CVE-2024-8213

Q: What is the severity of CVE-2024-8213?

CVE-2024-8213 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by injecting malicious input into the f_source_dev parameter of the hd_config.cgi script. It affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this without authentication to gain full control of vulnerable devices.

6.3 MEDIUM

Remote Code Execution

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary commands on affected D-Link NAS devices by injecting malicious input into the f_source_dev parameter of the hd_config.cgi script. It affects multiple D-Link NAS models that are no longer supported by the vendor. Attackers can exploit this without authentication to gain full control of vulnerable devices.

💻 Affected Systems

Products:

D-Link DNS-120
DNR-202L
DNS-315L
DNS-320
DNS-320L
DNS-320LW
DNS-321
DNR-322L
DNS-323
DNS-325
DNS-326
DNS-327L
DNR-326
DNS-340L
DNS-343
DNS-345
DNS-726-4
DNS-1100-4
DNS-1200-05
DNS-1550-04

Versions: All versions up to August 14, 2024

Operating Systems: Embedded Linux on D-Link NAS devices

Default Config Vulnerable: ⚠️ Yes

Notes: All affected products are end-of-life with no vendor support. Default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to internal networks, or use devices for botnet activities.

🟠

Likely Case

Remote code execution leading to data theft, device takeover for crypto-mining or DDoS attacks, and lateral movement within networks.

🟢

If Mitigated

Limited impact if devices are isolated behind firewalls with strict network segmentation and no internet exposure.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices remain vulnerable to internal attackers or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383

Restart Required: No

Instructions:

No official patch available. Vendor recommends retiring and replacing affected devices.

🔧 Temporary Workarounds

Block CGI Access

linux

Block access to the vulnerable CGI script at the network level

iptables -A INPUT -p tcp --dport 80 -m string --string "/cgi-bin/hd_config.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/cgi-bin/hd_config.cgi" --algo bm -j DROP

Disable Web Interface

all

Disable the web management interface if not required

# Configuration varies by device - typically in web interface under Administration > Management

🧯 If You Can't Patch

Immediately isolate affected devices from the internet using firewall rules
Replace affected devices with supported alternatives as soon as possible

🔍 How to Verify

Check if Vulnerable:

Check if device model is in affected list and has web interface accessible. Test with curl: curl -X POST 'http://[device-ip]/cgi-bin/hd_config.cgi' --data 'f_source_dev=;id'

Check Version:

# No version check available - all devices up to 20240814 are vulnerable

Verify Fix Applied:

Verify device is no longer accessible from untrusted networks and replacement device is deployed

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /cgi-bin/hd_config.cgi
Commands containing shell metacharacters in f_source_dev parameter
Unexpected process execution or system changes

Network Indicators:

Outbound connections from NAS devices to suspicious IPs
Unusual traffic patterns from NAS management ports

SIEM Query:

source="nas_logs" AND (uri="/cgi-bin/hd_config.cgi" OR (method="POST" AND uri CONTAINS "hd_config"))

📊 Metadata

CVE ID: CVE-2024-8213

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

Published: August 27, 2024

Last Updated: August 29, 2024

🔗 References

https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_1st_DiskMGR.md Exploit,Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 Vendor Advisory
https://vuldb.com/?ctiid.275922 Permissions Required
https://vuldb.com/?id.275922 Third Party Advisory
https://vuldb.com/?submit.397277 Third Party Advisory
https://www.dlink.com/ Product

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Dnr 202l Firmware by Dlink

Dnr 322l Firmware by Dlink

Dnr 326 Firmware by Dlink

Dns 1100 4 Firmware by Dlink

Dns 120 Firmware by Dlink

Dns 1200 05 Firmware by Dlink

Dns 1550 04 Firmware by Dlink

Dns 315l Firmware by Dlink

Dns 320 Firmware by Dlink

Dns 320l Firmware by Dlink

Dns 320lw Firmware by Dlink

Dns 321 Firmware by Dlink

Dns 323 Firmware by Dlink

Dns 325 Firmware by Dlink

Dns 326 Firmware by Dlink

Dns 327l Firmware by Dlink

Dns 340l Firmware by Dlink

Dns 343 Firmware by Dlink

Dns 345 Firmware by Dlink

Dns 726 4 Firmware by Dlink