Exploit
CVE-2024-8128

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 (Medium) / EPSS 0.04%

Summary

A critical vulnerability has been discovered in various D-Link NAS (Network Attached Storage) devices, specifically affecting the HTTP POST Request Handler. The vulnerability is located in the cgi_add_zip function of the /cgi-bin/webfile_mgr.cgi file. By manipulating the 'path' argument, an attacker can perform command injection. This vulnerability can be exploited remotely and does not require user interaction or special privileges.

Impact

The impact of this vulnerability is severe. It allows attackers to execute arbitrary commands on the affected systems, potentially leading to complete system compromise. The vulnerability affects all aspects of the CIA triad:

1. Confidentiality: High impact, potentially allowing unauthorized access to sensitive data stored on the NAS.
2. Integrity: High impact, enabling attackers to modify or delete data and system files.
3. Availability: High impact, possibly resulting in system disruption or denial of service.

The vulnerability's attack vector is network-based, making it accessible to remote attackers. Its low attack complexity and lack of required privileges or user interaction make it relatively easy to exploit, increasing the risk to affected systems. One proof-of-concept exploit is available on github.com, though there is no evidence of active exploitation at the moment.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

No patch is available for this vulnerability. The affected D-Link NAS devices are end-of-life and no longer supported by the manufacturer. D-Link has confirmed that these products have reached their end-of-life status.

Mitigation

Given that the affected products are end-of-life and no patches will be released, the primary mitigation recommendation is to retire and replace these devices immediately. In the meantime, if immediate replacement is not possible, consider the following temporary mitigation steps:

1. Isolate affected devices: Restrict network access to these NAS devices, allowing connections only from trusted IP addresses or networks.
2. Use firewalls: Implement strict firewall rules to limit incoming traffic to the affected devices.
3. Monitor systems: Implement robust logging and monitoring to detect any suspicious activities or potential exploitation attempts.
4. Regular backups: Ensure all data on these devices is regularly backed up to secure, unaffected systems.
5. Accelerate replacement plans: Prioritize the replacement of these vulnerable devices with supported, secure alternatives as soon as possible.
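One way to implement the monitoring step, as an added example that is not part of the original advisory: a Python check that flags POST requests to /cgi-bin/webfile_mgr.cgi whose path argument decodes to a value containing shell metacharacters. The tab-separated log format (as a reverse proxy in front of the NAS might record it), the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/webfile_mgr.cgi"  # vulnerable CGI named in the advisory
PARAM = "path"                         # argument named in the advisory
# Characters a shell treats specially; a plain directory path needs none of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")

def suspicious_path_values(method, url, body):
    """Return decoded 'path' values that contain shell metacharacters."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != ENDPOINT:
        return []
    # Merge query-string and form-body fields; parse_qs percent-decodes both.
    fields = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(values)
    return [v for v in fields.get(PARAM, []) if SHELL_META.search(v)]

def scan_log(text):
    """Return (timestamp, source, values) for each flagged log line."""
    hits = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5:
            continue  # skip malformed lines
        ts, src, method, url, body = cols
        bad = suspicious_path_values(method, url, body)
        if bad:
            hits.append((ts, src, bad))
    return hits

# Constructed sample log (assumed columns: time, source, method, URL, body).
SAMPLE_LOG = "\n".join([
    "2024-09-01T10:00:01Z\t192.0.2.10\tPOST\t/cgi-bin/webfile_mgr.cgi\tpath=%2Fshare%2Fdocs",
    "2024-09-01T10:00:07Z\t198.51.100.7\tPOST\t/cgi-bin/webfile_mgr.cgi\tpath=%2Fshare%2Fdocs%3Becho+test",
    "2024-09-01T10:00:09Z\t198.51.100.7\tGET\t/index.html?path=%3B\t",
    "2024-09-01T10:00:12Z\t203.0.113.5\tPOST\t/cgi-bin/webfile_mgr.cgi?path=%60echo%60\t",
])

if __name__ == "__main__":
    for ts, src, values in scan_log(SAMPLE_LOG):
        print(ts, src, values)
```

Any hit from a source outside the trusted networks defined in step 1 is worth investigating, since a legitimate directory path has no reason to carry these characters.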

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8128.

Aug 24, 2024 at 11:39 AM / CVE

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 11:41 AM

CVSS

A CVSS base score of 9.8 has been assigned.

Oct 28, 2024 at 9:23 PM / nvd

Affected Systems

Dlink/dns-326_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

Update Fri Sep 27 06:35:53 UTC 2024
CVE-2024-8128 Exploit
CVE Id : CVE-2024-8128 Published Date: 2024-08-27T15:32:00+00:00 A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE:
CVE-2024-8128
Medium Severity Description A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
NA - CVE-2024-8128 - A vulnerability, which was classified as...
A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L,...
CVE-2024-8128
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
