Heap-based buffer overflow in Axis A1001 Network Door Controller's OSDP communication
CVE-2023-21406

8.8 HIGH

Key Information:

Vendor
CVE Published:
25 July 2023

What is CVE-2023-21406?

A security flaw has been identified in the AXIS A1001 that affects its handling of communications over the Open Supervised Device Protocol (OSDP). The vulnerability manifests as a heap-based buffer overflow within the pacsiod process, which manages OSDP communications. An attacker can exploit this flaw by appending invalid data to an OSDP message, enabling them to write data beyond the limits of the allocated heap buffer. This unauthorized data manipulation poses a risk, potentially allowing for arbitrary code execution on the affected device. For further details on mitigation and impacted software versions, please consult Axis's official security advisory.
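The defect class described above is a length-validation failure in OSDP frame handling. As an added illustration, not Axis's code or anything from the advisory, here is a constructed OSDP frame parser in C that validates the sender-supplied LEN field against both the bytes actually received and the fixed capacity of the receiving buffer before copying any payload. The framing layout assumed (SOM 0x53, address, two-byte LEN, CTRL byte, 1-byte checksum or 2-byte CRC trailer), the 128-byte buffer size and the sample frames are all assumptions for the example; checksum/CRC verification is omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed OSDP packet layout (example only, not Axis's implementation):
 * [0] SOM = 0x53, [1] address, [2] LEN low, [3] LEN high, [4] CTRL,
 * then command/reply byte + data, then a 1-byte checksum or 2-byte CRC. */
#define OSDP_SOM        0x53
#define OSDP_HDR_LEN    5
#define OSDP_CTRL_CRC   0x04   /* CTRL bit 2 set -> 16-bit CRC trailer */
#define OSDP_BUF_CAP    128    /* constructed: fixed receive-buffer capacity */

enum osdp_rc { OSDP_OK = 0, OSDP_ERR_SOM, OSDP_ERR_LEN, OSDP_ERR_TRAILING, OSDP_ERR_CAP };

struct osdp_frame {
    uint8_t addr;
    uint8_t ctrl;
    size_t  payload_len;            /* bytes between the header and the trailer */
    uint8_t payload[OSDP_BUF_CAP];
};

/* Validate a received frame before any byte is copied into the fixed buffer.
 * buf/n describe exactly what arrived on the wire. */
enum osdp_rc osdp_frame_parse(const uint8_t *buf, size_t n, struct osdp_frame *out)
{
    if (n < OSDP_HDR_LEN || buf[0] != OSDP_SOM)
        return OSDP_ERR_SOM;
    size_t len = (size_t)buf[2] | ((size_t)buf[3] << 8);  /* sender-declared total length */
    size_t trailer = (buf[4] & OSDP_CTRL_CRC) ? 2 : 1;
    /* LEN must cover header + trailer and must not claim more than was received. */
    if (len < OSDP_HDR_LEN + trailer || len > n)
        return OSDP_ERR_LEN;
    /* Bytes appended after the declared frame are rejected rather than parsed. */
    if (len != n)
        return OSDP_ERR_TRAILING;
    size_t payload_len = len - OSDP_HDR_LEN - trailer;
    /* The copy is bounded by the destination capacity, never by LEN alone. */
    if (payload_len > sizeof out->payload)
        return OSDP_ERR_CAP;
    out->addr = buf[1];
    out->ctrl = buf[4];
    out->payload_len = payload_len;
    memcpy(out->payload, buf + OSDP_HDR_LEN, payload_len);
    return OSDP_OK;
}
```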

Affected Version(s)

AXIS A1001 Network Door Controller AXIS OS 1.65.4 or earlier

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
