Argument injection vulnerability in Atos Unify OpenScape Session Border Controller, Atos Unify OpenScape Branch and Atos Unify OpenScape BCF
CVE-2023-6269

10 CRITICAL

What is CVE-2023-6269?

An argument injection vulnerability exists in the administrative web interface of the Atos Unify OpenScape products Session Border Controller and Branch prior to version V10 R3.4.0, and of OpenScape BCF before versions V10R10.12.00 and V10R11.05.02. It allows an unauthenticated attacker to gain unauthorized root access via SSH and potentially to bypass authentication, obtaining access as an arbitrary administrative user and significantly compromising the security of the affected systems.

Affected Version(s)

OpenScape BCF 0

OpenScape BCF 0

OpenScape Branch 0

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Armin Weihbold (SEC Consult Vulnerability Lab)