Two critical vulnerabilities impacting NAS devices from D-Link, identified as CVE-2024-3272 & CVE-2024-3273, have been detected after numerous exploitation attempts. They have been assigned CVSS 3.1 scores of 9.8 and 7.3 respectively. The Stormshield Customer Security Lab details our protection offerings.

It should be noted that multiple proofs of concept are easily available online and that these vulnerabilities are currently exploited in the wild. Furthermore, D-Link will not fix these vulnerabilities, since the impacted devices have reached their end of support. The impacted devices are:

  • DNS-320L (end of support 31st May 2020),
  • DNS-325 (end of support 1st September 2017),
  • DNS-327L (end of support 31st May 2020),
  • DNS-340L (end of support 31st July 2019).

 

Technical details of D-Link vulnerabilities

CVE-2024-3272 relies on the use of an internal account available by default on all the impacted devices. This account does not require any password. CVE-2024-3273 allows an attacker to send remote commands by contacting a specific URL available on the NAS. This requires prior authentication.

The inherent risk of the attack comes from using these two vulnerabilities together, which makes it possible to send commands remotely while bypassing any authentication on the NAS. More than 90,000 NAS devices are vulnerable to this attack.

The vulnerability CVE-2024-3272 relies on a user account present by default on all the impacted D-Link models. The ‘messagebus’ account has no associated password, which allows a remote actor to bypass authentication on the NAS. The vulnerability CVE-2024-3273 allows a remote command to be sent to the endpoint ‘/cgi-bin/nas_sharing.cgi’. By combining these two CVEs, it is possible to send commands remotely without any authentication, making this attack very dangerous.
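
A defender-side log check for the request pattern described above, as an added example that is not part of the Stormshield advisory or its signature: it flags requests to the endpoint and marks those carrying the ‘messagebus’ account name in any query value, after undoing repeated URL encoding. The combined access-log format (for instance from a reverse proxy in front of the NAS), the sample lines and the placeholder parameter names are assumptions.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/cgi-bin/nas_sharing.cgi"  # endpoint named in the advisory
ACCOUNT = "messagebus"                 # passwordless default account (CVE-2024-3272)
# Combined log format: client IP first, request line in double quotes.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines; parameter names are placeholders, IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2024:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Apr/2024:08:00:02 +0000] "GET /cgi-bin/nas_sharing.cgi?account=messagebus&p= HTTP/1.1" 200 90',
    '203.0.113.5 - - [10/Apr/2024:08:00:03 +0000] "GET //cgi-bin/./nas_sharing.cgi?a=%256dessagebus HTTP/1.1" 200 90',
    '192.0.2.44 - - [10/Apr/2024:08:00:04 +0000] "GET /cgi-bin/nas_sharing.cgi?account=admin HTTP/1.1" 401 0',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded requests still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return None, 'endpoint-access' or 'messagebus-login' for a request target."""
    raw_path, _, query = target.partition("?")
    # Collapse duplicate slashes and dot segments before comparing the path.
    path = normpath(re.sub(r"/+", "/", fully_decode(raw_path)))
    if path != ENDPOINT:
        return None
    # The check is parameter-name agnostic: only the decoded values are inspected.
    values = {fully_decode(v).strip() for _, v in parse_qsl(query, keep_blank_values=True)}
    return "messagebus-login" if ACCOUNT in values else "endpoint-access"

def scan(lines):
    """Map each client IP to the set of findings seen in its requests."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        verdict = classify(m.group("target")) if m else None
        if verdict:
            findings[m.group("ip")].add(verdict)
    return dict(findings)

if __name__ == "__main__":
    for ip, verdicts in scan(SAMPLE_LOG).items():
        print(ip, sorted(verdicts))
```

Only what appears in the logged request line is inspected, so data sent in a request body is not covered by this check.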

 

Attack modelling with MITRE ATT&CK

MITRE ATT&CK

  • T1190 (Exploit Public-Facing Application)
  • T1203 (Exploitation for Client Execution)

IoC

A list of IPs scanning or exploiting these vulnerabilities is available here: viz.greynoise.io/tags/d-link-nas-cve-2024-3273-rce-attempt.

 

D-Link vulnerabilities: Stormshield protections

Protection with Stormshield Network Security

Stormshield Network Security firewalls detect and block attempts to exploit CVE-2024-3272 & CVE-2024-3273 through protocol inspection:

  • http:url:decoded.426 : Exploitation of a command injection vulnerability in D-Link NAS devices (CVE-2024-3273)

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the D-Link vulnerabilities

The recommendation from D-Link is to immediately stop using the vulnerable NAS since they are not supported anymore. The alert bulletin is available here: supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383.

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.