Skip to content

Commit

Permalink
DIVD-2024-00049
Browse files Browse the repository at this point in the history
  • Loading branch information
JstRelax authored Dec 2, 2024
1 parent ab243ba commit 464d1d6
Showing 1 changed file with 73 additions and 0 deletions.
73 changes: 73 additions & 0 deletions _cases/2024/DIVD-2024-00049.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---
layout: case
title: "Vulnerabilities in D-Link Routers: Backdoor and Command Injection Exploits"
author: Stan Plasmeijer
lead: Koen Schagen
excerpt: "D-Link routers are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability."
researchers:
- Koen Schagen
cves:
- CVE-2024-3273
- CVE-2024-10914
product:
- D-Link Routers
versions:
- DNS-120
- DNR-202L
- DNS-315L
- DNS-320
- DNS-320L
- DNS-320LW
- DNS-321
- DNR-322L
- DNS-323
- DNS-325
- DNS-326
- DNS-327L
- DNR-326
- DNS-340L
- DNS-343
- DNS-345
- DNS-726-4
- DNS-1100-4
- DNS-1200-05
- DNS-1550-04
recommendation: "Install the update as soon as possible"
workaround: "None"
patch_status: "None"
status : Open
start: 2024-12-02
#end:
timeline:
- start: 2024-12-02
end:
event: "DIVD starts researching the vulnerability."
- start: 2024-12-02
end:
event: "DIVD finds fingerprint, preparing to scan."
- start: 2024-12-02
end:
event: "DIVD starts scanning the internet for vulnerable instances."
#ips:
---

## Summary

Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username "messagebus," does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the nas_sharing.cgi URI, where a system parameter containing a base64-encoded command can be exploited through a specially crafted HTTP GET request. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more.

## Recommendations

These vulnerabilities impact legacy D-Link products that have reached their end-of-life ("EOL") or end-of-service-life ("EOS") status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet.

## What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of D-Link and to notify these parties.

{% include timeline.html %}

## More information

* {% cve CVE-2024-3273 %}
* {% cve CVE-2024-10914 %}
* [D-Link Advisory CVE-2024-3273](https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383)
* [D-Link advisory CVE-2024-10914](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413)

0 comments on commit 464d1d6

Please sign in to comment.