D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-View is a network management suite developed by the Taiwanese networking solutions vendor D-Link, used by businesses of all sizes for monitoring performance, controlling device configurations, creating network maps, and generally making network management and administration more efficient and less time-consuming.
Security researchers participating in Trend Micro’s Zero Day Initiative (ZDI) discovered six flaws impacting D-View late last year and reported them to the vendor on December 23, 2022.
Two of the discovered vulnerabilities are critical severity (CVSS score: 9.8) and give unauthenticated attackers strong leverage over affected installations.
The first flaw is tracked as CVE-2023-32165 and is a remote code execution flaw arising from the lack of proper validation of a user-supplied path before using it in file operations.
An attacker leveraging the vulnerability could execute code with SYSTEM privileges, which for Windows, the code will run with the highest privileges, potentially allowing complete system takeover.
The second critical flaw has received the identifier CVE-2023-32169 and is an authentication bypass problem resulting from using a hard-coded cryptographic key on the TokenUtils class of the software.
Exploiting this flaw allows privilege escalation, unauthorized access of information, change of configuration and settings on the software, and even installation of backdoors and malware.
D-Link has released an advisory on all six flaws reported by the ZDI, which impact D-View 8 version 188.8.131.52 and below, urging admins to upgrade to the fixed version, 184.108.40.206, released on May 17, 2023.
“As soon as D-Link was made aware of the reported security issues, we had promptly started our investigation and began developing security patches,” reads D-Link’s security bulletin.
Although the vendor “strongly recommends” all users to install the security update, the announcement also warns that the patch is “beta software or hot-fix release,” still undergoing final testing.
This means that upgrading to 220.127.116.11 might cause problems or introduce instability to D-View, but the severity of the flaws likely outweighs any potential performance issues.
The company also advises users to verify the hardware revision of their products by checking on the underside label or the web configuration panel before downloading the corresponding firmware update.