Dive Brief:
- Attackers are scanning and actively exploiting a command injection and hardcoded credential backdoor vulnerability in D-Link network-attached storage devices, researchers at Shadowserver said Monday in a post on X, the site formerly known as Twitter.
- There is no patch available for CVE-2024-3273, nor is one coming. D-Link advised owners of the four affected products to retire and replace the devices as they have reached end of life and are no longer supported, the company said in an April 4 security announcement.
- “D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it,” D-Link said.
Dive Insight:
Network devices are common targets for financially motivated and nation-state-linked attackers. Vulnerabilities in devices sold by Citrix, Ivanti and Barracuda were widely exploited during the last year.
Boeing and Comcast were both impacted by attacks linked to exploits of the Citrix vulnerability, dubbed CitrixBleed, and a pair of systems operated by the Cybersecurity and Infrastructure Security Agency were compromised by an attack linked to widely exploited vulnerabilities in Ivanti remote access VPNs.
While the Ivanti, Citrix and Barracuda devices are still supported by their vendors, the D-Link products impacted by the active exploits are out of service and ineligible for firmware updates. It’s unclear how many enterprises use the impacted D-Link NAS devices, but the Taiwan-based vendor has marketed its NAS gear to small- and medium-sized businesses.
More than 92,000 vulnerable D-Link NAS devices were publicly exposed on March 26 when the researcher who discovered the vulnerability, “Netsecfish,” shared their findings with D-Link and disclosed the vulnerability.
“This exploitation could lead to arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service, by specifying a command,” the researcher said in a GitHub post.
Exploit code and proof of concept details for the vulnerabilities, which affect D-Link devices DNS-340L, DNS-320L, DNS-327L and DNS-325, are publicly available, according to Shadowserver.