CVE-2024-3273

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/netsecfish/dlink	Exploit Third Party Advisory
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383	Vendor Advisory
https://vuldb.com/?ctiid.259284	Permissions Required
https://vuldb.com/?id.259284	Third Party Advisory
https://vuldb.com/?submit.304661	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*

History

15 Apr 2024, 20:13

Type	Values Removed	Values Added
CVSS	v2 : ~~7.5~~ v3 : ~~7.3~~	v2 : 7.5 v3 : 9.8
CPE		cpe:2.3:h:dlink:dns-320l:-:::::::* cpe:2.3:h:dlink:dns-1100-4:-:::::::* cpe:2.3:o:dlink:dnr-202l_firmware:-:::::::* cpe:2.3:h:dlink:dns-1200-05:-:::::::* cpe:2.3:o:dlink:dns-1550-04_firmware:-:::::::* cpe:2.3:o:dlink:dns-345_firmware:-:::::::* cpe:2.3:h:dlink:dnr-202l:-:::::::* cpe:2.3:o:dlink:dnr-322l_firmware:-:::::::* cpe:2.3:h:dlink:dns-320:-:::::::* cpe:2.3:h:dlink:dns-321:-:::::::* cpe:2.3:h:dlink:dns-320lw:-:::::::* cpe:2.3:o:dlink:dns-327l_firmware:-:::::::* cpe:2.3:o:dlink:dns-1200-05_firmware:-:::::::* cpe:2.3:h:dlink:dns-327l:-:::::::* cpe:2.3:o:dlink:dns-325_firmware:-:::::::* cpe:2.3:o:dlink:dns-320l_firmware:-:::::::* cpe:2.3:h:dlink:dns-1550-04:-:::::::* cpe:2.3:o:dlink:dns-343_firmware:-:::::::* cpe:2.3:o:dlink:dns-320_firmware:-:::::::* cpe:2.3:o:dlink:dns-120_firmware:-:::::::* cpe:2.3:o:dlink:dns-320lw_firmware:-:::::::* cpe:2.3:h:dlink:dns-726-4:-:::::::* cpe:2.3:o:dlink:dnr-326_firmware:-:::::::* cpe:2.3:h:dlink:dns-340l:-:::::::* cpe:2.3:o:dlink:dns-323_firmware:-:::::::* cpe:2.3:o:dlink:dns-326_firmware:-:::::::* cpe:2.3:h:dlink:dns-120:-:::::::* cpe:2.3:o:dlink:dns-315l_firmware:-:::::::* cpe:2.3:h:dlink:dns-326:-:::::::* cpe:2.3:o:dlink:dns-340l_firmware:-:::::::* cpe:2.3:h:dlink:dns-345:-:::::::* cpe:2.3:o:dlink:dns-1100-4_firmware:-:::::::* cpe:2.3:h:dlink:dns-343:-:::::::* cpe:2.3:h:dlink:dns-323:-:::::::* cpe:2.3:h:dlink:dns-315l:-:::::::* cpe:2.3:o:dlink:dns-321_firmware:-:::::::* cpe:2.3:h:dlink:dnr-326:-:::::::* cpe:2.3:o:dlink:dns-726-4_firmware:-:::::::* cpe:2.3:h:dlink:dns-325:-:::::::* cpe:2.3:h:dlink:dnr-322l:-:::::::*
First Time		Dlink dnr-202l Firmware Dlink dns-343 Dlink dnr-322l Firmware Dlink dns-1100-4 Firmware Dlink dns-340l Firmware Dlink dnr-326 Dlink dns-726-4 Firmware Dlink dns-1550-04 Firmware Dlink dnr-202l Dlink dns-120 Firmware Dlink dns-1550-04 Dlink dns-1100-4 Dlink dns-326 Dlink dns-1200-05 Dlink dns-320lw Firmware Dlink dns-327l Dlink dns-315l Firmware Dlink dns-120 Dlink dns-320l Firmware Dlink dns-343 Firmware Dlink dns-345 Dlink dns-327l Firmware Dlink dns-320lw Dlink dns-320 Firmware Dlink dns-323 Firmware Dlink dns-325 Dlink dns-321 Dlink dns-320l Dlink dns-726-4 Dlink dns-326 Firmware Dlink dns-345 Firmware Dlink dns-1200-05 Firmware Dlink dnr-322l Dlink Dlink dns-325 Firmware Dlink dns-340l Dlink dns-321 Firmware Dlink dns-320 Dlink dns-323 Dlink dnr-326 Firmware Dlink dns-315l
References	~~() https://github.com/netsecfish/dlink -~~	() https://github.com/netsecfish/dlink - Exploit, Third Party Advisory
References	~~() https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 -~~	() https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory
References	~~() https://vuldb.com/?ctiid.259284 -~~	() https://vuldb.com/?ctiid.259284 - Permissions Required
References	~~() https://vuldb.com/?id.259284 -~~	() https://vuldb.com/?id.259284 - Third Party Advisory
References	~~() https://vuldb.com/?submit.304661 -~~	() https://vuldb.com/?submit.304661 - Third Party Advisory

11 Apr 2024, 10:15

Type	Values Removed	Values Added
References	~~{'url': 'https://news.ycombinator.com/item?id=39960107', 'source': 'cna@vuldb.com'}~~

07 Apr 2024, 14:15

Type	Values Removed	Values Added
References		() https://news.ycombinator.com/item?id=39960107 -

05 Apr 2024, 05:15

Type	Values Removed	Values Added
Summary		(es) NO SOPORTADO CUANDO SE ASIGNÓ Se ha encontrado una vulnerabilidad clasificada como crítica en D-Link DNS-320L, DNS-325, DNS-327L y DNS-340L hasta 20240403. Una función desconocida del archivo / cgi-bin/nas_sharing.cgi del componente HTTP GET Request Handler. La manipulación del SYSTEM de argumentos conduce a la inyección de comandos. Es posible lanzar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. El identificador de esta vulnerabilidad es VDB-259284. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó de inmediato que el producto ha llegado al final de su vida útil. Debería retirarse y reemplazarse.
References		() https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 -

04 Apr 2024, 04:15

Type	Values Removed	Values Added
Summary	(en) A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.	(en) UNSUPPORTED WHEN ASSIGNED A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

04 Apr 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-04 01:15

Updated : 2024-04-15 20:13

NVD link : CVE-2024-3273

Mitre link : CVE-2024-3273

CVE.ORG link : CVE-2024-3273

JSON object : View

Products Affected

dlink

dns-1200-05
dns-315l
dns-120_firmware
dnr-326
dns-320_firmware
dns-320l
dnr-202l_firmware
dns-327l_firmware
dns-325_firmware
dns-343
dnr-202l
dns-340l
dns-323
dns-315l_firmware
dnr-322l_firmware
dns-1100-4
dns-321
dns-345
dns-1550-04_firmware
dns-320lw
dns-1200-05_firmware
dns-320l_firmware
dns-323_firmware
dns-726-4_firmware
dns-327l
dns-1550-04
dns-326_firmware
dns-345_firmware
dns-320lw_firmware
dns-343_firmware
dns-340l_firmware
dnr-326_firmware
dns-726-4
dns-326
dns-320
dnr-322l
dns-120
dns-1100-4_firmware
dns-321_firmware
dns-325

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

9.8 /10