NN-2023:12-01
Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
Last update: 2024-01-16
| Advisory ID | NN-2023:12-01 |
|---|---|
| Topic | Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0 |
| CWE Impact | CWE-306: Missing Authentication for Critical Function |
| Issue date | 2024-01-15 |
| Affects | Guardian, CMC < v23.3.0 |
| CVE Name(s) | CVE-2023-5253 |
| CVSS details | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVSS Score | 5.3 |
| CVE Risk Level | Medium |
| Risk Level for Nozomi customers | Low |
Summary
A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication.
Impact
Malicious unauthenticated users with knowledge on the underlying system may be able to extract asset information.
Affected Products
Guardian, CMC < v23.3.0
Workarounds and Mitigations
Use internal firewall features to limit access to the web management interface.
Solutions
Upgrade to v23.3.0 or later.
Modification History
2024-01-15: Initial revision
2024-01-16: CSAF path update
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Nozomi Networks Product Security team for finding this issue during an internal VAPT testing session
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.