D-Link issues rip and replace order for besieged NAS drives

D-Link is telling owners of expired NAS devices to pack them away and replace them with newer kit following the publication of security vulnerabilities that together are now being actively exploited.

It doesn't help that the devices, that reached their end-of-service (EOS) date years ago, have a backdoor (CVE-2024-3272, CVSS: 9.8 - critical) enabled by hardcoded credentials (username: messagebus, plus an empty password field).

This, combined with a command injection bug (CVE-2024-3273, CVSS: 7.3 - high) means attackers can remotely execute code (RCE) on the device, and with that do all manner of follow-on activities. User data is believed to be at risk.

The following models are vulnerable:

  • DNS-340L (reached EOS in 2019)
  • DNS-320L (reached EOS in 2020)
  • DNS-327L (reached EOS in 2020)
  • DNS-325 (reached EOS in 2017)

D-Link has held firm in its EOS assessment, reiterating that no firmware updates will be released for the affected devices, regardless of the latest security holes.

The cheaper consumer units have a habit of having the absolute WORST security. You'll note the article also includes a link to an article about a WD unit that had hardcoded insecure credentials as well. These units were introduced between around 2011-2014 based on my quick looking up, so they're old enough to be "EOL", but the fact that there's now zero use for them outside of "blockade it from outside network traffic" or "put it in the bin" should be an example of how these devices are regularly treated by manufacturers.

Rolling your own TrueNAS is not hard. If you can install Windows, you can install TrueNAS. Or you can find a friend willing to do it for you. Don't fall under the assumption that you can spend your way out of the problem with a retail unit.

https://www.theregister.com/2024/04/09/dlink_issues_rip_and_replace/

