NN-2023:14-01

Unsafe temporary data privileges on Unix systems in Arc before v1.6.0

Last update: 2024-05-15

Advisory ID: NN-2023:14-01
Topic: Unsafe temporary data privileges on Unix systems in Arc before v1.6.0
CWE Impact: CWE-732: Incorrect Permission Assignment for Critical Resource
Issue date: 2024-05-15
Affects: Arc < v1.6.0
CVE Name(s): CVE-2023-5936
CVSS details: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.8
CVE Risk Level: High
Risk Level for Nozomi customers: High

Summary

On Unix systems (Linux, MacOS), Arc uses a temporary file with unsafe privileges.

Impact

By tampering with this file, a malicious local user on the system may be able to trigger arbitrary code execution with root privileges.
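As an added illustration (not Nozomi's or Arc's code; the file name and directory are constructed placeholders), the following Python contrasts the CWE-732 temporary-file pattern the summary describes with a hardened equivalent, and includes a permission check a defender can run against any path a privileged process is known to read:

```python
import os
import stat
import tempfile

# Added example, not the advisory's own code. "arc-demo.tmp" is a placeholder,
# not the actual file used by Arc.

def create_unsafe_tempfile(directory: str, name: str = "arc-demo.tmp") -> str:
    """Weak pattern (CWE-732): predictable name, world-writable, no O_EXCL.
    Any local user can pre-create or rewrite such a file before a privileged
    process reads it."""
    path = os.path.join(directory, name)
    old_umask = os.umask(0)  # clear umask so the requested 0666 mode is honoured
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    finally:
        os.umask(old_umask)
    os.close(fd)
    return path

def create_private_tempfile(directory: str) -> str:
    """Hardened pattern: mkstemp picks an unpredictable name, creates it with
    O_EXCL (fails if the path already exists) and mode 0600."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="arc-")
    os.close(fd)
    return path

def unsafe_permission_findings(path: str) -> list[str]:
    """Reasons a file is unsafe for a privileged reader to trust; [] if none."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: whoever controls the link chooses the real target")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can tamper with the contents")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable: every member of the owning group can tamper")
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not by the reading process")
    return findings

def demonstrate() -> dict:
    """Create both variants in a fresh private directory and report the verdicts."""
    with tempfile.TemporaryDirectory() as d:
        bad = create_unsafe_tempfile(d)
        good = create_private_tempfile(d)
        return {
            "unsafe": unsafe_permission_findings(bad),
            "hardened": unsafe_permission_findings(good),
            "hardened_mode": oct(os.stat(good).st_mode & 0o777),
        }
```

Running demonstrate() shows two findings for the weak file and none for the mkstemp one, whose mode is 0o600.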

Affected Products

Arc < v1.6.0

Workarounds and Mitigations

N/A

Solutions

Upgrade to v1.6.0 or later.

Modification History

2024-05-15: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Diego Giubertoni of the Nozomi Networks Security Research team, for finding this issue during an internal penetration testing session

Contact

The Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details are available on the PSIRT page.