CVE-2024-8131

Q: What is the severity of CVE-2024-8131?

CVE-2024-8131 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by exploiting a command injection flaw in the web interface's module management function. Attackers can compromise the device, potentially gaining full control. This affects multiple D-Link NAS models that are no longer supported by the vendor.

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by exploiting a command injection flaw in the web interface's module management function. Attackers can compromise the device, potentially gaining full control. This affects multiple D-Link NAS models that are no longer supported by the vendor.

💻 Affected Systems

Products:

D-Link DNS-120
DNR-202L
DNS-315L
DNS-320
DNS-320L
DNS-320LW
DNS-321
DNR-322L
DNS-323
DNS-325
DNS-326
DNS-327L
DNR-326
DNS-340L
DNS-343
DNS-345
DNS-726-4
DNS-1100-4
DNS-1200-05
DNS-1550-04

Versions: All versions up to August 14, 2024

Operating Systems: Embedded Linux-based NAS firmware

Default Config Vulnerable: ⚠️ Yes

Notes: These products are end-of-life and no longer supported by D-Link. The vulnerability exists in the default web interface configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to execute arbitrary commands with root privileges, install malware, pivot to internal networks, and exfiltrate or destroy data.

🟠

Likely Case

Remote code execution leading to device takeover, ransomware deployment, or creation of a persistent backdoor for further attacks.

🟢

If Mitigated

Limited impact if devices are isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP POST requests, making internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices remain vulnerable to attackers who gain network access, but risk is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Restart Required: No

Instructions:

No official patch is available. D-Link has confirmed these products are end-of-life and recommends immediate retirement and replacement.

🔧 Temporary Workarounds

Disable Web Interface

linux

Disable the vulnerable CGI endpoint by removing or restricting access to /cgi-bin/apkg_mgr.cgi

rm /www/cgi-bin/apkg_mgr.cgi
chmod 000 /www/cgi-bin/apkg_mgr.cgi

Network Isolation

linux

Block all external access to the NAS web interface using firewall rules

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

Immediately remove affected devices from internet-facing positions and isolate them in a restricted network segment
Implement strict network access controls allowing only necessary traffic from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check if the device model is in the affected list and if the /cgi-bin/apkg_mgr.cgi endpoint is accessible via HTTP POST requests

Check Version:

Check device web interface or use command: cat /etc/version

Verify Fix Applied:

Verify the apkg_mgr.cgi file is removed or inaccessible, and test that POST requests to the endpoint no longer execute commands

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /cgi-bin/apkg_mgr.cgi
Suspicious command execution in system logs
Multiple failed authentication attempts followed by successful POST requests

Network Indicators:

HTTP POST requests to /cgi-bin/apkg_mgr.cgi with shell metacharacters in parameters
Outbound connections from NAS to suspicious external IPs

SIEM Query:

source="nas_logs" AND (uri="/cgi-bin/apkg_mgr.cgi" AND method="POST" AND (param="f_module_name" AND value MATCHES "[;&|`$()]"))

📊 Metadata

CVE ID: CVE-2024-8131

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

Published: August 24, 2024

Last Updated: August 27, 2024

🔗 References

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md Exploit,Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 Vendor Advisory
https://vuldb.com/?ctiid.275702 Permissions Required,VDB Entry
https://vuldb.com/?id.275702 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.396292 Third Party Advisory,VDB Entry
https://www.dlink.com/ Product

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dnr 202l Firmware by Dlink

Dnr 322l Firmware by Dlink

Dnr 326 Firmware by Dlink

Dns 1100 4 Firmware by Dlink

Dns 120 Firmware by Dlink

Dns 1200 05 Firmware by Dlink

Dns 1550 04 Firmware by Dlink

Dns 315l Firmware by Dlink

Dns 320 Firmware by Dlink

Dns 320l Firmware by Dlink

Dns 320lw Firmware by Dlink

Dns 321 Firmware by Dlink

Dns 323 Firmware by Dlink

Dns 325 Firmware by Dlink

Dns 326 Firmware by Dlink

Dns 327l Firmware by Dlink

Dns 340l Firmware by Dlink

Dns 343 Firmware by Dlink

Dns 345 Firmware by Dlink

Dns 726 4 Firmware by Dlink