A critical vulnerability has been discovered in various D-Link Network Attached Storage (NAS) devices affecting their firmware versions up until 20240814. This security issue presents a high risk to the affected devices as they are no longer supported by D-Link, and the exploit has been publicly disclosed, making it more likely to be exploited by threat actors. The following devices are impacted by this vulnerability:

Details

The vulnerability (CVE-2024-8210) lies in the sprintf function of the /cgi-bin/hd_config.cgi file. By manipulating the f_mount argument, an attacker can execute a command injection attack, possibly leading to unauthorized remote access or actions on the affected device.

Here is an example code snippet that demonstrates the vulnerability within the affected function

char command[128];
sprintf(command, "mount %s /mnt/hd", f_mount);
system(command);

As seen in the code above, the sprintf function is used to concatenate the user-provided f_mount argument into a string that is then executed as a command by the system function without proper sanitization or escaping, leading to a severe risk of command injection.

Craft a malicious request to the target device as follows

POST /cgi-bin/hd_config.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: ...

f_mount=;COMMAND_TO_BE_EXECUTED

Replace COMMAND_TO_BE_EXECUTED with the desired command to be executed on the target system.

3. Send the malicious request to the target device to exploit the vulnerability and execute the chosen command.

Mitigation

Given that the affected products are no longer supported by D-Link, the vendor has confirmed that these devices are end-of-life and should be retired and replaced with more recent, supported devices. It is important for users of these outdated products to consider upgrading to newer, more secure NAS devices to avoid the risk of being affected by this critical vulnerability.

References

- Original Disclosure of CVE-2024-8210
- D-Link Product Page, Listing Affected Devices

Conclusion

The critical vulnerability CVE-2024-8210 in various D-Link NAS devices can lead to command injection and unauthorized remote actions on affected devices. Users should urgently consider upgrading their devices to newer, supported models as a security measure since the exploit is now public and the devices are no longer supported by the vendor D-Link.

Timeline

Published on: 08/27/2024 19:15:18 UTC
Last modified on: 08/29/2024 16:04:45 UTC