A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
References
Link | Resource |
---|---|
https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md | Exploit Third Party Advisory |
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | Vendor Advisory |
https://vuldb.com/?ctiid.275919 | Permissions Required |
https://vuldb.com/?id.275919 | Third Party Advisory |
https://vuldb.com/?submit.397274 | Third Party Advisory |
https://www.dlink.com/ | Product |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
Configuration 9 (hide)
AND |
|
Configuration 10 (hide)
AND |
|
Configuration 11 (hide)
AND |
|
Configuration 12 (hide)
AND |
|
Configuration 13 (hide)
AND |
|
Configuration 14 (hide)
AND |
|
Configuration 15 (hide)
AND |
|
Configuration 16 (hide)
AND |
|
Configuration 17 (hide)
AND |
|
Configuration 18 (hide)
AND |
|
Configuration 19 (hide)
AND |
|
Configuration 20 (hide)
AND |
|
History
29 Aug 2024, 16:04
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-78 | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 9.8 |
CPE | cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:* cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:* |
|
First Time |
Dlink dns-1100-4
Dlink dns-326 Dlink dns-320l Dlink dns-320 Firmware Dlink dns-325 Dlink dnr-322l Dlink dns-343 Firmware Dlink dns-320lw Dlink dns-325 Firmware Dlink dns-320lw Firmware Dlink dns-315l Dlink dns-320 Dlink dns-1550-04 Firmware Dlink dns-726-4 Firmware Dlink dns-315l Firmware Dlink dns-1550-04 Dlink dns-323 Firmware Dlink dns-320l Firmware Dlink dnr-202l Dlink dnr-326 Firmware Dlink dns-321 Dlink dns-726-4 Dlink dnr-322l Firmware Dlink dns-323 Dlink dns-1100-4 Firmware Dlink dnr-326 Dlink dns-1200-05 Firmware Dlink Dlink dns-340l Firmware Dlink dns-120 Firmware Dlink dns-327l Dlink dns-1200-05 Dlink dns-345 Firmware Dlink dns-340l Dlink dns-326 Firmware Dlink dns-120 Dlink dns-345 Dlink dns-343 Dlink dns-327l Firmware Dlink dnr-202l Firmware Dlink dns-321 Firmware |
|
References | () https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R12R5_3rd_DiskMGR.md - Exploit, Third Party Advisory | |
References | () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory | |
References | () https://vuldb.com/?ctiid.275919 - Permissions Required | |
References | () https://vuldb.com/?id.275919 - Third Party Advisory | |
References | () https://vuldb.com/?submit.397274 - Third Party Advisory | |
References | () https://www.dlink.com/ - Product |
28 Aug 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
27 Aug 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-27 19:15
Updated : 2024-08-29 16:04
NVD link : CVE-2024-8210
Mitre link : CVE-2024-8210
CVE.ORG link : CVE-2024-8210
JSON object : View
Products Affected
dlink
- dns-345_firmware
- dns-321
- dns-120_firmware
- dns-1200-05
- dns-343
- dns-325
- dnr-202l
- dns-1550-04_firmware
- dns-315l
- dns-326_firmware
- dns-320l_firmware
- dns-327l_firmware
- dns-1100-4_firmware
- dns-320lw
- dns-1200-05_firmware
- dns-321_firmware
- dns-320lw_firmware
- dns-345
- dns-325_firmware
- dns-1550-04
- dnr-202l_firmware
- dnr-326_firmware
- dns-320
- dns-323_firmware
- dns-320_firmware
- dnr-326
- dns-327l
- dns-315l_firmware
- dns-726-4_firmware
- dns-340l_firmware
- dns-340l
- dns-120
- dnr-322l
- dns-1100-4
- dns-343_firmware
- dns-326
- dnr-322l_firmware
- dns-323
- dns-726-4
- dns-320l