CVE-2023-38523

Vulnerability

The web interface on multiple Samsung Harman AMX N-Series devices allows unauthenticated directory listing of the /tmp/ directory. This affects N-Series N1115 Wallplate Video Encoder before 1.15.61, N1x22A, N1x33A, N1x33, N2x35, N2x35A, N2xx2, N2xx2A Video Encoder/Decoder before 1.15.61, N3000 Video Encoder/Decoder before 2.12.105, and N4321 Audio Transceiver before 1.00.06 [1]. The /tmp/ directory contains sensitive files such as command history and screenshots of files being processed [1].

Exploitation

An attacker can access the /tmp/ directory by sending an HTTP GET request to http:///tmp/ without any authentication [1]. No special network position or user interaction is required; the device must be reachable over the network. The web server (lighttpd) responds with an HTML directory listing, exposing filenames and allowing further retrieval of files [1].

Impact

Successful exploitation results in information disclosure. An attacker can retrieve command history logs and screenshots of files being processed, which may contain sensitive configuration data or credentials [1]. The attacker gains no code execution or privilege escalation, but the exposed information can aid further attacks.

Mitigation

Samsung Harman has released firmware updates to address this issue. For N3000 devices, version 2.12.105 is the first fixed version, and a later hotfix (2.12.158) is available [2]. For other N-Series models, the fixed version is 1.15.61 [1]. Users should update to the latest firmware. No workaround is documented; restricting network access to the web interface is a general precaution.