
D-Link recommends retiring older devices to minimize risk of exploitation

Can’t get rid of that classic storage device? At least firewall its remote access, a security org said.

Sometimes a device in the IT infrastructure resembles that ripped T-shirt you’ve been wearing since high school: You could patch it, but maybe it’s better just to throw the thing out and buy a new one.

That seems to be the idea behind an advisory from networking hardware and telecoms manufacturer D-Link, after security researcher “netsecfish” identified vulnerabilities impacting cloud-storage models DNS-340L, DNS-320L, DNS-327L, and DNS-325—all currently tagged online by the manufacturer as “End of Life,” or EOL.

“D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced,” a highlighted and bolded line from the April 4 company announcement read.

What these do: The storage enclosure devices in question create a central network point for file backup, enabling home and small-office users to share and access documents, music, photos, or other data.

The discovery: According to netsecfish’s summary, the vulnerability, tracked as CVE-2024-3273, exists in a CGI script, which processes user requests, handling the functions between query and database.

The script potentially enables unauthorized access because of a backdoor account, a kind of secret entry point “facilitated by hardcoded credentials.” Netsecfish said this flaw “could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions.”

End of story? Nonprofit security tracker Shadowserver said on its official X account that the platform has seen scans and exploits from multiple IPs for CVE-2024-3273, advising that owners take the devices offline “or at least have their remote access firewalled.” (Shadowserver’s scans, so far, have found nearly 2,000 vulnerable D-Link instances.)

D-Link did not respond to a request for an interview by publication, but said in its April 4 advisory, “If a product has reached End of Support (“EOS”) / End of Life (“EOL”), there is normally no further extended support or development for it. Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased.”

The statement’s use of “normally” and “typically” offers a sliver of hope that an update is not completely out of the question—and who knows, maybe the shirt gets one more wear and one more patch.
