A security researcher has uncovered a serious XSS vulnerability in seven D-Link NAS devices which allows malicious users to gain access to the device and files.
D-Link NAS Owners Should Be on Alert
The security expert Benjamin Daniel Mussler has identified the single XSS flaw that affects seven current D-Link NAS products. The first traces of the issues were found in the firmware of the D-Link DNS-320 rev A. The configuration of the firmware allows code injections through the SMB port (445/tcp). The malicious code is executed when the victim user logs into the administrative web interface.
Unlike other XSS attacks, this one does not require the user to open a malicious link. The code is directly injected into the browser without direct access to the vulnerable application. This makes it possible to run even when ordinary access via the secured login is denied. The way the code is built makes it very easy to automate inside tools and scripts that can be crafted by criminals. Upon intrusion, the malicious users can modify the contents of the devices at will.
These are the affected D-Link NAS devices:
- DNS-320 rev B
- DNS-320L
- DNS-325
- DNS-327L
- DNS-340L
- DNS-345
- DNS-320 rev A.
Security experts state that the issue may be exploited by ransomware developers who can access the sensitive data through the vulnerability. As NAS devices are often used to make secure backups of important information, this fact makes them very vulnerable. Most of these products also provide additional features such as hosting web sites, BitTorrent seeding, home media streaming and providing printer server functionality.
Most consumer grade products also have some form of RAID configuration support which makes them critical targets as some levels of the file integrity solution. A ransomware may seriously disrupt this feature. D-Link has not yet provided a firmware update to amend the issues.
