CVE-2024-3272 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability

Exploit added

April 11, 2024

Action due

May 2, 2024

Action required

This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Description

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

References

Weakness Enumeration

CWE-ID	CWE Name
CWE-798	Use of Hard-coded Credentials

Known Affected Software Configurations

cpe:2.3:o:dlink:dnr-202l_firmware:-:::::::*
cpe:2.3:o:dlink:dnr-322l_firmware:-:::::::*
cpe:2.3:o:dlink:dnr-326_firmware:-:::::::*
cpe:2.3:o:dlink:dns-1100-4_firmware:-:::::::*
cpe:2.3:o:dlink:dns-1200-05_firmware:-:::::::*
cpe:2.3:o:dlink:dns-120_firmware:-:::::::*
cpe:2.3:o:dlink:dns-1550-04_firmware:-:::::::*
cpe:2.3:o:dlink:dns-315l_firmware:-:::::::*
cpe:2.3:o:dlink:dns-320l_firmware:-:::::::*
cpe:2.3:o:dlink:dns-320lw_firmware:-:::::::*
cpe:2.3:o:dlink:dns-321_firmware:-:::::::*
cpe:2.3:o:dlink:dns-323_firmware:-:::::::*
cpe:2.3:o:dlink:dns-325_firmware:-:::::::*
cpe:2.3:o:dlink:dns-326_firmware:-:::::::*
cpe:2.3:o:dlink:dns-327l_firmware:-:::::::*
cpe:2.3:o:dlink:dns-340l_firmware:-:::::::*
cpe:2.3:o:dlink:dns-343_firmware:-:::::::*
cpe:2.3:o:dlink:dns-345_firmware:-:::::::*
cpe:2.3:o:dlink:dns-726-4_firmware:-:::::::*
cpe:2.3:o:dlink:dns-320_firmware:-:::::::*

Details

Source:
NVD

Published:
April 4, 2024

Updated:
August 1, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Base score:
10

Severity:

HIGH

Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C