CVE-2023-38318

Vulnerability

OpenNDS versions prior to 10.1.3 do not properly sanitize the gateway FQDN entry in the configuration file. This allows injection of arbitrary OS commands via the FQDN field. The vulnerability is present in the configuration parsing logic. Affected versions: all before 10.1.3. [1][2]

Exploitation

An attacker must have direct or indirect access to the OpenNDS configuration file. This could be achieved through local file access, compromised administrative interfaces, or other means. By modifying the gateway FQDN entry to include command injection payloads (e.g., using backticks or shell metacharacters), the attacker can cause the injected commands to be executed when the configuration is processed. No authentication is required beyond the ability to modify the config file. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the OpenNDS process. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or further lateral movement. The impact is high, as it enables remote code execution in the context of the captive portal service. [2]

Mitigation

The vulnerability is fixed in OpenNDS version 10.1.3, released on August 28, 2023. Users should upgrade to this version or later. No workaround is available if the configuration file cannot be sanitized manually. The fix ensures proper sanitization of the gateway FQDN field. [2]