D-Link working on plugging some of the security holes

May 29, 2015 14:30 GMT  ·  By
Owners of a DNS-320L NAS from D-Link should keep an eye out for firmware updates

An independent security evaluation of three network-attached storage devices and one network video recorder from D-Link revealed a total of 53 vulnerabilities, some of which the vendor has yet to address.

Security testing company SEARCH-LAB started its assessment in 2014 and kept D-Link informed of its findings so that the issues could be resolved as quickly and efficiently as possible.

Solving one issue caused more severe ones to appear

Among the most serious flaws are authentication bypasses, arbitrary file upload and execution of attacker-supplied code on the affected device. Some of the attacks do not even require exploiting a programming or design weakness.

SEARCH-LAB says the evaluation focused on the DNS-320 (Revision A, firmware 2.03), DNS-320L (1.03b04), DNS-327L (1.02) and DNR-326 (1.40b03), which share parts of their firmware code.

The researchers add that other devices are affected by one or more of the identified vulnerabilities, listing the DNS-320B (1.02b01), DNS-345 (1.03b06), DNS-325 (1.05b03) and DNS-322L (2.00b07).

Since receiving the initial report from SEARCH-LAB, D-Link has fixed some of the problems, but the patching process introduced other, more severe issues, such as command injection and the possibility of gaining complete control of the device.

A second vulnerability report coming in June

Following an almost year-long exchange with the manufacturer, the security company released a first advisory that discloses only the vulnerabilities already patched. A second report, scheduled for June 22, will detail the flaws that have not been fixed yet.

SEARCH-LAB obtained CVE identifiers for some of the flaws, such as the check_login bypass in the DNR-326 (CVE-2014-7858), buffer overflows in login_mgr.cgi and file_sharing.cgi (CVE-2014-7859) and an unauthenticated photo publish (CVE-2014-7860).

Another identifier (CVE-2014-7857) covers two authentication bypass vulnerabilities for which patches were attempted but did not fully mitigate the risk. Details on them will be included in the June report.

Gergely Eberhardt is credited with the research and the discovery of the flaws. He advises users to apply the latest firmware updates for the affected products and, just as importantly, not to expose the devices outside the local network.

A good way to do this is to block access from the Internet at the router the devices connect to, keeping in mind that UPnP (Universal Plug and Play) support on the router can still expose them: a UPnP-capable device can ask the router to forward ports to it without any manual configuration, so UPnP should be disabled on the router as well.
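The UPnP caveat can be checked from inside the LAN rather than taken on trust. The script below is an added example, not code from the article, from D-Link or from SEARCH-LAB: it discovers the router's UPnP Internet Gateway Device over SSDP, walks its port-mapping table with the standard WANIPConnection GetGenericPortMappingEntry action, and lists every mapping that hands Internet traffic to a given LAN host, such as a NAS. The 192.168.0.x addresses, the port numbers and the sample replies used for offline testing are all constructed assumptions, not captured from a real router.

```python
"""List the port mappings a UPnP router has opened and flag those that
forward Internet traffic to a LAN host (e.g. a D-Link NAS).
Added example, not from the article or SEARCH-LAB. Uses only the UPnP
IGD 1.0 interface: SSDP discovery, then WANIPConnection
GetGenericPortMappingEntry. Sample replies are constructed for testing."""
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SVC = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEV_NS = "urn:schemas-upnp-org:device-1-0"


def build_msearch(st=IGD_ST, mx=2):
    # SSDP M-SEARCH request sent to the multicast group
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_location(reply):
    # LOCATION header = URL of the gateway's device description document
    for line in reply.decode(errors="replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def find_control_url(description_xml, base_url, service_type=WANIP_SVC):
    # controlURL of the WAN connection service, resolved against base_url
    for svc in ET.fromstring(description_xml).iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == service_type:
            return urllib.parse.urljoin(base_url, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    return None


def build_soap_request(index, service_type=WANIP_SVC):
    # GetGenericPortMappingEntry walks the mapping table one index at a time
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()


def parse_port_mapping(soap_reply):
    # One mapping as a dict; None on a SOAP fault (the gateway answers with
    # UPnP error 713 once the index runs past the end of its table)
    root = ET.fromstring(soap_reply)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    f = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    return {"external_port": int(f["NewExternalPort"]), "protocol": f["NewProtocol"],
            "internal_client": f["NewInternalClient"],
            "internal_port": int(f["NewInternalPort"]),
            "description": f.get("NewPortMappingDescription", "")}


def enumerate_mappings(control_url, service_type=WANIP_SVC, limit=256):
    # Live query against the router; stops at the first fault
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'}
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(
            control_url, data=build_soap_request(index, service_type), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:
            body = err.read()  # gateways return SOAP faults as HTTP 500
        entry = parse_port_mapping(body)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def exposed_to(mappings, lan_host):
    # Mappings that deliver Internet traffic to lan_host (e.g. the NAS's IP)
    return [m for m in mappings if m["internal_client"] == lan_host]


# Constructed sample replies for offline testing (not from a real router)
SAMPLE_SSDP_REPLY = (f"HTTP/1.1 200 OK\r\nST: {IGD_ST}\r\n"
                     "LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n\r\n").encode()
SAMPLE_MAPPING_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
                        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SVC}">'
                        "<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
                        "<NewInternalPort>80</NewInternalPort>"
                        "<NewInternalClient>192.168.0.20</NewInternalClient>"
                        "<NewPortMappingDescription>NAS web</NewPortMappingDescription>"
                        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>").encode()
SAMPLE_FAULT_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                      "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
                      "</s:Fault></s:Body></s:Envelope>").encode()


def main(lan_host):
    # Discover the gateway, then print what it forwards to lan_host
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(build_msearch(), SSDP_ADDR)
    try:
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        print("no UPnP gateway answered; UPnP may already be off")
        return
    location = parse_ssdp_location(reply)
    with urllib.request.urlopen(location, timeout=5) as resp:
        control = find_control_url(resp.read(), location)
    for m in exposed_to(enumerate_mappings(control), lan_host):
        print(f"EXPOSED {m['protocol']}/{m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} ({m['description']})")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else "192.168.0.20")  # assumed NAS address
```

Run it from a host on the same LAN as the NAS, passing the NAS's address. Any EXPOSED line means the router is forwarding an Internet-facing port to the NAS regardless of what the router's own port-forwarding page shows; disabling UPnP on the router and rebooting it removes such dynamically created mappings.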