CVE-2023-35794

8.8 HIGH

📋 TL;DR

This vulnerability allows unauthenticated access to the Web SSH terminal in Cassia Access Controller. Attackers can bypass authentication and gain SSH console access to the device. Organizations using Cassia Access Controller 2.1.1.2303271039 are affected.

💻 Affected Systems

Products:
  • Cassia Access Controller
Versions: 2.1.1.2303271039
Operating Systems: Embedded/Linux-based IoT platform
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Web SSH terminal endpoint specifically; other components may have different authentication mechanisms.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, modify configurations, install malware, or pivot to other network resources.

🟠 Likely Case

Unauthorized access to SSH console leading to configuration changes, data exfiltration, or disruption of IoT device management.

🟢 If Mitigated

Limited impact if network segmentation isolates the controller and strong authentication is enforced at network level.

🌐 Internet-Facing: HIGH - Direct internet exposure allows remote attackers to exploit without any authentication.
🏢 Internal Only: HIGH - Even internally, lack of authentication allows any network user to access the SSH console.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the Web SSH endpoint; no credentials or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.cassianetworks.com/products/iot-access-controller/

Restart Required: No

Instructions:

Check Cassia Networks website for security updates and patch announcements. No specific patch instructions available at this time.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict network access to the Access Controller using firewall rules

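# TRUSTED_NET is a placeholder; set it to your management subnet in CIDR form
TRUSTED_NET="192.0.2.0/24"
# -A appends: these rules only take effect if no earlier INPUT rule already accepts the traffic
iptables -A INPUT -p tcp --dport 80 -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP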

Web Server Configuration

all

Add an authentication layer in front of the Web SSH endpoint

# Configure web server (nginx/apache) to require authentication for /console or similar paths

🧯 If You Can't Patch

  • Isolate the Access Controller in a separate VLAN with strict network segmentation
  • Implement network-based authentication (802.1X) or VPN access for all controller connections

🔍 How to Verify

Check if Vulnerable:

Attempt to access the Web SSH console endpoint without authentication. If accessible, the system is vulnerable.

Check Version:

Check device web interface or SSH banner for version information

Verify Fix Applied:

Verify that authentication is required before accessing the Web SSH console endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to /console or similar SSH endpoints
  • Failed authentication attempts followed by successful console access

Network Indicators:

  • HTTP requests to SSH console endpoints without authentication headers
  • Unusual SSH traffic patterns from web server

SIEM Query:

source="web_logs" AND (uri="/console" OR uri="/ssh") AND NOT (auth_token EXISTS OR cookie EXISTS)
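
The two log indicators and the SIEM query above, written as a log scan. This is an added example, not code from the advisory or from Cassia Networks. It assumes JSON-lines web logs: the `uri`, `auth_token` and `cookie` field names follow the SIEM query, while `ts`, `src`, `status`, the `/login` path and the 300-second window are assumptions, and the sample events are constructed.

```python
import json

# Paths come from the advisory's SIEM query; adjust to the device's real Web SSH path.
CONSOLE_PATHS = ("/console", "/ssh")
WINDOW_SECONDS = 300  # assumed correlation window for the second indicator

# Constructed sample events (JSON lines). Fields other than uri, auth_token
# and cookie are assumptions about the log schema.
SAMPLE_LOG = """\
{"ts": 100, "src": "198.51.100.7", "uri": "/login", "status": 401}
{"ts": 130, "src": "198.51.100.7", "uri": "/console", "status": 200}
{"ts": 200, "src": "192.0.2.10", "uri": "/console", "status": 200, "cookie": "sid=abc"}
{"ts": 260, "src": "203.0.113.5", "uri": "/ssh?cols=80", "status": 101}
{"ts": 300, "src": "203.0.113.9", "uri": "/console", "status": 401}
not-json garbage line
"""

def is_console(uri):
    """True if the request path (query string ignored) is a console path."""
    path = uri.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in CONSOLE_PATHS)

def detect(lines):
    """Return (ts, src, rule) findings for the two log indicators."""
    findings, last_fail = [], {}  # last_fail: src -> ts of latest 401/403
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(ev, dict):
            continue
        src, ts, status = ev.get("src"), ev.get("ts", 0), ev.get("status", 0)
        if status in (401, 403):
            last_fail[src] = ts
            continue
        if not is_console(ev.get("uri", "")) or status not in (200, 101):
            continue  # only successful console requests matter (200/101 assumed)
        # Empty auth_token/cookie values are treated the same as missing ones.
        if not ev.get("auth_token") and not ev.get("cookie"):
            findings.append((ts, src, "unauthenticated_console_access"))
        if src in last_fail and ts - last_fail[src] <= WINDOW_SECONDS:
            findings.append((ts, src, "auth_failure_then_console_access"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```
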
