D-Link in a Pickle: CISA Flags Critical NAS Security Flaws for Immediate Fix

CISA’s latest plot twist: D-Link’s NAS devices feature not one, but two ‘come-hack-me’ signposts for cyber ne’er-do-wells. Cue the federal scramble to patch up before hackers RSVP with mischief. #CybersecurityDrama #PatchItLikeItsHot

Hot Take:

Well, well, well, if it isn’t our old friend, “Hard-Coded Credentials,” back at it again with a side of “Command Injection.” It’s like a cyber villain’s favorite snack combo. And the Cybersecurity and Infrastructure Security Agency (CISA) is that overworked waiter who keeps updating the menu with these spicy specials. Bon appétit, hackers! Agencies, you’ve got some work to do, and this time it isn’t patching: D-Link has confirmed these NAS models are end-of-life, so the only fix is to retire and replace them before the data breach buffet opens.

Key Points:

  • CISA has added two new “No Trespassing” signs, CVE-2024-3272 and CVE-2024-3273, to its Known Exploited Vulnerabilities Catalog, and a flaw only gets on that list once hackers have already spray-painted it with graffiti.
  • Both vulnerabilities live in /cgi-bin/nas_sharing.cgi on four D-Link NAS models (DNS-320L, DNS-325, DNS-327L and DNS-340L): a hard-coded user account and a command injection through the “system” argument, each reachable remotely with an HTTP GET request. Exposing one of these boxes to the internet is the digital equivalent of leaving your diary in a public park.
  • Under BOD 22-01, federal agencies have homework: remediate these issues by the catalog due date, before they turn into cyber sob stories.
  • Even though BOD 22-01 is like a strict parent for federal agencies, CISA is nudging everyone else to follow the curfew too.
  • Imagine the Known Exploited Vulnerabilities Catalog as a ‘Most Wanted’ list, but for code flaws. It’s getting thicker by the minute!

Title: D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi hard-coded credentials
CVE ID: CVE-2024-3272
CVE state: PUBLISHED
CVE assigner short name: VulDB
CVE date updated: 04/11/2024
CVE description: ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Title: D-Link DNS-320L/DNS-325/DNS-327L/DNS-340L HTTP GET Request nas_sharing.cgi command injection
CVE ID: CVE-2024-3273
CVE state: PUBLISHED
CVE assigner short name: VulDB
CVE date updated: 04/05/2024
CVE description: ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
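As an added example (not part of the original post, and not D-Link's or VulDB's code), here is a small Python detector that scans web-server access logs for the request pattern the two CVE entries above describe: GET requests to /cgi-bin/nas_sharing.cgi whose user argument is messagebus, or that carry a system argument at all. The log lines are constructed for the example, the Common Log Format parser is an assumption about how the NAS (or a reverse proxy in front of it) logs, and the detector deliberately flags any system argument regardless of its value, because the page does not say how a real payload is encoded and the detection should not depend on it.

```python
"""Flag HTTP requests matching the CVE-2024-3272 / CVE-2024-3273 pattern in web access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). Hosts use documentation address ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus HTTP/1.1" 200 512
203.0.113.10 - - [11/Apr/2024:10:01:03 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus&system=id HTTP/1.1" 200 128
198.51.100.7 - - [11/Apr/2024:10:05:44 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice HTTP/1.1" 200 2048
198.51.100.7 - - [11/Apr/2024:10:06:01 +0000] "GET /web/login.html HTTP/1.1" 200 4096
192.0.2.5 - - [11/Apr/2024:10:09:13 +0000] "GET /cgi-bin/NAS_SHARING.CGI?system=%75name HTTP/1.1" 200 96
192.0.2.5 - - [11/Apr/2024:10:09:20 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 96
"""

# Common Log Format (assumed): client ident authuser [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

VULN_PATH = "/cgi-bin/nas_sharing.cgi"
HARDCODED_USER = "messagebus"   # the user value named in CVE-2024-3272
INJECTION_PARAM = "system"      # the argument named in CVE-2024-3273


def analyze_request(target):
    """Return the list of indicators found in one request target (path plus query string)."""
    parts = urlsplit(target)
    # Normalize percent-encoding and case so /cgi-bin/NAS_SHARING.CGI is not missed
    if unquote(parts.path).lower() != VULN_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    indicators = []
    # Case-insensitive on purpose: this is detection, so lean towards flagging
    if any(v.strip().lower() == HARDCODED_USER for v in params.get("user", [])):
        indicators.append("CVE-2024-3272 hard-coded user")
    # Any 'system' argument is flagged, whatever its value or encoding
    if INJECTION_PARAM in params:
        indicators.append("CVE-2024-3273 command-injection argument")
    return indicators


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = analyze_request(m["target"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "time": m["time"],
                "status": int(m["status"]),
                "target": m["target"],
                "indicators": indicators,
            })
    return findings


def summarize_by_source(findings):
    """Group indicators by client IP so a scanning host shows up as a single line."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["indicators"])
    return {ip: sorted(inds) for ip, inds in by_ip.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["time"], f["status"], "|", ", ".join(f["indicators"]))
    for ip, inds in summarize_by_source(hits).items():
        print(ip, "->", "; ".join(inds))
```

A 200 status on a flagged request is the line to escalate: on these devices a successful hit means the hard-coded account worked or the injected command ran, so the box should be treated as compromised, not just probed.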

Need to know more?

When "Oops" Is an Understatement

So here's the gossip: CISA has added CVE-2024-3272 and CVE-2024-3273 to its Known Exploited Vulnerabilities Catalog, which means somebody is already using them in the wild. The affected D-Link NAS boxes (DNS-320L, DNS-325, DNS-327L and DNS-340L) are about as secure as a screen door on a submarine. One flaw is a hard-coded account reachable through /cgi-bin/nas_sharing.cgi; the other lets the "system" argument of a request run commands on the device. Either one is like leaving your keys in the car with a "Steal me" sign, and plenty of these cars are parked on the open internet. The extra wrinkle: D-Link has confirmed these models are end-of-life, so no firmware update is coming.

Homework for the Feds, Guidance for the Rest

BOD 22-01 is not just a string of letters and numbers: it's a Binding Operational Directive. Think of it as a stern teacher handing out assignments to federal agencies, with the Known Exploited Vulnerabilities Catalog serving as the textbook, and each catalog entry comes with its own due date. This is one of those classes where doing the homework isn't just for a good grade; it's for not getting hacked to oblivion. For these two entries the assignment isn't "install the update," because there isn't one: the vendor has confirmed the hardware is end-of-life, and the required action is to retire and replace it.

No Agency Left Behind

Just because BOD 22-01 only has jurisdiction over the federal playground doesn't mean the rest of the kids can't play by the rules. CISA is that cool uncle telling everyone, "Hey, these vulnerabilities are serious business," and urging everyone to act faster than you can say "cybersecurity hygiene." For an end-of-life NAS that means pulling it off the network and replacing it; if that can't happen today, at least make sure it isn't reachable from the internet, since both flaws are triggered by a plain HTTP GET request.

The Catalog of Digital Dread

Ever wonder what keeps your friendly neighborhood IT person up at night? It might just be the Known Exploited Vulnerabilities Catalog. This list is like a who's who of software's most unwanted, with one admission rule: CISA only adds a CVE once there is evidence it is being exploited in the wild, which is exactly why it works as a remediation-priority list rather than a trivia collection. And CISA isn't shy about adding new members to the club. They're on a mission to tackle these cyber threats one CVE at a time, even if it means the list ends up longer than a CVS receipt.
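Consuming the catalog is a job for a script, not a spreadsheet. As an added example (not part of the original post and not CISA's own tooling), the Python below parses a KEV-shaped JSON document, matches it against a device inventory, and reports due-date and remediation status for each hit. The field names follow CISA's published JSON feed; the two entries, their dates and action text, the inventory, and the model list (taken from the two CVE descriptions earlier on this page, since a catalog entry only says "Multiple NAS Devices") are all constructed or assumed for the example. The end-of-life check is a keyword heuristic of mine, not anything the catalog defines.

```python
"""Match a device inventory against KEV-style entries and compute BOD 22-01 due-date status."""
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the feed; the dates, descriptions and action text are illustrative only.
SAMPLE_KEV_JSON = """{
  "title": "Sample KEV extract (constructed for this example)",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2024-3272", "vendorProject": "D-Link", "product": "Multiple NAS Devices",
     "vulnerabilityName": "D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability",
     "dateAdded": "2024-04-11",
     "shortDescription": "nas_sharing.cgi accepts a hard-coded user account.",
     "requiredAction": "Affected products are end-of-life; retire and replace per vendor instructions.",
     "dueDate": "2024-05-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2024-3273", "vendorProject": "D-Link", "product": "Multiple NAS Devices",
     "vulnerabilityName": "D-Link Multiple NAS Devices Command Injection Vulnerability",
     "dateAdded": "2024-04-11",
     "shortDescription": "The system argument of nas_sharing.cgi allows command injection.",
     "requiredAction": "Affected products are end-of-life; retire and replace per vendor instructions.",
     "dueDate": "2024-05-02", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Models named in the CVE descriptions; the KEV entry itself only says "Multiple NAS Devices".
AFFECTED_MODELS = {
    "CVE-2024-3272": {"DNS-320L", "DNS-325", "DNS-327L", "DNS-340L"},
    "CVE-2024-3273": {"DNS-320L", "DNS-325", "DNS-327L", "DNS-340L"},
}

# Hypothetical inventory, constructed for the example.
INVENTORY = [
    {"hostname": "nas-01", "vendor": "D-Link", "model": "DNS-320L", "internet_exposed": True},
    {"hostname": "nas-02", "vendor": "D-Link", "model": "dns-340l", "internet_exposed": False},
    {"hostname": "nas-03", "vendor": "D-Link", "model": "DNS-343", "internet_exposed": True},
    {"hostname": "backup-01", "vendor": "Synology", "model": "DS920+", "internet_exposed": False},
]


def load_kev(text):
    """Parse KEV JSON and index the entries by CVE ID."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def remediation_kind(entry):
    """Keyword heuristic (an assumption, not a catalog field): end-of-life gear gets retired, not patched."""
    action = entry["requiredAction"].lower()
    if "end-of-life" in action or "retire" in action:
        return "retire-or-replace"
    return "apply-vendor-update"


def match_inventory(inventory, kev, affected_models, today_iso):
    """Return one finding per (device, CVE) pair with due-date, exposure and remediation status."""
    today = date.fromisoformat(today_iso)
    findings = []
    for device in inventory:
        model = device["model"].upper()   # tolerate inconsistent casing in the inventory
        for cve_id, models in affected_models.items():
            entry = kev.get(cve_id)
            if entry is None or device["vendor"] != entry["vendorProject"] or model not in models:
                continue
            findings.append({
                "hostname": device["hostname"],
                "cveID": cve_id,
                "dueDate": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
                "action": remediation_kind(entry),
                # An end-of-life box reachable from the internet is the one to deal with first
                "priority": "urgent" if device["internet_exposed"] else "scheduled",
            })
    # Urgent findings first, then a stable order by host and CVE
    return sorted(findings, key=lambda f: (f["priority"] != "urgent", f["hostname"], f["cveID"]))


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for f in match_inventory(INVENTORY, kev, AFFECTED_MODELS, "2024-05-10"):
        status = "OVERDUE" if f["overdue"] else "due " + f["dueDate"]
        print(f"{f['hostname']:10} {f['cveID']}  {status:15} {f['action']:20} {f['priority']}")
```

The model mapping is the part that needs human care: the catalog names vendors and product families, not SKUs, so someone has to translate "Multiple NAS Devices" into the models actually sitting in the rack before the script can do anything useful.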

So, What's the Moral of the Story?

If there's something strange in your network neighborhood, who you gonna call? Probably CISA. But in the meantime, it might be wise to not wait around for the haunting: find every DNS-320L, DNS-325, DNS-327L and DNS-340L you still own, get it off the internet, check its web logs for requests to /cgi-bin/nas_sharing.cgi, and plan its replacement. These pesky vulnerabilities will never be patched, and they will happily take care of your data if you let them.

Tags: CISA vulnerabilities catalog, Command Injection, CVE-2024-3272, CVE-2024-3273, D-Link NAS vulnerabilities, federal cybersecurity, Hard-Coded Credentials