When it comes to household wireless router brands, many people would first think of TP-Link, a household name.
In fact, years ago, there was another brand that was comparable in popularity: D-Link. Although D-Link is not as prominent as it once was, it still exists and thrives, and it is the focus of this article.
So, why bring up D-Link now? Has it recently released any innovative products?
The answer is no. The reason for mentioning it is that a security agency has recently discovered a serious vulnerability in some of D-Link’s NAS products. The vulnerability, identified as “CVE-2024-10914,” has a severity score of 9.2, classifying it as a high-risk vulnerability.
What are the dangers of this vulnerability? It resides in the account_mgr.cgi script: an attacker can place malicious input in the name parameter of an HTTP GET request and have it executed as a command on the device, which is a command injection attack.
The presence of this vulnerability has been confirmed, and the affected D-Link NAS models include DNS-320 version 1.00, DNS-320LW version 1.01.0914.2012, DNS-325 versions 1.01 and 1.02, and DNS-340L version 1.08.
At this point, some might say that security vulnerabilities are normal: no manufacturer can guarantee that their products will be 100% free of them, and if a vulnerability is found, the manufacturer just needs to release an update patch to fix it. However, the situation with the CVE-2024-10914 vulnerability is not so straightforward.
The D-Link NAS products with these vulnerabilities are older models that reached or exceeded their promised support period over four years ago. As a result, D-Link has stated that it will not release a patch to fix the CVE-2024-10914 vulnerability and advises users to stop using these products.
With no security patch coming from D-Link, users of the aforementioned NAS models must take this seriously.
Whether for home or business use, NAS devices often serve as data storage hubs and may hold a large amount of critical, sensitive information. The mechanism behind the CVE-2024-10914 vulnerability is now publicly known, so an attack exploiting it is a real possibility, and it is vital not to be complacent.
The simplest solution is, as D-Link recommends, to discontinue and replace these vulnerable NAS products entirely. However, this may be costly.
If immediate replacement is not feasible and continued use is necessary, it is advisable for users to adjust certain security settings on the NAS, such as restricting access to trusted IP addresses only and isolating the NAS from the internet to ensure that only authorized users can access it.
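For devices that stay in service, both points above (the injection through the name parameter of account_mgr.cgi and the advice to allow only trusted addresses) can be checked from access logs. The following is an added example, not part of the original article and not D-Link code: it assumes a gateway or reverse proxy in front of the NAS that writes common-format access logs, and the trusted network, the allowed-name pattern, the /cgi-bin/ path prefix and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: only this network should ever reach the NAS management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]
# Assumption: legitimate account names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Common/combined log format prefix: client address, timestamp, request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

# Constructed sample lines (documentation addresses, hypothetical /cgi-bin/ prefix).
SAMPLE_LOG = [
    '192.168.10.25 - - [12/Nov/2024:09:14:02 +0000] "GET /cgi-bin/account_mgr.cgi?name=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Nov/2024:09:15:40 +0000] "GET /cgi-bin/account_mgr.cgi?name=alice%3Bexample HTTP/1.1" 200 498',
    '192.168.10.25 - - [12/Nov/2024:09:16:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def is_trusted(client):
    """True if the client address falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the log: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED_NETS)

def check_line(line):
    """Return findings for one log line; an empty list means nothing to report."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/account_mgr.cgi"):
        return []
    findings = [] if is_trusted(client) else ["untrusted-source"]
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    names = parse_qs(url.query, keep_blank_values=True).get("name", [])
    if any(not SAFE_NAME.fullmatch(n) for n in names):
        findings.append("suspicious-name")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that needs review."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := check_line(line))]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(lineno, ", ".join(findings))
```

Any "untrusted-source" finding means the address restriction is not in effect for that path, regardless of what the name parameter contained.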
Time flies—back in the 2000s, the author even used D-Link switches. Now, 20 years later, it’s surprising that attention to the D-Link brand comes in the context of a security vulnerability, which is somewhat awkward. Hopefully, D-Link will learn from this, continually improve, and ensure the performance, user experience, and security of its products.