Exploit
CVE-2024-8127

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 | EPSS 0.04% | Medium

Summary

A critical vulnerability has been discovered in multiple D-Link NAS (Network Attached Storage) devices. It affects the function cgi_unzip in the file /cgi-bin/webfile_mgr.cgi, part of the HTTP POST Request Handler component, and allows command injection through manipulation of the 'path' argument. The attack can be initiated remotely and does not require user interaction or privileges. Affected devices include various models in the DNS and DNR series, such as DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, up to firmware version 20240814.

Impact

The vulnerability has a high severity impact on affected systems. If exploited, it could lead to unauthorized command execution on the target device, potentially allowing an attacker to gain full control over the NAS. This could result in unauthorized access to sensitive data stored on the device, modification or deletion of files, and use of the compromised device as a foothold for further attacks on the network. The remote nature of the exploit and the lack of required user interaction make this vulnerability particularly dangerous, as it could be exploited en masse against internet-exposed devices.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

A patch is available for this vulnerability. D-Link has released information about the vulnerability on their support announcement page. However, it's important to note that this vulnerability affects products that are no longer supported by D-Link. The vendor has confirmed that the affected products are end-of-life.

Mitigation

Given that the affected devices are end-of-life and no longer supported by D-Link, the primary mitigation recommendation is to retire and replace these devices with newer, supported models. If immediate replacement is not feasible, consider the following interim measures:

1. Isolate affected devices from the internet and restrict access to them from trusted internal networks only.
2. Implement strong network segmentation to limit the potential impact if a device is compromised.
3. Regularly monitor these devices for any signs of suspicious activity or unauthorized access.
4. Ensure that any sensitive data stored on these devices is backed up and, if possible, moved to more secure storage solutions.
5. If the devices must remain in use, consider implementing additional security controls such as a reverse proxy or application-level firewall to filter and monitor incoming requests to these devices.
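One way to implement the request filtering suggested in item 5, as an added example (not code from D-Link or from this advisory): a check a filtering proxy could run on each request before forwarding it. Only the handler name and the 'path' parameter come from the page; the allow-list, the 'name' field and the sample requests are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_NAME = "webfile_mgr.cgi"  # from /cgi-bin/webfile_mgr.cgi in the advisory
# Assumption: legitimate 'path' values are plain absolute paths. Anything
# outside this allow-list (shell metacharacters, quotes, control bytes) is refused.
SAFE_PATH = re.compile(r"/[A-Za-z0-9_./ \-]{0,255}")


def inspect_request(method, target, content_type, body):
    """Return (verdict, reason) for one request seen by a filtering proxy."""
    url = urlsplit(target)
    # Normalise so '//', '/./' and %-encoding cannot hide the handler name.
    segments = posixpath.normpath(unquote(url.path)).lower().split("/")
    if CGI_NAME not in segments or method.upper() != "POST":
        return ("allow", "not a POST to the affected handler")
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        # Fail closed: a body we cannot parse cannot be vetted.
        return ("block", "unsupported body type for affected handler")
    try:
        form = body.decode("ascii")
    except UnicodeDecodeError:
        return ("block", "non-ASCII form body")
    # parse_qs percent-decodes once, so %3B is checked as ';' and a
    # double-encoded %253B leaves a literal '%' that the allow-list rejects.
    for source in (url.query, form):
        for value in parse_qs(source, keep_blank_values=True).get("path", []):
            if not SAFE_PATH.fullmatch(value):
                return ("block", "path has characters outside the allow-list")
    return ("allow", "path values are clean")


FORM = "application/x-www-form-urlencoded"
# Constructed sample requests; the 'name' field is made up for illustration.
SAMPLES = [
    ("POST", "/cgi-bin/webfile_mgr.cgi", FORM, b"path=/mnt/share/docs&name=a.zip"),
    ("POST", "/cgi-bin/webfile_mgr.cgi", FORM, b"path=%2Fmnt%2Fx%3Becho+test"),
    ("POST", "/cgi-bin/./webfile_mgr.cgi", FORM, b"path=/mnt/ok&path=/mnt/%24%28echo%29"),
    ("POST", "/cgi-bin/webfile_mgr.cgi", FORM, b"path=/mnt/x%253Becho"),
    ("GET", "/index.html", "", b""),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], sample[3], "->", inspect_request(*sample))
```

Blocked requests are also worth logging, since any request to this handler that fails the allow-list is a useful monitoring signal for item 3.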

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8127. See article

Aug 24, 2024 at 9:40 AM / CVE

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 9:41 AM

Threat Intelligence Report

The vulnerability CVE-2024-8127 affects the WordPress Favicon Generator plugin, with a CVSS score of 9.6, making it critical. It allows for remote command injection, potentially leading to unauthorized access or data manipulation. Mitigations, detections, and patches should be implemented promptly to prevent exploitation by threat actors and protect against downstream impacts to other third-party vendors or technologies. See article

Aug 30, 2024 at 1:32 AM

CVSS

A CVSS base score of 9.8 has been assigned.

Oct 28, 2024 at 9:22 PM / nvd

Affected Systems

Dlink/dnr-326_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_unzip.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 34 - SANS Institute
Product: GiveWP Active Installations: 100,000+ CVSS Score: 9.8 NVD: NVD References: NVD References: - - CVE-2024-7946 - Itsourcecode Online Blood Bank Management System 1.0 is vulnerable to a critical sql injection in the User Signup component's register.php file, allowing for remote attacks. Product: Adonesevangelista Online Blood Bank Management System CVSS Score: 9.8 NVD: NVD References: - - - - CVE-2024-7947 - SourceCodester Point of Sales and Inventory Management System 1.0 is vulnerable to sql injection in the file login.php through manipulation of the email argument, allowing for remote attacks due to a critical vulnerability that has been publicly disclosed.
CVE-2024-8127 Exploit
CVE Id : CVE-2024-8127 Published Date: 2024-08-27T14:53:00+00:00 A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE:
CVE-2024-8127
Medium Severity Description A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
NA - CVE-2024-8127 - A vulnerability classified as critical was...
A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L,...
CVE-2024-8127
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
