NN-2023:13-01
Missing authentication for local web interface in Arc before v1.6.0
Last update: 2024-05-20
| Advisory ID | NN-2023:13-01 |
|---|---|
| Topic | Missing authentication for local web interface in Arc before v1.6.0 |
| CWE Impact | CWE-306: Missing Authentication for Critical Function |
| Issue date | 2024-05-15 |
| Affects | Arc < v1.6.0 |
| CVE Name(s) | CVE-2023-5935 |
| CVSS Details | CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS Score | 7.3 (CVSS v4.0) 7.4 (CVSS v3.1) |
| CVE Risk Level | High (CVSS v4.0) High (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
Summary
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself.
Impact
A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
Affected Products
Arc < v1.6.0
Workarounds and Mitigations
N/A
Solutions
Upgrade to v1.6.0 or later.
Modification History
2024-05-15: Initial revision
2024-05-20: Added CVSS v4.0 scoring where applicable
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Diego Giubertoni of Nozomi Networks Security Research team for finding this issue during an internal penetration testing session
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.