Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Find Over 50 Security Flaws in D-Link NAS, NVR Devices

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

The list of security holes includes information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage issues. Some of the weaknesses can be exploited by remote attackers to execute arbitrary code and take complete control of the targeted device.

SEARCH-LAB researcher Gergely Eberhardt told SecurityWeek that a large majority of the security bugs can be exploited remotely over the Internet.

Experts have conducted an analysis of D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities they have identified also impact DNS-320B, DNS-345, DNS-325, DNS-322L, and possibly other products.

SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor has patched many of the flaws, but there are several issues that remain unfixed. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, the security firm said.

The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users are advised to apply patches, if available, and ensure that their device’s web interface is not exposed on the Internet.

Advertisement. Scroll to continue reading.

SEARCH-LAB has published a report detailing many of the vulnerabilities. At least ten bugs that have not been patched yet, including some potentially critical ones, will be detailed in an advisory that SEARCH-LAB plans on releasing after June 22. The CVE identifiers CVE-2014-7858, CVE-2014-7859, CVE-2014-7860 and CVE-2014-7857 have been assigned to some of the vulnerabilities.

“Although the speed of the patch release process was quite slow, D-Link at least fixed most of the discovered issues. Their response speed has significantly improved after we informed them of the exact timing of the publication,” Eberhardt said in an email.

D-Link has been contacted for comment but has not replied.

The vulnerabilities detailed in the security firm’s report include ones that have been independently discovered by others. For example, some of the NAS box flaws were previously disclosed by Jacob Holcomb, a security analyst at Independent Security Evaluators. However, Eberhardt says he is fairly sure that at least 12 of the vulnerabilities have not been disclosed by others. The researcher has noted that it’s difficult to get an exact number because of the generic vulnerability descriptions in some of the earlier reports.

Related: Router Vendors Working to Patch NetUSB Driver Vulnerability

Related: D-Link Preparing Firmware Updates to Fix Router Vulnerabilities

Related: D-Link Failed to Patch HNAP Flaws in Routers

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.