A vulnerability has been identified in the D-Link DNS series network storage devices, allowing for the exposure of sensitive device information to unauthorized actors. This vulnerability is due to an unauthenticated access flaw in the info.cgi
script, which can be exploited via a simple HTTP GET request, affecting over 920,000 devices on the Internet.
- DNS-327L Version=1.00.0409.2013
- DNS-320L Version=1.02.0329.2013 and Version=1.01.0914.2012
- DNS-320LW Version=1.01.0914.2012
Launch an HTTP GET request to the target device: http://127.0.0.1/cgi-bin/info.cgi
Several cases on the Internet were randomly selected:
It is recommended to restrict access to the administrative interfaces of the device to trusted IP addresses only and apply network-level authentication.