
92,000 D-Link NAS devices have a backdoor

  • April 8, 2024


At least 92,000 legacy D-Link NAS devices contain a hard-coded backdoor that allows attackers to break in. A patch does not exist.

A security researcher has discovered a dangerous flaw in D-Link NAS devices. The vulnerability consists of an injection flaw combined with a hardcoded account (Message bus, without password). The bug and account allow hackers to run their own code on the NAS.

Good and bad news

The good news is that D-Link no longer makes NAS devices and the vulnerable devices are many years old. The bad news is that D-Link no longer supports the affected storage servers, yet at least 92,000 vulnerable devices are still in use.

The following devices and versions are vulnerable to the flaw:

  • DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013
  • DNS-325 version 1.01
  • DNS-327L version 1.09, version 1.00.0409.2013
  • DNS-340L version 1.08

Very old and unsupported

D-Link does not intend to continue the divested NAS business, so users should not expect a patch. This is not surprising: for example, the vulnerable D-Link Sharecenter 2-Bay NAS DNS-325 was withdrawn from circulation in 2015 and has not been supported since 2017.

The best solution is to finally send these vulnerable devices into a well-deserved retirement and replace them with an up-to-date solution. That being said, it’s not a good idea to make a NAS available directly over the Internet without additional protection. Especially in this case, data is easy prey for attackers.

Source: IT Daily
