Werk #9526: Fix denial of service against webconf

Component Firmware
Title Fix denial of service against webconf
Date 18.04.2023
Level Minor change
Class Bug fix
Compatibility Compatible - requires no manual intervention
Appliance Version 1.6.5

Prior to this Werk, an attacker was able to cause blocking I/O in webconf, rendering it unresponsive (denial of service).

This vulnerability was identified through a commissioned penetration test conducted by OPTIMAbit (Roman Mueller).

Mitigations: In case updating is not possible, access to webconf can be limited to trusted IPs, e.g. within Apache.

Indicators of Compromise: After a malicious or faulty request, webconf will not be accessible for about 5 minutes. After these 5 minutes, one can find messages containing [Errno 32] Broken pipe in /var/log/syslog.
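One way to scan /var/log/syslog for this indicator and group the hits into outage windows, as an added example (not Checkmk's own code): the syslog lines below are constructed, and the webconf process name in the log prefix and the 2023 year for the timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not taken from the page). Classic syslog
# timestamps carry no year, so one is supplied when parsing.
SAMPLE_SYSLOG = """\
Apr 18 10:00:01 appliance webconf[1234]: request handled
Apr 18 10:05:07 appliance webconf[1234]: BrokenPipeError: [Errno 32] Broken pipe
Apr 18 10:05:08 appliance webconf[1234]: BrokenPipeError: [Errno 32] Broken pipe
Apr 18 10:05:09 appliance webconf[1234]: BrokenPipeError: [Errno 32] Broken pipe
Apr 18 11:30:00 appliance sshd[99]: Accepted publickey for admin
Apr 18 12:00:00 appliance webconf[1234]: BrokenPipeError: [Errno 32] Broken pipe
"""

# Timestamp, host, then the program name up to its PID bracket or colon.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<prog>[^\[:]+)"
)
INDICATOR = "[Errno 32] Broken pipe"  # the string named in the Werk


def parse_ts(stamp, year):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_broken_pipe_events(log_text, program="webconf", year=2023):
    """Return timestamps of Broken-pipe messages logged by `program`."""
    events = []
    for line in log_text.splitlines():
        if INDICATOR not in line:
            continue
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog").strip() != program:
            continue
        events.append(parse_ts(m.group("ts"), year))
    return events


def cluster_outages(events, window_minutes=5):
    """Group timestamps within one window (the ~5 min outage the Werk describes)
    into (first_seen, count) tuples so each burst is reported once."""
    clusters = []
    for ts in sorted(events):
        if clusters and (ts - clusters[-1][0]).total_seconds() <= window_minutes * 60:
            first, count = clusters[-1]
            clusters[-1] = (first, count + 1)
        else:
            clusters.append((ts, 1))
    return clusters


if __name__ == "__main__":
    for first, count in cluster_outages(find_broken_pipe_events(SAMPLE_SYSLOG)):
        print(f"{first}: {count} Broken pipe message(s) from webconf")
```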

Vulnerability Management: We have rated the issue with a CVSS Score of 7.5 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. We assigned CVE-2023-22318 to this vulnerability.
