D-Link has recently patched two critical-severity vulnerabilities in its D-View 8 network management suite, which could have allowed remote attackers to bypass authentication and execute arbitrary code. D-View is a network management suite developed by Taiwanese networking solutions vendor D-Link, utilized by businesses of various sizes to monitor performance, manage device configurations, create network maps, and generally streamline network management and administration.
Security researchers participating in Trend Micro's Zero Day Initiative (ZDI) uncovered six flaws affecting D-View in late 2022 and reported them to the vendor on December 23, 2022. Among the discovered vulnerabilities, two are of critical severity (CVSS score: 9.8) and provide unauthenticated attackers with significant leverage over affected installations. The first flaw, identified as CVE-2023-32165, is a remote code execution vulnerability caused by inadequate validation of a user-supplied path before using it in file operations. An attacker exploiting this vulnerability could execute code with SYSTEM privileges, which, for Windows, would run with the highest privileges, potentially enabling full system takeover.
The second critical flaw is assigned the identifier CVE-2023-32169 and is an authentication bypass issue resulting from the use of a hard-coded cryptographic key in the TokenUtils class of the software. Exploiting this vulnerability allows for privilege escalation, unauthorized access to information, alteration of configuration and settings within the software, and even the installation of backdoors and malware.
D-Link has published an advisory on all six flaws reported by the ZDI, affecting D-View 8 version 22.214.171.124 and below, and encourages administrators to upgrade to the fixed version, 126.96.36.199, released on May 17, 2023. "As soon as D-Link was made aware of the reported security issues, we had promptly started our investigation and began developing security patches," reads D-Link's security bulletin. Although the vendor "strongly recommends" all users to install the security update, the announcement also cautions that the patch is a "beta software or hot-fix release," still undergoing final testing. This implies that upgrading to 188.8.131.52 might cause issues or introduce instability to D-View, but the severity of the flaws likely outweighs any potential performance problems. The company also advises users to verify the hardware revision of their products by checking the underside label or the web configuration panel before downloading the appropriate firmware update.