CVE-2024-7922: D-Link DNS-120 Firmware RCE Vulnerability

CVE-2024-7922 Overview

CVE-2024-7922 is a command injection vulnerability affecting more than 20 end-of-life D-Link network-attached storage (NAS) models. The flaw resides in the /cgi-bin/myMusic.cgi handler, specifically in functions including cgi_audio_search, cgi_create_playlist, cgi_get_album_all_tracks, cgi_get_alltracks_editlist, cgi_get_artist_all_album, cgi_get_genre_all_tracks, cgi_get_tracks_list, cgi_set_airplay_content, and cgi_write_playlist. Authenticated attackers can manipulate input parameters to inject operating system commands. The exploit has been publicly disclosed. D-Link has confirmed these products are end-of-life and will not receive a patch.

Critical Impact

Remote attackers with low-privilege access can execute arbitrary operating system commands on affected NAS devices, potentially exposing stored data and providing a foothold into the internal network.

Affected Products

• D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321 (firmware up to 20240814)
• D-Link DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345 (firmware up to 20240814)
• D-Link DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04 (firmware up to 20240814)

Discovery Timeline

• 2024-08-19 - CVE-2024-7922 published to NVD
• 2024-08-20 - Last updated in NVD database
• End-of-Life Status - D-Link confirmed affected products are no longer supported and recommends retirement

Technical Details for CVE-2024-7922

Vulnerability Analysis

The vulnerability is a command injection flaw [CWE-77] in the myMusic.cgi binary shipped with D-Link NAS firmware. Multiple handler functions accept user-controlled parameters and pass them to underlying shell command execution without proper sanitization. An attacker who can reach the web interface and supply crafted parameters can break out of intended command context and execute arbitrary shell commands under the privileges of the CGI process. The EPSS score of 11.87% places this vulnerability in the 93rd percentile for likelihood of exploitation, reflecting the public availability of proof-of-concept code.

Root Cause

The handlers in /cgi-bin/myMusic.cgi concatenate request parameters directly into shell command strings. The lack of input validation, shell metacharacter filtering, or use of safer execution APIs allows characters such as ;, |, &, and backticks to terminate the intended command and append attacker-supplied commands.

Attack Vector

The attack is network-based and requires low-privileged authentication. An attacker sends an HTTP request to /cgi-bin/myMusic.cgi invoking one of the vulnerable functions, embedding shell metacharacters and commands into a parameter value. The injected commands are executed by the device's operating system. Public proof-of-concept material is available in the BuaaIOTTeam IoT D-Link NAS repository and a second function-specific writeup. Refer to these references for technical exploitation details.

Detection Methods for CVE-2024-7922

Indicators of Compromise

• HTTP requests to /cgi-bin/myMusic.cgi containing shell metacharacters such as ;, |, &, $(, or backticks in query string or POST body parameters
• Unexpected outbound connections originating from D-Link NAS device IP addresses, particularly to unfamiliar external hosts
• New or modified files in NAS storage shares that were not created by legitimate users
• Unexpected process activity or new persistent services on the NAS device

Detection Strategies

• Inspect web server and reverse proxy logs for requests to myMusic.cgi with suspicious parameter content
• Deploy network intrusion detection signatures that flag command injection patterns in HTTP traffic to NAS management interfaces
• Monitor DNS queries and egress traffic from NAS devices for anomalies suggesting post-exploitation command-and-control activity

Monitoring Recommendations

• Place affected NAS devices on isolated VLANs and log all north-south and east-west traffic
• Forward network telemetry to a centralized analytics platform for retrospective hunting against the function names listed in this advisory
• Alert on any authentication events to the NAS web UI from unexpected source addresses or at unusual times

How to Mitigate CVE-2024-7922

Immediate Actions Required

• Retire and replace affected D-Link NAS devices, as the vendor has confirmed end-of-life status and will not issue a fix
• Remove affected devices from any internet-exposed interface and block inbound access at the perimeter firewall
• Rotate any credentials, SSH keys, or API tokens that were stored on or accessed through the NAS
• Audit data stored on the appliance for unauthorized access or modification before decommissioning

Patch Information

No patch is available. D-Link has published an official end-of-life security advisory (SAP10383) confirming the products are no longer supported and directing customers to retire the hardware.

Workarounds

• Disconnect affected NAS devices from the network if replacement is not immediate
• If temporary operation is required, restrict access to the web interface using firewall ACLs that allow only specific management workstations
• Disable the audio/music streaming features that expose the myMusic.cgi endpoint where the device configuration permits
• Migrate data to a currently supported storage platform that receives security updates

# Example perimeter firewall rules to block external access to NAS management
iptables -A FORWARD -p tcp --dport 80 -d <NAS_IP> -j DROP
iptables -A FORWARD -p tcp --dport 443 -d <NAS_IP> -j DROP
iptables -A INPUT -p tcp --dport 80 -s <ALLOWED_MGMT_SUBNET> -d <NAS_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -d <NAS_IP> -j DROP