NN-2023:15-01
Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0
Last update: 2024-05-20
| Advisory ID | NN-2023:15-01 |
|---|---|
| Topic | Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0 |
| CWE Impact | CWE-732: Incorrect Permission Assignment for Critical Resource |
| Issue date | 2024-05-15 |
| Affects | Arc < v1.6.0 |
| CVE Name(s) | CVE-2023-5937 |
| CVSS Details | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| CVSS Score | 5.2 (CVSS v4.0) 3.8 (CVSS v3.1) |
| CVE Risk Level | Medium (CVSS v4.0) Low (CVSS v3.1) |
| Risk Level for Nozomi customers | Medium |
Summary
On Windows systems, the Arc configuration files resulted to be world-readable.
Impact
This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files.
Affected Products
Arc < v1.6.0
Workarounds and Mitigations
N/A
Solutions
Upgrade to v1.6.0 or later.
Modification History
2024-05-15: Initial revision
2024-05-20: Added CVSS v4.0 scoring where applicable
Related Links
Acknowledgements
We thank the following parties for their efforts:
- Diego Giubertoni, Gabriele Quagliarella of Nozomi Networks Security Research team for finding this issue during an internal penetration testing session
Contact
Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.More contact details on the PSIRT page.