Security Advisory ZPE-NG-2023-001
Advisory ID: ZPE-NG-2023-001
First Published: October 27, 2023
CVE ID: CVE-2023-43322
CVSSv3 Score: 8.8 (High)
Summary
Command injection [CWE-77] is possible in the following API endpoints:
- /v1/system/toolkit/files/upload
- /v1/system/toolkit/files/download
- /v1/system/toolkit/files/execute
- /v1/system/toolkit/files/remove
- /v1/system/toolkit/files/list
The implementation of these endpoints uses their arguments without neutralization to compose a command executed by a spawned shell.
This vulnerability does not allow authentication to be bypassed.
Affected Products
Nodegrid OS versions 5.0.0 to 5.0.17, 5.2.0 to 5.2.19, 5.4.0 to 5.4.16, 5.6.0 to 5.6.13, 5.8.0 to 5.8.10, and 5.10.0 to 5.10.3.
Nodegrid OS is used in the following products:
- Nodegrid Serial Console
- Nodegrid Serial Console Plus
- Nodegrid Net Services Router
- Nodegrid Gate SR
- Nodegrid Link SR
- Nodegrid Bold SR
- Nodegrid Hive SR
- Nodegrid Mini SR
- Nodegrid Manager
Summary
An attacker may execute a shell command via an API endpoint that was not intended for that purpose.
The command is executed as the authenticated user.
Solutions
Upgrade to Nodegrid OS version 5.10.4 or above.
Upgrade to Nodegrid OS version 5.8.11 or above.
Upgrade to Nodegrid OS version 5.6.14 or above.
Upgrade to Nodegrid OS version 5.4.17 or above.
Upgrade to Nodegrid OS version 5.2.20 or above.
Upgrade to Nodegrid OS version 5.0.18 or above.
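The affected ranges and fixed releases listed above can be checked across a device inventory. The following Python script is an added example, not part of the original advisory or ZPE's tooling; the inventory format, the hostnames, and the assumption that a version string begins with MAJOR.MINOR.PATCH are constructed for illustration.

```python
import re

# First fixed patch level per branch, taken from the advisory's Solutions list.
# Every earlier patch level on these branches (x.y.0 upward) is listed as affected.
FIRST_FIXED = {(5, 0): 18, (5, 2): 20, (5, 4): 17, (5, 6): 14, (5, 8): 11, (5, 10): 4}

# Assumption: the version string starts with MAJOR.MINOR.PATCH; anything after
# the patch number (for example a build date) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def classify(version):
    """Return (status, upgrade_target) for one Nodegrid OS version string."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return ("unparseable", None)
    # Compare numerically: as strings, "5.10" would sort before "5.2".
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIRST_FIXED.get((major, minor))
    if fixed_patch is None:
        # The advisory makes no statement about this branch.
        return ("not-listed", None)
    if patch < fixed_patch:
        return ("affected", f"{major}.{minor}.{fixed_patch}")
    return ("fixed", None)


def triage(inventory):
    """Map {hostname: version} to the hosts that need attention, sorted by name."""
    report = []
    for host, version in sorted(inventory.items()):
        status, target = classify(version)
        if status != "fixed":
            report.append((host, version, status, target))
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "console-a": "5.8.10",
        "console-b": "5.8.11",
        "router-c": "5.10.3 (Aug 1 2023)",
        "manager-d": "4.2.7",
        "hive-e": "unknown",
    }
    for row in triage(sample):
        print(*row, sep="\t")
```

Hosts reported as "not-listed" or "unparseable" need manual review, since the advisory only covers the 5.0 through 5.10 branches named above.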
Timeline
- 2023-08-03: Initial report
- 2023-08-11: Released 5.8.11 with a fix.
- 2023-08-25: Released 5.10.4 with a fix.
- 2023-09-29: Released 5.6.14 with a fix.
- 2023-10-20: Released 5.4.17, 5.2.20, and 5.0.18 with a fix.
- 2023-10-27: Initial public disclosure.
- 2023-11-03: Updated CVSS score.
Credit
This vulnerability was discovered and reported by Kevin Humphreys, Backbone Engineering, Meta.