CVE-2024-8212 in DNS-120info

Summary

by MITRE • 08/27/2024

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_R12R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/29/2024

This critical vulnerability identified as CVE-2024-8212 affects multiple D-Link network attached storage devices including models such as DNS-120, DNR-202L, and various other DNS-3xx and DNS-7xx series devices. The vulnerability resides within the web interface configuration component of these devices, specifically in the cgi_FMT_R12R5_2nd_DiskMGR function located in the /cgi-bin/hd_config.cgi file. The flaw represents a command injection vulnerability that stems from improper input validation of the f_source_dev parameter, allowing attackers to execute arbitrary commands on the affected devices. This vulnerability has been publicly disclosed and is actively being exploited, making it particularly dangerous for systems that remain operational despite their end-of-life status.

The technical nature of this vulnerability aligns with CWE-77 and CWE-94, which respectively address command injection and code injection flaws in software systems. The attack vector is remote, meaning that an unauthenticated attacker can exploit this vulnerability from outside the local network without requiring physical access or prior authentication. The exploitation occurs through manipulation of the f_source_dev argument in the cgi-bin/hd_config.cgi endpoint, which allows for arbitrary command execution on the device. This type of vulnerability enables attackers to gain full control over the affected storage devices, potentially leading to data theft, device compromise, or use as a pivot point for attacks against other systems on the network. The attack surface is particularly concerning given that these devices are often deployed in home and small office environments where network security measures may be minimal.

The operational impact of this vulnerability extends beyond simple device compromise, as these network attached storage devices typically serve as central repositories for sensitive data including personal files, business documents, and potentially confidential information. The command injection capability allows attackers to execute arbitrary system commands, potentially enabling them to install malware, modify device configurations, or establish persistent access. In enterprise environments, these devices may be connected to internal networks, making them potential entry points for lateral movement attacks. The vulnerability's classification as critical according to CVSS scoring systems reflects the severity of potential damage and the ease of exploitation. Given that D-Link has confirmed these products are end-of-life, there will be no official security updates or patches, leaving affected users vulnerable to continued exploitation.

Organizations and individuals using these affected D-Link devices should immediately implement mitigation strategies to protect their networks. The most effective approach is to physically disconnect the affected devices from the network and replace them with supported models. Network segmentation should be implemented to isolate these devices if physical removal is not immediately possible. Access control measures such as disabling remote management features and implementing strong firewall rules can help reduce the attack surface. Monitoring network traffic for suspicious activity related to the affected cgi-bin endpoints may help detect exploitation attempts. Additionally, users should consider implementing network intrusion detection systems that can identify command injection attempts. According to ATT&CK framework, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1059.007 (Command and Scripting Interpreter: JavaScript), as attackers may leverage these devices to execute malicious commands. Organizations should also review their device inventory to identify all potentially affected units and ensure that these end-of-life devices are properly retired from service to prevent continued exposure to this and other known vulnerabilities.

Responsible

VulDB

Disclosure

08/27/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.07482

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!