📄 الوصف (الإنجليزية)
A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_adduser_to_session of the file /cgi-bin/account_mgr.cgi. This manipulation of the argument read_list causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
🤖 ملخص AI
A critical stack-based buffer overflow vulnerability exists in D-Link NAS devices (DNS and DNR series) affecting firmware versions up to 20260205. The vulnerability in the account_mgr.cgi file allows unauthenticated remote code execution through the read_list parameter. With public exploit availability and no patch currently available, this poses an immediate threat to organizations using these devices for data storage and backup.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 23, 2026 16:04
🇸🇦 التأثير على المملكة العربية السعودية
Saudi organizations across multiple critical sectors are at significant risk: Banking sector (SAMA-regulated institutions using D-Link NAS for transaction logs and backup), Government agencies (NCA, CITC infrastructure), Healthcare providers (SEHA facilities storing patient records), Energy sector (ARAMCO and downstream companies), and Telecommunications (STC, Mobily infrastructure). The vulnerability enables complete device compromise, data exfiltration, lateral network movement, and potential supply chain attacks through compromised backup systems.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Critical Infrastructure
Data Centers and Cloud Services
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all D-Link DNS/DNR devices in your environment and document firmware versions
2. Isolate affected devices from production networks or restrict access to trusted networks only
3. Disable remote access to the web management interface (port 80/443) if not critical
4. Implement network segmentation to limit lateral movement from compromised NAS devices
5. Monitor for suspicious access patterns to /cgi-bin/account_mgr.cgi
COMPENSATING CONTROLS:
1. Deploy WAF rules to block requests containing 'read_list' parameter with suspicious payloads
2. Implement strict firewall rules allowing only authorized IPs to access management interfaces
3. Enable authentication logging and monitor for failed/successful login attempts
4. Deploy IDS/IPS signatures detecting buffer overflow attempts to account_mgr.cgi
5. Implement network-based access controls restricting CGI script access
DETECTION RULES:
1. Monitor HTTP POST requests to /cgi-bin/account_mgr.cgi with oversized read_list parameters (>1024 bytes)
2. Alert on any unauthenticated access attempts to account_mgr.cgi
3. Track process execution from httpd/web service processes
4. Monitor for unexpected child processes spawned from D-Link device web services
5. Log all firmware update attempts and configuration changes
PATCHING GUIDANCE:
1. Contact D-Link support immediately for firmware updates
2. Prepare isolated test environment to validate patches when available
3. Establish maintenance window for device updates
4. Consider replacement with patched models if updates are not forthcoming
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع أجهزة D-Link DNS/DNR في بيئتك وتوثيق إصدارات البرامج الثابتة
2. عزل الأجهزة المتأثرة عن شبكات الإنتاج أو تقييد الوصول للشبكات الموثوقة فقط
3. تعطيل الوصول البعيد إلى واجهة الإدارة على الويب (المنفذ 80/443) إذا لم يكن حرجاً
4. تنفيذ تقسيم الشبكة لتحديد الحركة الجانبية من أجهزة NAS المخترقة
5. مراقبة أنماط الوصول المريبة إلى /cgi-bin/account_mgr.cgi
الضوابط التعويضية:
1. نشر قواعد WAF لحجب الطلبات التي تحتوي على معامل read_list برموز مريبة
2. تنفيذ قواعد جدار الحماية الصارمة للسماح فقط بعناوين IP المصرح بها للوصول إلى واجهات الإدارة
3. تفعيل تسجيل المصادقة ومراقبة محاولات تسجيل الدخول الفاشلة والناجحة
4. نشر توقيعات IDS/IPS للكشف عن محاولات تجاوز المخزن المؤقت إلى account_mgr.cgi
5. تنفيذ ضوابط الوصول المستندة إلى الشبكة لتقييد الوصول إلى نصوص CGI
قواعد الكشف:
1. مراقبة طلبات HTTP POST إلى /cgi-bin/account_mgr.cgi مع معاملات read_list كبيرة الحجم (>1024 بايت)
2. تنبيه على أي محاولات وصول غير مصرح بها إلى account_mgr.cgi
3. تتبع تنفيذ العمليات من عمليات httpd/خدمة الويب
4. مراقبة العمليات الفرعية غير المتوقعة المنبثقة من خدمات الويب لجهاز D-Link
5. تسجيل جميع محاولات تحديث البرامج الثابتة والتغييرات في الإعدادات
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging
ECC 2024 A.13.1.3 - Segregation of networks
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.DS-6 - Data protection and integrity
DE.CM-1 - Detection and monitoring
RS.RP-1 - Response planning
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.2.1 - Monitoring and logging
A.13.1.3 - Segregation of networks
A.12.3.1 - Installation of software on operational systems
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
Requirement 12.2 - Configuration standards
🔗 المراجع والمصادر 5
🔗
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_168/168.md
cna@vuldb.com
Exploit
Third Party Advisory
🔗
https://vuldb.com/submit/780437
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/354350
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/vuln/354350/cti
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://www.dlink.com/
cna@vuldb.com
Product
📦 المنتجات المتأثرة 20 منتج
dlink:dnr-202l_firmware
dlink:dnr-326_firmware
dlink:dns-1100-4_firmware
dlink:dns-120_firmware
dlink:dns-1200-05_firmware
dlink:dns-1550-04_firmware
dlink:dns-315l_firmware
dlink:dns-320_firmware
dlink:dns-320l_firmware
dlink:dns-320lw_firmware
dlink:dns-321_firmware
dlink:dns-322l_firmware
dlink:dns-323_firmware
dlink:dns-325_firmware
dlink:dns-326_firmware
dlink:dns-327l_firmware
dlink:dns-340l_firmware
dlink:dns-343_firmware
dlink:dns-345_firmware
dlink:dns-726-4_firmware