D-View 8: TrendMicro (ZDI) Reported Multiple Vulnerabilities

May 17, 2023

Overview

 

On December 28, 2022, third-party security researchers from TrendMicro ZDI reported multiple vulnerabilities in the D-Link D-View 8.0 Network Device Management platform. The research was done on a demo version of the software; the corrected and qualified version is the first release version from D-Link Corporation.

 

 

As soon as D-Link was made aware of the reported security issues, we promptly started our investigation and began developing security patches.

 

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

  

Report information  

 

- Reported by TrendMicro ZDI
  - ZDI-CAN-19496: D-Link D-View TftpSendFileThread Directory Traversal Information Disclosure Vulnerability
  - ZDI-CAN-19497: D-Link D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution Vulnerability
  - ZDI-CAN-19527: D-Link D-View uploadFile Directory Traversal Arbitrary File Creation Vulnerability
  - ZDI-CAN-19529: D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability
  - ZDI-CAN-19534: D-Link D-View showUser Improper Authorization Privilege Escalation Vulnerability
  - ZDI-CAN-19659: D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
 

 

Affected Models

 

| Model | Software Version | Fixed Release | Recommendation | Last Updated |
|---|---|---|---|---|
| D-View 8 | v2.0.1.27 and below | v2.0.1.28 | You must update via the application (downloadable from https://dview.dlink.com/), or contact your regional technical support for license verification | 05/17/2023 |

  

Regarding Security Patches for Your D-Link Devices and Software

Firmware and software updates address the security vulnerabilities in affected D-Link devices and software. D-Link will update this advisory continually, and we strongly recommend that all users install the relevant updates.