CVE-2023-38320

Vulnerability

A NULL pointer dereference vulnerability exists in OpenNDS Captive Portal versions prior to 10.1.2. The flaw resides in the show_preauthpage function, which can be triggered by sending a crafted HTTP GET request with a missing User-Agent header. This causes the software to dereference a NULL pointer, leading to a crash. The issue was fixed in OpenNDS version 10.1.2 [1], but the advisory notes that OpenWrt updated to version 10.1.3 [2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP GET request to the OpenNDS captive portal web server. The attacker does not need any prior authentication or special network position beyond network access to the portal. The key condition is that the User-Agent header is absent from the request, which causes the vulnerable code path to dereference a NULL pointer [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition by crashing the OpenNDS process, which disrupts captive portal functionality for all users. The impact is limited to availability; there is no evidence of information disclosure or privilege escalation [1].

Mitigation

The vulnerability is fixed in OpenNDS version 10.1.2. Users should upgrade to version 10.1.2 or later. The OpenWrt project incorporated the fix into OpenWrt 22.03 and 23.05 on 28 August 2023 by updating to OpenNDS version 10.1.3 [2]. Sierra Wireless also addressed the issue in ALEOS 4.17, which was released in October 2023 [3]. No workarounds have been published.