D-Link fixes auth bypass and RCE flaws in D-View 8 software
D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-View is a network management suite developed by the Taiwanese networking solutions vendor D-Link, used by businesses of all sizes for monitoring performance, controlling device configurations, creating network maps, and generally making network management and administration more efficient and less time-consuming.
Security researchers participating in Trend Micro's Zero Day Initiative discovered six flaws impacting D-View late last year and reported them to the vendor on December 23, 2022.
The first flaw is tracked as CVE-2023-32165 and is a remote code execution flaw arising from the lack of proper validation of a user-supplied path before using it in file operations.
The second critical flaw has received the identifier CVE-2023-32169 and is an authentication bypass problem resulting from the use of a hard-coded cryptographic key in the TokenUtils class of the software.
D-Link has released an advisory on all six flaws reported by the ZDI, which impact D-View 8 version 2.0.1.27 and below, urging admins to upgrade to the fixed version, 2.0.1.28, released on May 17, 2023.
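The bug class behind CVE-2023-32165, a user-supplied path used in file operations without proper validation, is closed by resolving the path and checking that it stays inside the intended directory before anything is written. The Python below is an added example, not D-View or D-Link code; `resolve_upload_path`, the upload-root layout and the sample file names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """The client-supplied name would land outside the upload root."""


def resolve_upload_path(root: str, client_name: str) -> Path:
    """Return the path for client_name, guaranteed to sit strictly under root."""
    if not client_name or "\x00" in client_name:
        raise UnsafePathError("empty name or embedded NUL")
    # Treat backslashes as separators so "..\\..\\x" is caught on any OS.
    normalized = client_name.replace("\\", "/")
    if normalized.startswith("/") or normalized[1:2] == ":":
        raise UnsafePathError("absolute path or drive letter")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root_real, normalized))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePathError("resolves outside the upload root")
    return Path(candidate)


# Constructed sample names: the first two are legitimate, the rest must be refused.
SAMPLES = ["config.bin", "backups/sw1.cfg", "../../etc/cron.d/job",
           "..\\..\\outside.txt", "/etc/passwd", "C:\\Windows\\x.dll", "a/../../b"]


def check_samples() -> dict:
    """Map each sample name to True (accepted) or False (refused)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name in SAMPLES:
            try:
                resolve_upload_path(root, name)
                results[name] = True
            except UnsafePathError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{'accept' if accepted else 'REFUSE'}  {name!r}")
```

The check and the later file open are separate steps, so the upload root should not be writable by other local users who could swap in a symlink between them.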
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-05-03 | CVE-2023-32169 | D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. | 0.0 |
2024-05-03 | CVE-2023-32165 | D-Link D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution Vulnerability. | 0.0 |