From 464d1d65c808b6366e1f9ee9a6ea30605b91eaea Mon Sep 17 00:00:00 2001 From: Stan Plasmeijer <111912052+JstRelax@users.noreply.github.com> Date: Mon, 2 Dec 2024 16:24:33 +0100 Subject: [PATCH] DIVD-2024-00049 --- _cases/2024/DIVD-2024-00049.md | 73 ++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 _cases/2024/DIVD-2024-00049.md diff --git a/_cases/2024/DIVD-2024-00049.md b/_cases/2024/DIVD-2024-00049.md new file mode 100644 index 00000000..94607382 --- /dev/null +++ b/_cases/2024/DIVD-2024-00049.md @@ -0,0 +1,73 @@ +--- +layout: case +title: "Vulnerabilities in D-Link Routers: Backdoor and Command Injection Exploits" +author: Stan Plasmeijer +lead: Koen Schagen +excerpt: "D-Link routers are affected by a backdoor vulnerability facilitated by hardcoded credentials and a command injection vulnerability." +researchers: +- Koen Schagen +cves: +- CVE-2024-3273 +- CVE-2024-10914 +product: +- D-Link Routers +versions: +- DNS-120 +- DNR-202L +- DNS-315L +- DNS-320 +- DNS-320L +- DNS-320LW +- DNS-321 +- DNR-322L +- DNS-323 +- DNS-325 +- DNS-326 +- DNS-327L +- DNR-326 +- DNS-340L +- DNS-343 +- DNS-345 +- DNS-726-4 +- DNS-1100-4 +- DNS-1200-05 +- DNS-1550-04 +recommendation: "Install the update as soon as possible" +workaround: "None" +patch_status: "None" +status : Open +start: 2024-12-02 +#end: +timeline: +- start: 2024-12-02 + end: + event: "DIVD starts researching the vulnerability." +- start: 2024-12-02 + end: + event: "DIVD finds fingerprint, preparing to scan." +- start: 2024-12-02 + end: + event: "DIVD starts scanning the internet for vulnerable instances." +#ips: +--- + +## Summary + +Certain legacy D-Link NAS models are affected by two critical vulnerabilities: a backdoor facilitated by hardcoded credentials and a command injection vulnerability. The backdoor account, with the username "messagebus," does not require a password, allowing attackers to easily gain unauthorized access. Additionally, the command injection vulnerability lies in the nas_sharing.cgi URI, where a system parameter containing a base64-encoded command can be exploited through a specially crafted HTTP GET request. Attackers who successfully exploit these vulnerabilities could execute arbitrary commands on the vulnerable devices, potentially gaining access to sensitive information, modifying system configurations, and more. + +## Recommendations + +These vulnerabilities impact legacy D-Link products that have reached their end-of-life ("EOL") or end-of-service-life ("EOS") status, meaning they no longer receive software updates or security patches from D-Link. As there is no patch available, it is recommended to either phase out these devices or place them behind a VPN or an IP allowlist to prevent unauthorized access. Additionally, users should ensure that these devices have the latest available firmware, update passwords frequently, and enable Wi-Fi encryption with unique passwords. It is also advised not to expose management interfaces to the internet. + +## What we are doing + +DIVD is currently working to identify parties that are running a vulnerable version of D-Link and to notify these parties. + +{% include timeline.html %} + +## More information + +* {% cve CVE-2024-3273 %} +* {% cve CVE-2024-10914 %} +* [D-Link Advisory CVE-2024-3273](https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383) +* [D-Link advisory CVE-2024-10914](https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413)