Reference: Advisory #2024-77
Version: 1.0
Affected software: D-Link D-View version v2.0.1.89 and below
Type: Remote code execution, authentication bypass
CVE/CVSS:
CVE-2024-5296: 9.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-5297: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-5298: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-5299: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
D-Link Advisory - https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10386
On 14 May 2024, D-Link and the Zero Day Initiative publicly reported four vulnerabilities in D-Link D-View 8, rated high to critical. The reported vulnerabilities are CVE-2024-5296, CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299.
D-View 8 is a network monitoring and traffic management software used by network administrators. There is presently no indication that these vulnerabilities have come under active exploitation (cut-off date: 28 May 2024).
Exploitation of these vulnerabilities has a high impact on confidentiality, integrity and availability.
These vulnerabilities can be exploited separately, or in combination with each other to bypass authentication requirements in order to achieve remote code execution. More precisely, authentication is required to exploit the vulnerabilities CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299. However, the existing authentication mechanism can be bypassed for instance by chaining it with CVE-2024-5296.
CVE-2024-5296 is an authentication bypass vulnerability. This vulnerability is rated critical as it allows remote attackers to bypass authentication on affected installations of D-Link D-View. A remote attacker can leverage this vulnerability within the TokenUtils class, where there is a hard-coded cryptographic key, to bypass authentication on the system. Of note, authentication is not required to exploit this vulnerability.
CVE-2024-5297, CVE-2024-5298 and CVE-2024-5299 are all remote code execution vulnerabilities. Although authentication is required to exploit these vulnerabilities, the existing authentication mechanism can be bypassed for instance by chaining it with CVE-2024-5296.
CVE-2024-5297 contains a flaw within the executeWmicCmd method which results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2024-5298 lies within the queryDeviceCustomMonitorResult method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of root.
CVE-2024-5299 contains a flaw within the execMonitorScript method. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of root.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
D-Link reported that these vulnerabilities are fixed with software update v2.0.3.88.
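An added example (not part of the CCB or D-Link advisory): a small Python triage that sorts an inventory of D-View installations using the two version bounds stated above. Hostnames and sample versions are constructed, and builds between the two bounds are reported as unconfirmed because the advisory does not state their status.

```python
import re

# Version boundaries taken from the advisory text.
LAST_AFFECTED = (2, 0, 1, 89)   # "v2.0.1.89 and below"
FIRST_FIXED = (2, 0, 3, 88)     # "fixed with software update v2.0.3.88"

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$", re.IGNORECASE)


def parse_version(text):
    """Return a 4-tuple of ints for 'v2.0.1.89' or '2.0.1.89', else None."""
    match = _VERSION_RE.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Map a reported D-View version string to a patch status."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"      # check the host manually
    # Integer tuples compare numerically, so 2.0.10.1 sorts after 2.0.3.88
    # (a plain string comparison would get this wrong).
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    # The advisory does not state the status of builds between the bounds.
    return "unconfirmed"


def triage(inventory):
    """Group hosts by status; inventory is an iterable of (host, version)."""
    report = {"affected": [], "unconfirmed": [], "unparsed": [], "fixed": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("nms-01.example.internal", "v2.0.1.89"),
    ("nms-02.example.internal", "2.0.1.28"),
    ("nms-03.example.internal", "v2.0.2.10"),
    ("nms-04.example.internal", "V2.0.3.88"),
    ("nms-05.example.internal", "2.0.10.1"),
    ("nms-06.example.internal", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts listed as affected, unconfirmed or unparsed are the ones to update or verify by hand first.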
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Zero-day initiative reports