{"id":1107,"date":"2024-04-09T07:02:10","date_gmt":"2024-04-09T05:02:10","guid":{"rendered":"https:\/\/techlance.ddns.net\/?p=1107"},"modified":"2024-04-09T07:03:48","modified_gmt":"2024-04-09T05:03:48","slug":"komentojen-injektointi-ja-takaporttitili-d-link-nas-laitteissa","status":"publish","type":"post","link":"https:\/\/techlance.ddns.net\/en\/komentojen-injektointi-ja-takaporttitili-d-link-nas-laitteissa\/","title":{"rendered":"Komentojen injektointi ja takaporttitili D-Link NAS -laitteissa"},"content":{"rendered":"<p>Luokitus: Kriittinen, Ratkaisu: Ei saatavilla, Hy\u00f6dynt\u00e4misen kypsyys: Konseptitodiste, CVSSv3.1: 9.8, CVEt: CVE-2024-3274, CVE-2024-3273, CVE-2024-3272, Yhteenveto: CVE-2024-3272 ** EI TUE KUN M\u00c4\u00c4RITETTY ** Haavoittuvuus, joka on luokiteltu eritt\u00e4in kriittiseksi, on l\u00f6ydetty D-Link DNS-320L, DNS-325, DNS-327L ja DNS-340L -laitteista versioon 20240403 asti. T\u00e4m\u00e4 ongelma vaikuttaa joihinkin tuntemattomiin prosesseihin tiedostossa \/cgi-bin\/nas_sharing.cgi komponentissa HTTP GET -pyynn\u00f6n k\u00e4sittelij\u00e4. Argumentin user manipulointi sy\u00f6tteell\u00e4 messagebus johtaa kovakoodattuihin tunnistetietoihin. Hy\u00f6kk\u00e4ys voidaan aloittaa et\u00e4n\u00e4. Hyv\u00e4ksik\u00e4yt\u00f6st\u00e4 on julkaistu tietoja julkisesti, ja sit\u00e4 voidaan k\u00e4ytt\u00e4\u00e4. T\u00e4h\u00e4n haavoittuvuuteen liitetty tunniste on VDB-259283. HUOM: T\u00e4m\u00e4 haavoittuvuus vaikuttaa vain tuotteisiin, joita yll\u00e4pit\u00e4j\u00e4 ei en\u00e4\u00e4 tue. HUOM: Valmistajaan otettiin yhteytt\u00e4 aikaisin, ja he vahvistivat v\u00e4litt\u00f6m\u00e4sti, ett\u00e4 tuote on elinkaarensa p\u00e4\u00e4ss\u00e4. Se tulisi poistaa k\u00e4yt\u00f6st\u00e4 ja korvata. CVE-2024-3273 ja CVE-2024-3274 ** EI TUE KUN M\u00c4\u00c4RITETTY ** Haavoittuvuus on l\u00f6ydetty D-Link DNS-320L, DNS-320LW ja DNS-327L -laitteista versioon 20240403 asti ja luokiteltu ongelmalliseksi. T\u00e4m\u00e4 haavoittuvuus vaikuttaa tuntemattomaan toiminnallisuuteen tiedostossa \/cgi-bin\/info.cgi komponentissa HTTP GET -pyynn\u00f6n k\u00e4sittelij\u00e4. Manipulointi johtaa komentojen injektointiin ja tiedon paljastumiseen. Hy\u00f6kk\u00e4ys voidaan suorittaa et\u00e4n\u00e4. Hyv\u00e4ksik\u00e4yt\u00f6st\u00e4 on julkaistu tietoja julkisesti, ja sit\u00e4 voidaan k\u00e4ytt\u00e4\u00e4. T\u00e4lle haavoittuvuudelle on annettu tunniste VDB-259285. HUOM: T\u00e4m\u00e4 haavoittuvuus vaikuttaa vain tuotteisiin, joita yll\u00e4pit\u00e4j\u00e4 ei en\u00e4\u00e4 tue. HUOM: Valmistajaan otettiin yhteytt\u00e4 aikaisin, ja he vahvistivat v\u00e4litt\u00f6m\u00e4sti, ett\u00e4 tuote on elinkaarensa p\u00e4\u00e4ss\u00e4. Se tulisi poistaa k\u00e4yt\u00f6st\u00e4 ja korvata. Katso my\u00f6s: <a href=\"https:\/\/github.com\/netsecfish\/dlink\">https:\/\/github.com\/netsecfish\/dlink<\/a><\/p>\n\n\n\n<p>Classification: Critical, Solution: Unavailable, Exploit Maturity: Proof-of-Concept, CVSSv3.1: 9.8, CVEs: CVE-2024-3274, CVE-2024-3273, CVE-2024-3272, Summary: CVE-2024-3272 ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file \/cgi-bin\/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument user with the input messagebus leads to hard-coded credentials. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259283. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. CVE-2024-3273 and CVE-2024-3274 ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Link DNS-320L, DNS-320LW and DNS-327L up to 20240403 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file \/cgi-bin\/info.cgi of the component HTTP GET Request Handler. The manipulation leads to command injection and information disclosure . The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259285 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. See also: https:\/\/github.com\/netsecfish\/dlink<\/p>\n\n\n\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3274\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3274<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Luokitus: Kriittinen, Ratkaisu: Ei saatavilla, Hy\u00f6dynt\u00e4misen kypsyys: Konseptitodiste, CVSSv3.1: 9.8, CVEt: CVE-2024-3274, CVE-2024-3273, CVE-2024-3272, Yhteenveto: CVE-2024-3272 ** EI TUE KUN [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[21,9],"tags":[22,15],"class_list":["post-1107","post","type-post","status-publish","format-standard","hentry","category-data-protection","category-security","tag-data-protection","tag-tietoturva"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts\/1107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/comments?post=1107"}],"version-history":[{"count":0,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts\/1107\/revisions"}],"wp:attachment":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/media?parent=1107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/categories?post=1107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/tags?post=1107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}