Researchers Find Over 50 Security Flaws in D-Link NAS, NVR Devices

SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems, has identified more than 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link.

The list of security holes includes information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage issues. Some of the weaknesses can be exploited by remote attackers to execute arbitrary code and take complete control of the targeted device.

SEARCH-LAB researcher Gergely Eberhardt told SecurityWeek that a large majority of the security bugs can be exploited remotely over the Internet.

Experts have conducted an analysis of D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities they have identified also impact DNS-320B, DNS-345, DNS-325, DNS-322L, and possibly other products.

SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor has patched many of the flaws, but there are several issues that remain unfixed. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, the security firm said.

The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users are advised to apply patches, if available, and ensure that their device’s web interface is not exposed on the Internet.

SEARCH-LAB has published a report detailing many of the vulnerabilities. At least ten bugs that have not been patched yet, including some potentially critical ones, will be detailed in an advisory that SEARCH-LAB plans on releasing after June 22. The CVE identifiers CVE-2014-7858, CVE-2014-7859, CVE-2014-7860 and CVE-2014-7857 have been assigned to some of the vulnerabilities.

“Although the speed of the patch release process was quite slow, D-Link at least fixed most of the discovered issues. Their response speed has significantly improved after we informed them of the exact timing of the publication,” Eberhardt said in an email.

D-Link has been contacted for comment but has not replied.

The vulnerabilities detailed in the security firm’s report include ones that have been independently discovered by others. For example, some of the NAS box flaws were previously disclosed by Jacob Holcomb, a security analyst at Independent Security Evaluators. However, Eberhardt says he is fairly sure that at least 12 of the vulnerabilities have not been disclosed by others. The researcher has noted that it’s difficult to get an exact number because of the generic vulnerability descriptions in some of the earlier reports.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
