CVE-2024-3272

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*

History

15 Apr 2024, 20:14

Type Values Removed Values Added
CPE cpe:2.3:h:dlink:dns-326:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-120:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-315l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-345_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320lw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-321_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-323_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1100-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-343_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-340l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-315l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-726-4_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1200-05:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1550-04:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-321:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-322l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-345:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-323:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-340l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-343:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-202l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dnr-326:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-202l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-325:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-120_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1200-05_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-1550-04_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320lw:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dnr-322l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-325_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-326_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-320l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-327l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-726-4:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-327l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dns-1100-4:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dns-320_firmware:-:*:*:*:*:*:*:*
References () https://github.com/netsecfish/dlink - () https://github.com/netsecfish/dlink - Exploit, Third Party Advisory
References () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 - Vendor Advisory
References () https://vuldb.com/?ctiid.259283 - () https://vuldb.com/?ctiid.259283 - Permissions Required
References () https://vuldb.com/?id.259283 - () https://vuldb.com/?id.259283 - Third Party Advisory
First Time Dlink dnr-202l Firmware
Dlink dns-343 Firmware
Dlink dns-726-4 Firmware
Dlink dnr-202l
Dlink dns-320lw Firmware
Dlink dns-327l Firmware
Dlink dns-343
Dlink dnr-322l
Dlink dns-320l Firmware
Dlink dns-323
Dlink dns-326
Dlink dns-120
Dlink dns-321
Dlink dns-320lw
Dlink dns-1100-4
Dlink dns-315l
Dlink dns-320
Dlink dns-321 Firmware
Dlink dns-345 Firmware
Dlink dnr-326
Dlink dns-1100-4 Firmware
Dlink dns-325 Firmware
Dlink dns-345
Dlink dnr-322l Firmware
Dlink dns-1200-05
Dlink dns-323 Firmware
Dlink dns-1200-05 Firmware
Dlink dns-340l
Dlink dns-1550-04 Firmware
Dlink dns-327l
Dlink
Dlink dns-326 Firmware
Dlink dns-320l
Dlink dns-726-4
Dlink dns-325
Dlink dns-320 Firmware
Dlink dns-340l Firmware
Dlink dns-120 Firmware
Dlink dnr-326 Firmware
Dlink dns-315l Firmware
Dlink dns-1550-04

05 Apr 2024, 05:15

Type Values Removed Values Added
References
  • () https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 -
Summary
  • (es) ** NO COMPATIBLE CUANDO SE ASIGNÓ ** Se encontró una vulnerabilidad, que fue clasificada como muy crítica, en D-Link DNS-320L, DNS-325, DNS-327L y DNS-340L hasta 20240403. Este problema afecta a algunos procesamientos desconocidos de el archivo /cgi-bin/nas_sharing.cgi del componente HTTP GET Request Handler. La manipulación del argumento usuario con el bus de mensajes de entrada conduce a credenciales codificadas. El ataque puede iniciarse de forma remota. El exploit ha sido divulgado al público y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-259283. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el fabricante. NOTA: Se contactó primeramente con el proveedor y se confirmó de inmediato que el producto ha llegado al final de su vida útil. Debería retirarse y reemplazarse.

04 Apr 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-04 01:15

Updated : 2024-08-14 19:32


NVD link : CVE-2024-3272

Mitre link : CVE-2024-3272

CVE.ORG link : CVE-2024-3272


JSON object : View

Products Affected

dlink

  • dnr-322l_firmware
  • dns-345
  • dns-726-4_firmware
  • dns-320_firmware
  • dns-343
  • dns-320
  • dns-1200-05
  • dns-320l_firmware
  • dns-326_firmware
  • dns-321
  • dnr-202l
  • dnr-326
  • dns-320lw_firmware
  • dns-340l
  • dns-120
  • dns-327l
  • dns-345_firmware
  • dns-1100-4
  • dns-321_firmware
  • dns-323_firmware
  • dns-340l_firmware
  • dns-325_firmware
  • dns-1100-4_firmware
  • dns-325
  • dns-1200-05_firmware
  • dnr-326_firmware
  • dns-1550-04_firmware
  • dns-320lw
  • dnr-322l
  • dns-327l_firmware
  • dns-315l
  • dns-120_firmware
  • dns-326
  • dns-323
  • dns-315l_firmware
  • dns-343_firmware
  • dns-1550-04
  • dns-726-4
  • dns-320l
  • dnr-202l_firmware
CWE
CWE-798

Use of Hard-coded Credentials