive.

"Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions," they said.

At the time the research went out, more than 92,000 vulnerable devices were facing the internet, the majority of which were based in the UK, although thousands were also vulnerable in Thailand, Italy, Germany, and more.

The following models are vulnerable:

• DNS-340L (reached EOS in 2019) 

• DNS-320L (reached EOS in 2020)

• DNS-327L (reached EOS in 2020)

• DNS-325 (reached EOS in 2017)

D-Link has held firm in its EOS assessment, reiterating that no firmware updates will be released for the affected devices, regardless of the latest security holes.

"This exploit affects legacy D-Link products and all hardware revisions, which have reached their End of Life /End of Service Life-Cycle," it said in an advisory. 

"Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link.

"D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced."

The vulnerabilities lie in the nas_sharing.cgi CGI script which can be targeted by a malicious HTTP GET request that includes the hardcoded credentials, plus a malicious command string.

As of Monday, both GreyNoise and Shadowserver both reported seeing active scans and exploit attempts of CVE-2024-3273.

"Exploit and PoC details are public," Shadowserver xeeted after confirming attacks from multiple IPs. "As there is no patch for this vulnerability, these devices should be taken offline/replaced or at least have their remote access firewalled."

GreyNoise observed attacks in which miscreants were attempting to deploy a variant, skid.x86, of the Mirai botnet on devices. Mirai is routinely used to carry out distributed denial of service (DDoS) attacks.

D-Link was approached for additional comment but it didn't immediately respond. ®

https://www.theregister.com//2024/04/09/dlink_issues_rip_and_replace/