Pierluigi Paganini May 25, 2023

D-Link fixed two critical flaws in its D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution.

D-Link has addressed two critical vulnerabilities (CVSS score: 9.8) in its D-View 8 network management suite that could be exploited by remote attackers to bypass authentication and execute arbitrary code.

The D-View network management suite allows customers to monitor performance, configure devices, and manage the network in an efficient way.

The vulnerabilities were reported to the company on December 23, 2022 through Trend Micro’s Zero Day Initiative (ZDI).

The first vulnerability, tracked as CVE-2023-32165, is a D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution flaw.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the TftpReceiveFileHandler class.”

The vulnerability is caused by the lack of proper validation of a user-supplied path prior to using it in file operations. An unauthenticated attacker can exploit the flaw to execute code in the context of SYSTEM.

The vulnerability was reported by Andrea Micalizzi (aka rgod)

The second flaw, tracked as CVE-2023-32169, is an authentication bypass issue caused by the use of hard-coded cryptographic key authentication in the TokenUtils class.

An attacker can exploit this vulnerability to bypass authentication on the target system.

“This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory. “The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key.”

The vulnerability was discovered by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative.

The company pointed out that the released patch is “beta software or hot-fix release,” which is still undergoing final testing.

“Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)