D-Link refuses to patch a security flaw on over 60,000 NAS devices — the company instead recommends replacing legacy NAS with newer models
It's time to buy a new NAS.
Security researcher Netsecfish discovered a critical flaw in several popular D-Link NAS models that could allow an unauthenticated attacker to execute a command injection attack via an HTTP GET request. According to Netsecfish’s Notion site (h/t BleepingComputer), the vulnerability is in the account_mgr.cgi script, where they could add the malicious input in the name parameter to execute the exploit. This issue is tracked in the National Vulnerability Database (NVD) as CVE-2024-10914 and declared a critical flaw with a severity score 9.2.
The following D-Link models are affected by the issue: DNS-320 Version 1.00, DNS-320LW Version 1.01.0914.2012, DNS-325 Version 1.01, Version 1.02, and DNS-340L Version 1.08.
Unfortunately for the users of these devices, D-Link declined to release a security patch for this issue, noting that “Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link.” The affected models have all reached their end-of-life/end-of-service date as of 2020, and “D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS.”
Netsecfish conducted an FOFA of the affected D-Link models, and the platform returned 61,147 results with 41,097 unique IP addresses. Although the NVD says that the attack complexity might be high and exploiting the vulnerability is difficult, anyone with the knowledge and capability could theoretically access any of these publicly available D-Link NAS machines.
If you’re using one of these models, it’s highly recommended that you replace your NAS system with one that’s still receiving patches from the manufacturer. If that isn’t possible right now, Netsecfish suggests restricting access to your NAS settings menu/interface to only trusted IP addresses. You could also isolate your NAS from the public internet to ensure that only authorized users can interact with it.
Alternatively, you could look for third-party firmware supporting the affected hardware. However, you must ensure you download the firmware from a trusted source. But if you think it’s time to get a new NAS for your home, office, or business, you should check out our list of the best NAS before picking one to install.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.
-
Alvar "Miles" Udell These units are over 10 years old, with the DNS-320 going on 15 years. Even the relatively inexpensive Synology DS423 vs the DNS-340L (both 4 bay units) is immensely more powerful for $370. Time to upgrade.Reply -
sharpless78
If they still work, why should someone be forced to update them?Alvar Miles Udell said:These units are over 10 years old, with the DNS-320 going on 15 years. Even the relatively inexpensive Synology DS423 vs the DNS-340L (both 4 bay units) is immensely more powerful for $370. Time to upgrade. -
USAFRet
Because there is a security vulnerability, which won't be patched by the manufacturer.sharpless78 said:If they still work, why should someone be forced to update them? -
Alvar "Miles" Udell sharpless78 said:If they still work, why should someone be forced to update them?
I'm all for keeping things going if they perform to the task they are designed for, but if you get 10 or even 15 years of use out of the same piece of technology, it's out of support, and a modern replacement is both far more capable and quite affordable, then it's exceeded its useful life and is time to be repurposed and replaced. In the case of these NAS's, it could easily be repurposed to a local only backups machine or a media server, something which doesn't require internet access, while a replacement NAS was procured to handle open internet access.
Think about a mobile phone. Your iPhone 6 or Galaxy S20 may still be plenty fast for the tasks you use it for, but would you really trust an out of support device with handling your sensitive data? -
TechieTwo IME people need to seriously investigate the true security of any network devices they are looking to purchase prior to purchase. Personal and SOHO hardware seems to be the most vulnerable because the mfgs. are negligent in provided a secure product. Naturally most personal/SOHO use is by people who do not work in network security daily so they are the easiest to exploit. For those who don't know it almost ALL personal internet modems and routers regardless of brand have major security issues. It's so prevalent that Congress has requested that all Chinese mfgs. of Wi-Fi modems sold in the U.S. be investigated for backdoor reporting to China on U.S. citizen's activity. In addition, router hacks are on the rise. https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/Reply -
JustinZ Just your usual capitalism. Do not get rid of your device. Remove it from the Internet, access it only via a VPN, firewall it, put it behind a reverse proxy with authentication, put it on it's own VLAN, install Linux on it. So many options instead of giving in to capitalism and replacing a working device.Reply -
nrdwka
There is text on "reach" language, that newer nas device are not cheap, 200$ is an expensive device.Alvar Miles Udell said:I'm all for keeping things going if they perform to the task they are designed for, but if you get 10 or even 15 years of use out of the same piece of technology, it's out of support, and a modern replacement is both far more capable and quite affordable, then it's exceeded its useful life and is time to be repurposed and replaced. In the case of these NAS's, it could easily be repurposed to a local only backups machine or a media server, something which doesn't require internet access, while a replacement NAS was procured to handle open internet access.
Think about a mobile phone. Your iPhone 6 or Galaxy S20 may still be plenty fast for the tasks you use it for, but would you really trust an out of support device with handling your sensitive data?
S20... New Phones are expensive, I cannot afford someting newer than my s9 what work just fine. -
thestryker This is the inherent danger of buying any piece of hardware you do not have control over. I can't say I particularly fault the company for not updating devices of this age. It sounds like there are ways to limit vulnerability so at least they don't have to be tossed. Personally speaking I'd never connect a NAS device to the internet directly as you're relying on the device manufacturer for security.Reply -
AlienDarkCat Just turn off the internet access on the NAS and use it on your LAN only, and block access to it with your router's firewall. There's no need to buy a new device. Of course, if you need to access the data on it outside your LAN, I suggest buying a new NAS other than D-Link.Reply