Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Find Over 50 Security Flaws in D-Link NAS, NVR Devices

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

The list of security holes includes information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage issues. Some of the weaknesses can be exploited by remote attackers to execute arbitrary code and take complete control of the targeted device.

SEARCH-LAB researcher Gergely Eberhardt told SecurityWeek that a large majority of the security bugs can be exploited remotely over the Internet.

Experts have conducted an analysis of D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities they have identified also impact DNS-320B, DNS-345, DNS-325, DNS-322L, and possibly other products.

SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor has patched many of the flaws, but there are several issues that remain unfixed. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, the security firm said.

The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users are advised to apply patches, if available, and ensure that their device’s web interface is not exposed on the Internet.

SEARCH-LAB has published a report detailing many of the vulnerabilities. At least ten bugs that have not been patched yet, including some potentially critical ones, will be detailed in an advisory that SEARCH-LAB plans on releasing after June 22. The CVE identifiers CVE-2014-7858, CVE-2014-7859, CVE-2014-7860 and CVE-2014-7857 have been assigned to some of the vulnerabilities.

“Although the speed of the patch release process was quite slow, D-Link at least fixed most of the discovered issues. Their response speed has significantly improved after we informed them of the exact timing of the publication,” Eberhardt said in an email.

Advertisement. Scroll to continue reading.

D-Link has been contacted for comment but has not replied.

The vulnerabilities detailed in the security firm’s report include ones that have been independently discovered by others. For example, some of the NAS box flaws were previously disclosed by Jacob Holcomb, a security analyst at Independent Security Evaluators. However, Eberhardt says he is fairly sure that at least 12 of the vulnerabilities have not been disclosed by others. The researcher has noted that it’s difficult to get an exact number because of the generic vulnerability descriptions in some of the earlier reports.

Related: Router Vendors Working to Patch NetUSB Driver Vulnerability

Related: D-Link Preparing Firmware Updates to Fix Router Vulnerabilities

Related: D-Link Failed to Patch HNAP Flaws in Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.