Advisory

April 11, 2024: D-Link NAS devices passwordless backdoor vulnerability CVE-2024-3273

Global Impact (at time of dissemination)

• 4,100+ publicly-facing D-Link NAS devices worldwide in total (listed and unlisted models combined)
• 460+ of these hosts expose remote access functionality
• 314+ of these hosts expose VoIP functionality
• Some hosts expose file directories directly to the internet

Top affected countries:
1. UK
2. Russia
3. Germany
4. Italy
5. France


Summary

Censys is aware that on April 4, 2024, the manufacturer D-Link published an advisory for CVE-2024-3273, a vulnerability reported to it by a researcher on March 26, 2024. The vulnerability allows a remote attacker to take over the end-of-life (EOL) network attached storage (NAS) models DNS-320L, DNS-325, DNS-327L, and DNS-340L; D-Link notes, however, that all of its EOL NAS devices are affected.
Note: other sources report more than 92,000 exposed hosts. Censys assesses that those counts likely did not apply the verifiable fingerprinting and asset identification used in the queries behind this advisory.
Asset Description
D-Link NAS (network attached storage) devices let users and organizations attach data storage to a local network for customizable and remote access. The main use case for many of these devices is backing up important, and sometimes sensitive, data.

Impact

According to the discoverer, the vulnerability allows a remote attacker to take control of affected devices through hardcoded credentials that require no password, combined with a command injection flaw.
Successful exploitation could result in data on the compromised NAS being stolen and/or destroyed. This is a significant risk for customers who use D-Link NAS devices to store sensitive data.
An attacker could also use a compromised device to store data of their own choosing (such as malware or other tooling) or, if the device's network position permits, pivot from it to other hosts on the victim's network.

Affected Assets

According to D-Link, the affected models are the EOL NAS devices DNS-320L, DNS-325, DNS-327L, and DNS-340L, but D-Link also states that all of its EOL NAS devices are susceptible.
Censys' Rapid Response Team identified the following nine D-Link NAS models exposed on the internet:
– DNS-320
– DNS-320L
– DNS-320LW
– DNS-325
– DNS-327L
– DNS-340L
– DNS-345
– DNR-202L
– DNR-322L
Censys did not observe any other specific models at the time of publication and therefore cannot fingerprint other models precisely. The queries described below uncover the models listed above that are publicly facing and were recently observed in our scans. Broader queries that return all D-Link NAS devices are also described, since D-Link says every EOL model is affected.
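The model list above is the part of the advisory a defender can act on locally. As an added example (not Censys code, and not the Censys Search or ASM query, which Censys shares with customers only), the following Python helper triages HTTP responses collected from hosts on your own network: it looks for the ShareCenter web UI that the broader Censys query keys on and matches any D-Link model string against the nine models listed above. It assumes that a ShareCenter login page contains the word "ShareCenter" and the model number somewhere in the response; the regular expression, the host addresses and the response bodies are all constructed for this example and are not documented fingerprints.

```python
"""Offline triage of HTTP responses for D-Link ShareCenter NAS devices.

Added example: classifies captured responses against the nine NAS models
named in the Censys advisory for CVE-2024-3273. Anything that looks like a
ShareCenter device but is not one of the nine is still flagged, because
D-Link states that every EOL NAS model is affected.
"""
import re
from typing import Optional

# The nine models Censys observed (taken from the advisory).
ADVISORY_MODELS = frozenset({
    "DNS-320", "DNS-320L", "DNS-320LW", "DNS-325", "DNS-327L",
    "DNS-340L", "DNS-345", "DNR-202L", "DNR-322L",
})

# Assumption for this example: a D-Link NAS model string of the form
# DNS-NNN / DNR-NNN with an optional one- or two-letter suffix appears
# somewhere in the response (title, header, or script). Models with
# four-digit numbers are deliberately not matched by this pattern.
MODEL_RE = re.compile(r"\b(DN[RS]-\d{3}[A-Z]{0,2})\b", re.IGNORECASE)


def extract_model(response: str) -> Optional[str]:
    """Return the first D-Link NAS model string found, upper-cased, or None."""
    m = MODEL_RE.search(response)
    return m.group(1).upper() if m else None


def classify(response: str) -> dict:
    """Triage one HTTP response (status line, headers and body as text).

    Verdicts:
      listed-model        model is one of the nine in the advisory
      dlink-nas-unlisted  ShareCenter UI or a D-Link NAS model string seen,
                          but the model is not in the advisory list
      not-dlink-nas       no indicator of a D-Link NAS
    """
    model = extract_model(response)
    sharecenter = "sharecenter" in response.lower()
    if model in ADVISORY_MODELS:
        verdict = "listed-model"
    elif sharecenter or model is not None:
        verdict = "dlink-nas-unlisted"
    else:
        verdict = "not-dlink-nas"
    return {"model": model, "sharecenter": sharecenter, "verdict": verdict}


def triage(responses: dict) -> dict:
    """Classify a {host: response_text} mapping and return {host: verdict}."""
    return {host: classify(body)["verdict"] for host, body in responses.items()}


# Constructed sample responses (documentation addresses, not real captures).
SAMPLE_RESPONSES = {
    "192.0.2.10": ("HTTP/1.1 200 OK\r\nServer: lighttpd\r\n\r\n"
                   "<html><head><title>ShareCenter DNS-320L</title></head></html>"),
    "192.0.2.11": ("HTTP/1.1 200 OK\r\n\r\n"
                   "<html><head><title>ShareCenter</title></head></html>"),
    "192.0.2.12": ("HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
                   "<html><head><title>Router login</title></head></html>"),
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host}\t{verdict}")
```

Feed it the raw response text of each host's web interface (for example, saved output from your own scanner). Treat every "listed-model" and "dlink-nas-unlisted" host as a candidate for the retirement guidance below; the "unlisted" verdict exists because D-Link's statement covers all EOL NAS models, not only the nine Censys could fingerprint.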

Censys ASM Risk Name for Potentially Vulnerable Devices
Vulnerable D-Link NAS Device [CVE-2024-3273]
This risk flags internet-facing D-Link devices in your ASM workspace that match the model numbers listed above.
Censys ASM customers will see the risk applied to affected assets in their workspaces. Customers enrolled in Rapid Response Automated Risk Alerting will be contacted directly about affected assets.

Censys ASM Query for Exposed Assets
This query finds D-Link devices in your ASM workspace without restricting to specific models, by matching the ShareCenter web UI software that D-Link NAS devices run. It is provided for those who want a broader search that also covers exposed D-Link devices not among the models listed above.

Censys Search Queries

Censys Search queries are shared directly with Censys customers. To obtain the query that identifies global instances related to this issue, or for help using it, please contact us.

Recommendations for remediation

D-Link's guidance is that owners of D-Link devices that have reached EOL/EOS should discontinue their use and/or replace them. Because these devices are EOL, remediation means retirement rather than patching; where immediate replacement is not possible, the device should at minimum not remain reachable from the internet.

If you need assistance in positively identifying these assets, please let us know.

For extended context around this situation, please reference this Censys Research blog.
