CVE-2023-38315
📋 TL;DR
CVE-2023-38315 is a NULL pointer dereference vulnerability in OpenNDS Captive Portal that allows remote attackers to cause a denial-of-service condition by sending a crafted HTTP GET request with a missing client token parameter. This affects OpenNDS versions before 10.1.2, causing the service to crash when exploited. Organizations using OpenNDS for captive portal functionality in public or private networks are affected.
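The bug class described above, as an added illustration that is not OpenNDS code: a hypothetical query-string lookup returns NULL when the client token parameter is absent, the vulnerable handler uses the result without checking it, and the hardened handler rejects the request with a 400 instead. The parameter name `tok`, the 8-character length check and the sample queries are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical query-string lookup (not OpenNDS code). Returns a
 * heap copy of the value for `key`, or NULL when the key is absent. */
char *query_param(const char *query, const char *key) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            char *val = malloc(vlen + 1);
            if (val == NULL) return NULL;
            memcpy(val, p + klen + 1, vlen);
            val[vlen] = '\0';
            return val;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Vulnerable pattern: the token is used with no NULL check, so a GET
 * that omits tok= dereferences NULL inside strlen() and kills the daemon. */
int handle_vulnerable(const char *query) {
    char *tok = query_param(query, "tok");
    int ok = strlen(tok) == 8;        /* crashes when tok == NULL */
    free(tok);
    return ok ? 200 : 403;
}

/* Hardened pattern: a missing parameter is a client error (400), never
 * a crash. The 8-character length check stands in for real validation. */
int handle_hardened(const char *query) {
    char *tok = query_param(query, "tok");
    if (tok == NULL)
        return 400;
    int ok = strlen(tok) == 8;
    free(tok);
    return ok ? 200 : 403;
}

int main(void) {
    printf("%d\n", handle_hardened("clientip=10.0.0.5&tok=abcd1234")); /* 200 */
    printf("%d\n", handle_hardened("clientip=10.0.0.5"));              /* 400 */
    return 0;
}
```

Running `handle_vulnerable` on the second query would terminate the process with SIGSEGV, which is exactly the denial of service the advisory describes; the hardened handler returns 400 and keeps serving.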
💻 Affected Systems
- OpenNDS Captive Portal
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of the captive portal, preventing new users from authenticating and accessing network resources, potentially disrupting business operations or public access services.
Likely Case
Intermittent service crashes requiring manual restart of OpenNDS, causing temporary authentication failures and user access issues until service is restored.
If Mitigated
Minimal impact with proper network segmentation and monitoring; service may restart automatically or failover to redundant systems if configured.
🎯 Exploit Status
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.3
Vendor Advisory: https://github.com/openNDS/openNDS/releases/tag/v10.1.2
Restart Required: Yes
Instructions:
1. Update OpenNDS to version 10.1.3 or later.
2. For OpenWrt systems, update to OpenWrt master, 23.05, or 22.03 versions patched after August 28, 2023.
3. Restart the OpenNDS service after patching.
🔧 Temporary Workarounds
Network Filtering
Block or rate-limit HTTP requests to the OpenNDS captive portal endpoint from untrusted sources, for example (replace untrusted_network with the source range to block):
iptables -A INPUT -p tcp --dport 2050 -s untrusted_network -j DROP
🧯 If You Can't Patch
- Implement network segmentation to isolate the OpenNDS service from untrusted networks.
- Deploy a web application firewall (WAF) or reverse proxy to filter malicious HTTP requests before they reach OpenNDS.
🔍 How to Verify
Check if Vulnerable:
Check OpenNDS version; if it's below 10.1.2, the system is vulnerable.
Check Version:
opennds --version
Verify Fix Applied:
Confirm OpenNDS version is 10.1.3 or higher and test with a crafted HTTP GET request to ensure no crash occurs.
📡 Detection & Monitoring
Log Indicators:
- OpenNDS crash logs
- HTTP requests with missing or malformed client token parameters
- Service restart events in system logs
Network Indicators:
- HTTP GET requests to OpenNDS endpoint without proper query parameters
- Unusual spike in HTTP requests to port 2050 (default OpenNDS port)
SIEM Query:
source="opennds.log" AND ("crash" OR "segmentation fault" OR "null pointer")
🔗 References
- https://github.com/openNDS/openNDS/releases/tag/v10.1.2
- https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80
- https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs