Exploit
CVE-2024-8134

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 24, 2024 / Updated: 2mo ago

CVSS 5.3 / EPSS 0.04% / Medium

Summary

A critical vulnerability has been identified in multiple D-Link Network Attached Storage (NAS) devices. The vulnerability affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi, which is part of the HTTP POST Request Handler. The issue allows for command injection through the manipulation of the argument f_source_dev. This vulnerability can be exploited remotely and requires no user interaction or privileges. The affected devices include D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to firmware version 20240814.

Impact

The impact of this vulnerability is severe. An attacker exploiting this vulnerability could gain unauthorized access to the affected D-Link NAS devices, potentially allowing them to execute arbitrary commands with the highest privileges. This could lead to complete system compromise, including unauthorized data access, modification, or deletion, as well as using the compromised device as a foothold for further network intrusion. The CVSS v3.1 base score of 9.8 (Critical) indicates maximum impact on confidentiality, integrity, and availability of the affected systems. Given the nature of NAS devices, which often store sensitive and critical data, the potential for data theft or corruption is particularly concerning.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

A patch is available for this vulnerability. D-Link has released security advisory SAP10383, which can be found at https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383. However, it's crucial to note that this vulnerability affects products that are no longer supported by the maintainer. D-Link has confirmed that the affected products are end-of-life, and the vendor recommends that these devices should be retired and replaced. This means that while a patch exists, it may not be applicable or advisable to apply to these outdated devices.

Mitigation

Given that the affected devices are end-of-life and no longer supported, the primary mitigation strategy is to replace these devices with newer, supported models. If immediate replacement is not feasible, consider the following interim measures:

1. Isolate affected devices from the internet and restrict network access to trusted IP addresses only.
2. Implement strong network segmentation to limit the potential impact of a compromise.
3. Monitor these devices closely for any signs of suspicious activity.
4. Regularly back up any critical data stored on these devices.
5. Plan for the immediate replacement of these devices with current, supported models that receive regular security updates.

These mitigation steps are temporary; the only long-term solution is to replace the vulnerable devices. Prioritize the replacement of these devices based on their criticality and exposure in your network.
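One way to implement the monitoring measure for the request described in the Summary, as an added example (not code from D-Link or from the linked advisory). It assumes a reverse proxy or sensor in front of the NAS logs each HTTP request with its body, and that a legitimate f_source_dev value is a short alphanumeric device name; the record layout and sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/cgi-bin/hd_config.cgi"   # endpoint named in the advisory
TARGET_PARAM = "f_source_dev"            # argument named in the advisory
# Assumption: a legitimate value is a short device name such as "sda".
SAFE_VALUE = re.compile(r"[A-Za-z0-9]{1,16}")


def normalise_path(url):
    """Drop the query string, URL-decode, and collapse repeated slashes."""
    return re.sub(r"/+", "/", unquote(url.split("?", 1)[0]))


def suspicious_values(method, url, body):
    """Return the f_source_dev values that fail the allow-list ([] if none)."""
    if method.upper() != "POST" or normalise_path(url) != TARGET_PATH:
        return []
    # parse_qs URL-decodes, so encoded characters are judged in decoded form.
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get(TARGET_PARAM, []) if not SAFE_VALUE.fullmatch(v)]


def scan(records):
    """Return (source address, offending values) for each record to alert on."""
    hits = []
    for rec in records:
        bad = suspicious_values(rec["method"], rec["url"], rec["body"])
        if bad:
            hits.append((rec["src"], bad))
    return hits


# Constructed sample records (documentation addresses, placeholder value).
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "url": "/cgi-bin/hd_config.cgi",
     "body": "f_source_dev=sda"},
    {"src": "198.51.100.7", "method": "POST", "url": "/cgi-bin/hd_config.cgi",
     "body": "f_source_dev=sda%3BCONSTRUCTED"},
    {"src": "192.0.2.10", "method": "GET", "url": "/cgi-bin/hd_config.cgi",
     "body": ""},
]

if __name__ == "__main__":
    for src, values in scan(SAMPLE):
        print(f"ALERT {src}: unexpected {TARGET_PARAM} value(s) {values!r}")
```

Because the allow-list rejects everything that is not a plain device name, the check does not depend on enumerating particular shell metacharacters.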

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8134.

Aug 24, 2024 at 8:04 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 24, 2024 at 8:04 PM
Threat Intelligence Report

The vulnerability CVE-2024-8134 affects the WordPress Favicon Generator plugin, with a CVSS score of 9.6, making it critical. It allows for remote command injection, potentially leading to unauthorized access or data manipulation. Users should update to the latest version of the plugin to mitigate the risk of exploitation.

Aug 30, 2024 at 1:32 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 28, 2024 at 9:23 PM / nvd

Affected Systems

Dlink/dns-326_firmware

Exploits

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md

Patches

supportannouncement.us.dlink.com

Attack Patterns

CAPEC-136: LDAP Injection

References

@RISK: The Consensus Security Vulnerability Alert: Vol. 24, Num. 34 - SANS Institute
Product: GiveWP. Active Installations: 100,000+. CVSS Score: 9.8. CVE-2024-7946 - Itsourcecode Online Blood Bank Management System 1.0 is vulnerable to a critical SQL injection in the User Signup component's register.php file, allowing for remote attacks. Product: Adonesevangelista Online Blood Bank Management System. CVSS Score: 9.8. CVE-2024-7947 - SourceCodester Point of Sales and Inventory Management System 1.0 is vulnerable to SQL injection in the file login.php through manipulation of the email argument, allowing for remote attacks due to a critical vulnerability that has been publicly disclosed.

News

Update Fri Sep 27 06:35:53 UTC 2024
CVE-2024-8134 Exploit
CVE Id : CVE-2024-8134 Published Date: 2024-08-27T15:39:00+00:00 A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
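Zap: [S: God] 100 points: [Command Injection] [CVE-2024-8134] A vulnerability in D-Link NAS devices and similar products that allows remote command injection. It has been publicly disclosed, and the vendor has confirmed that the affected products are end-of-support. Translation: A vulnerability was found in cgi_FMT_Std2R5_1st_DiskMGR of /cgibin/hd_config.cgi in the HTTP POST request handler of multiple D-Link NAS devices and network recorders. This vulnerability causes command injection through manipulation of the f_source_dev argument and can be exploited remotely. It has been publicly disclosed, and because the products are end-of-support, replacement is recommended.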
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life.
CVE-2024-8134
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
