Security Announcement
DNS-315L Rev. Ax / DNS-320L Rev. Ax / DNS-327L Rev. Ax / DNS-340L Rev. A1 / DNS-345 Rev. Ax - Command Injection allows Unauthenticated Command Bypass
Publication ID: SAP10042
Resolved Status: Partial
Published on: 9 August 2014 12:20 GMT
Last updated on: 11 August 2014 8:40 GMT

Overview

 

The DNS-315L, DNS-320L, DNS-327L, DNS-340L, and DNS-345 have been identified as having a vulnerability in their Web-GUI application that allows malicious users to gain access to the device configuration, device operating system, and stored files without requiring log-in credentials. Normal operation, whether local or remote through the mydlink service/apps, does not expose this vulnerability to security risk. If the network the device is connected to, or a device on that network (PC, laptop, tablet, mobile, router, etc.), has been compromised, then this network may be at risk from this vulnerability. The Recommendation section below will guide you in closing this security issue in the product.

 

References

 

Reported to and corrected by D-Link Corporation through D-Link Europe LTD 

 

General Public News: Story 

 

Description

 
The DNS-315L, DNS-320L, DNS-327L, DNS-340L, and DNS-345 have an application, login_mgr.cgi, that has a parameter that allows a malicious user to send the device commands without the device requiring the user to log in. These commands can be sent (injected) into the device, causing changes in configuration; the device's applications could be changed, the device's operating system could be compromised, and stored files could be accessed.
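As a defensive illustration of the flaw described above (an added example, not D-Link code), the sketch below scans web or reverse-proxy access-log lines for requests to login_mgr.cgi whose port parameter is anything other than a single decimal port number. It assumes the parameter is visible in the logged request line; the log lines, the /example/ path and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
PORT_RE = re.compile(r"[0-9]{1,5}")  # ASCII digits only, unlike str.isdigit()

def port_is_valid(value):
    """Allow-list check: a decimal port number in 1..65535 and nothing else."""
    return PORT_RE.fullmatch(value) is not None and 1 <= int(value) <= 65535

def check_line(line):
    """Return a reason string for a suspicious login_mgr.cgi request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/login_mgr.cgi"):
        return None
    # parse_qs percent-decodes values; keep_blank_values keeps an empty "port="
    ports = parse_qs(url.query, keep_blank_values=True).get("port", [])
    if len(ports) > 1:
        return "port parameter repeated"
    if ports and not port_is_valid(ports[0]):
        return "port is not a valid port number: %r" % ports[0]
    return None

def scan(lines):
    """Return (line_number, reason) for every flagged line, numbering from 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = check_line(line)
        if reason:
            hits.append((n, reason))
    return hits

# Constructed sample log lines; addresses and the /example/ path are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2014:09:00:01 +0000] "GET /example/login_mgr.cgi?port=80 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2014:09:00:05 +0000] "GET /example/login_mgr.cgi?port=80%3Bconstructed HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Aug/2014:09:00:06 +0000] "GET /example/login_mgr.cgi?port=70000 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Aug/2014:09:00:07 +0000] "GET /example/login_mgr.cgi?port=80&port=x HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/Aug/2014:09:00:09 +0000] "GET /example/other.cgi?port=abc HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Requests that carry the parameter in a POST body do not show up in an access log; the same port_is_valid check applies wherever the body is visible, for example on a filtering proxy.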

 

Recommendation

 

Immediately update to the fixed firmware referenced in the table below. Please continue to monitor this page for further updates and disclosures.

 

D-Link recommends that the network to which the D-Link Network Attached Storage is connected be protected by a firewall or better security policy to mitigate a malicious remote user.

 

D-Link recommends restricting the network attached storage from communicating with the internet. Filters can be added to most popular routers/firewalls that will restrict the device's access to the local network only.

 

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

 

D-Link recommends all PCs (Windows or Mac) are scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

 

WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

 

The default configuration of D-Link's Network Attached Storage is intended to provide simple installation, ease of usability, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, and evaluating all security risks for your network regularly.


 

Affected Product

   

Model Name | HW Version | Current FW Version | New Firmware for Correction
DNS-315L | Ax (International/Non-US) | 1.02b02 and older | FW: BETA 1,02b03
DNS-320L | Ax (Worldwide) | 1.03b04 and older | FW: BETA 1.03b08
DNS-327L | Ax (Worldwide) | 1.02 and older | FW: BETA 1.03b03
DNS-340L | A1 (Unreleased) | 1.00 | Device will ship with fixed firmware v. 1.01
DNS-345 | Ax (Worldwide) | 1.04b01 and older | FW: 1.04b02

 

Security Fixes Provided by New Firmware

   

Model Name | HW Version | New Firmware | New Firmware Corrections
DNS-315L | Ax (International/Non-US) | BETA 1,02b03 | 1. The port parameter of login_mgr.cgi has been fixed. 2. Fix: FTP can't log in with anonymous.
DNS-320L | Ax (Worldwide) | BETA 1.03b08 | 1. The port parameter of login_mgr.cgi has been fixed.
DNS-327L | Ax (Worldwide) | BETA 1.03b03 | 1. The port parameter of login_mgr.cgi has been fixed.
DNS-340L | A1 (Unreleased) | Release is V. 1.01 | 1. Device will launch with cgi fix.
DNS-345 | Ax (Worldwide) | 1.04b02 | 1. Factory reset no longer causes the system to freeze after a reboot. 2. The port parameter of login_mgr.cgi has been fixed.

 

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.