CVE-2024-10914 (CVSS 9.2): Command Injection Flaw Threatens 61,000+ D-Link NAS Devices

A critical vulnerability, CVE-2024-10914, has been identified in D-Link NAS devices, posing a severe risk to over 61,000 systems worldwide. The flaw, a command injection vulnerability in the `account_mgr.cgi` script, allows remote attackers to execute arbitrary commands via specially crafted HTTP GET requests. This issue impacts several D-Link NAS models, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, with a CVSSv4 score of 9.2, indicating a high severity level.

The vulnerability specifically affects the `name` parameter within the `cgi_user_add` command of the `account_mgr.cgi` script. Due to inadequate input sanitization, malicious commands injected into the `name` parameter can lead to unauthorized command execution. As NETSECFISH highlighted, “this flaw allows an unauthenticated attacker to inject arbitrary shell commands through crafted HTTP GET requests,” making it accessible to attackers without needing authentication.

Affected Devices

• DNS-320 – Version 1.00
• DNS-320LW – Version 1.01.0914.2012
• DNS-325 – Versions 1.01 and 1.02
• DNS-340L – Version 1.08

These models are commonly used for personal and small business data storage, meaning that sensitive information could be at risk if exploited.

An attacker can exploit CVE-2024-10914 by sending a specially crafted HTTP GET request to the NAS device’s IP address. The following example demonstrates an exploit using the `curl` command:

curl "http://[Target-IP]/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27" 

This command injects a shell command into the `name` parameter, triggering unintended execution on the target device. The Command Injection flaw, classified as CWE-77, exposes users to potential unauthorized access, data tampering, or even the deployment of malware on affected devices.

To mitigate this vulnerability, NETSECFISH suggests several immediate steps:

• Apply Patches and Updates: Users should download and install any firmware updates provided by D-Link.
• Restrict Network Access: As an interim measure, network access to the NAS management interface should be restricted to trusted IP addresses only.
• Monitor for Firmware Updates: Affected device users should stay vigilant for any forthcoming security patches from D-Link.

Related Posts:

• APT organization steals D-Link company digital certificate to sign its malware
• Hackers Actively Exploiting Critical D-Link NAS Vulnerability: 90,000+ Devices at Risk
• QNAP detects a large number of ransomware attacks
• CVE-2024-3273: D-Link NAS Vulnerability Threatens 92,000 Devices
• D-Link router and modem vulnerabilities are being exploited by Satori IoT botnet