Security researchers find 53 vulnerabilities in D-Link NAS and NVR devices

Researchers have found 53 vulnerabilities in D-Link's Network Attached Storage (NAS) and Networked Video Recording (NVR) systems. In the worst case, an attacker can remotely take control of the device. The affected devices are the DNS-320, DNS-320L, DNS-327L and DNR-326, although other devices, such as the DNS-320B, DNS-345, DNS-325 and DNS-322L, are also affected by one or more of the vulnerabilities.

Researchers at the Hungarian Search-Lab discovered several issues. For example, authentication could be bypassed using several methods, which allows an attacker to take control of the device without even using an exploit. The researchers also discovered half-baked fixes for previously patched vulnerabilities that introduced even worse issues such as command injection, which also allows an attacker to take over a device.

The researchers also found that attackers could upload files without authentication, and that attackers can log in using default user accounts whose (empty) passwords the administrator cannot change. D-Link has released several updates that solve "most vulnerabilities" and "some vulnerabilities".

Details about two vulnerabilities will be disclosed by the end of June because D-Link hasn't patched them yet. An overview of all patches and vulnerable models can be found in this advisory. Users are advised to install patches when available, and the researchers highly recommend not exposing the web interface of the DNS and DNR devices to the internet. Since the devices use UPnP, this feature should be disabled in the router.
