NN-2023:17-01
Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
Last update: 2024-04-11
| Advisory ID | NN-2023:17-01 |
|---|---|
| Topic | Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1 |
| CWE Impact | CWE-522: Insufficiently Protected Credentials |
| Issue date | 2024-04-10 |
| Affects | Guardian, CMC < v23.4.1 |
| CVE Name(s) | CVE-2023-6916 |
| CVSS details | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVSS Score | 7.2 |
| CVE Risk Level | High |
| Risk Level for Nozomi customers | High |
Summary
Audit records for OpenAPI requests may include sensitive information.
Impact
Unauthorized access, privilege escalation.
Affected Products
Guardian, CMC < v23.4.1
Workarounds and Mitigations
Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, it is advised to limit API keys to allowed IP addresses whenever possible. Finally, it is also suggested to regenerate existing API keys periodically and to review sign-ins via API keys in the audit records.
Solutions
Upgrade to v23.4.1 or later.
Modification History
2024-04-10: Initial revision
2024-04-10: updated the acknowledgements section
2024-04-11: technical update
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Maciej Kosz for reporting this issue
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.