More than fifty vulnerabilities in D-Link NAS and NVR devices
http://www.search-lab.hu/advisories/secadv-20150527SEARCH-LAB performed an independent security assessment on four
different D-Link devices. The assessment has identified altogether 53
unique vulnerabilities in the latest firmware (dated 30-07-2014).
Several vulnerabilities can be abused by a remote attacker to execute
arbitrary code and gain full control over the devices. ...
... We also reported two other authentication bypass vulnerabilities
(CVE-2014-7857) to D-Link; but since these problems have not been
addressed correctly yet, we will only publish them after 22/06/2015. ...
Affected devices:
Main targeted devices during the assessment:
- DNS-320, Revision A: 2.03, 13/05/2013
- DNS-320L, 1.03b04, 11/11/2013
- DNS-327L, 1.02, 02/07/2014
- DNR-326, 1.40b03, 7/19/2013
Other devices were influenced by one or more vulnerabilities:
- DNS-320B, 1,02b01, 23/04/2014
- DNS-345, 1.03b06, 30/07/2014
- DNS-325, 1.05b03, 30/12/2013
- DNS-322L, 2.00b07
Solution:
Most of the vulnerabilities were fixed in:
- DNS-320L 1.04.B12
- DNS-327L 1.03.B04
Some of the vulnerabilities were fixed in:
- DNR-326 2.10.B03
- DNR-322L 2.10.B03