A second identifier has been assigned to the recently disclosed D-Link network-attached storage (NAS) device vulnerabilities, just as attack attempts have soared.
An individual who uses the online moniker ‘NetworkSecurityFish’ has made public the details of a couple of vulnerabilities that can allow an unauthenticated attacker to hack some D-Link NAS devices.
Attacks can be launched by chaining a hardcoded credentials issue allowing remote access to the device’s web management interface, and a command injection bug. Initially the CVE-2024-3273 was assigned to both flaws, but a second identifier has now been assigned. CVE-2024-3272 is associated with the hardcoded credentials vulnerability and CVE-2024-3273 is for the command injection bug.
D-Link has published an advisory to inform customers about the vulnerabilities, but the vendor is not releasing patches because all of the affected products have reached end of life. The company is urging customers to replace impacted NAS appliances.
NetworkSecurityFish’s advisory lists four impacted NAS device models, which were initially the only ones listed in D-Link’s advisory as well. However, D-Link has now added 16 other DNS-series device models to its advisory.
The first exploitation attempts targeting CVE-2024-3273 and CVE-2024-3272 were observed just days after the vulnerabilities came to light. However, the number of exploitation attempts was initially small.
Threat intelligence firm GreyNoise had only seen attacks coming from a single IP address. The number has now increased to 140 unique IPs.
The Shadowserver Foundation, which has also been tracking exploitation attempts, reported seeing over 150 IPs attempting to exploit the D-Link NAS vulnerabilities as of April 10.
The non-profit cybersecurity organization noted that some of the attacks are associated with Mirai-like botnets, which typically abuse IoT devices to launch DDoS attacks.
The researcher who disclosed the vulnerabilities reported seeing more than 92,000 affected devices connected to the internet, but SecurityWeek noted when the attacks started that the actual number of vulnerable devices appears to be much smaller.
Indeed, GreyNoise reported seeing roughly 5,500 impacted devices, and Shadowserver is seeing approximately 2,400 devices.
The US cybersecurity agency CISA on Thursday added both CVE-2024-3273 and CVE-2024-3272 to its Known Exploited Vulnerabilities catalog, instructing government agencies to address them by May 2. CISA’s catalog includes an additional 16 D-Link product vulnerabilities.
Related: D-Link Says Hacker Exaggerated Data Breach Claims
Related: Western Digital, Synology NAS Vulnerabilities Exposed Millions of Users’ Files
Related: 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
