
D-Link fixes two critical flaws in D-View 8 network management suite (Security Affairs)

D-Link fixed two critical flaws in the D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution.

D-Link addressed two critical vulnerabilities (CVSS score: 9.8) in the D-View 8 network management suite that could be exploited by a remote attacker to bypass authentication and execute arbitrary code.

The D-View network management suite allows customers to monitor performance, configure devices and manage their networks in an efficient manner.

The vulnerability was reported to the company on December 23, 2022 through Trend Micro’s Zero Day Initiative (ZDI).

The first vulnerability, tracked as CVE-2023-32165, is a directory traversal remote code execution flaw in the D-View TftpReceiveFileHandler class.

“This vulnerability could allow a remote attacker to execute arbitrary code on an affected D-Link D-View installation. No authentication is required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the TftpReceiveFileHandler class.”

The vulnerability stems from the lack of proper validation of user-supplied paths before they are used in file operations. An unauthenticated attacker could exploit this flaw to run code in the SYSTEM context.
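The missing check described above, as an added Python illustration (not D-Link's code and not from the ZDI advisory): a file-receive handler should resolve the client-supplied name inside a fixed upload root and refuse anything that lands elsewhere. All function names, the upload root and the sample file names are hypothetical and constructed for this example.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath


class UnsafePathError(ValueError):
    """Raised when a client-supplied file name would leave the upload root."""


def naive_target(root, client_name):
    # Flawed pattern: the name is joined unvalidated, so ".." segments or an
    # absolute path decide where the received file is written.
    return Path(os.path.normpath(os.path.join(root, client_name)))


def safe_target(root, client_name):
    """Return a path strictly inside root, or raise UnsafePathError."""
    if not client_name or "\x00" in client_name:
        raise UnsafePathError("empty name or NUL byte")
    # Parse with Windows rules so '/' and '\\' both count as separators and
    # drive letters or UNC prefixes are recognised on any host OS.
    parsed = PureWindowsPath(client_name)
    if parsed.anchor:
        raise UnsafePathError("absolute path, drive or UNC prefix")
    if ".." in parsed.parts:
        raise UnsafePathError("parent-directory segment")
    root_real = Path(root).resolve()
    candidate = root_real.joinpath(*parsed.parts).resolve()
    # Containment check after symlink resolution; also rejects the root itself.
    if root_real not in candidate.parents:
        raise UnsafePathError("resolved path is not inside upload root")
    return candidate


def classify(names):
    """Map each name to 'ok' or the rejection reason, using a temp upload root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            try:
                safe_target(tmp, name)
                results[name] = "ok"
            except UnsafePathError as exc:
                results[name] = str(exc)
    return results


# Constructed sample names, not taken from any advisory or product.
SAMPLES = ["cfg/switch1.bin", "..\\..\\outside.txt", "../outside.txt",
           "C:\\Temp\\x.txt", "/abs/x.txt", "."]
```

Running `classify(SAMPLES)` accepts only the first name; every other sample is rejected before any file operation takes place.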

This vulnerability was reported by Andrea Micalizzi (aka rgod).

The second flaw, tracked as CVE-2023-32169, is an authentication bypass issue caused by the use of a hard-coded cryptographic key in the TokenUtils class.

An attacker could exploit this vulnerability to bypass authentication on the target system.

“This vulnerability could allow a remote attacker to bypass authentication on an affected D-Link D-View installation. No authentication is required to exploit this vulnerability.” reads the advisory. “The specific flaw exists within the TokenUtils class. This issue is caused by a hard-coded encryption key.”

This vulnerability was discovered by Piotr Bazydlo (@chudypb) of the Trend Micro Zero Day Initiative.

The released patch is a ‘beta software or hotfix release’ that is still in final testing, the company pointed out.

“Please note that this is a device beta software, beta firmware or hotfix release that is still undergoing final testing prior to official release. Beta Software, Beta Firmware or Hotfixes are provided “as is” and “as available” and you use them at your own risk and responsibility. D-Link makes no warranties, either express or implied, regarding the suitability or usefulness of the beta firmware. D-Link shall not be liable for any direct, indirect, special or consequential losses suffered by any party as a result of using the Beta Firmware.”


Pierluigi Paganini
