NN-2023:13-01

Missing authentication for local web interface in Arc before v1.6.0

Last update: 2024-05-15

Advisory IDNN-2023:13-01
TopicMissing authentication for local web interface in Arc before v1.6.0
CWE ImpactCWE-306: Missing Authentication for Critical Function
Issue date2024-05-15
AffectsArc < v1.6.0
CVE Name(s)CVE-2023-5935
CVSS detailsCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score7.4
CVE Risk LevelHigh
Risk Level for Nozomi customersMedium

Summary

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself.

Impact

A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Affected Products

Arc < v1.6.0

Workarounds and Mitigations

N/A

Solutions

Upgrade to v1.6.0 or later.

Modification History

2024-05-15: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Diego Giubertoni of Nozomi Networks Security Research team for finding this issue during an internal penetration testing session

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.