Rewterz Threat Advisory – Multiple D-Link D-View Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-32165 CVSS:9.8

D-Link D-View could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in TftpReceiveFileHandler class. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-32164 CVSS:7.5

D-Link D-View could allow a remote attacker to obtain sensitive information, caused by a flaw in TftpSendFileThread class. By sending a specially crafted request, an attacker couldexploit this vulnerability to obtain sensitive information.

CVE-2023-32167 CVSS:6.5

D-Link D-View could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially crafted request to the uploadMib function to create arbitrary files on the system.

CVE-2023-32166 CVSS:8.1

D-Link D-View could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially crafted request to the uploadFile function to create arbitrary files on the system.

CVE-2023-32168 CVSS:8.8

D-Link D-View could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the showUser method. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges to resources normally protected from the user.

Impact

• Code Execution
• Privilege Escalation
• Information Disclosure
• Data Manipulation

Indicators Of Compromise

CVE

• CVE-2023-32165
• CVE-2023-32164
• CVE-2023-32167
• CVE-2023-32166
• CVE-2023-32168

Affected Vendors

D-Link

Affected Products

• D-Link D-View 2.0.1.27

Remediation

Refer to D-Link Web site for patch, upgrade or suggested workaround information.

D-Link Web site