Local Web Interface Vulnerability in Arc Could Lead to Sensitive Information Extraction and Arbitrary Code Execution

CVE-2023-5935

7.4HIGH

Key Information

Vendor: Nozomi Networks
Status: Arc
Vendor: CVE Published:; 15 May 2024

Summary

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Affected Version(s)

Arc < 1.6.0

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
May 15, 2024
Vulnerability Reserved.
Nov 2, 2023

Collectors

NVD DatabaseMitre Database

Credit

This issue was found by Diego Giubertoni of Nozomi Networks Security Research team during an internal penetration testing session.