D-View 8: TrendMicro (ZDI) Reported Multiple Vulnerabilities
17 May, 2023
Overview
On December 28, 2022, third-party security research from TrendMicro ZDI reported multiple vulnerabilities in the D-Link D-View 8.0 Network Device Management platform. The research was done on a demo version of the software; the corrected and qualified version is the first release version from D-Link Corporation.
As soon as D-Link was made aware of the reported security issues, we promptly started our investigation and began developing security patches.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
Report information
- Reported by TrendMicro ZDI
- ZDI-CAN-19496: D-Link D-View TftpSendFileThread Directory Traversal Information Disclosure Vulnerability
- ZDI-CAN-19497: D-Link D-View TftpReceiveFileHandler Directory Traversal Remote Code Execution Vulnerability
- ZDI-CAN-19527: D-Link D-View uploadFile Directory Traversal Arbitrary File Creation Vulnerability
- ZDI-CAN-19529: D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability
- ZDI-CAN-19534: D-Link D-View showUser Improper Authorization Privilege Escalation Vulnerability
- ZDI-CAN-19659: D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
Affected Models
| Model | Software Version | Fixed Release | Recommendation | Last Updated |
|---|---|---|---|---|
| D-View 8 | v2.0.1.27 and below | v2.0.1.28 | You must update via the application (downloadable from https://dview.dlink.com/), or contact your regional technical support for license verification | 05/17/2023 |