Critical Command Injection Flaw Threatens Over 61,000 D-Link NAS Devices

Summary: A critical command injection vulnerability, CVE-2024-10914, has been discovered in D-Link NAS devices, affecting over 61,000 systems globally. This flaw allows remote attackers to execute arbitrary commands without authentication, posing significant risks to sensitive data stored on these devices.

Threat Actor: Unknown | unknown
Victim: D-Link NAS Users | D-Link NAS Users

Key Point :

  • A command injection vulnerability in the `account_mgr.cgi` script allows attackers to execute arbitrary commands via crafted HTTP GET requests.
  • The vulnerability affects several D-Link NAS models, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, with a CVSSv4 score of 9.2.
  • To mitigate the risk, users are advised to apply firmware updates, restrict network access, and monitor for security patches from D-Link.

A critical vulnerability, CVE-2024-10914, has been identified in D-Link NAS devices, posing a severe risk to over 61,000 systems worldwide. The flaw, a command injection vulnerability in the `account_mgr.cgi` script, allows remote attackers to execute arbitrary commands via specially crafted HTTP GET requests. This issue impacts several D-Link NAS models, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, with a CVSSv4 score of 9.2, indicating a high severity level.

The vulnerability specifically affects the `name` parameter within the `cgi_user_add` command of the `account_mgr.cgi` script. Due to inadequate input sanitization, malicious commands injected into the `name` parameter can lead to unauthorized command execution. As NETSECFISH highlighted, “this flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests,” making it accessible to attackers without needing authentication.

Affected Devices

  • DNS-320 – Version 1.00
  • DNS-320LW – Version 1.01.0914.2012
  • DNS-325 – Versions 1.01 and 1.02
  • DNS-340L – Version 1.08

These models are commonly used for personal and small business data storage, meaning that sensitive information could be at risk if exploited.

An attacker can exploit CVE-2024-10914 by sending a specially crafted HTTP GET request to the NAS device’s IP address. The following example demonstrates an exploit using the `curl` command:

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27" 

This command injects a shell command into the `name` parameter, triggering unintended execution on the target device. The Command Injection flaw, classified as CWE-77, exposes users to potential unauthorized access, data tampering, or even the deployment of malware on affected devices.

To mitigate this vulnerability, NETSECFISH suggests several immediate steps:

  • Apply Patches and Updates: Users should download and install any firmware updates provided by D-Link.
  • Restrict Network Access: As an interim measure, network access to the NAS management interface should be restricted to trusted IP addresses only.
  • Monitor for Firmware Updates: Affected device users should stay vigilant for any forthcoming security patches from D-Link.

Related Posts:

Source: https://securityonline.info/cve-2024-10914-cvss-9-2-command-injection-flaw-threatens-61000-d-link-nas-devices