CVE-2023-35793

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in Cassia Access Controller (AC) version 2.1.1.2303271039. The Web SSH functionality, which uses the WebSSH2 library, does not require a CSRF token when establishing an SSH session with a gateway. The request is a GET to /ap/remote/?ssh_port=9999 and relies on the ac:ssid cookie (which has SameSite=Strict) for authentication [1][2]. No CSRF token or other anti-CSRF mechanism is present on this endpoint [1][2].

Exploitation

An attacker must trick an already authenticated administrator into clicking a crafted link (e.g., via email, chat, or an ITSM ticket) [1][2]. The link targets the AC IP with a specific gateway MAC address and SSH port. Upon clicking, the administrator's browser sends the authenticated GET request, establishing a persistent SSH session (even after the browser is closed) to the attacker-controlled gateway [1][2]. The attacker does not need any prior access to the AC or network position beyond social engineering the admin [1].

Impact

Successful exploitation allows an attacker to initiate an SSH tunnel from the AC to a gateway of their choice [1]. This can be leveraged for further attacks, such as local port forwarding and remote brute‑forcing of SSH credentials, especially if default passwords are used [2]. The impact is a breach of integrity and confidentiality, as the attacker gains an indirect foothold into the internal network via the trusted AC [1][2]. The vulnerability does not directly grant administrative privileges on the AC but can facilitate privilege escalation on connected gateways [1].

Mitigation

Cassia Networks has confirmed the vulnerability and released a fix in version Cassia-AC-2.1.1.2308181707 [1][2]. Users should upgrade to this patched version or later [1][2]. No workaround is documented in the available references; if upgrading is not immediately possible, administrators should exercise caution when clicking links while logged into the AC [1][2].