D-LINK DNS Product Security Update Advisory (CVE-2024-3272, CVE-2024-3273)
Overview
D-LINK has released a security update to fix vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-3272
- DNS-320L versions 1.11, 1.03.0904.2013, 1.01.0702.2013
- DNS-325 version 1.01
- DNS-327L versions 1.09, 1.00.0409.2013
- DNS-340L version 1.08
CVE-2024-3273
- DNS-320L versions 1.11, 1.03.0904.2013, 1.01.0702.2013
- DNS-325 version 1.01
- DNS-327L versions 1.09, 1.00.0409.2013
- DNS-340L version 1.08
Resolved Vulnerabilities
Backdoor vulnerability due to hardcoded credentials in nas_sharing.cgi, allowing command injection via the system parameter (CVE-2024-3272)
Command injection vulnerability via the system argument of cgi-bin/nas_sharing.cgi in the HTTP GET request handler component (CVE-2024-3273)
Vulnerability Patches
Please follow the instructions on the Referenced Sites to update to the patched version.
- The affected products have reached end of service life; device retirement and replacement are recommended.
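For devices that stay on the network until they are replaced, requests reaching the affected handler can be found in proxy or web access logs. The following detection sketch is an added example, not part of the original advisory or any D-Link code; it assumes Common/Combined Log Format, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Request part of a Common/Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/cgi-bin/nas_sharing.cgi"  # path named in the advisory
ARGUMENT = "system"                    # argument named for CVE-2024-3273

def classify(line):
    """Return a finding dict if the request targets the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split by hand: urlsplit() would read a leading "//" as a host name.
    raw_path, _, query = m["target"].partition("?")
    # Normalise percent-encoding, repeated slashes and case before comparing.
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if path != ENDPOINT:
        return None
    # keep_blank_values so that "system=" with an empty value still counts.
    params = sorted({k.lower() for k in parse_qs(query, keep_blank_values=True)})
    return {
        "src": m["src"],
        "time": m["ts"],
        "status": int(m["status"]),
        "severity": "high" if ARGUMENT in params else "review",
        "params": params,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE = [
    '198.51.100.7 - - [01/May/2024:10:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?system=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2024:10:00:05 +0000] "GET //cgi-bin//nas%5Fsharing.cgi?x=1&SYSTEM= HTTP/1.1" 200 512',
    '203.0.113.20 - - [01/May/2024:10:02:11 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 404 0',
    '192.0.2.15 - - [01/May/2024:10:03:40 +0000] "GET /index.html?system=1 HTTP/1.1" 200 100',
    'not a log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "high" finding means the request carried the system argument; "review" means the handler was reached without it, which still indicates the device is exposed to the requesting source.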
Referenced Sites
[1] DNS-320L / DNS-325 / DNS-327 / DNS-340L and All D-Link NAS Storage :: All Models and All Revision :: End of Service Life :: Vulnerabilities Reported by VulDB/Netsecfish
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
[2] Command Injection and Backdoor Account in D-Link NAS Devices
https://github.com/netsecfish/dlink
[3] DNS-320L / DNS-325 / DNS-327 / DNS-340L and All D-Link NAS Storage :: All Models and All Revision :: End of Service Life :: CVE-2024-3273 : Vulnerabilities Reported by VulDB/Netsecfish
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383