CVE-2024-3272
📋 TL;DR
This vulnerability in D-Link network storage devices allows remote attackers to access hard-coded credentials via HTTP GET requests to the nas_sharing.cgi endpoint. Attackers can gain unauthorized access to affected devices, potentially compromising stored data and network security. Only end-of-life D-Link DNS models are affected, with no vendor support available.
💻 Affected Systems
- D-Link DNS-320L
- DNS-325
- DNS-327L
- DNS-340L
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to data theft, ransomware deployment, and use as a pivot point for internal network attacks.
Likely Case
Unauthorized access to stored files, configuration tampering, and credential harvesting from the compromised device.
If Mitigated
Limited impact if devices are isolated in separate network segments with strict access controls.
🎯 Exploit Status
Exploit code is publicly available on GitHub. Attack requires only HTTP access to the vulnerable endpoint with specific parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
Restart Required: No
Instructions:
No official patch exists. Vendor confirms products are end-of-life and recommends replacement.
🔧 Temporary Workarounds
Network Isolation
Place affected devices in an isolated VLAN with strict firewall rules blocking external and unnecessary internal access.
HTTP Access Restriction
Block access to port 80/443 on affected devices except from authorized management stations.
🧯 If You Can't Patch
- Immediately disconnect affected devices from networks and replace with supported hardware
- If temporary use is required, place the device behind a VPN with strict access controls and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to /cgi-bin/nas_sharing.cgi?user=messagebus on the device's IP address. If the response contains credentials or device information, the device is vulnerable.
Check Version:
Log in to the device web interface, or SSH to the device, and check the firmware version in settings.
Verify Fix Applied:
No fix is available to verify. The only verification is device replacement.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/nas_sharing.cgi with user=messagebus parameter
- Unusual authentication attempts or configuration changes
Network Indicators:
- HTTP traffic to port 80/443 of D-Link DNS devices with specific parameter patterns
- Outbound connections from DNS devices to unknown IPs
SIEM Query:
source_ip="DNS_DEVICE_IP" AND (url_path="/cgi-bin/nas_sharing.cgi" AND query_string CONTAINS "user=messagebus")
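The log indicator above can also be checked offline against proxy or firewall access logs. The following is an added example, not part of the original advisory: it assumes common/combined log format, uses constructed sample lines, and normalises percent-encoding and repeated slashes so that a plain substring match is not the only thing standing between the request and the alert.

```python
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/cgi-bin/nas_sharing.cgi"   # path named on this page
ACCOUNT = "messagebus"                  # user value named on this page

# Common/combined log format; the field layout is an assumption about the proxy log.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_indicator(target):
    """True if the request target is nas_sharing.cgi with user=messagebus."""
    raw_path, _, query = target.partition("?")
    # Decode percent-encoding and collapse repeated slashes before comparing.
    path = re.sub(r"/{2,}", "/", unquote(raw_path))
    if path != ENDPOINT:
        return False
    # parse_qs decodes values and keeps every occurrence of a repeated key.
    return ACCOUNT in parse_qs(query, keep_blank_values=True).get("user", [])

def scan(lines):
    """Return (line_no, src, method, status) for each matching log line."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m and is_indicator(m["target"]):
            hits.append((no, m["src"], m["method"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2024:12:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=messagebus HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2024:12:00:02 +0000] "GET /cgi-bin//nas_sharing.cgi?x=1&user=%6dessagebus HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Apr/2024:12:00:03 +0000] "GET /cgi-bin/nas_sharing.cgi?user=alice HTTP/1.1" 401 0',
    '192.0.2.10 - - [10/Apr/2024:12:00:04 +0000] "GET /index.html?ref=user=messagebus HTTP/1.1" 200 90',
    'truncated line without a request field',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("nas_sharing.cgi/messagebus request:", hit)
```

A hit with a 2xx status from an address outside the authorized management stations is the case to escalate first.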
🔗 References
- https://github.com/netsecfish/dlink
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
- https://vuldb.com/?ctiid.259283
- https://vuldb.com/?id.259283
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3272