D-Link, a leading manufacturer of network-attached storage (NAS) devices, has refused to release a security patch for a critical flaw affecting over 60,000 of its devices. The vulnerability, tracked as CVE-2024-10914, allows an unauthenticated attacker to perform command injection via a crafted HTTP GET request.
The affected D-Link NAS models, including the DNS-320, DNS-325, and DNS-340L, reached their end-of-life/end-of-service date in 2020. Despite numerous requests, D-Link has declined to provide a patch for this issue, stating that products which no longer receive device software updates and security patches are no longer supported.
However, security researcher Netsecfish has warned that the vulnerability is critical with a severity score of 9.2, making it a significant threat to users. The attack complexity might be high, but exploiting the vulnerability is theoretically possible, given the right knowledge and capability.
If you’re using one of these affected models, it’s highly recommended to replace your NAS system with a newer model that still receives patches from the manufacturer. Alternatively, restricting access to your NAS settings menu/interface to only trusted IP addresses or isolating your NAS from the public internet can provide an additional layer of security. Users can also consider downloading third-party firmware from trusted sources.
In the meantime, users can explore other options such as repurposing their old NAS for local backups or media storage, and upgrading to a newer device that is designed to be exposed to the open internet. The importance of staying up to date with security patches cannot be overstated, especially for devices that handle sensitive data, such as NAS systems.
Source: https://www.tomshardware.com/tech-industry/cyber-security