Security Advisory ZPE-NG-2023-002

Advisory ID: ZPE-NG-2023-002
First Published: October 13, 2023
CVE ID: CVE-2023-44037
CVSSv3 Score: 7.5 (High)

Summary

The password is sent as the username when remote authentication is configured with the TACACS+ method and the TACACS+ minor version is 0.

This only happens if TACACS+ Version is configured as V0, V0_V1, or V1_V0.

Affected Products

Nodegrid OS versions 5.8.10 to 5.8.13 and 5.10.3 to 5.10.5.

Nodegrid OS is used in the following products:
  1. Nodegrid Serial Console
  2. Nodegrid Serial Console Plus
  3. Nodegrid Net Services Router
  4. Nodegrid Gate SR
  5. Nodegrid Link SR
  6. Nodegrid Bold SR
  7. Nodegrid Hive SR
  8. Nodegrid Mini SR
  9. Nodegrid Manager
  10. Nodegrid Virtual Services Router

Impact

Because the password is sent as the username, authentication fails, and the TACACS+ authentication server logs may contain the password in cleartext. This may expose sensitive data.
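
To check whether a TACACS+ server has already recorded passwords this way, the following added example (not ZPE code) scans authentication logs for failed logins from Nodegrid devices whose username field is not a known account, and masks that field in a cleaned copy. The log layout, NAS addresses, account names and sample lines are constructed assumptions; adapt the pattern to your server's format.

```python
import re

# Assumed (constructed) log layout; real TACACS+ servers log differently.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) user=(?P<user>.*?) result=(?P<result>\w+)$"
)

def triage(lines, nodegrid_nas, known_users):
    """Flag failed logins from Nodegrid devices with an unknown username field.

    Returns (suspects, cleaned). Suspects carry only line number, timestamp
    and NAS address, never the field value, since it may be a password.
    Cleaned is the log with that field masked on every flagged line.
    """
    suspects, cleaned = [], []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if (m and m["result"] == "fail" and m["nas"] in nodegrid_nas
                and m["user"] not in known_users):
            suspects.append({"line": lineno, "ts": m["ts"], "nas": m["nas"]})
            # Replace by match offsets so values containing spaces are fully masked.
            line = line[:m.start("user")] + "[REDACTED]" + line[m.end("user"):]
        cleaned.append(line)
    return suspects, cleaned

# Constructed sample data for illustration only.
SAMPLE_LOG = [
    "2023-10-10T08:01:12Z nas=10.0.5.21 user=jsmith result=pass",
    "2023-10-10T08:03:40Z nas=10.0.5.21 user=Tr0ub4dor &3 result=fail",
    "2023-10-10T08:04:02Z nas=10.0.9.7 user=typo-user result=fail",
    "2023-10-10T08:05:19Z nas=10.0.5.22 user=jsmith result=fail",
]
NODEGRID_NAS = {"10.0.5.21", "10.0.5.22"}   # addresses of affected devices (assumed)
KNOWN_USERS = {"jsmith", "admin"}           # accounts from your directory (assumed)

if __name__ == "__main__":
    found, cleaned_log = triage(SAMPLE_LOG, NODEGRID_NAS, KNOWN_USERS)
    for s in found:
        print(f"line {s['line']}: failed login from {s['nas']} at {s['ts']}")
    print("\n".join(cleaned_log))
```

A flagged entry can also be an ordinary mistyped username, so review the flagged lines before acting on them.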

Mitigation

Configure TACACS+ to use only TACACS+ Version V1.

Solutions

Upgrade to Nodegrid OS version 5.10.6 or above.

Upgrade to Nodegrid OS version 5.8.14 or above.

Timeline

2023-10-13: Initial public disclosure
2023-10-20: Updated CVSS score, changed weakness enumeration.

Credit

This vulnerability was discovered and reported by Matt Vicari, Meta.