CVE-2023-38317

Vulnerability

The vulnerability resides in OpenNDS versions before 10.1.3. The software does not properly sanitize the network interface name entry in its configuration file. This allows an attacker who has direct or indirect access to the configuration file to inject arbitrary commands. The affected versions are all prior to 10.1.3 [1][2].

Exploitation

To exploit, an attacker must have the ability to modify the configuration file, either through direct file system access or via any mechanism that allows writing to the configuration (e.g., a compromised web interface). The attacker can insert a malicious value for the network interface name containing command injection payloads. When OpenNDS processes the configuration, the injected commands are executed.

Impact

Successful exploitation leads to arbitrary OS command execution with the privileges of the OpenNDS process, typically root. This can result in full system compromise, including data exfiltration, installation of malware, or further lateral movement.

Mitigation

The vulnerability is fixed in OpenNDS version 10.1.3, released on August 28, 2023 [2]. Users should upgrade to this version or later. No workarounds are documented; however, restricting access to the configuration file to only trusted users can reduce the attack surface. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication.