CVE-2024-8133

Q: What is the severity of CVE-2024-8133?

CVE-2024-8133 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices via command injection in the HTTP POST handler. It affects multiple end-of-life D-Link NAS models. Attackers can exploit this without authentication to gain full system control.

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices via command injection in the HTTP POST handler. It affects multiple end-of-life D-Link NAS models. Attackers can exploit this without authentication to gain full system control.

💻 Affected Systems

Products:

D-Link DNS-120
DNR-202L
DNS-315L
DNS-320
DNS-320L
DNS-320LW
DNS-321
DNR-322L
DNS-323
DNS-325
DNS-326
DNS-327L
DNR-326
DNS-340L
DNS-343
DNS-345
DNS-726-4
DNS-1100-4
DNS-1200-05
DNS-1550-04

Versions: All versions up to August 14, 2024

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected products are end-of-life with no vendor support. Default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to internal networks, or use devices for botnets.

🟠

Likely Case

Remote code execution leading to data theft, ransomware deployment, or device takeover for malicious activities.

🟢

If Mitigated

Limited impact if devices are isolated behind firewalls with strict network controls and no internet exposure.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices remain vulnerable to network-based attacks but require attacker presence on the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists on GitHub. Attack requires sending crafted HTTP POST request to /cgi-bin/hd_config.cgi with malicious f_source_dev parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Restart Required: No

Instructions:

No official patch available. Vendor recommends retiring and replacing all affected devices as they are end-of-life.

🔧 Temporary Workarounds

Network Isolation

linux

Block all external access to affected devices at network perimeter

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Access Control

linux

Restrict web interface access to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Immediately disconnect affected devices from internet and place behind strict firewall rules
Replace all affected devices with supported alternatives as soon as possible

🔍 How to Verify

Check if Vulnerable:

Check device model and firmware version against affected list. Test by attempting exploitation (not recommended in production).

Check Version:

Check web interface admin page or use: cat /etc/version on device shell

Verify Fix Applied:

No fix available to verify. Verify devices are properly isolated or replaced.

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /cgi-bin/hd_config.cgi with unusual f_source_dev parameter values
Unusual command execution in system logs

Network Indicators:

HTTP traffic to device web interface with POST requests containing shell metacharacters in parameters

SIEM Query:

source="web_logs" AND uri="/cgi-bin/hd_config.cgi" AND method="POST" AND (param="f_source_dev" AND value MATCHES "[;|&`$()]+")

📊 Metadata

CVE ID: CVE-2024-8133

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

Published: August 24, 2024

Last Updated: August 27, 2024

🔗 References

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md Exploit,Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 Vendor Advisory
https://vuldb.com/?ctiid.275704 Permissions Required,VDB Entry
https://vuldb.com/?id.275704 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?submit.396295 Third Party Advisory,VDB Entry
https://www.dlink.com/ Product

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dnr 202l Firmware by Dlink

Dnr 322l Firmware by Dlink

Dnr 326 Firmware by Dlink

Dns 1100 4 Firmware by Dlink

Dns 120 Firmware by Dlink

Dns 1200 05 Firmware by Dlink

Dns 1550 04 Firmware by Dlink

Dns 315l Firmware by Dlink

Dns 320 Firmware by Dlink

Dns 320l Firmware by Dlink

Dns 320lw Firmware by Dlink

Dns 321 Firmware by Dlink

Dns 323 Firmware by Dlink

Dns 325 Firmware by Dlink

Dns 326 Firmware by Dlink

Dns 327l Firmware by Dlink

Dns 340l Firmware by Dlink

Dns 343 Firmware by Dlink

Dns 345 Firmware by Dlink

Dns 726 4 Firmware by Dlink