DNS-320 / DNS-320L / DNR-322L / DNS-325 / DNS-327L / DNS-340L / DNR-326 :: CVE-2014-7857 Thru CVE-2014-7860 :: Multiple Vulnerabilities

Overview

D-Link Corporation recommends that all network attached storage devices and network video recorders be connected behind an adequate firewall that restricts access to the local LAN only. Until the report is completely verified and patches are available where necessary, we do not recommend exposing these D-Link devices to Internet traffic.

A third party has performed an independent security assessment of D-Link storage devices. The report identifies unique vulnerabilities in these products, found using the publicly available firmware, classified as:

  • Authentication can be bypassed.
  • Some implemented security features may introduce command injection exploits.
  • Unauthenticated file upload.
  • Default users (root, nobody) can be used during authentication, and the administrator cannot change the default (empty) password of these users from the device web GUI.

References

SEARCH-LAB :: Link :: Disclosure May 27, 2015

SEARCH-LAB :: Link :: Original Report :: Initially July 30, 2014

CVE-2014-7857 :: Authentication bypass vulnerability

CVE-2014-7858 :: Check_login bypass vulnerability in DNR-326

CVE-2014-7859 :: Buffer overflow in login_mgr.cgi and in file_sharing.cgi

CVE-2014-7860 :: Unauthenticated photo publish

Description



The third party has published details in a full report linked in the References section. In order to maintain the authenticity of the report, we recommend that any questions be directed to the third party at this time.

Recommendations

All devices on your network should have log-in credentials. If your network has WiFi, make sure WiFi encryption keys are enabled. For devices that cannot notify the owner of new software updates, check for updates from the device manufacturer. For D-Link devices you can find them at http://support.dlink.com

Immediately update to the patched firmware referenced in the table below once it is made available. Please continue to monitor this page for further updates and disclosures.

D-Link recommends that the remote network management feature of your D-Link device be disabled (the factory default is disabled) to mitigate a malicious remote user using this vulnerability to exploit your device. If remote network management is disabled, a malicious user would need to be on the local side of the network, or to have compromised another device on the network that could be used to attack the device.

D-Link recommends that all PCs (Windows or Mac) be kept up-to-date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

WiFi encryption reduces the risk of this vulnerability if the device Web GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web GUI, in order to monitor the traffic and intercept the cookie.

The default configuration of D-Link's devices is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing and securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices, so that security risks for your entire network are minimized.

Affected Product

For products with firmware labeled "Hot-Fix Beta", the product is beyond its service life-cycle, so there is no further support or development. Hot-Fix Betas are patches to the firmware that have been spot-tested for the correction of a firmware bug or security issue. These Hot-Fix Betas do not receive the comprehensive QA and security test plans that active life-cycle products receive.

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.

Model Name   HW Version   Vulnerable FW Versions                    Latest FW Versions (include fixes)
DNS-320      Rev. Ax      F/W ver. 2.03 and below                   v2.06b01
DNS-320      Rev. Bx      F/W ver. 1.02b01 and below                v1.03b03 Hot-Fix Beta
DNS-320L     Rev. Ax      F/W ver. 1.03b04 and below                v1.11b01
DNR-322L     Rev. Ax      F/W ver. 2.00b07 and below                v2.60b15 Hot-Fix Beta
DNR-322L     Rev. Bx      F/W ver. 1.0 WW (Worldwide Non-US SKU)    v1.03b01 Hot-Fix Beta
DNS-325      Rev. Ax      F/W ver. 1.05b03 and below                v1.05b09 Hot-Fix Beta
DNR-326      Rev. Ax      F/W ver. 1.40b03 and below                v2.70b04 Hot-Fix Beta
DNS-327L     Rev. Ax      F/W ver. 1.02 and below                   v1.10b02
DNS-345      Rev. Ax      F/W ver. 1.03b06 and below                v1.05b04 Hot-Fix Beta

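As an added example (not part of the D-Link advisory), the following Python inventory check encodes the affected-product table above and classifies each device's running firmware against it. The version parser, the hostnames and the sample inventory are my own constructions, and a version with no bNN build suffix is assumed to cover every build of that release.

```python
import re

# Affected-product table transcribed from the advisory: (model, HW rev) ->
# (highest F/W version listed as vulnerable, F/W version that includes the fix).
ADVISORY_TABLE = {
    ("DNS-320", "Ax"):  ("2.03",    "v2.06b01"),
    ("DNS-320", "Bx"):  ("1.02b01", "v1.03b03 Hot-Fix Beta"),
    ("DNS-320L", "Ax"): ("1.03b04", "v1.11b01"),
    ("DNR-322L", "Ax"): ("2.00b07", "v2.60b15 Hot-Fix Beta"),
    ("DNR-322L", "Bx"): ("1.0",     "v1.03b01 Hot-Fix Beta"),  # page lists only "1.0 WW"
    ("DNS-325", "Ax"):  ("1.05b03", "v1.05b09 Hot-Fix Beta"),
    ("DNR-326", "Ax"):  ("1.40b03", "v2.70b04 Hot-Fix Beta"),
    ("DNS-327L", "Ax"): ("1.02",    "v1.10b02"),
    ("DNS-345", "Ax"):  ("1.03b06", "v1.05b04 Hot-Fix Beta"),
}
_VERSION_RE = re.compile(r"(?:v|F/W\s*ver\.?)?\s*(\d+)\.(\d+)(?:b(\d+))?", re.I)
_ANY_BUILD = 10**6  # assumption: "2.03" with no bNN suffix covers every build of 2.03

def parse_fw_version(text: str) -> tuple:
    """Map '2.03', 'v1.02b01' or '2.60b15 Hot-Fix Beta' to a comparable (major, minor, build)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised D-Link firmware version: {text!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build) if build else _ANY_BUILD)

def normalize_hw_rev(text: str) -> str:
    # 'Rev. A1', 'B2' or 'ax' (as printed on the label) -> the table's 'Ax' / 'Bx' form
    m = re.search(r"\b([A-Za-z])(?:x|\d+)?\b", text)
    if not m:
        raise ValueError(f"unrecognised hardware revision: {text!r}")
    return m.group(1).upper() + "x"

def check_device(model: str, hw_rev: str, fw_version: str) -> str:
    """Verdict for one device: 'VULNERABLE: update to <fixed>', 'OK: ...', or 'UNKNOWN: ...'."""
    entry = ADVISORY_TABLE.get((model.upper(), normalize_hw_rev(hw_rev)))
    if entry is None:
        return "UNKNOWN: model/revision not in the advisory table"
    highest_vulnerable, fixed = entry
    if parse_fw_version(fw_version) <= parse_fw_version(highest_vulnerable):
        return f"VULNERABLE: update to {fixed}"
    return "OK: above the listed vulnerable range"

SAMPLE_INVENTORY = [  # constructed: (hostname, model, HW rev as on the label, running F/W)
    ("nas-01", "DNS-320",  "Rev. A1", "2.03"),
    ("nas-02", "DNS-320L", "A1",      "1.11b01"),
    ("nvr-01", "DNR-322L", "B1",      "1.0 WW"),
    ("nas-03", "DNS-340L", "A1",      "1.00"),  # in the advisory title but not in the table
]

def audit(inventory=SAMPLE_INVENTORY) -> dict:
    return {host: check_device(model, rev, fw) for host, model, rev, fw in inventory}
```

The conservative build-number assumption means a device reporting 2.03b07 on a DNS-320 Rev. Ax is still flagged, which is the direction an asset owner wants to err in.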
Firmware updates often address security vulnerabilities in the devices that may be exploited by Internet attacks such as ransomware. However, once a device is infected, firmware updates will not restore your data. Antivirus companies have created new tools to address past ransomware attacks and may develop decryption tools to address the Cr1ptT0r ransomware in the future. Until that time, to better protect your devices from Internet viruses, malware and ransomware:
1. Do not connect these devices directly to the Internet, and do not port-forward services to them directly from the Internet.
2. Keep device firmware up-to-date.
3. Any computer accessing information on these devices should have appropriate antivirus and malware protection enabled.
4. Make regular back-ups of the information stored on these devices in case disaster recovery is needed.
DNS-320 Ax/Bx, DNS-325 Ax, and DNS-345 Ax have passed their end-of-service date, as displayed on their product support pages. For these models, please remove the NAS's Internet access on your router by disabling the port-forwarding and DMZ settings.


Once a product reaches end of service, it is no longer supported by D-Link customer support and it does not receive software/firmware updates.
D-Link's End of Life policy can be found here: https://www.dlink.com/en/eol-policy


Please also check the regional website for the most updated EOL product information.