Advisory Details

October 4th, 2023

(0Day) D-Link D-View InstallApplication Use of Hard-coded Credentials Authentication Bypass Vulnerability

ZDI-23-1509
ZDI-CAN-19553

CVE ID CVE-2023-44411
CVSS SCORE 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS D-Link
AFFECTED PRODUCTS D-View
VULNERABILITY DETAILS

This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the InstallApplication class. The class contains a hard-coded password for the remotely reachable database. An attacker can leverage this vulnerability to bypass authentication on the system.

ADDITIONAL DETAILS

12/23/22 – The ZDI reported the vulnerability to the vendor.

08/25/23 – ZDI asked for an update.

08/30/23 – The vendor states they don’t have the case on record.

08/31/23 – ZDI forwarded the original report to the vendor.

09/29/23 – The ZDI informed the vendor that the case will be published as a zero-day advisory on 10/04/23.

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2022-12-23 - Vulnerability reported to vendor
  • 2023-10-04 - Coordinated public release of advisory
CREDIT rgod
BACK TO ADVISORIES