CVE-2024-8129 (exploit available)

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been discovered in multiple D-Link NAS devices, specifically affecting the HTTP POST Request Handler. The vulnerability is in the cgi_s3_modify function of the /cgi-bin/s3.cgi file. By manipulating the f_job_name argument, an attacker can execute a command injection attack. This vulnerability can be exploited remotely and does not require user interaction or special privileges. The affected devices include D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814.

Impact

The impact of this vulnerability is severe. With a CVSS v3.1 base score of 9.8 (Critical), it allows attackers to compromise the confidentiality, integrity, and availability of the affected systems. Successful exploitation could lead to unauthorized access, data theft, system modification, or complete system takeover. Given that the attack can be launched remotely without authentication, it poses a significant risk to exposed devices. The vulnerability is classified as a command injection issue (CWE-77 and CWE-78), which means attackers could potentially execute arbitrary commands on the affected systems with the privileges of the web server.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

There is no patch available for this vulnerability. The vendor, D-Link, has confirmed that the affected products are end-of-life and no longer supported. The recommendation is to retire and replace these devices as they will not receive security updates.

Mitigation

Given that there are no patches available and the affected devices are end-of-life, the primary mitigation strategy is to replace the vulnerable devices with newer, supported models. In the interim, if immediate replacement is not possible, consider the following steps:

1. Isolate affected devices from the internet and restrict access to trusted networks only.
2. Implement strong network segmentation to limit the potential impact of a compromise.
3. Monitor these devices closely for any signs of suspicious activity.
4. If possible, disable the vulnerable CGI script or restrict access to it.
5. Implement strong access controls and use firewalls to limit incoming connections to these devices.
6. Regularly back up any critical data stored on these devices.
7. Prioritize the replacement of these devices in your security roadmap.
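As an added example (not part of this advisory and not D-Link's code), the following Python check shows what interim steps 3 and 4 look like in practice when the NAS is placed behind a reverse proxy or inspection point that records each request's method, path and POST body. It flags POST requests to /cgi-bin/s3.cgi whose f_job_name value falls outside a strict allowlist of plain identifier characters, which is also the kind of input validation a fixed handler would apply against CWE-77. The log record shape, the `cmd` field in the sample bodies and the allowlist pattern are assumptions; the sample records are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Path and parameter named in the advisory.
VULNERABLE_PATH = "/cgi-bin/s3.cgi"
PARAM = "f_job_name"

# Assumed allowlist: a backup job name should be a short, plain identifier.
# Anything else (shell metacharacters, quotes, whitespace, ...) is rejected
# rather than trying to enumerate dangerous characters.
SAFE_JOB_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def check_request(method, path, body):
    """Return a finding dict if the request is suspicious, else None.

    Only POST requests to the vulnerable CGI are inspected; the body is
    parsed as application/x-www-form-urlencoded, so percent-encoded
    metacharacters are decoded before the allowlist is applied.
    """
    if method.upper() != "POST":
        return None
    if path.split("?", 1)[0] != VULNERABLE_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(PARAM, []):
        if not SAFE_JOB_NAME.match(value):
            return {
                "path": path,
                "param": PARAM,
                "value": value,
                "reason": "job name contains characters outside the allowlist",
            }
    return None


def scan(records):
    """Run check_request over (method, path, body) tuples; return findings."""
    findings = []
    for method, path, body in records:
        finding = check_request(method, path, body)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (hypothetical proxy log, not real traffic).
# The 'cmd' field is an assumed extra form field, not taken from the advisory.
SAMPLE_RECORDS = [
    ("POST", "/cgi-bin/s3.cgi", "cmd=cgi_s3_modify&f_job_name=nightly_backup"),
    ("POST", "/cgi-bin/s3.cgi", "cmd=cgi_s3_modify&f_job_name=backup%3Bx"),  # ';' decoded
    ("GET", "/cgi-bin/s3.cgi", "f_job_name=x"),  # wrong method, ignored
    ("POST", "/cgi-bin/other.cgi", "f_job_name=x;y"),  # other path, ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"ALERT {f['path']} {f['param']}={f['value']!r}: {f['reason']}")
```

In a blocking deployment the same allowlist can be enforced at the proxy (drop the request instead of logging it), which is the practical form of step 4 when the CGI script cannot be disabled on an end-of-life device.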

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8129.

Aug 24, 2024 at 3:40 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 3:41 PM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 28, 2024 at 9:23 PM / nvd

Affected Systems

Dlink/dns-321_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3_modify.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

Update Fri Sep 27 06:35:53 UTC 2024
CVE-2024-8129 Exploit
CVE Id : CVE-2024-8129 Published Date: 2024-08-27T15:33:00+00:00 A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE:
CVE-2024-8129
Critical Severity Description A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
NA - CVE-2024-8129 - A vulnerability, which was classified as...
A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326,...
CVE-2024-8129
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
