CVE-2024-8129
📋 TL;DR
This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by injecting malicious commands through the f_job_name parameter in HTTP POST requests. It affects multiple D-Link NAS models that are no longer supported by the vendor. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- D-Link DNS-120
- DNR-202L
- DNS-315L
- DNS-320
- DNS-320L
- DNS-320LW
- DNS-321
- DNR-322L
- DNS-323
- DNS-325
- DNS-326
- DNS-327L
- DNR-326
- DNS-340L
- DNS-343
- DNS-345
- DNS-726-4
- DNS-1100-4
- DNS-1200-05
- DNS-1550-04
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing an attacker to execute arbitrary commands with root privileges, install malware, exfiltrate data, or use the device as a pivot point in network attacks.
Likely Case
Remote code execution leading to data theft, ransomware deployment, or the device becoming part of a botnet.
If Mitigated
Limited impact if devices are isolated from the internet and critical networks, with strict network segmentation and monitoring.
🎯 Exploit Status
Public exploit code available on GitHub. Attack requires only network access to device web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
Restart Required: No
Instructions:
No official patch available. Vendor recommends retiring and replacing all affected devices as they are end-of-life.
🔧 Temporary Workarounds
Network Isolation
Immediately isolate affected devices from the internet and critical networks. Run on the device, or adapt the same rules on the upstream firewall:
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
These rules block all access to the web interface, including from the LAN; if local administration must remain possible, place an accept rule for the management subnet ahead of them, and remember that rules added this way do not persist across a reboot unless saved.
Disable Web Interface
Disable the vulnerable CGI component if device functionality allows. The path below is relative to the web server's document root, so locate the file on the device's filesystem first:
chmod 000 /cgi-bin/s3.cgi
rm /cgi-bin/s3.cgi
Removing the file also disables whatever NAS feature s3.cgi provides, and firmware may restore the web root on reboot, so confirm the change persists.
🧯 If You Can't Patch
- Immediately disconnect affected devices from the internet and place them behind strict firewall rules
- Implement network segmentation to isolate the devices from critical systems, and monitor for suspicious traffic
🔍 How to Verify
Check if Vulnerable:
Check whether the device model is in the affected list and the web interface is reachable on port 80/443
Check Version:
Check the device web interface or serial number against the affected models list
Verify Fix Applied:
Test whether the /cgi-bin/s3.cgi endpoint is no longer accessible or returns an error
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/s3.cgi with shell metacharacters in parameters
- Suspicious command execution in system logs
Network Indicators:
- HTTP POST requests to /cgi-bin/s3.cgi containing pipe characters, semicolons, or backticks in f_job_name parameter
- Outbound connections from NAS devices to unknown IPs
SIEM Query:
source="web_logs" AND uri="/cgi-bin/s3.cgi" AND method="POST" AND param="f_job_name" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "`")
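The same indicators as detection logic run over constructed request records, an added example that is not part of the original page or vendor advisory. It percent-decodes the form body before matching, because an encoded metacharacter (for example %3B for ";") slips past a literal string match like the SIEM query above; the sample records are constructed, not captured traffic.

```python
from urllib.parse import parse_qs, unquote_plus

# Shell metacharacters named in the indicators above.
SHELL_METACHARS = ("|", ";", "`")
TARGET_URI = "/cgi-bin/s3.cgi"
TARGET_PARAM = "f_job_name"


def is_suspicious_request(method: str, uri: str, body: str) -> bool:
    """Return True when a request matches the CVE-2024-8129 indicators.

    The form body is parsed and percent-decoded before inspection so that
    encoded metacharacters are caught as well as literal ones.
    """
    if method.upper() != "POST":
        return False
    # Compare the decoded path only; a query string on the URI is ignored here.
    path = unquote_plus(uri.split("?", 1)[0])
    if path != TARGET_URI:
        return False
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        if any(ch in value for ch in SHELL_METACHARS):
            return True
    return False


# Constructed sample records: (method, uri, form body).
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/s3.cgi", "f_job_name=backup1&f_action=run"),  # benign
    ("POST", "/cgi-bin/s3.cgi", "f_job_name=a%3Bb&f_action=run"),    # encoded ';'
    ("POST", "/cgi-bin/s3.cgi", "f_other=a%7Cb&f_job_name=ok"),      # '|' elsewhere
    ("GET", "/cgi-bin/s3.cgi?f_job_name=a%7Cb", ""),                 # not a POST
    ("POST", "/cgi-bin/other.cgi", "f_job_name=x%60y"),              # other endpoint
]


def flag_suspicious(records):
    """Return the indexes of records that match the indicators."""
    return [i for i, (m, u, b) in enumerate(records) if is_suspicious_request(m, u, b)]


if __name__ == "__main__":
    for i in flag_suspicious(SAMPLE_REQUESTS):
        print("suspicious:", SAMPLE_REQUESTS[i])
```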