There is a Cross-Site Scripting (XSS) flaw affecting seven D-Link NAS devices that could allow attackers to gain access to the devices and alter their stored contents.
The flaw was first found in the firmware of the D-Link DNS-320 rev A, a network storage enclosure that lets users access stored data via SMB and is configured through a web interface, said researcher Benjamin Daniel Mussler. It was later found in six other models.
“The device’s administrative web interface contains a Stored Cross-Site Scripting vulnerability, exploitable through an unauthenticated SMB login attempt (445/tcp),” Mussler said. “The injected code is executed when the victim logs into the administrative web interface.”
“Unlike reflected XSS vulnerabilities, it does not require the victim to open an attacker-supplied link or to visit a malicious web page,” Mussler said. “This is one of the relatively few XSS vulnerabilities where malicious code can be injected despite having neither direct nor indirect access to the vulnerable web application. As such, it can be exploited even when access to ports 80/tcp (HTTP) and 443/tcp (HTTPS) is denied.”
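The mechanism Mussler describes is a classic stored XSS through log data: text supplied by an unauthenticated network client is written to the device's records and later rendered unescaped in the administrative web UI. The following Python is an added illustration of that pattern and is not code from the advisory, from Mussler, or from D-Link. It assumes, purely for the example, that the client-supplied SMB username is the field that reaches the page (the advisory says only that an unauthenticated login attempt suffices) and uses a constructed log format. It shows the naive rendering beside an output-escaped one, and a check an administrator could run over stored entries before logging in to the web interface:

```python
import html
import re

# Constructed sample events, as a NAS might record failed SMB logins.
# The field layout and the username as the injection vector are
# assumptions for this example, not details from the advisory.
SAMPLE_EVENTS = [
    {"time": "2016-08-01 12:00:01", "src": "192.0.2.10",
     "user": "alice", "result": "failed"},
    {"time": "2016-08-01 12:00:07", "src": "192.0.2.66",
     "user": '<script>alert(document.domain)</script>',  # attacker-chosen
     "result": "failed"},
]

COLUMNS = ("time", "src", "user", "result")


def render_vulnerable(events):
    """Build the log table the way a naive admin UI does: every field is
    interpolated verbatim, so markup inside an attacker-controlled username
    becomes part of the page and executes when an admin views the log."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{e[k]}</td>" for k in COLUMNS) + "</tr>"
        for e in events
    )
    return f"<table>{rows}</table>"


def render_safe(events):
    """Same table, but every field is HTML-escaped at output time, so the
    stored payload is displayed as inert text rather than executed."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(str(e[k]), quote=True)}</td>" for k in COLUMNS)
        + "</tr>"
        for e in events
    )
    return f"<table>{rows}</table>"


# Crude indicator of HTML/JS content in a field that should be a plain name.
MARKUP_RE = re.compile(r"<[^>]+>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def suspicious_events(events):
    """Return stored entries whose username field carries markup. Intended
    for an out-of-band review (e.g. a log dump obtained over SSH or a serial
    console) before an admin logs into the web UI, which is the moment the
    advisory says an injected payload fires."""
    return [e for e in events if MARKUP_RE.search(str(e["user"]))]


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_EVENTS))
    print("safe:      ", render_safe(SAMPLE_EVENTS))
    for e in suspicious_events(SAMPLE_EVENTS):
        print("suspicious entry from", e["src"], "->", e["user"])
```

The fix is output encoding at the point the value enters the HTML, not filtering at the SMB listener: the same stored string is harmless in `render_safe` and live in `render_vulnerable`, which is exactly why denying access to ports 80 and 443 does not prevent the injection, only its later execution.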
“Due to the nature of the vulnerability, it would be trivial to automate the injection of malicious code into a number of vulnerable devices,” he said.
D-Link confirmed the same vulnerability exists in six other NAS models: DNS-320 rev B, DNS-320L, DNS-325, DNS-327L, DNS-340L, and DNS-345.
In mid-July, D-Link pushed out firmware patches for the DNS-320, DNS-320L and DNS-340L that fix the issue, but not for the rest of the affected products.
When Mussler publicly released details of the flaw at the beginning of August, there was no indication that it was being exploited.
Ransomware authors might exploit it to maximize the impact of their malware.
“NAS devices are often used to store backups of data the user considers important enough to keep a copy of. The vulnerability described in this advisory enables ransomware to have data deleted from a NAS device the next time the victim logs into the administrative web interface,” he said.
That's one reason why users should be careful when applying the update, even for devices for which a firmware fix has been made available.
“If D-Link addresses the vulnerability with a firmware update, its installation will require users to log into the vulnerable web interface. However, if an attacker has already managed to store malicious code inside the web interface, logging in to install the update may cause this code to be executed,” Mussler said in a post.
“Vulnerable devices should not be accessible from untrusted and potentially hostile networks such as the Internet. If they are, they should be disconnected immediately. When a vulnerable device is not connected to the Internet but to a local network, the greatest risk may come from malware, more specifically ransomware.
“Ransomware is becoming increasingly capable, and the effects of this development are not restricted to infection and evasion,” he said. “Future ransomware may adapt to its environment in order to maximize its impact and, subsequently, the likelihood of a victim paying the ransom.”