D-Link Refuses To Patch ~60,000 Venerable NAS Devices
Time To Toss Out Some D-Link NAS Devices
There are four D-Link NAS devices which include the DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01, Version 1.02, and DNS-340L Version 1.08 which all have a serious vulnerability. Sadly, since they are rather elderly, D-Link has decided they will not release a patch to fix the issue, so their customers best choice is to toss them out. These devices are more commonly found being used in small businesses as opposed to in a home, which will cause a lot of frustration for customers and employees alike.
The vulnerability has a 9.2 severity score, and will allow an attacker to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices. D-Link no longer makes NAS devices, which is the main reason for their choice not to patch these old products. If there is any bright spot to this, it is that you won’t have to worry about ending up with another dodgy D-Link NAS device as they don’t sell them anymore.
If you can’t immediately replace the device, you’d best take it offline before a simple Curl command starts running code neither you nor your customers want running on a device that holds private data.
The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized.
More Tech News From Around The Web
- LG’s New Stretchable Display Can Grow By 50% @ Slashdot
- NVIDIA App v1.0 @ TechPowerUp
- Winos4.0 abuses gaming apps to infect, control Windows machines @ The Register
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 @ Bleeping Computer
- Micron 6550 ION 61.44TB PCIe Gen5 NVMe SSD Launched @ ServeTheHome
- The US government wants developers to stop using C and C++ @ The Register
- FiiO Industrial Park/Factory Tour + Interview with Founder @ TechPowerUp