D-Link D-View InstallApplication Use of Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InstallApplication class. The class contains a hard-coded password for the remotely reachable database. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19553.
The InstallApplication class contains hardcoded credentials for a remotely accessible database. An attacker, without needing any credentials or user interaction, can use this password to establish a database connection and bypass the system's authentication mechanisms. The vulnerability is accessible remotely over the network, and the low attack complexity makes its exploitation relatively simple.
An attacker can completely bypass D-Link D-View system authentication, gaining unauthorized access to the database and potentially taking control of the network management system, resulting in violation of data confidentiality, integrity, and availability.
Patches available from the manufacturer should be applied in accordance with the references. Additionally, it is recommended to restrict network access to the D-View interface exclusively to trusted hosts and implement network segmentation to prevent unauthorized access to the management system.
D-Link D-View 8 — specific versions indicated in the manufacturer's references and in the Zero Day Initiative advisory (ZDI-CAN-19553)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink D View 8
APPDlink1.0.2.13
Related vulnerabilities
D-Link D-View 8 — pominięcie uwierzytelnienia przez zakodowany klucz kryptograficzny
D-Link D-View: RCE przez ujawnioną niebezpieczną funkcję w coreservice_action_script
D-Link D-View: RCE przez path traversal w TftpReceiveFileHandler
D-Link D-View: pominięcie uwierzytelnienia przez hardkodowany klucz kryptograficzny
D-Link D-View 8: Manipulacja inwentarzem sond umożliwia RCE i DoS