Slashdot: D-Link Won’t Fix Critical Flaw Affecting 60,000 Older NAS Devices

Source URL: https://it.slashdot.org/story/24/11/11/2158210/d-link-wont-fix-critical-flaw-affecting-60000-older-nas-devices?utm_source=rss1.0mainlinkanon&utm_medium=feed
Source: Slashdot
Title: D-Link Won’t Fix Critical Flaw Affecting 60,000 Older NAS Devices

AI Summary and Description: Yes

Summary: D-Link has announced no patch for a critical command injection vulnerability affecting over 60,000 NAS devices, urging users to either retire or isolate the devices. This situation emphasizes significant risks for small businesses relying on vulnerable hardware, reminding security professionals of ongoing hardware security challenges.

Detailed Description: D-Link’s decision not to release a fix for a critical vulnerability, CVE-2024-10914, impacting a range of their network-attached storage (NAS) devices raises serious concerns about hardware security and the risk management strategies of small businesses. This vulnerability allows unauthenticated attackers to execute arbitrary commands via unsanitized HTTP requests, emphasizing the importance of proactive device management.

Key points include:

– **Critical Vulnerability**: CVE-2024-10914 is reachable through the devices’ exposed web interface and requires no authentication, giving affected devices a severe risk profile.

– **Affected Models**: The flaw impacts popular D-Link NAS models often used by small businesses, specifically:
  – DNS-320 Version 1.00
  – DNS-320LW Version 1.01.0914.2012
  – DNS-325 Version 1.01 and 1.02
  – DNS-340L Version 1.08

– **User Recommendations**: D-Link advises users to either retire the vulnerable devices or isolate them from public internet access. Because no update will be released, the burden of mitigating the risk shifts from the vendor to the end users.

– **Discovery of Multiple Flaws**: The recent announcement follows another serious vulnerability (CVE-2024-3273) also discovered in D-Link devices, demonstrating ongoing security issues with the brand’s hardware.

– **Scope of Impact**: A search conducted by Netsecfish identified over 61,000 vulnerable devices spread across nearly 41,000 unique IP addresses, underscoring the widespread nature of the issue.

This situation calls for increased awareness and prompt action from security and compliance professionals managing hardware assets, particularly in small business settings where budget constraints may limit options for immediate upgrades or replacements. Regular assessments of device security and a working vulnerability management process are essential.