CVE-2024-25763
Description
openNDS 10.2.0 is vulnerable to Use-After-Free via /openNDS/src/auth.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free in openNDS 10.2.0's auth.c allows denial-of-service via freeing a client pointer and then dereferencing it.
Vulnerability
A use-after-free vulnerability exists in openNDS version 10.2.0 (commit c392cb41a4c470fd3be0e86c0de088c60262daf6) in the file /openNDS/src/auth.c. The function client_list_delete is called on line 222 with a pointer named client. Inside client_list_delete (in src/client_list.c), if the condition on line 467 is true, the pointer is passed to _client_list_free_node on line 471, which frees the memory at line 448. Immediately afterwards, at line 223 of auth.c, the code accesses client->fw_connection_state through the pointer that has just been freed, which is the use-after-free. [1]
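The ordering problem described above, modelled as an added example that is not openNDS source and not the project's fix. Only the names client_list_delete, _client_list_free_node and fw_connection_state come from the advisory; the struct layout, the list handling and the helper deauth_client_safe are assumptions made for illustration.

```c
#include <stdlib.h>

/* Simplified model. Struct layout, list handling and deauth_client_safe()
 * are assumptions; only the advisory's function/field names are real. */
typedef struct client {
    struct client *next;
    int fw_connection_state;   /* assumed non-negative in this model */
} t_client;

static t_client *client_list = NULL;

t_client *client_list_add(int state) {
    t_client *c = calloc(1, sizeof(*c));
    if (!c) return NULL;
    c->fw_connection_state = state;
    c->next = client_list; client_list = c;
    return c;
}

int client_list_count(void) {
    int n = 0;
    for (t_client *c = client_list; c; c = c->next) n++;
    return n;
}

static void _client_list_free_node(t_client *client) { free(client); }
/* Unlinks and frees the node if it is on the list; returns 1 if freed. */
int client_list_delete(t_client *client) {
    for (t_client **pp = &client_list; *pp; pp = &(*pp)->next) {
        if (*pp == client) {
            *pp = client->next;
            _client_list_free_node(client);
            return 1;
        }
    }
    return 0;
}

/* Reported ordering (comment only, not compiled):
 *     client_list_delete(client);
 *     ... client->fw_connection_state ...   <- read through freed pointer
 * Hardened ordering: copy the field, delete, then clear the caller's pointer. */
int deauth_client_safe(t_client **clientp) {
    if (!clientp || !*clientp) return -1;          /* nothing to delete */
    int state = (*clientp)->fw_connection_state;   /* read while still valid */
    if (client_list_delete(*clientp)) *clientp = NULL;
    return state;
}
```

Building the daemon with -fsanitize=address in a test environment makes the original ordering abort at the stale read with a heap-use-after-free report, which is a quick way to confirm whether a given build is affected.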
Exploitation
An attacker must be able to trigger the code path that calls client_list_delete in auth.c. The exact trigger conditions are not fully detailed, but the vulnerability can be reached without authentication if the attacker can send network traffic that causes the affected gateway authentication daemon to process a client deletion while still accessing the freed memory. The sequence is: 1) The vulnerable function is invoked; 2) client_list_delete frees the client structure; 3) The subsequent read of client->fw_connection_state on the freed memory leads to a null pointer dereference or read of attacker-controlled data. [1]
Impact
Successful exploitation leads to a denial-of-service (DoS) via null pointer dereference or crash. The attacker causes the openNDS process to terminate, interrupting captive portal functionality for all users. The vulnerability is classified as a use-after-free, which could potentially be leveraged for arbitrary code execution under certain memory configurations, but the reference only confirms DoS impact. [1]
Mitigation
As of the publication date (2024-02-26), no patched version has been released. Users of openNDS 10.2.0 should monitor the project's GitHub repository for updates and apply a fix when available. No workarounds are provided in the reference. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- openNDS/openNDS
Patches
No patches discovered yet.
References