from the all-your-storage-are-belong-to-us dept.
Source: https://www.securityweek.com/flaw-gives-hackers-remote-access-files-stored-d-link-dns-320-devices
Researchers at Vietnam-based CyStack Security discovered the vulnerability and reported it to D-Link in mid-August. An advisory was released by the vendor roughly one month later, but it turned out that the security hole was actually fixed by mistake in April, when D-Link released version 2.06b01 of the firmware to address a weakness exploited by the Cr1ptT0r ransomware to infect D-Link NAS devices.
The flaw is tracked as CVE-2019-16057 and CyStack assigned it a CVSS score of 10. It affects D-Link DNS-320 devices with firmware version 2.05b10 and earlier.
CyStack's Nguyen Dang told SecurityWeek that the vulnerability can be exploited directly from the internet and he says there are currently at least 800 vulnerable devices that can be attacked from the web. Nguyen pointed out that all D-Link DNS-320 devices were vulnerable to attacks before the issue was patched in April.
The vulnerability has been described as a command injection issue present in the login module for the administration interface of the DNS-320.
CyStack Report: https://blog.cystack.net/d-link-dns-320-rce/
CyStack Security discovered a remote code execution vulnerability in the D-Link DNS-320 ShareCenter device which its version is lower or equal 2.05.B10 . By exploiting the vulnerability, a remote, unauthenticated attacker can access to all application commands with root permission. This device is a popular network storage device and interestingly, in the past, it was also reported that it contains a backdoor itself.
[...] D-Link team released a patch for this issue on 11/04/2019 [(April 11, 2019. --Ed.)]. According to their release notes, the patch is for login_mgr.cgi allows attackers pipe commands to the user.log. I don't know exactly what issue they found related to the flaw I'm addressing in this article, but the patch worked. They fixed it by type casting parameter port to Integer.
(Score: 3, Funny) by DannyB on Wednesday September 25 2019, @01:11PM
Shirley they must mean SecurityWeak.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 3, Interesting) by DannyB on Wednesday September 25 2019, @03:00PM (4 children)
Two wonderful features
and
It sounds like the backdoor was in the past. So it was fixed. But now a new remote code execution vulnerability?
Hmmmm. Aren't backdoors on purpose? Whoever created the backdoor needed a new one, but now it should be disguised as a remote code execution vulnerability.
And remember what we're talking about here. An NAS device where everyone in a small group or office keeps files.
Who wants to be able to snoop through files on NAS devices?
If only there were some way of having an NSA without buying an off the shelf closed-source unit.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by HiThere on Wednesday September 25 2019, @06:05PM (1 child)
Was that typo at the end on purpose? I considered modding that post funny.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by DannyB on Wednesday September 25 2019, @06:40PM
Genuine Typo. Not on purpose.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by driverless on Wednesday September 25 2019, @09:16PM (1 child)
It's not a remote code exec, it's an undocumented remote admin interface for the ISP's tech support staff.
(Score: 2) by DannyB on Wednesday September 25 2019, @09:28PM
Yes, I think that is exactly what it was intended as. Undocumented remote admin. But implemented or disguised as a vulnerability rather than a back door. They had been caught at having a back door previously. The discovery of a 2nd back door might set off alarm bells spooking potential
sheepcustomers.Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 0) by Anonymous Coward on Thursday September 26 2019, @01:17AM
Also, defense in depth already.
Seriously, why run the stock firmware from D-Link, when it is trivial to flash those devices with Alt-f https://sites.google.com/site/altfirmware/ [google.com] https://sourceforge.net/projects/alt-f/ [sourceforge.net] ?
There is so much you can do with with Alt-f instead of the stock firmware. Obviously the aftermarket firmware won't be free of any vulnerabilities, but for the trade-off of extra features that Alt-f has, it's worth it. Inspect the source if you must, although we all know that all those "800" devices/people certainly won't be doing that, and it's highly doubtful they would even know/care to upgrade the stock firmware.
I am by no means stating that it's a good idea to expose these devices directly to the Internet. However, with Alt-f you can run a local firewall on it, or if you don't trust that layer, just remove the default gateway, and/or block it at your perimeter firewall if it doesn't need external connectivity to the internet, ingress or egress. Alt-f gives you the extra tools you need to lock down and secure the device to a reasonable/acceptable level to mitigate risks like that which are described by the exploited vulnerability.
I'm actually surprised that D-Link even bothered to release a firmware update for a device which is EOL, so I'd take my chances with the aftermarket firmware, which granted is also dated, but so are all these hardware models anyway.