Security Flaws Found in D-Link Devices

Researches have unearthed a large amount of security flaws in several D-Link storage products, including some that allow an attacker to bypass authentication.

The company has already released a firmware update to address some of the problems, following an independent assessment performed by Search Lab. According to the report, affected devices include the D-Link DNS-320, 320L, 326, 327L, 320B, 345, 325, and 322L, among others.

One of the major flaws allows an attacker to log in using the "root", "nobody", and "admin" usernames, which are the default accounts for the devices.

The login_mgr.cgi performed the authentication based on the OS credentials stored in the /etc/shadow file. Since the shadow file was used directly, every valid user and password could be used as credentials.

These accounts default to an empty password, however, the user interface only allows you to change the admin password. As such, an attacker can easily gain access to your device.

Some of the other flaws include unauthenticated photo publishing, information leaks, and the ability to overwrite files. For a full list of the vulnerabilities, you can view the full report here.

D-Link has requested additional time to fix some of the vulnerabilities, so this report does not contain a final list of all found flaws.

If you have one of the affected D-Link devices, make sure to update your firmware to patch the published flaws. Keep an eye out for future updates to patch the remaining, unpublished vulnerabilities.