Critical D-Link NAS Vulnerability Left Unpatched, Affecting 61,000+ Devices


A severe security flaw affecting over 61,000 D-Link network-attached storage (NAS) devices will remain unpatched, leaving users vulnerable to potential attacks. The company has announced it will not address this critical security issue due to the affected models reaching their end-of-life status.

The vulnerability, identified as CVE-2024-10914, allows unauthorized attackers to inject malicious commands into certain D-Link NAS devices. This flaw received a critical severity score of 9.2 out of 10, highlighting its potential for causing significant harm.

Affected models include:

  • DNS-320 (Version 1.00)
  • DNS-320LW (Version 1.01.0914.2012)
  • DNS-325 (Version 1.01 and 1.02)
  • DNS-340L (Version 1.08)

These devices are primarily used by small and medium-sized businesses, making the lack of a fix particularly concerning for this sector.

The vulnerability stems from insufficient input sanitization in the device's account management script. Attackers can exploit this weakness by sending a specially crafted HTTP GET request to the device's IP address, potentially gaining control over the NAS and accessing stored data.
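To make the vulnerability class concrete, here is an added Python example (not D-Link's code, and not the device's actual script) showing the pattern the article describes: a username from a GET parameter concatenated into a shell command, a hardened handler that allowlists the input and calls the command as an argument list with no shell, and a simple check over web-server access logs that flags requests to the account script whose parameter values fail the same allowlist. The script path `/cgi-bin/account_script.cgi`, the `user` parameter, the `adduser` command and the log lines are all constructed placeholders; `echo` stands in for the real account command so the hardened path runs anywhere.

```python
"""Added example: command-injection pattern, hardened handler, and a log check.
Not D-Link's code. Script path, parameter name, command and log lines are
constructed placeholders, not values from the affected firmware."""
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

# Strict allowlist for a username that will ever reach a command line.
# Input outside this set is rejected outright, not escaped.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Hypothetical endpoint and parameter standing in for the account script.
ACCOUNT_SCRIPT = "/cgi-bin/account_script.cgi"   # placeholder path
USER_PARAMS = {"user"}                           # placeholder parameter name


def unsafe_command_line(username: str) -> str:
    """Vulnerable pattern: request input concatenated into a shell command.
    The string is only built here, never executed."""
    return "adduser " + username


def shell_command_count(cmdline: str) -> int:
    """Count the separate commands a POSIX shell would see in cmdline.
    Shows why concatenation is unsafe: tainted input adds whole commands."""
    lexer = shlex.shlex(cmdline, punctuation_chars=True)
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def validate_username(username: str) -> bool:
    """Allowlist check used by both the handler and the log scanner."""
    return USERNAME_RE.fullmatch(username) is not None


def add_account_safely(username: str) -> str:
    """Hardened handler: validate first, then run with an argument list and no
    shell, so metacharacters in the input are passed as data, not parsed.
    `echo` is a harmless stand-in for the real account command."""
    if not validate_username(username):
        raise ValueError("rejected username")
    result = subprocess.run(["echo", username], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2024:10:00:01 +0000] '
    '"GET /cgi-bin/account_script.cgi?cmd=add&user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2024:10:00:07 +0000] '
    '"GET /cgi-bin/account_script.cgi?cmd=add&user=alice%3B%20id HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Nov/2024:10:00:09 +0000] '
    '"GET /index.html HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def suspicious_requests(log_lines, script_path=ACCOUNT_SCRIPT):
    """Flag GET requests to the account script whose user parameter fails the
    allowlist. Returns (client_ip, {param: [values]}) per flagged line."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != script_path:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        bad = {k: v for k, v in params.items()
               if k in USER_PARAMS and not all(validate_username(x) for x in v)}
        if bad:
            flagged.append((line.split()[0], bad))
    return flagged


if __name__ == "__main__":
    print(shell_command_count(unsafe_command_line("alice; id")))  # 2 commands
    print(add_account_safely("alice"))
    for ip, bad in suspicious_requests(SAMPLE_LOG):
        print("flagged", ip, bad)
```

The design point is that the hardened handler does not try to escape the dangerous characters; it rejects anything outside a narrow allowlist and never hands the value to a shell at all. The same allowlist, applied to decoded query values in the access log, gives a cheap retrospective check for devices that cannot be patched and must instead be isolated and watched.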

While D-Link acknowledges the severity of the issue, the company has confirmed that no patch will be released due to the end-of-service status of these models. Instead, they recommend users take the following precautions:

  1. Retire and replace affected devices with newer, supported models
  2. Isolate vulnerable NAS devices from the public internet
  3. Implement strict firewall rules to limit access
  4. Regularly update device credentials and enable encryption
  5. Consider using third-party firmware (for advanced users)

This situation underscores the risks associated with using outdated hardware that no longer receives security updates. Users of affected D-Link NAS devices should prioritize upgrading to newer models or implementing robust security measures to protect their data from potential breaches.