Description

D-Link, a Taiwanese networking solutions manufacturer, has patched two critical vulnerabilities in its D-View 8 network management suite that allow remote attackers to bypass authentication and execute arbitrary code. D-View is used by enterprises of all sizes to set device configurations, monitor performance, and create network maps, making network administration and management more efficient and less time-consuming.

On December 23, 2022, Trend Micro researchers discovered six vulnerabilities in D-View and reported them through the Zero Day Initiative program. Two of the six are rated critical, with a CVSS score of 9.8. The first, CVE-2023-32165, is a remote code execution flaw caused by improper validation of a user-supplied path before it is used in file operations; on Windows it allows attackers to execute code with SYSTEM privileges, the highest privilege level, which amounts to a complete takeover of the host. The second, CVE-2023-32169, is an authentication bypass caused by a hard-coded cryptographic key in the software's TokenUtils class.

D-Link stated in a security bulletin issued on May 17, 2023, that the six disclosed flaws affect D-View 8 versions 2.0.1.27 and lower, and that the patch is a "beta software or hot-fix" release with final testing still pending, which may cause some difficulties or instability in D-View.