Over 50 security glitches found in D-Link’s NVR and NAS devices

Pierluigi Paganini June 01, 2015

D-Link NAS and NVR products discovered with serious security bugs, users are advised to apply the patches immediately, if they have any available to them.

A Hungry based security test company specializing in embedded systems, named SEARCH-LAB, has found D-Link’s NAS (Network Attached Storage) and NVR (Network Video Recorder) products having over 50 vulnerabilities.

A list of the security flaws includes CGI vulnerabilities, web page issues, authentication flaws, information leakage and input validation problems. Attackers can execute arbitrary code to take control over their targeted device, by benefiting from some of the weaknesses on the list – now, it makes the vulnerability a grave concern for all.

More than half of the listed security flaws can be easily exploited remotely by hackers over the Internet, GergelyEberhardt, SEARCH-LAD researcher told the “Security_Week”

Analysis of the D-Link DNS-320 (Rev A: 2.03), DNS-327L (1.02) NAS devices, DNS-320L (1.03b04) and D-Link DNR-326 Professional NVR (1.40b03) has been conducted by experts. The researchers identified that few vulnerabilities also impact DNS-322L, DNS-345, DNS-325 and more likely other products as well.

D-Link DNS-327L 3
D-Link got started notifying about the flaws by SEARCH-Lad in 2014. And in fact, the D-Link notified about the flaws by SEARCH-Lad in 2014. And in fact, the D-Link took actions to fill the security holes out. But, in some cases, fixing a vulnerability opened a new more damaging security hole.

Firmware versions that contain fixes are DNR-322L 2.10.B03, DNS-320L 1.04.B12, DNR-326 2.10.B03 and DNS-327L 1.03.B04. If a user can find a patch available, he/she must apply it on ASAP basis and protect their device from getting exposed online.

A detailed vulnerability report has been published by the SEARCH-LAB. At least 10 security bugs that haven’t been fixed as of now will be exposed in an advisory that SEARCH-LAB is planning to release after June 22 with complete details about bugs. The CVE identifiersCVE-2014-7857, CVE-2014-7858, CVE-2014-7860 and CVE-2014-7859 have been connected to a number of vulnerabilities.

“Although the speed of the patch release process was quite slow, D-Link at least fixed most of the discovered issues. Their response speed has significantly improved after we informed them of the exact timing of the publication.” said Eberhardt, SEARCH-LAB researcher. 

The vulnerabilities that SEARCH-LAB has reported include some of the flaws that already have been discovered by a security analyst at the Independent Evaluators, Jacob Holcomb. Still, Eberhardt claims that at least 12 glitches are the ones that haven’t been discovered before by either a company or individual.

Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – D-Link, NSA, NVR)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment