CVE-2023-46306 - OpenCVE

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netmodule	Nb1601 Nb1800 Nb1810 Nb2800 Nb2810 Nb3701 Nb3800 Netmodule Router Software Ng800

Configuration 1 [-]

AND

OR	cpe:2.3:h:netmodule:nb1601:-:::::::*
	cpe:2.3:h:netmodule:nb1800:-:::::::*
	cpe:2.3:h:netmodule:nb1810:-:::::::*
	cpe:2.3:h:netmodule:nb2800:-:::::::*
	cpe:2.3:h:netmodule:nb2810:-:::::::*
	cpe:2.3:h:netmodule:nb3701:-:::::::*
	cpe:2.3:h:netmodule:nb3800:-:::::::*
	cpe:2.3:h:netmodule:ng800:-:::::::*

OR	cpe:2.3:a:netmodule:netmodule_router_software::::::::
	cpe:2.3:a:netmodule:netmodule_router_software::::::::

No data.

References

Link	Providers
https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/
https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf
https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-10-22T00:00:00

Updated: 2024-09-12T18:22:55.873Z

Reserved: 2023-10-22T00:00:00

Link: CVE-2023-46306

Vulnrichment

Updated: 2024-08-02T20:45:40.734Z

NVD

Status : Modified

Published: 2023-10-22T21:15:07.930

Modified: 2024-09-12T19:35:08.270

Link: CVE-2023-46306

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-46306", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-12T18:22:55.873Z", "dateReserved": "2023-10-22T00:00:00", "datePublished": "2023-10-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-22T20:07:16.731137"}, "descriptions": [{"lang": "en", "value": "The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf"}, {"url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf"}, {"url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:A/A:H/C:H/I:H/PR:H/S:C/UI:N", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:45:40.734Z"}, "title": "CVE Program Container", "references": [{"url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf", "tags": ["x_transferred"]}, {"url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf", "tags": ["x_transferred"]}, {"url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "affected": [{"vendor": "netmodule", "product": "netmodule_router_software", "cpes": ["cpe:2.3:a:netmodule:netmodule_router_software:4.6.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.6.0.0", "status": "affected", "lessThan": "4.6.0.106", "versionType": "custom"}]}, {"vendor": "netmodule", "product": "netmodule_router_software", "cpes": ["cpe:2.3:a:netmodule:netmodule_router_software:4.8:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.8", "status": "affected", "lessThan": "4.8.0.101", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T18:17:05.575956Z", "id": "CVE-2023-46306", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T18:22:55.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf", "tags": ["x_transferred"]}, {"url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf", "tags": ["x_transferred"]}, {"url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:45:40.734Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46306", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-12T18:17:05.575956Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:netmodule:netmodule_router_software:4.6.0.0:*:*:*:*:*:*:*"], "vendor": "netmodule", "product": "netmodule_router_software", "versions": [{"status": "affected", "version": "4.6.0.0", "lessThan": "4.6.0.106", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:netmodule:netmodule_router_software:4.8:*:*:*:*:*:*:*"], "vendor": "netmodule", "product": "netmodule_router_software", "versions": [{"status": "affected", "version": "4.8", "lessThan": "4.8.0.101", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T18:22:01.528Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:A/A:H/C:H/I:H/PR:H/S:C/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf"}, {"url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf"}, {"url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/"}], "descriptions": [{"lang": "en", "value": "The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-22T20:07:16.731137"}}}, "cveMetadata": {"cveId": "CVE-2023-46306", "state": "PUBLISHED", "dateUpdated": "2024-09-12T18:22:55.873Z", "dateReserved": "2023-10-22T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-10-22T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:netmodule:nb1601:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C90BC32-C405-4178-B944-9CF39C212C46", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb1800:-:*:*:*:*:*:*:*", "matchCriteriaId": "A80AE348-C415-4B5F-B359-26E2F2A132F7", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb1810:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3CF8E81-2EB5-4CDC-9FC9-CEAF4E1E7514", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb2800:-:*:*:*:*:*:*:*", "matchCriteriaId": "EFF579A1-A31C-47F3-912A-43F5B4894497", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb2810:-:*:*:*:*:*:*:*", "matchCriteriaId": "41310FAF-CD23-4126-942D-DA950A96DF3E", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb3701:-:*:*:*:*:*:*:*", "matchCriteriaId": "962F7AFA-76A3-4F83-AA2C-AB168C644104", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:nb3800:-:*:*:*:*:*:*:*", "matchCriteriaId": "7120564A-4FE0-403E-A976-9658A665E51A", "vulnerable": false}, {"criteria": "cpe:2.3:h:netmodule:ng800:-:*:*:*:*:*:*:*", "matchCriteriaId": "0408E588-146F-4AD2-9D58-A12EBA83A697", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:netmodule:netmodule_router_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B651903-7598-4F86-B2C1-53923B573509", "versionEndExcluding": "4.6.0.105", "vulnerable": true}, {"criteria": "cpe:2.3:a:netmodule:netmodule_router_software:*:*:*:*:*:*:*:*", "matchCriteriaId": "B543F356-8395-4F7E-A3C8-1A5DB362533C", "versionEndExcluding": "4.7.0.103", "versionStartIncluding": "4.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105."}, {"lang": "es", "value": "La interfaz de administraci\u00f3n web en NetModule Router Software (NRSW) 4.6 anterior a 4.6.0.106 y 4.8 anterior a 4.8.0.101 ejecuta un comando del sistema operativo construido con entrada de usuario no sanitizada: metacaracteres de shell en el par\u00e1metro /admin/gnssAutoAlign.php device_id. Esto ocurre porque se puede iniciar otro subproceso antes de la captura que activa la funci\u00f3n de limpieza. Un exploit exitoso podr\u00eda permitir a un usuario autenticado ejecutar comandos arbitrarios con privilegios elevados. NOTA: esto es diferente de CVE-2023-0861 y CVE-2023-0862, que se corrigieron en la versi\u00f3n 4.6.0.105."}], "id": "CVE-2023-46306", "lastModified": "2024-09-12T19:35:08.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2023-10-22T21:15:07.930", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.106.pdf"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.101.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}