Security Advisory ZPE-NG-2023-001

Advisory ID: ZPE-NG-2023-001
First Published: October 27, 2023
CVE ID: CVE-2023-43322
CVSSv3 Score: 8.8 (High)

Summary
Command injection [CWE-77] is possible in the following API endpoints:
  1. /v1/system/toolkit/files/upload
  2. /v1/system/toolkit/files/download
  3. /v1/system/toolkit/files/execute
  4. /v1/system/toolkit/files/remove
  5. /v1/system/toolkit/files/list
The implementation of these endpoints uses their arguments without neutralization to compose a command executed by a spawned shell.

This vulnerability does not allow authentication to be bypassed.
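
The flaw class described in this Summary, as an added example (not Nodegrid code and not from ZPE): a file-listing handler that composes a shell command from its argument, next to a form that validates the name and runs the program without a shell. The function names, the allowlist pattern, and the sample input are assumptions constructed for illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed policy for this example: one file name, no separators or shell syntax.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

def list_vulnerable(base: Path, name: str) -> str:
    """Weak pattern: the argument is pasted into a string that a shell parses."""
    cmd = f"ls {base}/{name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def list_argv(base: Path, name: str) -> str:
    """No shell: the argument reaches ls as one argv entry; '--' ends options."""
    argv = ["ls", "--", str(base / name)]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def list_hardened(base: Path, name: str) -> str:
    """Allowlist validation first, then the shell-free call."""
    if name in (".", "..") or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    return list_argv(base, name)

def demo() -> dict:
    """Run the three handlers on a constructed, harmless input."""
    crafted = "report.txt; echo INJECTED"  # constructed sample input
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "report.txt").write_text("data")
        result = {
            "vulnerable_ran_extra_command": "INJECTED" in list_vulnerable(base, crafted),
            "argv_ran_extra_command": "INJECTED" in list_argv(base, crafted),
            "benign_listed": list_hardened(base, "report.txt").strip().endswith("report.txt"),
        }
        try:
            list_hardened(base, crafted)
            result["hardened_rejected"] = False
        except ValueError:
            result["hardened_rejected"] = True
    return result

if __name__ == "__main__":
    print(demo())
```

In the shell-free form the whole string is treated as a single (nonexistent) file name, so the text after the semicolon is never interpreted as a command.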

Affected Products

Nodegrid OS versions 5.0.0 to 5.0.17, 5.2.0 to 5.2.19, 5.4.0 to 5.4.16, 5.6.0 to 5.6.13, 5.8.0 to 5.8.10, and 5.10.0 to 5.10.3.

Nodegrid OS is used in the following products:
  1. Nodegrid Serial Console
  2. Nodegrid Serial Console Plus
  3. Nodegrid Net Services Router
  4. Nodegrid Gate SR
  5. Nodegrid Link SR
  6. Nodegrid Bold SR
  7. Nodegrid Hive SR
  8. Nodegrid Mini SR
  9. Nodegrid Manager

Summary

An attacker may execute a shell command via an API endpoint that was not intended for that purpose.

The command is executed as the authenticated user.

Solutions

Upgrade to Nodegrid OS version 5.10.4 or above.

Upgrade to Nodegrid OS version 5.8.11 or above.

Upgrade to Nodegrid OS version 5.6.14 or above.

Upgrade to Nodegrid OS version 5.4.17 or above.

Upgrade to Nodegrid OS version 5.2.20 or above.

Upgrade to Nodegrid OS version 5.0.18 or above.

Timeline

  1. 2023-08-03: Initial report
  2. 2023-08-11: Released 5.8.11 with a fix.
  3. 2023-08-25: Released 5.10.4 with a fix.
  4. 2023-09-29: Released 5.6.14 with a fix.
  5. 2023-10-20: Released 5.4.17, 5.2.20, and 5.0.18 with a fix.
  6. 2023-10-27: Initial public disclosure.
  7. 2023-11-03: Updated CVSS score.

Credit

This vulnerability was discovered and reported by Kevin Humphreys, Backbone Engineering, Meta.