FortiGuard Outbreak Alert: D-link Multiple Devices Attack

Description 

CVE-2024-3272 relies on the use of a user account present by default on all the impacted D-Link NAS models. These NAS Devices use Hard-Coded Credentials. The vulnerability CVE-2024-3273 allows a remote command injection on impacted D-link NAS devices.

By combining CVE-2024-3273 vulnerability with CVE-2024-3272, it is possible to send commands remotely without any authentication, making this attack very dangerous because attackers could steal sensitive data on these NAS devices and further use it for Ransomware attacks.

D-Link DIR-600 routers contain a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2014-100005) that allows an attacker to change router configurations by hijacking an existing administrator session.

CVE-2021-40655 is a D-Link DIR-605 router Information Disclosure vulnerability that allows attackers to obtain a username and password by forging a post request.

D-Link Go-RT devices are vulnerable to Buffer Overflow vulnerability (CVE-2022-37055).

CVE ID    

CVE-2024-3272 (https://nvd.nist.gov/vuln/detail/CVE-2024-3272)
CVE-2024-3273 (https://nvd.nist.gov/vuln/detail/CVE-2024-3273)
CVE-2014-100005 (https://nvd.nist.gov/vuln/detail/CVE-2014-100005)
CVE-2021-40655 (https://nvd.nist.gov/vuln/detail/CVE-2021-40655)
CVE-2022-37055 (https://nvd.nist.gov/vuln/detail/CVE-2022-37055)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.6+

Playbook 

N/A

Threat hunting

N/A

Suricata Coverage

N/A

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to
https://www.fortiguard.com/outbreak-alert/d-link-multiple-devices-attack