Denial of Service Vulnerability in OpenNDS affecting Sierra Wireless ALEOS
CVE-2023-38321

7.5HIGH

Key Information:

Vendor: Sierra Wireless
Vendor: CVE Published:; 25 December 2023

🔔 Create Sierra Wireless Vulnerability Alert

What is CVE-2023-38321?

OpenNDS, utilized in Sierra Wireless ALEOS versions prior to 4.17.0.12, contains a vulnerability that allows remote attackers to exploit it by sending a specially crafted GET request to the /opennds_auth/ endpoint. If the GET request is lacking a custom query string parameter and client-token, it triggers a NULL pointer dereference, resulting in a daemon crash and potential captive portal outages. This vulnerability poses a significant risk as it can disrupt service availability.

References

https://openwrt.org/docs/guide-user/services/captive-port...

https://github.com/openNDS/openNDS/blob/master/ChangeLog

https://source.sierrawireless.com/-/media/support_downloa...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 25, 2023
Vulnerability Reserved
Jul 14, 2023

JSON