Exploit
CVE-2024-8133

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been identified in multiple D-Link NAS (Network Attached Storage) devices, specifically affecting the HTTP POST Request Handler component. The vulnerability is present in the cgi_FMT_R5_SpareDsk_DiskMGR function of the /cgi-bin/hd_config.cgi file. This flaw allows for command injection through the manipulation of the f_source_dev argument. The attack can be initiated remotely and does not require user interaction or privileges.

Impact

This vulnerability enables remote attackers to execute arbitrary commands on the affected D-Link NAS devices. Given its critical nature and high CVSS base score of 9.8, the potential impacts are severe:

1. Complete system compromise: Attackers can gain full control over the affected devices.
2. Data breach: Unauthorized access to sensitive information stored on the NAS.
3. System manipulation: Ability to modify or delete data, potentially leading to data loss or corruption.
4. Use as an entry point: The compromised NAS could be used as a springboard for further attacks on the internal network.
5. Operational disruption: Potential for denial of service or degradation of NAS performance.

The vulnerability affects confidentiality, integrity, and availability, all rated as "HIGH" impact in the CVSS scoring.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

A patch is available for this vulnerability. D-Link has released information about the security issue, which can be found at:

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

However, it's crucial to note that this vulnerability affects products that are no longer supported by D-Link. The vendor has confirmed that the affected products are end-of-life.

Mitigation

Given the critical nature of this vulnerability and the end-of-life status of the affected products, the following mitigation steps are recommended:

1. Immediate replacement: The primary recommendation is to retire and replace the affected D-Link NAS devices with supported, up-to-date alternatives.
2. If immediate replacement is not possible:
   a. Isolate affected devices: Place the vulnerable NAS devices behind a firewall and restrict access to trusted IP addresses only.
   b. Disable remote access: If possible, disable remote access features on these devices.
   c. Monitor closely: Implement enhanced monitoring for any suspicious activities on these devices.
   d. Regular backups: Ensure all data on these devices is regularly backed up to secure, unaffected systems.
3. Conduct a thorough security audit to identify any potential compromises that may have occurred before mitigation.
4. Develop and implement a plan to phase out these end-of-life devices as soon as possible to prevent future vulnerabilities.
5. Educate users about the risks of continuing to use these devices and the importance of migrating to supported hardware.
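For the "Monitor closely" step, one way to review proxy or WAF logs for requests to the affected handler (an added example, not part of the original page or the vendor's advisory). The log record layout, the sample records, and the assumption that a legitimate f_source_dev value is a short alphanumeric device name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

TARGET_PATH = "/cgi-bin/hd_config.cgi"   # file named in the advisory
PARAM = "f_source_dev"                   # argument named in the advisory
# Assumption: a legitimate value is a bare device name such as "sda".
# Anything else (separators, quotes, spaces, empty) is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9]{1,16}")

# Constructed records: "<src-ip> <method> <path> <url-encoded body>"
SAMPLE_LOG = """\
192.0.2.10 POST /cgi-bin/hd_config.cgi f_source_dev=sda
198.51.100.7 POST /cgi-bin/hd_config.cgi f_source_dev=sda%3BPLACEHOLDER
198.51.100.7 POST /cgi-bin/hd_config.cgi f_source_dev=sda&f_source_dev=%60PLACEHOLDER%60
192.0.2.10 POST /cgi-bin/other.cgi f_source_dev=a%3Bb
203.0.113.5 POST /cgi-bin/hd_config.cgi f_source_dev=
"""


def suspicious_requests(log_text):
    """Return (line_no, src_ip, decoded_value) for each rejected value."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed record, not our format
        src, method, path, body = parts
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        # parse_qsl percent-decodes values and keeps repeated parameters,
        # so an encoded or duplicated f_source_dev is still inspected.
        for name, value in parse_qsl(body, keep_blank_values=True):
            if name == PARAM and not SAFE_VALUE.fullmatch(value):
                hits.append((line_no, src, value))
    return hits


if __name__ == "__main__":
    for line_no, src, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {src} sent {PARAM}={value!r}")
```

Matching on an allowlist of expected values rather than a list of known bad characters keeps the check useful when the request is encoded differently.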

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8133.

Aug 24, 2024 at 7:13 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 7:13 PM

Affected Systems

Dlink/dns-321_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

News

Update Fri Sep 27 06:35:53 UTC 2024
CVE-2024-8133 Exploit
CVE Id : CVE-2024-8133 Published Date: 2024-08-27T15:35:00+00:00 A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-8133
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. It has been declared as critical.
NA - CVE-2024-8133 - A vulnerability was found in D-Link DNS-120,...
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345,...
CVE-2024-8133
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
