www.belgium.be Logo of the federal government

WARNING: CRITICAL AND HIGH VULNERABILITIES IN D-LINK D-VIEW CAN BE EXPLOITED TO EXECUTE CODE. PATCH IMMEDIATELY!

Reference: 
Advisory #2024-77
Version: 
1.0
Affected software: 
D-Link D-View version v2.0.1.89 and below
Type: 
Remote code execution, authentication bypass
CVE/CVSS: 

CVE-2024-5296: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-5297: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-5298: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-5299: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

D-Link Advisory - https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10386

Risks

On 14 May 2024, D-Link and the Zero Day Initiative reported publicly about 4 high to critical vulnerabilities in D-Link D-View 8. The reported vulnerabilities are CVE-2024-5296, CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299.

D-View 8 is a network monitoring and traffic management software used by network administrators. There is presently no indication that these vulnerabilities have come under active exploitation (cut-off date: 28 May 2024).

Exploitation of these vulnerabilities have a high impact on confidentiality, integrity and availability.

These vulnerabilities can be exploited separately, or in combination with each other to bypass authentication requirements in order to achieve remote code execution. More precisely, authentication is required to exploit the vulnerabilities CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299. However, the existing authentication mechanism can be bypassed for instance by chaining it with CVE-2024-5296.

Description

CVE-2024-5296 is an authentication bypass vulnerability. This vulnerability is rated critical as it allows remote attackers to bypass authentication on affected installations of D-Link D-View. A remote attacker can leverage this vulnerability within the TokenUtils class, where there is a hard-coded cryptographic key, to bypass authentication on the system. Of note, authentication if not required to exploit this vulnerability.

CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299 are all remote code execution vulnerabilities. Although authentication is required to exploit these vulnerabilities, the existing authentication mechanism can be bypassed for instance by chaining it with CVE-2024-5296.

CVE-2024-5297 contains a flaw within the executeWmicCmd method which results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2024-5298 lies within the queryDeviceCustomMonitorResult method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of root.

CVE-2024-5299 contains a flaw within execMonitorScript method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of root.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

D-Link reported that these vulnerabilities are fixed with software update v2.0.3.88.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Zero-day initiative reports