{"id":2036204,"date":"2024-11-13T12:22:08","date_gmt":"2024-11-13T17:22:08","guid":{"rendered":"https:\/\/securityboulevard.com\/?p=2036204"},"modified":"2024-11-13T12:22:08","modified_gmt":"2024-11-13T17:22:08","slug":"d-link-nas-wont-fix-richixbw","status":"publish","type":"post","link":"https:\/\/securityboulevard.com\/2024\/11\/d-link-nas-wont-fix-richixbw\/","title":{"rendered":"These 20 D-Link Devices Have Critical RCE Bug \u2014 but NO Patch NEVER"},"content":{"rendered":"
\"xkcd.com\/327<\/a>Company doesn\u2019t make storage devices now; has zero interest in fixing catastrophic\u202f\u202fvulnerability.<\/strong><\/h5>\n

D-Link NAS boxes are obsolete. Even the youngest has been out of support for four years.<\/strong> That\u2019s why D-Link says it\u2019s not going to patch the latest critical flaw in its old range of network storage devices.
\n
\nIn fact, the firm claims it\u2019s \u201cprohibited\u201d from doing so.<\/strong> In today\u2019s SB\u202f\u202fBlogwatch<\/a>, we find that bit kinda odd.
\n
\nYour humble blog\u00adwatcher<\/a> curated these bloggy bits for your enter\u00adtain\u00adment. Not to mention:\u202f\u202fSN#1000<\/i>.
\n<\/p>\n

\u2018Bobby\u2019 Flaw Flagged WONTFIX<\/h2>\n

What\u2019s the craic?<\/strong> Bill Toulas reports: D-Link won\u2019t fix critical flaw affecting 60,000 older NAS devices<\/a><\/p>\n

\u201cCommonly used by small businesses<\/tt>\u201d<\/strong>
\nCVE-2024-10914 has a critical [CVSS] 9.2 severity score and is present in the \u2018cgi_user_add\u2019 command. \u2026 An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests.
\n\u2026
\nThe flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses. \u2026 A fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. \u2026 A D-Link spokesperson [said] the impacted products had reached EoL and will not be receiving security updates.
\n<\/p>\n

How many different products?<\/strong> Ionut Arghire usues all his fingers and toes: Many Legacy D-Link NAS Devices Exposed to Remote Attacks<\/a><\/p>\n

D-Link, however, warns that [20] discontinued NAS models are affected and that it cannot address the vulnerability, as all development and customer support have ceased. Some of these devices were retired a decade ago.
\n<\/p>\n

Who found it?<\/strong> NetworkSecurityFish: Command Injection Vulnerability<\/a><\/p>\n

The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution. [For] example:
\n\u2026
\ncurl \"http:\/\/[Target-IP]\/cgi-bin\/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27\"<\/tt><\/strong>
\n<\/p>\n

What does D-Link have to say for itself?<\/strong> Not a lot: DNS-320 \/ DNS-325 \/ DNS-340L and all other D-Link NAS Models<\/a><\/p>\n

\u201cLatest firmware<\/tt>\u201d<\/strong>
\nProducts that have reached their EOL\/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. \u2026 D-Link’s general policy is that when products reach EOS\/EOL, they can no longer be supported, and all firmware development ceases.
\n\u2026
\nD-Link US is prohibited from providing support for these EOL\/EOS products, if you are outside the US, please contact your regional D-Link office. If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier.
\n<\/p>\n

Well, that sucks.<\/strong> u\/JLeeSaxon<\/a> isn\u2019t happy:<\/p>\n

I can’t really agree with the, “It’s your fault for not throwing hardware that still runs fine in a landfill for no reason every September like Apple wants you to,” responses. \u2026 Don’t make it sound like some kind of age-based deterioration:\u202f\u2026\u202fThis flaw was always there and D-Link never found\/fixed it.
\n\u2026
\nNASA is still reprogramming Voyager 2, so let’s make sure we’re clear-eyed about the fact that these EOL decisions are 100% arbitrary and D-Link, if they were willing<\/i>, would absolutely be able to do an emergency fix here given how widespread and serious this flaw apparently is.
\n<\/p>\n

How should we react to D-Link\u2019s attitude?<\/strong> gavron<\/a> waxes metaphorical:<\/p>\n

Carrots and Sticks: Reward vendors who support their products. Punish those who don’t.
\n\u2026
\nBecause of this,\u202f\u2026\u202fI will never buy a D-Link product again. Of any type. For any purpose. Not even for consulting clients.
\n\u2026
\nYou are welcome to join me. If someone says, “Hey this D-Link switch is cheaper,” just tell them how D-Link treats you after<\/i> you give them your money, and eventually this will trickle down to lower quarterly earnings, less enjoyable shareholder 10Q reports, and they may get the message.
\n<\/p>\n

Why would owners have bought a D-Link NAS to begin with?<\/strong> Misgar<\/a> makes an important point:<\/p>\n

The answer might be that some D-Link NAS [were] less expensive than their QNAP and Synology counterparts. For some people, price is the overriding factor when making a purchase, regardless of any other factors. They might not be able to afford “better” products. They might be blissfully unaware of the weaknesses, or just not care.
\n<\/p>\n

Any other reasons?<\/strong> thesnide<\/a> offers some:<\/p>\n

The hardware was cheap and decent. The software is nicely hackable.
\n\u2026
\nI did strip all the D-Link firmware to replace it with a trimmed down one. Works flawlessly since day one. And that’s a long time [ago].
\n<\/p>\n

This sounds like a job for open source.<\/strong> u\/DGolden<\/a> agrees:<\/p>\n

It looks like people have worked out how to stick Linux \/ Debian \/ OpenWRT on at least some models:
\nhttps:\/\/jamie.lentin.co.uk\/devices\/dlink-dns325\/<\/a>
\nhttps:\/\/www.aboehler.at\/doku\/doku.php\/projects:dns320l<\/a>
\n<\/p>\n

Meanwhile,<\/strong> speaking of FLOSS, Wokan<\/a> has excellent gum health:\u00a0[You\u2019re fired\u2014Ed.]<\/em><\/p>\n

Meanwhile, 12 years later, my TrueNAS Scale\u202f\u2026\u202fbox running on a 2012 CPU is still serving up files and getting regular updates. If you want to have a NAS you pay for once and then not subscribe to, roll up your sleeves and learn a little DIY.
\n<\/p>\n

And Finally:<\/h4>\n

Love him or loathe him, you can\u2019t deny Steve Gibson is \u2026 old<\/a><\/b>