D-Link fixes critical flaws in D-View software
Take action: It pays to read an advisory to the end. There is a critical vulnerability, but this time the patch is still half-baked and not finalized, and it may cause problems of its own. In such situations it is prudent to lock down and isolate the product as far as you can and wait for the final patch to be issued instead of rushing to apply the interim one. Always confirm whether the patch has been finally released and what risks you incur with and without it.
Learn More
D-Link, a Taiwanese networking solutions vendor, has addressed two critical vulnerabilities in its D-View 8 network management software that allowed unauthorized access and execution of arbitrary code.
The critical flaws are:
- CVE-2023-32165, a remote code execution flaw arising from the lack of proper validation of a user-supplied path before it is used in file operations. An attacker exploiting it could execute code with SYSTEM privileges, the highest privilege level on Windows, potentially allowing complete system takeover.
- CVE-2023-32169, an authentication bypass resulting from a hard-coded cryptographic key in the software's TokenUtils class. Exploiting this flaw allows privilege escalation, unauthorized access to information, changes to the software's configuration and settings, and even installation of backdoors and malware.
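As an added illustration of the validation step whose absence underlies CVE-2023-32165 (example code written for this page, not D-Link's or D-View's own code), the function below canonicalises a user-supplied path under a fixed root and rejects traversal, absolute paths and NUL bytes before any file operation would use it. The root directory and the request strings are constructed samples.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

class UnsafePathError(ValueError):
    """Raised when a user-supplied path would escape the permitted directory."""

def _looks_absolute(p: str) -> bool:
    # Check both path flavours so a Windows drive or UNC prefix is caught on a POSIX host too.
    return PurePosixPath(p).is_absolute() or bool(PureWindowsPath(p).drive) or bool(PureWindowsPath(p).root)

def resolve_within(base_dir: str, user_path: str) -> Path:
    """Canonicalise user_path under base_dir and refuse anything that escapes it.
    This is the check whose absence the advisory describes for CVE-2023-32165:
    normalise ("..", symlinks) and compare against the root before any file operation."""
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    if _looks_absolute(user_path):
        raise UnsafePathError(f"absolute path not permitted: {user_path!r}")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()  # collapses traversal segments and symlinks
    try:
        candidate.relative_to(base)  # ValueError when candidate lies outside base
    except ValueError:
        raise UnsafePathError(f"path escapes {base}: {user_path!r}") from None
    return candidate

def classify_requests(base_dir: str, requested: list) -> dict:
    """Map each requested path to 'allowed' or 'rejected'."""
    verdicts = {}
    for p in requested:
        try:
            resolve_within(base_dir, p)
            verdicts[p] = "allowed"
        except UnsafePathError:
            verdicts[p] = "rejected"
    return verdicts

# Constructed example root and requests; none of these values come from the advisory.
EXAMPLE_BASE = str(Path(tempfile.gettempdir()) / "dview_uploads_example")
SAMPLE_REQUESTS = [
    "reports/weekly.csv",           # plain relative path inside the root
    "logs/./archive/../today.log",  # dot segments that still stay inside the root
    "reports/../../escape.txt",     # climbs above the root after normalisation
    "../../config/app.properties",  # classic traversal
    "/abs/outside.txt",             # absolute path
    "C:\\abs\\outside.txt",         # Windows-style absolute path
    "ok\x00.txt",                   # embedded NUL
]
```

Calling `classify_requests(EXAMPLE_BASE, SAMPLE_REQUESTS)` marks only the first two requests as allowed; the rest are rejected before any file access happens.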
D-Link is urging users to upgrade to the fixed version (2.0.1.28), released on May 17, 2023, although the patch is still undergoing final testing and may cause performance issues.