NN-2023:15-01

Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0

Last update: 2024-05-15

Advisory IDNN-2023:15-01
TopicSensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0
CWE ImpactCWE-732: Incorrect Permission Assignment for Critical Resource
Issue date2024-05-15
AffectsArc < v1.6.0
CVE Name(s)CVE-2023-5937
CVSS detailsCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVSS Score3.8
CVE Risk LevelLow
Risk Level for Nozomi customersMedium

Summary

On Windows systems, the Arc configuration files resulted to be world-readable.

Impact

This can lead to information disclosure by local attackers, via exfiltration of sensitive data from configuration files.

Affected Products

Arc < v1.6.0

Workarounds and Mitigations

N/A

Solutions

Upgrade to v1.6.0 or later.

Modification History

2024-05-15: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Diego Giubertoni, Gabriele Quagliarella of Nozomi Networks Security Research team for finding this issue during an internal penetration testing session

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.