CVE-2023-38324
Description
An issue was discovered in OpenNDS before 10.1.2. It allows users to skip the splash page sequence (and directly authenticate) when it is using the default FAS key and OpenNDS is configured as FAS. Affected: OpenNDS Captive Portal before version 10.1.2. Fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28 August 2023 by updating OpenNDS to version 10.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenNDS before 10.1.2 allows users to skip the splash page and directly authenticate when using the default FAS key.
Vulnerability
In OpenNDS versions before 10.1.2, a weak authentication vulnerability exists when the captive portal is configured as a FAS (Forward Authentication Service) and uses the default FAS key. The issue, tracked as CWE-1390 (Weak Authentication) [1], allows users to bypass the intended splash page sequence. Affected versions: OpenNDS before 10.1.2. The fix was included in OpenNDS 10.1.2, released on 29 July 2023 [4].
Exploitation
An attacker does not need authentication or special network position; they only need the captive portal to be using the default FAS key and OpenNDS configured as FAS. By exploiting the weak authentication mechanism, the attacker can skip the splash page and proceed directly to authentication, effectively bypassing the intended flow [1][4].
Impact
Successful exploitation allows an attacker to bypass the captive portal's splash page sequence, potentially gaining network access without proper authorization or acknowledgment of terms and conditions. This undermines the authentication and consent mechanism of the captive portal [1][4].
Mitigation
The vulnerability is fixed in OpenNDS version 10.1.2, released on 29 July 2023, and in the subsequent OpenNDS 10.1.3 version [4]. The fix is included in OpenWrt master, OpenWrt 23.05, and OpenWrt 22.03 as of 28 August 2023 (by updating to OpenNDS 10.1.3) [description]. Users should upgrade to version 10.1.2 or later, or ensure the FAS key is not set to the default value.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OpenNDS/OpenNDS (source: description)
References
[1] cwe.mitre.org/data/definitions/1390.html (mitre)
[2] github.com/openNDS/openNDS/blob/master/ChangeLog (mitre)
[3] github.com/openNDS/openNDS/releases/tag/v10.1.2 (mitre)
[4] github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80 (mitre)
[5] openwrt.org/docs/guide-user/services/captive-portal/opennds (mitre)
[6] source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/ (mitre)
[7] www.forescout.com/resources/sierra21-vulnerabilities (mitre)