CVE-2023-38316
📋 TL;DR
CVE-2023-38316 is a command injection vulnerability in OpenNDS Captive Portal that allows attackers to execute arbitrary operating system commands via specially crafted URLs when the custom unescape callback is enabled. This affects OpenNDS Captive Portal versions before 10.1.2, potentially compromising systems running vulnerable versions. Organizations using OpenNDS for captive portal functionality are at risk.
💻 Affected Systems
- OpenNDS Captive Portal
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level access, allowing attackers to install malware, exfiltrate data, pivot to other systems, or disrupt network services.
Likely Case
Unauthorized command execution leading to service disruption, data theft, or installation of backdoors on affected systems.
If Mitigated
Limited impact with proper network segmentation and monitoring, though the vulnerability still presents significant risk.
🎯 Exploit Status
Exploitation requires the custom unescape callback to be enabled. Attack vectors include HTTP GET requests with malicious URL parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.3
Vendor Advisory: https://github.com/openNDS/openNDS/releases/tag/v10.1.2
Restart Required: Yes
Instructions:
1. Update OpenNDS to version 10.1.3 or later.
2. For OpenWrt systems: update to OpenWrt master, 23.05, or 22.03 versions after August 28, 2023.
3. Restart the OpenNDS service after patching.
🔧 Temporary Workarounds
Disable custom unescape callback
Disable the vulnerable feature if it is not required for functionality
# Edit OpenNDS configuration to disable custom unescape callback
# Configuration location varies by installation
Network isolation
Restrict network access to the OpenNDS portal to trusted networks only
# Use firewall rules to limit access
# Replace trusted_network with the CIDR of the trusted network (e.g. 192.168.1.0/24),
# adjust --dport if OpenNDS listens on a port other than 80, and keep the ACCEPT rule
# before the DROP rule, since iptables evaluates rules in order
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Disable OpenNDS service entirely if not essential
- Implement strict network segmentation and monitoring for any OpenNDS traffic
🔍 How to Verify
Check if Vulnerable:
Check OpenNDS version and configuration. If version < 10.1.2 and custom unescape callback is enabled, system is vulnerable.
Check Version:
opennds --version, or query the package manager (on OpenWrt: opkg list-installed | grep opennds)
Verify Fix Applied:
Verify OpenNDS version is 10.1.3 or later and restart service. Test with known safe payloads if possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- HTTP requests with suspicious URL parameters to OpenNDS
- Failed authentication attempts followed by command-like strings
Network Indicators:
- HTTP GET requests with shell metacharacters or command injection patterns to OpenNDS port
- Unusual outbound connections from OpenNDS host
SIEM Query:
source="opennds.log" AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*" OR url="*%3B*" OR url="*%7C*")
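The SIEM query above matches only a few raw and percent-encoded metacharacters. The following added example (not part of the original advisory or the OpenNDS project) shows the same detection logic run over constructed access-log lines, generalised slightly: it percent-decodes each query string (bounded, so double-encoded input is also normalised) before checking for the metacharacters the query names. The log format, portal path and parameter names are assumptions, not real OpenNDS output.

```python
import re
from urllib.parse import unquote

# Shell metacharacters the advisory's SIEM query looks for: ; | ` $(
SUSPICIOUS = re.compile(r"[;|`]|\$\(")

# Constructed sample log lines (assumed format "<client_ip> <method> <url>").
# The /portal/ path and parameter names are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 GET /portal/?clientip=10.0.0.5&tok=abc123
10.0.0.7 GET /portal/?clientip=10.0.0.7;id
10.0.0.9 GET /portal/?clientip=10.0.0.9%7Cid
10.0.0.11 GET /portal/?tok=%2524%2528id%2529
10.0.0.13 GET /images/splash.png
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+)$")


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text):
    """Return (client_ip, raw_url, decoded_query) for each request whose
    query string contains a shell metacharacter after decoding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        query = url.partition("?")[2]  # empty string when there is no query
        decoded = decode_fully(query)
        if SUSPICIOUS.search(decoded):
            hits.append((m.group("ip"), url, decoded))
    return hits


if __name__ == "__main__":
    for ip, url, decoded in scan_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {url} -> {decoded!r}")
```

Two of the three flagged lines only become visible after decoding, which is why matching on the decoded query is more robust than enumerating encoded variants in the SIEM query.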
🔗 References
- https://github.com/openNDS/openNDS/releases/tag/v10.1.2
- https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80
- https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs