Werk #9526: Fix denial of service against webconf

Component Firmware
Title Fix denial of service against webconf
Date Apr 18, 2023
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Appliance Version 1.6.5

Prior to this Werk, an unauthenticated attacker could cause blocking I/O in webconf, rendering it unresponsive (denial of service).

This vulnerability was identified through a commissioned penetration test conducted by OPTIMAbit (Roman Mueller).

Mitigations: If updating is not possible, access to webconf can be restricted to trusted IP addresses, e.g. within Apache.
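The following Apache configuration fragment is an added illustration of that mitigation and is not part of the Werk or of the appliance's shipped configuration. The URL prefix "/webconf" and the address ranges are assumptions; use the path under which webconf is actually served on your appliance and your own management networks.

```apache
# Added example, not from the Werk: allow webconf only from trusted networks
# (Apache 2.4 "Require" syntax). The "/webconf" prefix and the networks below
# are placeholders; everything outside these ranges receives 403 Forbidden.
<Location "/webconf">
    Require ip 10.0.0.0/8 192.168.1.0/24
</Location>
```

After adding the block, verify the syntax with `apachectl configtest` and reload Apache; then confirm from an untrusted address that the path returns 403 while a trusted address still reaches the login page.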

Indicators of Compromise: After a malicious (or simply faulty) request, webconf is not accessible for about 5 minutes. After these 5 minutes, messages containing [Errno 32] Broken pipe appear in /var/log/syslog.
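The script below is an added example, not part of the Werk or of Checkmk, of turning that indicator into a check: it scans syslog lines for the "[Errno 32] Broken pipe" marker, clusters hits that fall within one outage window, and, because the messages show up roughly 5 minutes after the triggering request, estimates when each request arrived. The sample log lines are constructed, the "webconf" process name and syslog year are assumptions, and the 5-minute offset is taken from the Werk text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real appliance) in the
# classic "Mon DD HH:MM:SS host prog[pid]: msg" format; the year is assumed.
SAMPLE_SYSLOG = """\
Apr 18 09:00:01 appliance cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Apr 18 09:12:44 appliance webconf[456]: BrokenPipeError: [Errno 32] Broken pipe
Apr 18 09:12:44 appliance webconf[456]: BrokenPipeError: [Errno 32] Broken pipe
Apr 18 09:30:10 appliance sshd[789]: Accepted publickey for admin from 10.0.0.5
"""

BROKEN_PIPE = "[Errno 32] Broken pipe"          # marker named in the Werk
OUTAGE = timedelta(minutes=5)                   # unresponsive period per Werk
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so one has to be supplied."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_broken_pipe_events(syslog_text: str, year: int = 2023) -> list[datetime]:
    """Return the timestamps of every line carrying the Broken pipe marker."""
    events = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or BROKEN_PIPE not in m.group("msg"):
            continue
        events.append(parse_ts(m.group("ts"), year))
    return sorted(events)


def estimate_trigger_windows(events: list[datetime]) -> list[tuple[datetime, datetime]]:
    """Cluster hits closer together than one outage window.

    Each cluster yields (first_log_line, estimated_request_time): the Werk
    states the messages appear about 5 minutes after the request, so the
    request is placed one OUTAGE before the first message of the cluster.
    """
    windows = []
    last = None
    for ts in events:
        if last is None or ts - last > OUTAGE:
            windows.append((ts, ts - OUTAGE))
        last = ts
    return windows


if __name__ == "__main__":
    hits = find_broken_pipe_events(SAMPLE_SYSLOG)
    for first_seen, request_at in estimate_trigger_windows(hits):
        print(f"Broken pipe first logged {first_seen:%Y-%m-%d %H:%M:%S}; "
              f"suspect request around {request_at:%H:%M:%S}")
```

On a real appliance, feed it `/var/log/syslog` (and rotated copies) and correlate the estimated request times with the Apache access log to find the source address of the request that stalled webconf.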

Vulnerability Management: We have rated the issue with a CVSS Score of 7.5 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. We assigned CVE-2023-22318 to this vulnerability.
