CVE-2024-7830

Q: What is the severity of CVE-2024-7830?

CVE-2024-7830 has a CVSS score of 8.8 (HIGH). A critical buffer overflow vulnerability in D-Link NAS devices allows remote attackers to execute arbitrary code by manipulating the photo_name parameter in the cgi_move_photo function. This affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this remotely without authentication to potentially take full control of affected devices.

8.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A critical buffer overflow vulnerability in D-Link NAS devices allows remote attackers to execute arbitrary code by manipulating the photo_name parameter in the cgi_move_photo function. This affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this remotely without authentication to potentially take full control of affected devices.

💻 Affected Systems

Products:

D-Link DNS-120
DNR-202L
DNS-315L
DNS-320
DNS-320L
DNS-320LW
DNS-321
DNR-322L
DNS-323
DNS-325
DNS-326
DNS-327L
DNR-326
DNS-340L
DNS-343
DNS-345
DNS-726-4
DNS-1100-4
DNS-1200-05
DNS-1550-04

Versions: All versions up to August 14, 2024

Operating Systems: Embedded NAS firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected products are end-of-life and no longer supported by D-Link. No patches will be released.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, ransomware deployment, or use as a botnet node

🟠

Likely Case

Remote code execution allowing attackers to install malware, steal data, or pivot to internal networks

🟢

If Mitigated

Limited impact if devices are isolated from internet and internal networks with strict access controls

🌐 Internet-Facing: HIGH - Exploit is remote and unauthenticated, making internet-facing devices immediate targets

🏢 Internal Only: MEDIUM - Internal devices still vulnerable to internal attackers or compromised systems

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub. The vulnerability is remotely exploitable without authentication, making it attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Restart Required: No

Instructions:

No official patch available. Vendor recommends retiring and replacing all affected devices as they are end-of-life.

🔧 Temporary Workarounds

Disable CGI endpoint via firewall

linux

Block access to the vulnerable CGI endpoint using network firewall rules

iptables -A INPUT -p tcp --dport 80 -m string --string "/cgi-bin/photocenter_mgr.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/cgi-bin/photocenter_mgr.cgi" --algo bm -j DROP

Disable Photo Center feature

all

Turn off the Photo Center functionality if available in device settings

🧯 If You Can't Patch

Immediately disconnect affected devices from the internet and isolate them from internal networks
Replace all affected D-Link NAS devices with supported, secure alternatives

🔍 How to Verify

Check if Vulnerable:

Check device model and firmware version against affected list. If device is one of the listed models, assume vulnerable.

Check Version:

Check device web interface or use manufacturer-specific CLI commands for firmware version

Verify Fix Applied:

No fix available to verify. Only complete replacement of affected devices resolves the vulnerability.

📡 Detection & Monitoring

Log Indicators:

Unusual requests to /cgi-bin/photocenter_mgr.cgi with long photo_name parameters
Multiple failed buffer overflow attempts in web logs
Unexpected process execution or system changes

Network Indicators:

HTTP POST requests to photocenter_mgr.cgi with unusually long parameters
Traffic patterns suggesting exploit delivery to NAS devices

SIEM Query:

source="web_logs" AND uri="/cgi-bin/photocenter_mgr.cgi" AND (param_length>100 OR contains(param,"photo_name"))

📊 Metadata

CVE ID: CVE-2024-7830

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: August 15, 2024

Last Updated: August 19, 2024

🔗 References

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_move_photo.md Exploit
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 Vendor Advisory
https://vuldb.com/?ctiid.274728 Permissions Required,VDB Entry
https://vuldb.com/?id.274728 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?submit.390118 Third Party Advisory,VDB Entry

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dnr 202l Firmware by Dlink

Dnr 322l Firmware by Dlink

Dnr 326 Firmware by Dlink

Dns 1100 4 Firmware by Dlink

Dns 120 Firmware by Dlink

Dns 1200 05 Firmware by Dlink

Dns 1550 04 Firmware by Dlink

Dns 315l Firmware by Dlink

Dns 320 Firmware by Dlink

Dns 320l Firmware by Dlink

Dns 320lw Firmware by Dlink

Dns 321 Firmware by Dlink

Dns 323 Firmware by Dlink

Dns 325 Firmware by Dlink

Dns 326 Firmware by Dlink

Dns 327l Firmware by Dlink

Dns 340l Firmware by Dlink

Dns 343 Firmware by Dlink

Dns 345 Firmware by Dlink

Dns 726 4 Firmware by Dlink