CVE-2023-38321

Vulnerability

OpenNDS, used in Sierra Wireless ALEOS before 4.17.0.12 and other products, contains a NULL pointer dereference in the /opennds_auth/ handler. When a remote attacker sends a GET request to that endpoint without a custom query string parameter and without a client-token, the code path dereferences a NULL pointer, leading to a daemon crash. The vulnerability is present in versions prior to the fix referenced in the change log [1].

Exploitation

An attacker does not require authentication or any special network position; they only need to send a crafted GET request to /opennds_auth/ on the affected device. The request must omit both a custom query string parameter and the client-token parameter. No user interaction or race condition is needed; a single request triggers the crash.

Impact

Successful exploitation causes a NULL pointer dereference that crashes the OpenNDS daemon. This results in a denial of service of the Captive Portal functionality, leaving users unable to authenticate or access the network through the portal. The impact is limited to availability; no data confidentiality or integrity is compromised.

Mitigation

The vulnerability is fixed in Sierra Wireless ALEOS version 4.17.0.12 and later, as well as in subsequent OpenNDS releases that include the patch from the change log [1]. Users should update to the latest patched version. No workarounds are documented in the available references; if an immediate update is not possible, restricting access to the /opennds_auth/ endpoint via firewall rules may reduce exposure, though this is not a complete mitigation.