Unrated severity · NVD Advisory · Published Jan 26, 2024 · Updated May 29, 2025

CVE-2023-38323


Description

An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenNDS before 10.1.3 fails to sanitize the status path script entry in the configuration file, allowing arbitrary OS command execution.

Vulnerability

OpenNDS versions prior to 10.1.3 contain a command injection vulnerability in the handling of the status_path script entry within the configuration file. The software does not sanitize this entry, allowing an attacker who can modify the configuration file to inject arbitrary OS commands. The affected versions are all releases before 10.1.3 [1][2].

Exploitation

An attacker requires either direct write access to the OpenNDS configuration file or indirect access (e.g., through another vulnerability that allows file modification). The attacker edits the status_path entry to include shell metacharacters and commands. When OpenNDS processes the status path (e.g., during a status check), the injected commands are executed by the system shell [1].

Impact

Successful exploitation allows arbitrary OS command execution with the privileges of the OpenNDS daemon, typically root. This can lead to full compromise of the captive portal system, including data exfiltration, installation of malware, or lateral movement within the network [2].

Mitigation

The vulnerability is fixed in OpenNDS version 10.1.3, released on August 28, 2023 [2]. Users should upgrade to this version or later. No workaround is documented; restricting access to the configuration file can reduce the attack surface but does not eliminate the risk if an attacker gains indirect access [1].
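A defender-side audit for the points above, added here as an example and not OpenNDS code: it checks that the status path entry is a plain absolute path and that the configuration file cannot be written by other accounts. The UCI-style `option` line format, the option names `status_path` and `statuspath`, and the sample paths are assumptions.

```python
import os
import re
import stat

# Assumptions: UCI-style "option <name> '<value>'" lines; option names below.
KEYS = ("status_path", "statuspath")
ENTRY = re.compile(r"^\s*option\s+(\w+)\s+(.*?)\s*$")
# Allowlist: an absolute path made only of plain path characters.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")

def unquote(raw):
    """Strip one pair of matching quotes, leave anything else untouched."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw

def audit_status_path(config_text, keys=KEYS):
    """Return (line number, value, reason) for each suspicious entry."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m or m.group(1) not in keys:
            continue
        value = unquote(m.group(2))
        if not SAFE_PATH.fullmatch(value):
            findings.append((lineno, value, "not a plain absolute path"))
        elif ".." in value.split("/"):
            findings.append((lineno, value, "parent-directory traversal"))
    return findings

def audit_file_mode(path, expected_uid=0):
    """Report ownership or write bits that let other accounts edit the file."""
    st = os.stat(path)
    issues = []
    if st.st_uid != expected_uid:
        issues.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/other writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return issues

# Constructed sample configuration, not taken from a real device.
CLEAN = """config opennds
    option gatewayname 'Guest WiFi'
    option status_path '/usr/lib/opennds/client_params.sh'
"""
TAMPERED = CLEAN.replace("client_params.sh", "client_params.sh; echo constructed")

if __name__ == "__main__":
    print(audit_status_path(CLEAN), audit_status_path(TAMPERED))
```

Run `audit_status_path` over the deployed configuration text and `audit_file_mode` over its path; any finding on a release before 10.1.3 means the entry or the file needs review.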

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
