D-Link issues rip and replace order for besieged NAS drives
D-Link is telling owners of expired NAS devices to pack them away and replace them with newer kit following the publication of security vulnerabilities that together are now being actively exploited.
It doesn't help that the devices, which reached their end-of-service (EOS) date years ago, have a backdoor (CVE-2024-3272, CVSS: 9.8 - critical) enabled by hardcoded credentials (username: messagebus, plus an empty password field).
This, combined with a command injection bug (CVE-2024-3273, CVSS: 7.3 - high), means attackers can remotely execute code (RCE) on the device, and with that do all manner of follow-on activities. User data is believed to be at risk.
The following models are vulnerable:
- DNS-340L (reached EOS in 2019)
- DNS-320L (reached EOS in 2020)
- DNS-327L (reached EOS in 2020)
- DNS-325 (reached EOS in 2017)
D-Link has held firm in its EOS assessment, reiterating that no firmware updates will be released for the affected devices, regardless of the latest security holes.
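The two weakness classes the article names, a hardcoded credential with an empty password (CWE-798) and OS command injection in a request handler (CWE-78), are easier to recognise side by side. The following is an added illustrative example, not D-Link's firmware and not code from The Register; the service account name `svc`, the `/shares` path, the `ls`-based share listing and the user database are all constructed for the demo. The vulnerable half shows the two patterns as a toy handler would contain them; the hardened half removes the special-cased account, stores salted PBKDF2 hashes, refuses empty passwords, allowlists the share name and invokes the command with an argv list instead of a shell string.

```python
"""Toy NAS request handler: vulnerable pattern beside a hardened one.

Constructed example, not the device's real code. SERVICE_USER is a
placeholder, not the account named in the advisory.
"""
import hashlib
import hmac
import os
import re
import secrets
import subprocess
import tempfile

PBKDF2_ROUNDS = 100_000

# ---- Vulnerable pattern (constructed, for illustration) -------------------
SERVICE_USER = "svc"  # placeholder for a fixed, undocumented service account


def vulnerable_login(username: str, password: str, users: dict) -> bool:
    """CWE-798: a built-in account is accepted with an empty password."""
    if username == SERVICE_USER and password == "":
        return True  # no secret required at all
    return users.get(username) == password  # plaintext compare, also weak


def vulnerable_list_command(share: str) -> str:
    """CWE-78: the caller-supplied share name is spliced into a shell line.

    Whatever this returns would be handed to os.system(); every character
    of `share` becomes part of the command the shell parses."""
    return "ls -l /shares/" + share


# ---- Hardened pattern ------------------------------------------------------
SHARE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def make_user_record(password: str) -> tuple[bytes, bytes]:
    """Store a per-user salt and PBKDF2 hash, never the password itself."""
    if not password:
        raise ValueError("empty password not allowed")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hardened_login(username: str, password: str, users: dict) -> bool:
    """Every account goes through the same check; there is no bypass."""
    if not password:
        return False
    record = users.get(username)
    if record is None:
        # Spend comparable time so unknown users are not trivially distinguishable.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def hardened_list(share: str, base_dir: str) -> list[str]:
    """Allowlist the name, then run ls with an argv list and no shell, so the
    input can only ever be a single argument."""
    if not SHARE_NAME.fullmatch(share):
        raise ValueError("invalid share name")
    path = os.path.join(base_dir, share)
    if not os.path.isdir(path):
        raise FileNotFoundError(share)
    result = subprocess.run(["ls", "-1", "--", path], capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()


def rejects_share_name(share: str, base_dir: str) -> bool:
    """True when the hardened path refuses the name before touching the shell."""
    try:
        hardened_list(share, base_dir)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a constructed user table and share directory, exercise both paths."""
    users = {"alice": make_user_record("correct horse")}
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "media"))
    open(os.path.join(base, "media", "photo.jpg"), "w").close()
    return {
        "vuln_backdoor": vulnerable_login(SERVICE_USER, "", users),
        "vuln_cmd": vulnerable_list_command("media; extra"),
        "hard_backdoor": hardened_login(SERVICE_USER, "", users),
        "hard_ok": hardened_login("alice", "correct horse", users),
        "hard_wrong": hardened_login("alice", "wrong", users),
        "hard_list": hardened_list("media", base),
        "hard_rejects_metachars": rejects_share_name("media; extra", base),
        "hard_rejects_traversal": rejects_share_name("../etc", base),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the split is that neither fix is exotic: the backdoor disappears by deleting the special case and hashing every credential, and the injection disappears by validating the name and never letting a shell parse it. A vendor that ships a device with both patterns present, then declines to patch it, leaves owners with exactly the choice the article describes.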
The cheaper consumer units have a habit of having the absolute WORST security. You'll note the article also includes a link to an article about a WD unit that had hardcoded insecure credentials as well. These units were introduced between around 2011-2014 based on my quick looking up, so they're old enough to be "EOL", but the fact that there's now zero use for them outside of "blockade it from outside network traffic" or "put it in the bin" should be an example of how these devices are regularly treated by manufacturers.
Rolling your own TrueNAS is not hard. If you can install Windows, you can install TrueNAS. Or you can find a friend willing to do it for you. Don't fall under the assumption that you can spend your way out of the problem with a retail unit.
https://www.theregister.com/2024/04/09/dlink_issues_rip_and_replace/
example eleventeen gorillon of why you should never, under any circumstances, trust any proprietary software.
(especially if it's being sold to you by a company whose primary product is anything but software)
This is true but I'm imagining if this was open source what kind of toolchain hell it'd be to build the firmware on a modern OS.