There are over 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link, researchers said.
The issues include information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage problems, said researchers at SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems.
After analyzing the issues, the researchers said some of the weaknesses can be leveraged by remote attackers to execute arbitrary code and take control of the targeted device.
Researchers tested D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities also have an impact on DNS-320B, DNS-345, DNS-325, and DNS-322L.
SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor patched quite a few of the flaws, but several issues remain open. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, SEARCH-LAB said.
The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users should apply the patches and ensure their device's web interface is not exposed to the Internet.
SEARCH-LAB has published a report detailing the vulnerabilities. At least ten bugs have not received a patch.