Exploit
CVE-2024-8130

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been discovered in multiple D-Link NAS (Network Attached Storage) devices, affecting the HTTP POST Request Handler component. Specifically, the vulnerability is in the cgi_s3 function of the /cgi-bin/s3.cgi file. The issue allows for command injection through manipulation of the f_a_key argument. This vulnerability can be exploited remotely and does not require user interaction or privileges. It affects various D-Link models including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, up to firmware version 20240814.

Impact

The impact of this vulnerability is severe. With a CVSS v3.1 base score of 9.8 (Critical), it poses a significant threat to the confidentiality, integrity, and availability of affected systems. Successful exploitation could allow an attacker to execute arbitrary commands on the target device, potentially leading to complete system compromise. This could result in unauthorized access to sensitive data stored on the NAS, modification or deletion of files, and disruption of services. Given that these are network storage devices, a breach could expose critical business or personal data, depending on the device's use case.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

A patch is available for this vulnerability. D-Link has released information about the vulnerability and potential mitigations on their support announcement page at https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383. However, it's crucial to note that this vulnerability affects products that are no longer supported by D-Link. The vendor has confirmed that the affected products are end-of-life.

Mitigation

Given that the affected devices are end-of-life and no longer supported by D-Link, the primary mitigation recommendation is to retire and replace these devices immediately. If immediate replacement is not feasible, consider the following temporary mitigations:

1. Isolate affected devices: Place the vulnerable NAS devices behind a firewall and restrict access only to trusted IP addresses.
2. Disable remote access: If possible, disable remote management features and access the devices only from the local network.
3. Monitor for suspicious activity: Implement robust logging and monitoring to detect any potential exploitation attempts.
4. Apply network segmentation: Separate the NAS devices from critical network segments to limit potential damage in case of compromise.
5. Regular backups: Ensure all data on these devices is regularly backed up to a secure, unaffected system.
6. Update firmware: If any firmware updates are available (even if they don't directly address this vulnerability), apply them as they may include general security improvements.

It's important to stress that these mitigations are temporary measures. The most effective solution is to replace these end-of-life devices with current, supported models that receive regular security updates.
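For mitigations 1 and 3, the following is an added detection example (not code from D-Link or from the original page). It checks captured HTTP request records for POSTs to /cgi-bin/s3.cgi that come from outside a trusted subnet or carry shell metacharacters in f_a_key. The record format, the trusted subnet, the metacharacter set and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/cgi-bin/s3.cgi"   # endpoint named in the advisory
TARGET_PARAM = "f_a_key"          # argument named in the advisory
# Assumed indicator set: characters a shell treats specially.
SHELL_META = re.compile(r"[;|&`$()<>\r\n]")
# Assumed management subnet allowed to reach the NAS (mitigation 1).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]


def check_request(rec):
    """Return the list of alert reasons for one captured request record."""
    # Decode and normalise the path so /cgi-bin/./s3.cgi still matches.
    path = posixpath.normpath(unquote(urlsplit(rec["url"]).path))
    if rec["method"].upper() != "POST" or path != TARGET_PATH:
        return []
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("untrusted-source")
    # parse_qs percent-decodes, so encoded metacharacters are seen as well.
    fields = parse_qs(rec["body"], keep_blank_values=True)
    if any(SHELL_META.search(v) for v in fields.get(TARGET_PARAM, [])):
        reasons.append("shell-metachar-in-" + TARGET_PARAM)
    return reasons


def scan(records):
    """Return (time, src, reasons) for every record that raised an alert."""
    return [(r["time"], r["src"], why) for r in records if (why := check_request(r))]


# Constructed sample records (not real traffic).
SAMPLE = [
    {"time": "2024-09-01T10:00:00Z", "src": "192.0.2.5", "method": "POST",
     "url": "/cgi-bin/s3.cgi", "body": "f_a_key=EXAMPLEKEY123"},
    {"time": "2024-09-01T10:05:00Z", "src": "192.0.2.5", "method": "POST",
     "url": "/cgi-bin/./s3.cgi", "body": "f_a_key=EXAMPLEKEY%3Bplaceholder"},
    {"time": "2024-09-01T10:07:00Z", "src": "198.51.100.7", "method": "POST",
     "url": "/cgi-bin/s3.cgi", "body": "f_a_key=EXAMPLEKEY123"},
    {"time": "2024-09-01T10:09:00Z", "src": "198.51.100.7", "method": "GET",
     "url": "/cgi-bin/other.cgi", "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Request bodies are not present in typical access logs, so the records would need to come from a reverse proxy, IDS or packet capture placed in front of the NAS.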

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8130.

Aug 24, 2024 at 4:39 PM / CVE

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 4:39 PM

CVSS

A CVSS base score of 9.8 has been assigned.

Oct 28, 2024 at 9:23 PM / nvd

Affected Systems

Dlink/dnr-326_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

Update Fri Sep 27 06:35:53 UTC 2024
CVE-2024-8130 Exploit
CVE Id : CVE-2024-8130 Published Date: 2024-08-27T15:34:00+00:00 A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE:
CVE-2024-8130
Critical Severity Description A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
CVE-2024-8130
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)
NA - CVE-2024-8130 - A vulnerability has been found in D-Link...
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345,...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
