D-Link fixes auth bypass and RCE flaws in D-View 8 software

D-Link

D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.

D-View is a network management suite developed by the Taiwanese networking solutions vendor D-Link, used by businesses of all sizes for monitoring performance, controlling device configurations, creating network maps, and generally making network management and administration more efficient and less time-consuming.

Security researchers participating in Trend Micro’s Zero Day Initiative (ZDI) discovered six flaws impacting D-View late last year and reported them to the vendor on December 23, 2022.

Two of the discovered vulnerabilities are critical severity (CVSS score: 9.8) and give unauthenticated attackers strong leverage over affected installations.

The first flaw is tracked as CVE-2023-32165 and is a remote code execution flaw arising from the lack of proper validation of a user-supplied path before using it in file operations.

An attacker leveraging the vulnerability could execute code with SYSTEM privileges, which for Windows, the code will run with the highest privileges, potentially allowing complete system takeover.

The second critical flaw has received the identifier CVE-2023-32169 and is an authentication bypass problem resulting from using a hard-coded cryptographic key on the TokenUtils class of the software.

Exploiting this flaw allows privilege escalation, unauthorized access of information, change of configuration and settings on the software, and even installation of backdoors and malware.

D-Link has released an advisory on all six flaws reported by the ZDI, which impact D-View 8 version 2.0.1.27 and below, urging admins to upgrade to the fixed version, 2.0.1.28, released on May 17, 2023.

“As soon as D-Link was made aware of the reported security issues, we had promptly started our investigation and began developing security patches,” reads D-Link’s security bulletin.

Although the vendor “strongly recommends” all users to install the security update, the announcement also warns that the patch is “beta software or hot-fix release,” still undergoing final testing.

This means that upgrading to 2.0.1.28 might cause problems or introduce instability to D-View, but the severity of the flaws likely outweighs any potential performance issues.

The company also advises users to verify the hardware revision of their products by checking on the underside label or the web configuration panel before downloading the corresponding firmware update.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn