from the throw-it-in-the-trash-and-buy-a-new-one-I-need-another-beach-house dept.
BleepingComputer is reporting that D-Link will not fix security issues associated with CVE-2024-10914 on up to 60,000 of its older NAS devices.
From the article:
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the 'cgi_user_add' command where the name parameter is insufficiently sanitized.
An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.
The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses:
- DNS-320 Version 1.00
- DNS-320LW Version 1.01.0914.2012
- DNS-325 Version 1.01, Version 1.02
- DNS-340L Version 1.08
In a technical write-up that provides exploit details, security researcher Netsecfish says that leveraging the vulnerability requires sending "a crafted HTTP GET request to the NAS device with malicious input in the name parameter."
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"
"This curl request constructs a URL that triggers the cgi_user_add command with a name parameter that includes an injected shell command," the researcher explains.
[...]
In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products.
If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions.
Is this the appropriate way for D-Link to handle this? When told that a previously discovered vulnerability (the existence of which had already been disclosed to them) will be made public, notify the world that the affected devices are "end-of-life" and "end-of-service"?
Do any Soylentils have one of the affected devices? (If so, please place your bank/credit/loan account details on those devices and provide us with IP addresses. Thanks!)
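As an added, defender-side example (not from the article, the researcher, or D-Link): a small Python scanner that parses constructed web-server access-log lines in common log format, isolates requests to account_mgr.cgi with cmd=cgi_user_add, and flags name values containing shell metacharacters, which is the request shape the write-up describes. The log format, the sample lines and the client addresses are assumptions; a NAS that exposes this CGI to the internet is the condition the bulletin tells owners to remove.

```python
import re
from urllib.parse import urlsplit, unquote_plus, unquote

# Constructed sample access-log lines (not real traffic). The first request is a
# legitimate-looking user add; the last two carry shell metacharacters in 'name'.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2024:10:01:02 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=alice HTTP/1.1" 200 512
203.0.113.5 - - [13/Nov/2024:10:01:09 +0000] "GET /web/login.html HTTP/1.1" 200 2048
198.51.100.7 - - [13/Nov/2024:10:02:33 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27 HTTP/1.1" 200 64
198.51.100.7 - - [13/Nov/2024:10:02:40 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=bob%60uname%60 HTTP/1.1" 200 64
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a shell treats specially; none of them belong in an account name.
SHELL_META = re.compile(r"""[;|&`$()<>'"\\\n]""")

def parse_query(query):
    """Split a query string on '&' only (deliberately not on ';', which is part of the payload)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params

def flag_request(line):
    """Return a finding dict for a suspicious cgi_user_add request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/cgi-bin/account_mgr.cgi"):
        return None
    params = parse_query(parts.query)
    if params.get("cmd") != "cgi_user_add":
        return None
    # Decode one extra layer so a double-percent-encoded name is not missed.
    name = unquote(params.get("name", ""))
    hits = sorted(set(SHELL_META.findall(name)))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "name": name, "metachars": hits}

def scan_log(text):
    """Run flag_request over every line and return the non-empty findings in order."""
    return [f for f in (flag_request(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same filter can be fed from a reverse proxy in front of the NAS, where a positive hit is a signal that the device is still reachable from where it should not be.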
(Score: 1) by pTamok on Wednesday November 13, @11:12AM (1 child)
The most recent End-of-Life date for the affected devices is 31st May 2020
https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383
I can understand why manufacturers don't want to support old equipment indefinitely.
However, I would like it if manufacturers made it possible to unlock bootloaders, flash new firmware, provide circuit diagrams and build specifications so that the FLOSS community has the ability to choose to continue to support the hardware. In an ideal world it would be a requirement at EOL or company close-down. It would also go a little way to reducing e-waste. I realise that with the way 'intellectual property' works now, it is practically impossible.
(Score: 2) by Thexalon on Wednesday November 13, @11:35AM
But you are forgetting something: EOLing your products is a good way to sell more product at a higher price than before (see: Cell phone prices going from $200 to $2000 with planned obsolescence being a big part of that). Which is what all manufacturers are trying to do. So even if the bug fix is free for the manufacturer (because the FLOSS folks figured it out and fixed it for them), they still have every incentive to say "screw you, won't fix, buy another one".
That is very much the direction our economy is heading: Stuff will be broken, and the only solution proffered by the manufacturers is to replace it. And expect "right-to-repair" laws to be repealed so that it becomes illegal to fix it.
Vote for Pedro