D-Link has addressed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-View is a network management suite developed by Taiwanese network solutions provider D-Link, used by businesses of all sizes to monitor performance, control device configurations, create network maps and, generally, make network management and administration more efficient and less time-consuming.
Security researchers participating in Trend Micro’s Zero Day Initiative (ZDI) discovered six flaws affecting D-View late last year and reported them to the vendor on December 23, 2022.
Two of the discovered vulnerabilities are of critical severity (CVSS score: 9.8) and give unauthenticated attackers high leverage over affected installations.
The first flaw is tracked as CVE-2023-32165 and is a remote code execution vulnerability resulting from a failure to properly validate a user-supplied path before using it in file operations.
An attacker exploiting the vulnerability could run code with SYSTEM privileges, the highest privilege level on Windows, potentially allowing a full system takeover.
The second critical flaw has been assigned the identifier CVE-2023-32169 and is an authentication bypass issue resulting from the use of a hard-coded cryptographic key in the software’s TokenUtils class.
Exploitation of this flaw allows elevation of privileges, unauthorized access to information, modification of software configuration and settings, and even installation of backdoors and malware.
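To illustrate the hard-coded-key weakness behind CVE-2023-32169, here is an added, constructed example (not D-View's actual TokenUtils code, whose token format is not described in this article): a small HMAC token utility with the weak pattern of a signing key baked into the source, next to a hardened loader that requires a per-installation key from the environment and fails closed when it is missing.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# WEAK PATTERN (hypothetical): a key compiled into the product means every
# installation shares it, so anyone who extracts it can mint valid tokens.
HARD_CODED_KEY = b"constructed-example-key-do-not-use"


def load_key_weak() -> bytes:
    """Returns the shared, hard-coded key (the pattern to avoid)."""
    return HARD_CODED_KEY


def load_key_hardened(env=os.environ) -> bytes:
    """Loads a per-installation key; refuses to start without a strong one."""
    key = env.get("TOKEN_SIGNING_KEY", "")   # hypothetical variable name
    if len(key) < 32:
        raise RuntimeError("TOKEN_SIGNING_KEY must be set and >= 32 chars")
    return key.encode()


def has_valid_key(env) -> bool:
    """Startup check helper: True only if the hardened loader accepts env."""
    try:
        load_key_hardened(env)
        return True
    except RuntimeError:
        return False


def sign_token(payload: dict, key: bytes) -> str:
    """Serializes payload and appends an HMAC-SHA256 tag under key."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Returns the payload if the tag is valid and unexpired, else None."""
    try:
        body, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload.get("exp", 0) >= time.time() else None
```

A token minted under one installation's key is rejected by another, which is exactly the property a shared hard-coded key destroys.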
D-Link has issued an advisory on the six ZDI-reported vulnerabilities affecting D-View 8 version 220.127.116.11 and lower, urging administrators to upgrade to the patched version, 18.104.22.168, released on May 17, 2023.
“As soon as D-Link was made aware of the reported security issues, we promptly launched our investigation and began developing security fixes,” reads the D-Link security bulletin.
Although the vendor “strongly recommends” that all users install the security update, the announcement also warns that the fix is “beta software or a patch release”, still in final testing.
This means that upgrading to 22.214.171.124 may cause problems or introduce instability to D-View, but the severity of the flaws likely outweighs any potential performance issues.
The company also advises users to check the hardware revision of their products by checking on the bottom label or the web-based control panel before downloading the corresponding firmware update.