NN-2023:17-01

Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1

Last update: 2024-09-19

Advisory ID: NN-2023:17-01
Topic: Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
CWE Impact: CWE-201: Insertion of Sensitive Information Into Sent Data
Issue date: 2024-04-10
Affects: Guardian, CMC < v23.4.1
CVE Name(s): CVE-2023-6916
CVSS Details: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
              CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5 (CVSS v4.0)
            7.2 (CVSS v3.1)
CVE Risk Level: High (CVSS v4.0)
                High (CVSS v3.1)
Risk Level for Nozomi customers: High

Summary

Audit records for OpenAPI requests may include sensitive information.

Impact

Unauthorized access, privilege escalation.

Affected Products

Guardian, CMC < v23.4.1

Workarounds and Mitigations

Nozomi Networks recommends creating specific users for OpenAPI usage, with only the necessary permissions to access the required data sources. Additionally, it is advised to limit API keys to allowed IP addresses whenever possible. Finally, it is also suggested to regenerate existing API keys periodically and to review sign-ins via API keys in the audit records.
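One way to carry out the recommended review of API-key sign-ins while also checking the other mitigations (keys limited to allowed IP addresses, periodic regeneration, dedicated least-privilege users), as an added example that is not Nozomi Networks' code. The audit record format, the key inventory and the sample records are constructed for this example, since the advisory does not specify the real format.

```python
"""Review API-key sign-ins in audit records against the advisory's mitigations:
keys limited to allowed IP addresses, periodic regeneration, and dedicated
least-privilege users. Record format and inventory are constructed examples."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (JSON lines), not real Guardian/CMC output.
SAMPLE_RECORDS = """
{"ts": "2024-04-10T08:00:00Z", "event": "signin", "auth": "api_key", "key_id": "k-ops", "user": "openapi-reader", "src_ip": "10.0.5.20"}
{"ts": "2024-04-10T08:05:00Z", "event": "signin", "auth": "api_key", "key_id": "k-ops", "user": "openapi-reader", "src_ip": "203.0.113.7"}
{"ts": "2024-04-10T09:00:00Z", "event": "signin", "auth": "password", "user": "admin", "src_ip": "10.0.5.2"}
{"ts": "2024-04-10T09:30:00Z", "event": "signin", "auth": "api_key", "key_id": "k-legacy", "user": "admin", "src_ip": "10.0.5.20"}
"""

# Hypothetical key inventory: allowed source addresses and last regeneration time.
KEY_INVENTORY = {
    "k-ops": {"allowed_ips": {"10.0.5.20"}, "created": "2024-03-01T00:00:00Z"},
    "k-legacy": {"allowed_ips": {"10.0.5.20"}, "created": "2023-06-01T00:00:00Z"},
}
ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation policy
PRIVILEGED_USERS = {"admin"}  # accounts that should not own OpenAPI keys

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_api_key_signins(records_text, inventory, now):
    """Return (key_id, finding) pairs for API-key sign-ins that violate a
    mitigation; each distinct finding is reported once."""
    findings = []

    def add(key_id, msg):
        if (key_id, msg) not in findings:
            findings.append((key_id, msg))

    for line in records_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event") != "signin" or rec.get("auth") != "api_key":
            continue  # only sign-ins via API key are in scope
        key_id = rec["key_id"]
        meta = inventory.get(key_id)
        if meta is None:
            add(key_id, "key not in inventory")
            continue
        if rec["src_ip"] not in meta["allowed_ips"]:
            add(key_id, f"sign-in from non-allowed IP {rec['src_ip']}")
        if now - parse_ts(meta["created"]) > ROTATION_MAX_AGE:
            add(key_id, "key older than rotation period; regenerate")
        if rec["user"] in PRIVILEGED_USERS:
            add(key_id, "key owned by privileged user; use a dedicated least-privilege user")
    return findings
```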

Solutions

Upgrade to v23.4.1 or later.

Modification History

2024-04-10: Initial revision
2024-04-10: Updated the acknowledgements section
2024-04-11: Technical update
2024-05-20: Added CVSS v4.0 scoring where applicable
2024-09-19: Revised CWE mapping

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Maciej Kosz for reporting this issue

Contact

The Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details are available on the PSIRT page.