CVE-2023-28616
📋 TL;DR
This vulnerability in Stormshield Network Security (SNS) logs user passwords containing equals signs or spaces in cleartext when processed by the serverd component, potentially exposing them in system logs and Syslog transmissions. It affects SNS firewall administrators and users whose passwords contain these characters. The cleartext logging creates credential exposure risks.
💻 Affected Systems
- Stormshield Network Security (SNS)
⚠️ Risk & Real-World Impact
Worst Case
Attackers with access to logs could extract administrator credentials, gain full control of the firewall, pivot to internal networks, and potentially compromise the entire network infrastructure.
Likely Case
Internal or external attackers with log access could harvest credentials, escalate privileges, and gain unauthorized access to network resources protected by the firewall.
If Mitigated
With proper log access controls and monitoring, credential exposure would be limited to authorized personnel only, reducing the attack surface.
🎯 Exploit Status
Exploitation requires access to system logs where passwords are recorded. No authentication bypass is needed once log access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.17, 4.6.4, or 4.7.1 depending on version branch
Vendor Advisory: https://advisories.stormshield.eu/2023-006
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate patch from the Stormshield portal.
3. Apply the patch through the SNS web interface or CLI.
4. Reboot the firewall to complete installation.
5. Verify the version update.
🔧 Temporary Workarounds
Password Policy Enforcement
Implement a password policy that prohibits equals signs and spaces in passwords to prevent triggering the vulnerability.
Log Access Restriction
Restrict access to system logs and Syslog destinations to prevent credential exposure.
🧯 If You Can't Patch
- Enforce password policies prohibiting equals signs and spaces in all user passwords
- Implement strict access controls on log files and Syslog destinations, monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check SNS version via web interface or CLI. If version is before 4.3.17, 4.6.4, or 4.7.1 (depending on branch), system is vulnerable.
Check Version:
show version
Verify Fix Applied:
Verify version is 4.3.17, 4.6.4, or 4.7.1 or later. Test with password containing equals sign or space and check logs for cleartext exposure.
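The branch-dependent version check above, as an added example (not code from Stormshield or from the original page): each version is compared only against the fixed release of its own branch, so 4.6.2 is not mistaken for patched because it sorts after 4.3.17. The names `sns_status` and `audit` are hypothetical, the inventory is constructed, and treating branches newer than 4.7 as fixed is an assumption based on the page's "4.7.1 or later".

```python
import re

# Fixed release per branch, taken from this page: 4.3.17, 4.6.4, 4.7.1.
FIXED_PATCH = {(4, 3): 17, (4, 6): 4, (4, 7): 1}
NEWEST_BRANCH = max(FIXED_PATCH)


def sns_status(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for an SNS version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if m is None:
        return "unknown"
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED_PATCH:
        # Compare numerically inside the branch: 4.3.9 < 4.3.17.
        return "fixed" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch > NEWEST_BRANCH:
        # Assumption: the page's "4.7.1 or later" covers newer branches.
        return "fixed"
    # Branch not listed on the page (e.g. 4.5.x): check the vendor advisory.
    return "unknown"


def audit(inventory: dict) -> dict:
    """Group hosts by status so unpatched firewalls stand out."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        report[sns_status(version_text)].append(host)
    return report


# Constructed inventory: hostnames and version strings are sample data.
SAMPLE = {
    "fw-edge-01": "4.3.9",
    "fw-edge-02": "4.3.17",
    "fw-dc-01": "4.6.2",
    "fw-dc-02": "4.7.1",
    "fw-lab-01": "4.5.3",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` run a branch the page does not list and need to be checked against the vendor advisory directly.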
📡 Detection & Monitoring
Log Indicators:
- Cleartext passwords in serverd logs
- User authentication logs containing password strings with = or space characters
- Syslog transmissions containing password data
Network Indicators:
- Unusual access to log servers or Syslog destinations
- Authentication attempts from unexpected sources following log access
SIEM Query:
source="sns_logs" AND ("password=" OR "password " OR "passwd=" OR "passwd ")