D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. . Was ZDI-CAN-19659.
The problem lies in the TokenUtils class of D-View software, which uses a hardcoded cryptographic key to handle authentication tokens. Because the key is known (or can be reproduced), an attacker can independently generate valid authentication tokens. As a result, it is possible to bypass the entire authentication mechanism without knowledge of any login credentials.
An attacker gains unauthorized access to the D-Link D-View system from the network, which may lead to complete takeover of the application, disclosure of sensitive data, and modification of the configuration of managed network devices.
Security patches available from the manufacturer should be applied according to the references (D-Link SAP10332 announcement available at supportannouncement.us.dlink.com)
D-Link D-View 8 — specific versions indicated in the manufacturer's references (SAP10332)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink D View 8
APPDlink≤ 2.0.1.27
Related vulnerabilities
D-Link D-View 8 — pominięcie uwierzytelnienia przez zakodowany klucz kryptograficzny
D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script
D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler
D-Link D-View: hardcoded credentials umożliwiają bypass uwierzytelnienia
D-Link D-View 8: Manipulacja inwentarzem sond umożliwia RCE i DoS