CVE-2024-3273

Опубликовано: 04 апр. 2024

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

CVSS2: 7.5

EPSS Критический

Описание

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Ссылки

https://github.com/netsecfish/dlink
Exploit
Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
Vendor Advisory
https://vuldb.com/?ctiid.259284
Permissions Required
VDB Entry
https://vuldb.com/?id.259284
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.304661
Third Party Advisory
VDB Entry
https://github.com/netsecfish/dlink
Exploit
Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383
Vendor Advisory
https://vuldb.com/?ctiid.259284
Permissions Required
VDB Entry
https://vuldb.com/?id.259284
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.304661
Third Party Advisory
VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3273
US Government Resource
https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:o:dlink:dns-320l_firmware:1.01.0702.2013:*:*:*:*:*:*:*

cpe:2.3:o:dlink:dns-320l_firmware:1.03.0904.2013:*:*:*:*:*:*:*

cpe:2.3:o:dlink:dns-320l_firmware:1.11:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*

Конфигурация 2

Одновременно

cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Конфигурация 7

Одновременно

cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*

Конфигурация 8

Одновременно

cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*

Конфигурация 9

Одновременно

cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*

Конфигурация 10

Одновременно

cpe:2.3:o:dlink:dns-325_firmware:1.01:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Конфигурация 11

Одновременно

cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*

Конфигурация 12

Одновременно

Одно из

cpe:2.3:o:dlink:dns-327l_firmware:1.00.0409.2013:*:*:*:*:*:*:*

cpe:2.3:o:dlink:dns-327l_firmware:1.09:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*

Конфигурация 13

Одновременно

cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*

Конфигурация 14

Одновременно

cpe:2.3:o:dlink:dns-340l_firmware:1.08:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

Конфигурация 15

Одновременно

cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*

Конфигурация 16

Одновременно

cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*

Конфигурация 17

Одновременно

cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*

Конфигурация 18

Одновременно

cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*

Конфигурация 19

Одновременно

cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*

Конфигурация 20

Одновременно

cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.94425

Критический

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-77

Связанные уязвимости

GHSA-52h8-5hwm-jv8x

CVSS3: 7.3

github

почти 2 года назад

A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

BDU:2024-02740

CVSS3: 9.8

fstec

почти 2 года назад

Уязвимость CGI-скрипта nas_sharing.cgi микропрограммного обеспечения устройств NAS D-Link DNS-320L, DNS-325, DNS-327L и DNS-340L, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 100%

0.94425

Критический

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-77