Overview

An information disclosure vulnerability has been identified in the /xml/info.xml URI accessible through D-Link NAS devices. This vulnerability, affecting over 61,000 devices on the Internet, allows unauthorized access to sensitive device information without authentication, which could be exploited by an attacker to gain insight into device specifics that could facilitate further attacks.

image.png

Affected Devices

Affected Components

The vulnerability is specifically located in the /xml/info.xml URI which is accessible via HTTP GET request. This XML file contains sensitive information about the NAS device, including hardware version and firmware details.

CWE

CWE-200: Exposure of Sensitive Information.

Exploitation

An attacker can exploit this vulnerability by sending a simple HTTP GET request to the target device. The following curl command exemplifies how an attacker might access the /xml/info.xml URI:

curl "[Target-IP]/xml/info.xml"

Actual Result

Sample 1

image.png

Sample 2

image.png