Over 50 Flaws in NAS, NVR Devices

Monday, June 1, 2015 @ 03:06 PM gHale

There are over 50 vulnerabilities in network-attached storage (NAS) and network video recorder (NVR) products from D-Link, researchers said.

The issues include information leakage, authentication flaws, CGI vulnerabilities, input validation problems, and webpage problems, said researchers at SEARCH-LAB, a Hungary-based security testing company that specializes in embedded systems.

After analyzing the issues, the researchers said remote attackers can leverage some of the weaknesses to execute arbitrary code and take control of the targeted device.

Researchers tested D-Link DNS-320 (Rev A: 2.03), DNS-320L (1.03b04), DNS-327L (1.02) NAS devices, and the D-Link DNR-326 Professional NVR (1.40b03). Some of the vulnerabilities also have an impact on DNS-320B, DNS-345, DNS-325, and DNS-322L.

SEARCH-LAB started reporting the vulnerabilities to D-Link in July 2014. The vendor patched quite a few of the flaws, but several issues remain unpatched. In some cases, attempts to fix earlier vulnerabilities led to the introduction of even more serious problems, SEARCH-LAB said.

The following firmware versions contain fixes: DNS-320L 1.04.B12, DNS-327L 1.03.B04, DNR-326 2.10.B03 and DNR-322L 2.10.B03. Users should apply patches and ensure their device’s web interface does not have Internet exposure.

SEARCH-LAB has published a report detailing the vulnerabilities. At least ten bugs have not received a patch.