Company doesn’t make storage devices now; has zero interest in fixing catastrophic  vulnerability.

‘Bobby’ Flaw Flagged WONTFIX

What’s the craic? Bill Toulas reports: D-Link won’t fix critical flaw affecting 60,000 older NAS devices

“Commonly used by small businesses”
CVE-2024-10914 has a critical [CVSS] 9.2 severity score and is present in the ‘cgi_user_add’ command. … An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests.
…
The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses. … A fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. … A D-Link spokesperson [said] the impacted products had reached EoL and will not be receiving security updates.

How many different products? Ionut Arghire usues all his fingers and toes: Many Legacy D-Link NAS Devices Exposed to Remote Attacks

D-Link, however, warns that [20] discontinued NAS models are affected and that it cannot address the vulnerability, as all development and customer support have ceased. Some of these devices were retired a decade ago.

Who found it? NetworkSecurityFish: Command Injection Vulnerability

The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution. [For] example:
…
curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27"

What does D-Link have to say for itself? Not a lot: DNS-320 / DNS-325 / DNS-340L and all other D-Link NAS Models

“Latest firmware”
Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. … D-Link’s general policy is that when products reach EOS/EOL, they can no longer be supported, and all firmware development ceases.
…
D-Link US is prohibited from providing support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office. If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier.

Well, that sucks. u/JLeeSaxon isn’t happy:

I can’t really agree with the, “It’s your fault for not throwing hardware that still runs fine in a landfill for no reason every September like Apple wants you to,” responses. … Don’t make it sound like some kind of age-based deterioration: … This flaw was always there and D-Link never found/fixed it.
…
NASA is still reprogramming Voyager 2, so let’s make sure we’re clear-eyed about the fact that these EOL decisions are 100% arbitrary and D-Link, if they were willing, would absolutely be able to do an emergency fix here given how widespread and serious this flaw apparently is.

How should we react to D-Link’s attitude? gavron waxes metaphorical:

Carrots and Sticks: Reward vendors who support their products. Punish those who don’t.
…
Because of this, … I will never buy a D-Link product again. Of any type. For any purpose. Not even for consulting clients.
…
You are welcome to join me. If someone says, “Hey this D-Link switch is cheaper,” just tell them how D-Link treats you after you give them your money, and eventually this will trickle down to lower quarterly earnings, less enjoyable shareholder 10Q reports, and they may get the message.

Why would owners have bought a D-Link NAS to begin with? Misgar makes an important point:

The answer might be that some D-Link NAS [were] less expensive than their QNAP and Synology counterparts. For some people, price is the overriding factor when making a purchase, regardless of any other factors. They might not be able to afford “better” products. They might be blissfully unaware of the weaknesses, or just not care.

Any other reasons? thesnide offers some:

The hardware was cheap and decent. The software is nicely hackable.
…
I did strip all the D-Link firmware to replace it with a trimmed down one. Works flawlessly since day one. And that’s a long time [ago].

This sounds like a job for open source. u/DGolden agrees:

It looks like people have worked out how to stick Linux / Debian / OpenWRT on at least some models:
https://jamie.lentin.co.uk/devices/dlink-dns325/
https://www.aboehler.at/doku/doku.php/projects:dns320l

Meanwhile, speaking of FLOSS, Wokan has excellent gum health: [You’re fired—Ed.]

Meanwhile, 12 years later, my TrueNAS Scale … box running on a 2012 CPU is still serving up files and getting regular updates. If you want to have a NAS you pay for once and then not subscribe to, roll up your sleeves and learn a little DIY.

And Finally:

Love him or loathe him, you can’t deny Steve Gibson is … old

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Randall Munroe (cc:by-nc)