Security

D-Link fixes two critical flaws in D-View 8 network management suite

D-Link fixed two critical flaws in its D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution.

D-Link has addressed two critical vulnerabilities (CVSS score: 9.8) in its D-View 8 network management suite that could be exploited by remote attackers to bypass authentication and execute arbitrary code.

The D-View network management suite allows customers to monitor performance, configure devices, and manage the network in an efficient way.

The vulnerabilities were reported to the company on December 23, 2022 through Trend Micro’s Zero Day Initiative (ZDI).

The first vulnerability, tracked as CVE-2023-32165, is a D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution flaw.

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory published by ZDI. “The specific flaw exists within the TftpReceiveFileHandler class.”

The vulnerability is caused by the lack of proper validation of a user-supplied path prior to using it in file operations. An unauthenticated attacker can exploit the flaw to execute code in the context of SYSTEM.

The vulnerability was reported by Andrea Micalizzi (aka rgod)

The second flaw, tracked as CVE-2023-32169, is an authentication bypass issue caused by the use of hard-coded cryptographic key authentication in the TokenUtils class.

An attacker can exploit this vulnerability to bypass authentication on the target system.

“This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.” reads the advisory. “The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key.”

The vulnerability was discovered by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative.

The company pointed out that the released patch is “beta software or hot-fix release,” which is still undergoing final testing.

“Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US government sanctions twelve Kaspersky Lab executives

The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned twelve Kaspersky Lab executives for their…

14 hours ago

Experts found a bug in the Linux version of RansomHub ransomware

The RansomHub ransomware operators added a Linux encryptor to their arsenal, the version targets VMware…

19 hours ago

UEFICANHAZBUFFEROVERFLOW flaw in Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC and server models

A serious vulnerability (CVE-2024-0762) in the Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC…

2 days ago

Russia-linked APT Nobelium targets French diplomatic entities

French information security agency ANSSI reported that Russia-linked threat actor Nobelium is behind a series…

2 days ago

US bans sale of Kaspersky products due to risks to national security

The US government announced the ban on selling Kaspersky software due to security risks from…

2 days ago

Atlassian fixed six high-severity bugs in Confluence Data Center and Server

Australian software company Atlassian addressed multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira solutions.…

2 days ago

This website uses cookies.