
URL: https://arstechnica.com/security/2024/04/hackers-actively-exploit-critical-remote-takeover-vulnerabilities-in-d-link-dev...
Submission: On July 12 via api from IT — Scanned from IT


Just add GET request —

Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation

D-Link won't be patching vulnerable NAS devices because they're no longer supported.

Dan Goodin - 4/8/2024, 8:56 PM

[Image credit: Getty Images]

Hackers are actively exploiting a pair of recently discovered vulnerabilities to
remotely commandeer network-attached storage devices manufactured by D-Link,
researchers said Monday.

Roughly 92,000 devices are vulnerable to the remote takeover exploits, which are
delivered by sending malicious commands in ordinary HTTP traffic. The
vulnerability came to light two weeks ago. The researcher said they were making
the threat public because D-Link said it had no plans to patch the
vulnerabilities, which are present only in end-of-life devices, meaning they are
no longer supported by the manufacturer.


An ideal recipe

On Monday, researchers said their sensors began detecting active attempts to
exploit the vulnerabilities starting over the weekend. Greynoise, one of the
organizations reporting the in-the-wild exploitation, said in an email that the
activity began around 02:17 UTC on Sunday. The attacks attempted to download and
install one of several pieces of malware on vulnerable devices depending on
their specific hardware profile. One such piece of malware is flagged under
various names by 40 endpoint protection services.

Security organization Shadowserver has also reported seeing scanning or exploits
from multiple IP addresses but didn’t provide additional details.

The vulnerability pair, found in the nas_sharing.cgi programming interface of
the vulnerable devices, provides an ideal recipe for remote takeover. The first,
tracked as CVE-2024-3272 and carrying a severity rating of 9.8 out of 10, is a
backdoor account enabled by credentials hardcoded into the firmware. The second
is a command-injection flaw tracked as CVE-2024-3273, which carries a severity
rating of 7.3. It can be remotely activated with a simple HTTP GET request.

Netsecfish, the researcher who disclosed the vulnerabilities, demonstrated how a
hacker could remotely commandeer vulnerable devices by sending a simple set of
HTTP requests to them. The code looks like this:

GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64_ENCODED_COMMAND_TO_BE_EXECUTED>

In the exploit example below, the text inside the first red rectangle contains
the hardcoded credentials—username messagebus and an empty password field—while
the next rectangle contains a malicious command string that has been base64
encoded.

[Image: exploit example with the hardcoded credentials and the base64-encoded command highlighted; credit netsecfish]

“Successful exploitation of this vulnerability could allow an attacker to
execute arbitrary commands on the system, potentially leading to unauthorized
access to sensitive information, modification of system configurations, or
denial of service conditions,” netsecfish wrote.

Last week, D-Link published an advisory. D-Link confirmed the list of affected
devices:

Model     Region       Hardware Revision  End of Service Life  Fixed Firmware  Conclusion               Last Updated
DNS-320L  All Regions  All H/W Revisions  05/31/2020           Not Available   Retire & Replace Device  04/01/2024
DNS-325   All Regions  All H/W Revisions  09/01/2017           Not Available   Retire & Replace Device  04/01/2024
DNS-327L  All Regions  All H/W Revisions  05/31/2020           Not Available   Retire & Replace Device  04/01/2024
DNS-340L  All Regions  All H/W Revisions  07/31/2019           Not Available   Retire & Replace Device  04/01/2024

According to netsecfish, Internet scans found roughly 92,000 devices that were
vulnerable.

[Image: Internet scan results showing the exposed devices; credit netsecfish]

According to the Greynoise email, exploits company researchers are seeing look
like this:

GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=15&user=messagebus&passwd=&cmd=Y2QgL3RtcDsgcLnNo HTTP/1.1

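For defenders reviewing NAS or reverse-proxy logs, the two request shapes quoted above (netsecfish's system= form and the Greynoise-observed double cmd= form) share a structure that is easy to match. The following Python is an added example written for this page; it is not code from the article, netsecfish, Greynoise, or D-Link. It parses Common Log Format access-log lines, flags hits on the hardcoded messagebus account (CVE-2024-3272) and on a base64 command parameter (CVE-2024-3273), and decodes the payload for triage where it can. The log lines, their IP addresses and the harmless uname -a payload are constructed for the example; the second query string is the one Greynoise reported.

```python
"""Flag access-log lines that match the D-Link nas_sharing.cgi exploit pattern.

Added detection example (not the article's or any vendor's code). It looks for
the hardcoded "messagebus" account (CVE-2024-3272) and for a base64-encoded
command carried in system= or in a second cmd= value (CVE-2024-3273).
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: src ident authuser [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. The first request follows netsecfish's shape with a
# harmless constructed payload (base64 of "uname -a"); the second is the query
# string Greynoise reported; the last two are benign traffic for contrast.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2024:02:17:41 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=messagebus&passwd=&cmd=15&system=dW5hbWUgLWE= HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Apr/2024:02:17:43 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?dbg=1&cmd=15&user=messagebus&passwd=&cmd=Y2QgL3RtcDsgcLnNo HTTP/1.1" 200 0',
    '198.51.100.22 - - [07/Apr/2024:02:18:02 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=admin&passwd=example&cmd=7 HTTP/1.1" 200 1024',
    '198.51.100.22 - - [07/Apr/2024:02:18:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def decode_payload(value):
    """Best-effort decode of a suspected base64 command for analyst display.

    Returns the decoded text, or None when the value is not valid base64 (as with
    the truncated Greynoise sample). The request is flagged either way; decoding
    only helps triage.
    """
    # parse_qs turns '+' into ' ', which would break the base64 alphabet; undo it.
    cleaned = value.replace(" ", "+")
    padded = cleaned + "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()


def classify(line):
    """Return a finding dict for an exploit-shaped request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/nas_sharing.cgi"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)

    backdoor = params.get("user") == ["messagebus"]

    # netsecfish's request carries the command in system=; the in-the-wild
    # requests append a second cmd= value, so take every cmd= that is not the
    # numeric opcode.
    raw_payloads = params.get("system", []) + [
        v for v in params.get("cmd", []) if not v.isdigit()
    ]
    payloads = [(p, decode_payload(p)) for p in raw_payloads]

    if not backdoor and not payloads:
        return None
    return {"src": m["src"], "time": m["time"], "backdoor": backdoor, "payloads": payloads}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} backdoor_account={hit['backdoor']}")
        for raw, decoded in hit["payloads"]:
            print(f"    payload {raw!r} -> {decoded if decoded is not None else 'not decodable'}")
```

The matcher keys on the request structure rather than on any particular payload, so a new downloader or a changed command string still triggers it; the decoder is deliberately tolerant of missing padding and of '+' characters that the query parser has turned into spaces, and it reports None rather than dropping the hit when the payload is truncated, as in the Greynoise sample.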

Other malware invoked in the exploit attempts include:

 * skid.arm -
   https://www.virustotal.com/gui/file/44df31da4ce8f4e5a3f9141773d5491f3250de66aa528b6fc2d74ac6adeb2d13
 * skid.arm5 -
   https://www.virustotal.com/gui/file/ab8f295ab1c8c3ce66f8fbda39df4aa8bcbca27d3ddb51b4b18b076c7186a933
 * skid.arm6 -
   https://www.virustotal.com/gui/file/2b1d187f3b6c93569f62b48fc10b627feeffc2f497e1f14965d15b755a2073ae
 * skid.arm7 -
   https://www.virustotal.com/gui/file/15f772d4c6ce512d7442760ae82f2d438bc8496680c950ecef8f56202441912d
 * skid.mips -
   https://www.virustotal.com/gui/file/1b1f226a2de6581606a6aa9249c9d89b9c771a14e02022371405396c278da62d
 * skid.mpsl -
   https://www.virustotal.com/gui/file/4ff0c418b636125fa295ea4467507db85e2ee19c38b1bf921e75fb3f217fae68
 * skid.x86 -
   https://www.virustotal.com/gui/file/859e679f8e8be4a4c895139fb7fb1b177627bbe712e1ed4c316ec85008426db8

The best defense against these attacks and others like them is to replace
hardware once it reaches end of life. Barring that, users of EoL devices should
at least ensure they’re running the most recent firmware. D-Link provides this
dedicated support page for legacy devices for owners to locate the latest
available firmware. Another effective protection is to disable UPnP and
connections from remote Internet addresses unless they’re absolutely necessary
and configured correctly.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage
of malware, computer espionage, botnets, hardware hacking, encryption, and
passwords. In his spare time, he enjoys gardening, cooking, and following the
independent music scene.
