Command Injection Vulnerability in D-Link Network Attached Storage Devices
CVE-2024-3273

9.8 CRITICAL

Key Information:

Vendor: D-Link
CVE Published: 4 April 2024

Badges

Trended | Score: 7,990 | Ransomware | Exploit Exists | Public PoC | EPSS 93% | CISA Reported | News Worthy

What is CVE-2024-3273?

CVE-2024-3273 is a critical command injection vulnerability identified in certain D-Link network storage devices, including models DNS-320L, DNS-325, DNS-327L, and DNS-340L. These devices are primarily used for storing and managing data in small to medium-sized businesses and home networks. The vulnerability allows an attacker to manipulate a specific argument in the device's HTTP GET request handler, potentially enabling remote command injection. Given that the affected products are no longer supported by the vendor, organizations using them face significant risks, including unauthorized system access and potential data compromise.

Technical Details

The vulnerability resides in the file /cgi-bin/nas_sharing.cgi, whose handling of input arguments can be exploited by attackers. The command injection allows an adversary to execute arbitrary commands on the affected device, which can lead to a complete compromise of the system. Because the issue is critical and has been publicly disclosed, attackers may exploit it swiftly in environments where these devices are still operational.
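One way to check web or reverse-proxy access logs for GET requests that reach the CGI path named above, as an added example (not code from this page, D-Link or CISA). It assumes common/combined log format; the log lines are constructed samples, and `canonical_path`, `find_hits` and `answered` are hypothetical helper names.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

TARGET_PATH = "/cgi-bin/nas_sharing.cgi"  # path named in the text above

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def canonical_path(target):
    """Drop the query string, percent-decode twice (double encoding),
    then collapse duplicate slashes and dot segments."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return normpath("/" + path.lstrip("/"))

def find_hits(lines):
    """Map client -> [(timestamp, status)] for GETs resolving to TARGET_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if canonical_path(m["target"]) == TARGET_PATH:
            hits[m["client"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def answered(hits):
    """Clients that received a 2xx reply, i.e. the handler actually responded."""
    return sorted(c for c, rows in hits.items()
                  if any(200 <= status < 300 for _, status in rows))

# Constructed sample lines (documentation IP ranges, placeholder query strings).
SAMPLE = [
    '198.51.100.7 - - [08/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?PLACEHOLDER=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Apr/2024:10:01:05 +0000] "GET /cgi-bin//%6eas_sharing.cgi?PLACEHOLDER=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Apr/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [08/Apr/2024:10:03:00 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 404 0',
    '192.0.2.44 - - [08/Apr/2024:10:04:00 +0000] "GET /x/%252e%252e/cgi-bin/nas_sharing.cgi HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = find_hits(SAMPLE)
    for client, rows in found.items():
        print(client, rows)
    print("answered with 2xx:", answered(found))
```

Any source listed by `answered` reached a device that served the handler, so that device should be isolated and reviewed first.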

Impact of the Vulnerability

  1. Remote Code Execution: The fundamental risk posed by CVE-2024-3273 is the potential for remote code execution, allowing attackers to gain unauthorized access and control over the affected D-Link devices.

  2. Data Breach Risk: With the ability to execute arbitrary commands, attackers may access sensitive data stored on the devices, leading to significant data breaches that can affect both personal and organizational information.

  3. Legacy System Exploitation: As the vulnerable models are no longer supported, organizations using these products not only miss crucial security updates but also expose themselves to ongoing security risks, making them attractive targets for attackers, including ransomware groups.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Affected Version(s)

DNS-320L 20240403

DNS-325 20240403

DNS-327L 20240403

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Hackers Actively Exploit Critical D-Link NAS Vulnerabilities on EoL Devices

In late March 2024, critical vulnerabilities were disclosed in D-Link NAS devices, allowing unauthorized access and command execution. Nearly 92,000 devices were at risk, attracting threat actors. D-Link issued a security advisory and recommended upgrading affected devices, implementing security mea...

9 months ago

CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog

9 months ago

CVE-2024-3273: D-Link NAS RCE Exploited in the Wild | GreyNoise Blog

Check out this blog to stay informed about a critical remote code execution vulnerability affecting D-Link NAS devices. It is being tracked under CVE-2024-3273 and believed to affect as many as 92,000 devices.

9 months ago

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • CISA Reported

  • Public PoC available

  • Used in Ransomware

  • Vulnerability started trending

  • Exploit known to exist

  • First article discovered by BleepingComputer

  • Vulnerability published

Collectors

NVD Database, Mitre Database, CISA Database, 5 Proof of Concept(s), 15 News Article(s)

Credit

netsecfish (VulDB User)