Backdoor in D-Link DNS-320L/LW ShareCenter



Published: 2018-01-08
Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-912
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software
D-Link DNS-320
Hardware solutions / Firmware

Vendor: D-Link

Security Bulletin

This security bulletin contains information about 1 vulnerability.

The vulnerability in D-Link DNS-320L/LW devices appears to have been silently fixed by the vendor in 2015.

1) Hidden functionality (backdoor)

EUVDB-ID: #VU9871

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-912 - Hidden Functionality (Backdoor)

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to a vulnerable device.

The vulnerability exists due to the presence of backdoor code (hard-coded account credentials) in firmware shared by WD My Cloud and D-Link DNS-320L ShareCenter software. A remote attacker can send a specially crafted HTTP GET request to the affected device and gain unauthorized access to it.

Exploitation example:

 GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1

where login is "mydlinkBRionyg" and password is "abc12345cba".
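
For defenders, the request above can be turned into a log check. The following Python is an added example, not part of the original bulletin or of any vendor code: it flags access-log lines that hit `nas_sharing.cgi` with the hard-coded account, the hard-coded password, or shell metacharacters in a parameter. The common/combined log format, the sample log lines and the finding labels are assumptions made for the example.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and credentials come from the bulletin's exploitation example.
CGI_PATH = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "mydlinkBRionyg"
BACKDOOR_PASS = b"abc12345cba"
SHELL_META = re.compile(r"[;|&`$<>\n]")
# Assumption: access log lines carry a quoted request line (common/combined format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the first reuses the request shown in the bulletin.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2018:10:00:00 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1'
    '&count=1;touch+/tmp/gulftech; HTTP/1.1" 200 12',
    '198.51.100.7 - - [08/Jan/2018:10:01:00 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?cmd=1&user=admin&passwd=c2VjcmV0 HTTP/1.1" 200 40',
    '198.51.100.7 - - [08/Jan/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]


def decode_passwd(value):
    """Base64-decode passwd, restoring the padding the bulletin's value omits."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return b""


def classify(line):
    """Return the findings for one access-log line (empty list if none)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if unquote(url.path) != CGI_PATH:
        return []
    # Split on '&' only, so a ';' stays inside the parameter value it was sent in.
    params = parse_qs(url.query, keep_blank_values=True, separator="&")
    findings = []
    if BACKDOOR_USER in params.get("user", []):
        findings.append("backdoor-user")
    if any(decode_passwd(p) == BACKDOOR_PASS for p in params.get("passwd", [])):
        findings.append("backdoor-password")
    if any(SHELL_META.search(v) for vals in params.values() for v in vals):
        findings.append("shell-metacharacter")
    return findings
```

Any non-empty result for a device running firmware 1.00 - 1.05 is a reason to treat the device as potentially accessed and to review it after updating.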

List of affected Western Digital devices:

               MyCloud
               MyCloudMirror
               My Cloud Gen 2
               My Cloud PR2100
               My Cloud PR4100
               My Cloud EX2 Ultra
               My Cloud EX2
               My Cloud EX4
               My Cloud EX2100
               My Cloud EX4100
               My Cloud DL2100
               My Cloud DL4100

Note: this vulnerability was updated according to the GulfTech advisory. The vulnerability severity has been raised to critical and this vulnerability is being treated as a zero-day.

Mitigation

Update to version 1.06 or later.

Vulnerable software versions

D-Link DNS-320: 1.00 - 1.05

External links

http://gulftech.org/advisories/DNS-320L%20ShareCenter%20Backdoor/126
ftp://ftp2.dlink.com/PRODUCTS/DNS-320L/REVA/DNS-320L_REVA_RELEASE_NOTES_v1.10B03_EN.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


