D-Link has fixed two critical vulnerabilities in the D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.
D-Link is a Taiwanese manufacturer of consumer and enterprise networking hardware such as routers, switches and access points. D-View 8 is the company's network management suite, used to monitor and configure that equipment from a central console. That role is what makes these flaws serious: a management server holds credentials for, and privileged reach into, every device it manages, so compromising it is a foothold over the whole network rather than a single box.
The vulnerabilities are:
- CVE-2023-32165: A remote code execution vulnerability that may allow an unauthenticated, remote attacker to execute code with SYSTEM privileges, the highest privilege level on Windows, which amounts to complete takeover of the host.
- CVE-2023-32169: An authentication bypass caused by a hard-coded cryptographic key in the software's TokenUtils class. Because a hard-coded key is identical in every installation, an unauthenticated attacker who recovers it from the shipped software can forge tokens the server trusts, and from there escalate privileges, read information, change configuration and settings, and even install backdoors or malware.
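The class of flaw behind CVE-2023-32169 is easiest to see in code. What follows is an added example, not D-View's code and not derived from ZDI's report: a minimal HMAC-signed session token whose signing key is a constant compiled into the application, beside a version that uses a per-installation key. The class names, the key constant, the claim layout and the TOKEN_SIGNING_KEY environment variable are all invented for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed for this example. A real hard-coded key would be recovered by
# decompiling the shipped application; this one is NOT D-View's key.
HARDCODED_KEY = b"example-static-signing-key"


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(key, claims):
    """Serialise claims and append an HMAC-SHA256 tag: b64(payload).b64(tag)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = _sign(key, payload)
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(key, token, now=None):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    # Constant-time comparison so the tag check itself does not leak timing.
    if not hmac.compare_digest(_sign(key, payload), tag):
        return None
    claims = json.loads(payload)
    current = time.time() if now is None else now
    if claims.get("exp", 0) < current:  # a token without "exp" is rejected too
        return None
    return claims


class _TokenUtils:
    """Shared issue/check logic; subclasses differ only in where the key comes from."""
    key = None

    def issue(self, user, role):
        return make_token(self.key, {"sub": user, "role": role,
                                     "exp": time.time() + 3600})

    def check(self, token):
        return verify_token(self.key, token)


class VulnerableTokenUtils(_TokenUtils):
    """The flawed pattern: one key compiled into the product and shared by every
    installation. Whoever extracts it can mint tokens that every deployment accepts."""
    key = HARDCODED_KEY


class HardenedTokenUtils(_TokenUtils):
    """The fix: a per-installation key that never ships with the software. Here it
    is read from a hypothetical hex-encoded TOKEN_SIGNING_KEY environment variable
    or generated with a CSPRNG; a real server would persist the generated key in
    its secret store so tokens survive a restart."""
    def __init__(self, key=None):
        if key is None:
            env = os.environ.get("TOKEN_SIGNING_KEY")
            key = bytes.fromhex(env) if env else secrets.token_bytes(32)
        self.key = key


def forge_admin_token(leaked_key):
    """Attacker side: with the static key in hand, mint an admin token without ever
    authenticating. No interaction with the server is needed to create it."""
    return make_token(leaked_key, {"sub": "attacker", "role": "admin",
                                   "exp": time.time() + 3600})


def demo():
    """Run the forgery against both verifiers and report what each accepts."""
    forged = forge_admin_token(HARDCODED_KEY)
    vulnerable = VulnerableTokenUtils()
    hardened = HardenedTokenUtils()
    return {
        "vulnerable_accepts_forged": vulnerable.check(forged) is not None,
        "hardened_rejects_forged": hardened.check(forged) is None,
        "hardened_accepts_own": hardened.check(hardened.issue("alice", "user")) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point is that nothing in the vulnerable verifier is cryptographically wrong: HMAC-SHA256 and a constant-time compare are fine. The weakness is purely key management, since the secret the scheme depends on is in the hands of everyone who has a copy of the software. When auditing a product for this pattern, look for byte or string constants fed to an HMAC, cipher or JWT library, and check whether the value can differ between two installations.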
D-Link has issued an advisory covering the six flaws reported by ZDI, which affect D-View 8 versions 188.8.131.52 and below, and urges administrators to upgrade to the patched version, 184.108.40.206, released on May 17, 2023.
“Once D-Link was made aware of the reported security issues, we immediately began our investigation and began developing security patches,” D-Link’s security bulletin states.
Upgrading to version 220.127.116.11 may cause problems or introduce instability in D-View, but the severity of the flaws outweighs the risk of such problems. Administrators who cannot upgrade immediately should at least keep the D-View management interface off the internet and reachable only from administrative networks, since both flaws are exploitable without credentials.
The vendor also told users to verify the hardware revision of their endpoints, by checking the label on the underside of the device or the web configuration panel, so that they do not download the wrong firmware update.