Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
A critical vulnerability has been discovered in D-Link DAR-7000 devices running firmware versions up to 20240912. It affects an unknown function in the file /view/DBManage/Backup_Server_commit.php: manipulating the 'host' argument leads to OS command injection. The vulnerability can be exploited remotely and requires neither user interaction nor privileges. The exploit has been publicly disclosed and may be actively used. Note that this vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability allows remote attackers to execute arbitrary OS commands on the affected D-Link DAR-7000 devices. The potential impacts are severe:
1. Complete system compromise: Attackers can gain full control over the affected device.
2. Data breach: Unauthorized access to sensitive information stored on or passing through the device.
3. Network pivot: The compromised device could be used as a launching point for further attacks on the internal network.
4. Service disruption: Attackers could manipulate or shut down device functions, potentially disrupting network operations.
5. Malware installation: The vulnerability could be exploited to install persistent malware or backdoors on the device.
Given the CVSS v3.1 base score of 9.8 (Critical) and the attack vector being network-based with low attack complexity, this vulnerability poses an immediate and severe risk to affected systems.
One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.
A patch is available for this vulnerability. D-Link has released an update to address this issue. The patch information can be found at: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10354
Given the severity of this vulnerability, the following mitigation steps are recommended:
1. Immediate patching: Apply the security update provided by D-Link as soon as possible for all affected DAR-7000 devices with firmware versions up to 20240912.
2. Network segmentation: Isolate affected devices that cannot be immediately patched from critical network segments.
3. Access control: Implement strict access controls to limit who can reach the vulnerable /view/DBManage/Backup_Server_commit.php file.
4. Network monitoring: Enhance monitoring for suspicious activities, particularly any attempts to exploit this vulnerability.
5. Firewall rules: Implement firewall rules to restrict unnecessary access to the affected devices, especially from untrusted networks.
6. Consider replacement: As the affected products are no longer supported by the maintainer, consider replacing these devices with supported alternatives if patching is not possible.
7. Regular security assessments: Conduct frequent security scans and penetration tests to identify and address any exploitation attempts.
8. Incident response preparation: Update incident response plans to include steps for dealing with potential exploits of this vulnerability.
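Steps 3 and 4 above amount to one check: a request to /view/DBManage/Backup_Server_commit.php whose 'host' parameter is anything other than a plain hostname or IPv4 address deserves attention. The script below is an added example (not D-Link's code and not from the advisory) that applies that check to common-log-format access lines; the log lines, the hostname allowlist regex and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory for CVE-2024-9004.
VULN_PATH = "/view/DBManage/Backup_Server_commit.php"

# Allowlist (assumption): a legitimate backup-server 'host' is either an
# IPv4 address or a DNS hostname. Shell metacharacters can never match.
HOST_OK = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"
    r"|(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)$"
)

# Common log format: client - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def inspect_request(line):
    """Return (client, reason) for a hit on the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes values, so %3B arrives here as ';'.
    hosts = parse_qs(parts.query, keep_blank_values=True).get("host")
    if hosts is None:
        # POST bodies are not in access logs: flag the endpoint hit and
        # leave the 'host' value to be checked at the proxy or WAF.
        return (client, f"{method} to vulnerable endpoint (parameter not visible)")
    for value in hosts:
        if not HOST_OK.match(value):
            return (client, f"non-hostname 'host' value: {value!r}")
    return (client, "benign-looking hit on vulnerable endpoint")


def scan(lines):
    return [hit for hit in (inspect_request(l) for l in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2024:10:00:02 +0000] "GET /view/DBManage/Backup_Server_commit.php?host=backup.example.net HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/Sep/2024:10:00:03 +0000] "GET /view/DBManage/Backup_Server_commit.php?host=10.0.0.5%3Bexample HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/Sep/2024:10:00:04 +0000] "POST /view/DBManage/Backup_Server_commit.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

Every hit on the endpoint is reported, not only the clearly bad ones, because on an unsupported device any reachability of this file from an untrusted network is itself the finding.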
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Feedly found the first article mentioning CVE-2024-9004.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9004
A CVSS base score of 6.3 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 16.5%)
A CVSS base score of 9.8 has been assigned.
CVE-2024-9004 is a critical vulnerability in the D-Link DAR-7000, with a CVSS score of 9.8, that allows remote attackers to perform OS command injection via the 'host' argument of the /view/DBManage/Backup_Server_commit.php endpoint. The details provided do not specify whether the vulnerability is actively exploited in the wild, nor do they mention any proof-of-concept exploits, mitigations, detections, or patches available. There is also no information regarding potential downstream impacts to other third-party vendors or technology.
A CVSS base score of 9.8 has been assigned.