Exploit
CVE-2024-8131

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been discovered in multiple D-Link NAS (Network Attached Storage) devices. The vulnerability affects the function module_enable_disable in the file /cgi-bin/apkg_mgr.cgi, which is part of the HTTP POST Request Handler. This flaw allows for command injection through the manipulation of the f_module_name argument. The attack can be launched remotely and requires no user interaction or special privileges. This vulnerability affects various D-Link NAS models including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, up to firmware versions released before August 14, 2024.

Impact

The impact of this vulnerability is severe. An attacker exploiting this flaw could potentially execute arbitrary commands on the affected devices, leading to complete system compromise. This could result in unauthorized access to sensitive data stored on the NAS, manipulation of files, installation of malware, or using the compromised device as a stepping stone for further attacks on the network. Given the nature of NAS devices, which often store critical business or personal data, the confidentiality, integrity, and availability of this data could be severely compromised. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), the highest severity rating, with high impact on the confidentiality, integrity, and availability of the system.

Exploitation

One proof-of-concept exploit is available on github.com. There is currently no evidence of exploitation.

Patch

A patch for this vulnerability is available. D-Link has released information about the vulnerability on their support announcement page at https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383. However, it's crucial to note that this vulnerability affects products that are no longer supported by D-Link. The vendor has confirmed that the affected products are end-of-life.

Mitigation

Given that the affected devices are end-of-life and no longer supported by D-Link, the primary mitigation recommendation is to retire and replace these devices with newer, supported models. If immediate replacement is not feasible, consider the following temporary mitigation steps:

1. Isolate affected NAS devices from the internet and restrict access to trusted IP addresses only.
2. Implement strong network segmentation to limit the potential impact if a device is compromised.
3. Monitor these devices closely for any signs of suspicious activity.
4. Regularly back up data stored on these devices to a secure, unaffected system.
5. If possible, disable remote access features and use these devices only on internal networks.
6. Keep all other network security measures up-to-date, including firewalls and intrusion detection systems.

However, it's strongly emphasized that these are temporary measures, and the most effective mitigation is to replace these vulnerable, end-of-life devices as soon as possible.
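For the monitoring step above, a detection check over proxy logs (an added example, not code from D-Link or the advisory): it flags requests to /cgi-bin/apkg_mgr.cgi whose f_module_name value falls outside a conservative allowlist. The JSON log format, its field names and the allowed character set are assumptions, and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/apkg_mgr.cgi"  # handler named in the advisory
PARAM = "f_module_name"                # argument named in the advisory
# Assumption: legitimate add-on names use only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

def module_names(record):
    """Return every decoded f_module_name value in the query string and form body."""
    url = urlsplit(record.get("path", ""))
    if url.path != TARGET_PATH:
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    if record.get("method", "").upper() == "POST":
        body = parse_qs(record.get("body", ""), keep_blank_values=True)
        values = values + body.get(PARAM, [])
    return values

def scan(lines):
    """Return one alert per log line carrying a value outside the allowlist."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(record, dict):
            continue
        bad = [v for v in module_names(record) if not SAFE_NAME.fullmatch(v)]
        if bad:
            alerts.append({"line": n, "src": record.get("src"), "values": bad})
    return alerts

# Constructed sample records (hypothetical log format, not real traffic).
SAMPLE = [
    '{"src": "192.0.2.10", "method": "POST", "path": "/cgi-bin/apkg_mgr.cgi", "body": "f_module_name=photo_center"}',
    '{"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/apkg_mgr.cgi", "body": "f_module_name=photo%3Bid"}',
    '{"src": "192.0.2.10", "method": "GET", "path": "/index.html", "body": ""}',
    'not json',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Values are percent-decoded before matching, so an encoded metacharacter is caught the same way as a literal one; any request reaching this handler from outside the trusted address range is worth reviewing regardless of its parameters.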

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-8131.
Aug 24, 2024 at 5:37 PM / CVE

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Aug 24, 2024 at 5:38 PM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 28, 2024 at 9:23 PM / nvd

Affected Systems

Dlink/dns-326_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

Update Fri Sep 27 06:35:53 UTC 2024
Update Sun Sep 8 22:33:07 UTC 2024
Update Fri Aug 30 22:28:54 UTC 2024
CVE-2024-8131 Exploit
CVE Id: CVE-2024-8131. Published Date: 2024-08-27T15:34:00+00:00. A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE:
CVE-2024-8131
Critical Severity. Description: A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
