Unrated severity · NVD Advisory · Published Jan 26, 2024 · Updated Jun 20, 2025

CVE-2023-38319

Description

An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenNDS before 10.1.3 fails to sanitize the FAS key entry in the configuration file, allowing attackers with file access to execute arbitrary OS commands.

Vulnerability

OpenNDS versions prior to 10.1.3 [1][2] contain a command injection vulnerability in the configuration file handling. The FAS key entry is not sanitized, enabling arbitrary OS command execution when an attacker can directly or indirectly write to or modify this configuration file. The issue was fixed in version 10.1.3 [2].

Exploitation

An attacker must have direct or indirect access to the OpenNDS configuration file (typically /etc/config/opennds or similar). This could be achieved through local access, a separate vulnerability that allows file write, or by compromising an administrative interface that can modify the configuration. The attacker inserts a malicious command into the FAS key field; OpenNDS then unsafely processes this value, leading to OS command execution.

Impact

Successful exploitation results in arbitrary OS command execution with the privileges of the OpenNDS process (often root). The attacker can then fully compromise the host system, including data exfiltration, installation of malware, or lateral movement within the network.

Mitigation

Upgrade to OpenNDS version 10.1.3, released on 2023-08-28 [2], which includes the fix. As a workaround, restrict access to the OpenNDS configuration file to only trusted administrators and review any third-party integrations that might modify this file. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
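The workaround above can be checked on a device with a short audit script. The following is an added example, not code from openNDS or from this advisory; it assumes the FAS key is stored as the UCI option `faskey`, and its character allowlist is the example's own policy rather than the validation openNDS 10.1.3 performs.

```shell
#!/bin/sh
# Added example (not openNDS code): audit an openNDS UCI config file.
# Assumptions: the FAS key is the UCI option `faskey`; the allowlist below
# is this example's own policy, not the project's validation rule.
LC_ALL=C; export LC_ALL

# Print each faskey value in config file $1, surrounding quotes stripped.
get_faskeys() {
    sed -n 's/^[[:space:]]*option[[:space:]]\{1,\}faskey[[:space:]]\{1,\}//p' "$1" |
        sed -e 's/[[:space:]]*$//' -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Succeed only when $1 consists of letters, digits, "_" or "-".
faskey_is_plain() {
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print one finding per line for file $1; return 1 if anything was found.
audit_opennds_config() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    rc=0
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) echo "PERM $1 is group- or world-writable ($mode)"; rc=1 ;;
    esac
    keys=$(get_faskeys "$1")
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        faskey_is_plain "$key" || { echo "FASKEY value has characters outside [A-Za-z0-9_-]"; rc=1; }
    done <<EOF
$keys
EOF
    return $rc
}

if [ $# -gt 0 ]; then
    audit_opennds_config "$1"
else
    # No argument: run against a constructed sample config.
    sample=$(mktemp)
    printf "config opennds\n\toption faskey 'abc;def'\n" > "$sample"
    audit_opennds_config "$sample" || true
    rm -f "$sample"
fi
```

Run it with the configuration path as its argument; an exit status of 1 means at least one finding.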

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
