Overview

On April 28, 2024, third-party security research from Tesserent (Melbourne, Australia) reported multiple vulnerabilities in the D-Link Nuclias Connect Network Device Management platform.

D-Link takes network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

Report Information  

         - Report by: tesserent _dot_ com 

                      - Julian Muñoz  :: julian_dot_munoz _at_ tesserent _dot_ com 

                      - Damian Gomez :: damian _dot_ gomez@tesserent _dot_ com

         - Report Details (from Author's Report)

           - Public Disclosure Post : Link

           - CVE-2024-37744 - Link (TBD) - Insufficient Access Control  

           - CVE-2024-37746 - Link (TBD) - Directory Traversal Vulnerability

           - CVE-2024-37745 - Link (TBD) - Cross-Site Scripting (XSS) Vulnerability

                      - 1.0 Summary

                         The most critical vulnerabilities stem from inadequate access controls, where a user with the lowest privileges can manipulate private information to gain control over the root admin account. Once the root admin account is compromised, our investigation also uncovered a path traversal vulnerability, which permits users with administrative rights to access sensitive server files. Additionally, issues such as XSS and the insecure practice of storing tokens in local storage could lead to unauthorized access to other user accounts, including that of the root administrator.

                      - 1.1 Insufficient Access Controls (CVSS 3.1: HIGH)

                         Access controls restrict access to sections of an application that may contain sensitive/private information or functions. Insufficient access controls allow an unauthorized user to access sensitive application sections.

                      - 1.2 Directory Traversal (CVSS 3.1: HIGH)

                         Attackers can gain access to underlying system files. Directory Traversal vulnerabilities may occur via poor web server configuration or a vulnerable web application program. An attacker can inject a path to a file outside the web server root and retrieve its contents. An attacker may be able to obtain susceptible information about a web application and the underlying system, such as system usernames, groups, source code, configuration files, log files, and password files. This may allow an attacker to gather enough information about the system or application to enable them to launch further attacks, possibly leading the attacker to compromise the application.

                        - 1.3 Stored Cross Site Scripting (XSS) (CVSS 3.1: MEDIUM)

                         A stored cross-site scripting vulnerability allows an attacker to execute malicious code within a user's browser without the user's consent. In a stored cross-site scripting attack, the attacker tricks the application into injecting malicious code into the application's database. A victim's browser eventually executes that code when the victim requests to execute a particular functionality within the application. The application retrieves and displays the malicious code from the database in response to the request. The attacker typically constructs the code to transmit sensitive information about the user to the attacker. With this sensitive information, the attacker can perform operations on the user's behalf without the user's knowledge or consent. The attacker may also construct the code to redress the page, force the user to download malware or conduct a phishing attack.

                        - 1.4 Insecure Local Storage (CVSS 3.1: LOW)

                         The user's browser stores sensitive data within its local storage. Under certain circumstances, such as an XSS attack or using a shared computer, an attacker can extract/view this sensitive data from the user’s browser storage. With this sensitive information, the attacker can perform operations on the user's behalf without the user's knowledge or consent.

Affected Models

 Regarding the Security Update for Your D-Link Device

Installing software updates is critical in addressing security vulnerabilities in your D-Link devices. D-Link strongly urges all users to install the relevant updates and regularly check for further updates. After downloading the software update, it is essential to ALWAYS validate its success by comparing the software version on your product interface to the software update version.

Please note that beta software, beta firmware, or a hot-fix release is still undergoing rigorous testing before its official release. This ensures that the software is of the highest quality and meets our stringent standards. However, it is essential to understand that the user assumes all risk and liability for its use. D-Link does not provide express or implied warranties regarding the suitability or usability of the beta software, beta firmware, or hot-fix release. D-Link will not be liable for any direct, indirect, special, or consequential loss suffered by any party due to their use of the beta firmware, beta software, or hit-fix release.

NOTE: Our products have different hardware revisions, so please check your device’s hardware revision before downloading the corresponding firmware update. The hardware revision can be found on the product label next to the serial number or on the device's web interface.