Researchers Find Over 50 Security Flaws in D-Link NAS, NVR Devices

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

The list of security holes includes information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage issues. Some of the weaknesses can be exploited by remote attackers to execute arbitrary code and take complete control of the targeted device.

SEARCH-LAB researcher Gergely Eberhardt told SecurityWeek that a large majority of the security bugs can be exploited remotely over the Internet.

Experts have conducted an analysis of D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities they have identified also impact DNS-320B, DNS-345, DNS-325, DNS-322L, and possibly other products.

SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor has patched many of the flaws, but there are several issues that remain unfixed. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, the security firm said.

The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users are advised to apply patches, if available, and ensure that their device’s web interface is not exposed on the Internet.

SEARCH-LAB has published a report detailing many of the vulnerabilities. At least ten bugs that have not been patched yet, including some potentially critical ones, will be detailed in an advisory that SEARCH-LAB plans on releasing after June 22. The CVE identifiers CVE-2014-7858, CVE-2014-7859, CVE-2014-7860 and CVE-2014-7857 have been assigned to some of the vulnerabilities.

“Although the speed of the patch release process was quite slow, D-Link at least fixed most of the discovered issues. Their response speed has significantly improved after we informed them of the exact timing of the publication,” Eberhardt said in an email.

D-Link has been contacted for comment but has not replied.

The vulnerabilities detailed in the security firm’s report include ones that have been independently discovered by others. For example, some of the NAS box flaws were previously disclosed by Jacob Holcomb, a security analyst at Independent Security Evaluators. However, Eberhardt says he is fairly sure that at least 12 of the vulnerabilities have not been disclosed by others. The researcher has noted that it’s difficult to get an exact number because of the generic vulnerability descriptions in some of the earlier reports.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.