CVE-2024-8211

Q: What is the severity of CVE-2024-8211?

CVE-2024-8211 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by injecting malicious input into the f_newly_dev parameter of the hd_config.cgi script. It affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this without authentication to gain full control of vulnerable devices.

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by injecting malicious input into the f_newly_dev parameter of the hd_config.cgi script. It affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this without authentication to gain full control of vulnerable devices.

💻 Affected Systems

Products:

D-Link DNS-120
DNR-202L
DNS-315L
DNS-320
DNS-320L
DNS-320LW
DNS-321
DNR-322L
DNS-323
DNS-325
DNS-326
DNS-327L
DNR-326
DNS-340L
DNS-343
DNS-345
DNS-726-4
DNS-1100-4
DNS-1200-05
DNS-1550-04

Versions: All versions up to August 14, 2024

Operating Systems: Embedded Linux on D-Link NAS devices

Default Config Vulnerable: ⚠️ Yes

Notes: All affected products are end-of-life with no vendor support. Default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to data theft, ransomware deployment, lateral movement to internal networks, and persistent backdoor installation.

🟠

Likely Case

Remote code execution allowing attackers to steal data, install malware, or use device as part of botnet for DDoS attacks.

🟢

If Mitigated

Limited impact if devices are isolated from internet and internal networks with strict network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code available on GitHub. Simple HTTP request with command injection payload required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Restart Required: No

Instructions:

No official patch available. Vendor recommends retiring and replacing all affected devices.

🔧 Temporary Workarounds

Network Isolation

linux

Block all external access to affected devices and restrict internal access to specific IPs only.

iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

CGI Script Disable

linux

Remove or rename the vulnerable CGI script to prevent exploitation.

mv /cgi-bin/hd_config.cgi /cgi-bin/hd_config.cgi.disabled

🧯 If You Can't Patch

Immediately disconnect affected devices from internet and place behind strict firewall rules
Replace all affected devices with supported alternatives as soon as possible

🔍 How to Verify

Check if Vulnerable:

Check if device model is in affected list and has web interface accessible. Test with harmless command injection payload: curl 'http://device-ip/cgi-bin/hd_config.cgi?f_newly_dev=test;echo vulnerable'

Check Version:

Check web interface admin page or device label for model number

Verify Fix Applied:

Verify device is no longer accessible from untrusted networks and vulnerable script is disabled or removed.

📡 Detection & Monitoring

Log Indicators:

HTTP requests to /cgi-bin/hd_config.cgi with shell metacharacters in parameters
Unusual process execution from web server user
Failed authentication attempts followed by CGI access

Network Indicators:

HTTP POST/GET requests to hd_config.cgi with semicolons, pipes, or backticks in parameters
Outbound connections from NAS device to suspicious IPs

SIEM Query:

source="web_logs" AND uri="/cgi-bin/hd_config.cgi" AND (param="f_newly_dev" AND value MATCHES "[;|`&]"

📊 Metadata

CVE ID: CVE-2024-8211

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

Published: August 27, 2024

Last Updated: August 29, 2024

🔗 References

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md Exploit,Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 Vendor Advisory
https://vuldb.com/?ctiid.275920 Permissions Required
https://vuldb.com/?id.275920 Third Party Advisory
https://vuldb.com/?submit.397275 Issue Tracking
https://www.dlink.com/ Product

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dnr 202l Firmware by Dlink

Dnr 322l Firmware by Dlink

Dnr 326 Firmware by Dlink

Dns 1100 4 Firmware by Dlink

Dns 120 Firmware by Dlink

Dns 1200 05 Firmware by Dlink

Dns 1550 04 Firmware by Dlink

Dns 315l Firmware by Dlink

Dns 320 Firmware by Dlink

Dns 320l Firmware by Dlink

Dns 320lw Firmware by Dlink

Dns 321 Firmware by Dlink

Dns 323 Firmware by Dlink

Dns 325 Firmware by Dlink

Dns 326 Firmware by Dlink

Dns 327l Firmware by Dlink

Dns 340l Firmware by Dlink

Dns 343 Firmware by Dlink

Dns 345 Firmware by Dlink

Dns 726 4 Firmware by Dlink