The vulnerabilities and their potential impact are as follows:
- CVE-2013-1599 could allow an attacker to execute arbitrary commands from the administration Web interface
- CVE-2013-1600 could allow an attacker to access the video stream via HTTP
- CVE-2013-1601 could allow an attacker to access the ASCII video stream via image luminance
- CVE-2013-1602 could allow an attacker to access the video stream via RTSP
- CVE-2013-1603 could allow an attacker to bypass RTSP authentication using hard-coded credentials
Sophos' Paul Ducklin notes that the last vulnerability is a dangerously simple hardwired backdoor password. "Hardwired passwords were a design blunder back in the 1970s; in the 2010s, they are simply unacceptable," he writes.
The researchers say they notified D-Link of the vulnerabilities on March 19, 2013, and that D-Link has prepared patches for all of the flaws, which "are scheduled for posting on [the] D-Link Web site over the next few days."