D-link NAS devices exposed to CVE-2024-3272 & CVE-2024-3273 vulnerabilities

09 Apr 2024

D-Link’s Network Attached Storage devices are exposed to a security flaw that threat actors are actively exploiting to steal sensitive data and orchestrate malware attacks. 

 

The vulnerabilities are currently labeled and tracked as CVE-2024-3272 with a CVSS score of 9.8 (critical) and CVE-2024-3273 with a CVSS score of 7.3 (high).

Impacted products

These vulnerabilities are affecting over 92000 D-Link’s NAS devices. NAS devices or Network Attached Storage devices act as a centralized storage device connected to a network, which other machines on the network can connect to read and write data. These systems act as a convenient and reliable system over actual systems connected over a local network. NAS devices are independent devices with their processing capabilities and operating systems.

 

The vulnerabilities are impacting devices with End-of-Life (EOL) status.

 

The impacted models of D-Link NAS devices that are being exposed to the said vulnerabilities include DNS-320L, DNS-325L, DNS 327L, and DNS 340L

About the vulnerabilities

Experts have warned that upon effective exploitation of the vulnerabilities, attackers can execute a well-orchestrated botnet malware attack to remotely control the impacted devices. 

 

They could engage in arbitrary execution of commands, alter system configurations, and leverage compromised devices to orchestrate Denial of Service (DoS) attacks. Some cybersecurity experts have observed instances of Mirai Botnet Malware being delivered via exploitation of the vulnerabilities. The following are the vulnerabilities that are being exploited:

 

CVE-2024-3272 (CVSS 9.8)

It is a vulnerability that has created a backdoor account that is enabled by an attacker by hardcoding credentials into the firmware.

 

CVE-2024-3273 (CVSS 7.3)

It is a vulnerability that was found in DNS-320L, DNS-325, DNS-327L and DNS-340L. It was discovered recently with Proof of Concept of the exploit available. It allows remote access to the web management interface and enables an attacker to remotely execute commands.

 

Upon exploitation, the attacker can launch a full-fledged remote attack. The vulnerability can easily be remotely activated using an HTTP GET request that can be used to control exposed devices. 

SharkStriker’s action and recommendations

The following are the recommendations given and actions implemented by SharkStriker for their customers and partners:

 

  • We recommend users of legacy devices update their devices to the latest firmware from the D-Link site. (Note: products that have reached End of Life (EoL) will no longer be receiving device software updates) 
  • For proactive aversion of threats relating to the exploitation of these vulnerabilities, it is advised to replace hardware as soon as the device has reached the end-of-life status
  • SharkStriker’s threat experts are continuously monitoring customers’ environments for IoCs or IoAs
  • SharkStriker’s threat experts are continuously scanning the environment for vulnerabilities
  • Customers can check the status of their posture through STRIEGO’s dashboards

Get in Touch With us

Complete Visibility, Continuous Monitoring & Advanced Threat Protection with AI-backed Incident Remediation.

LEARN MORE