CVE-2023-38422

CVSS v3.1 base score: 7.5 (HIGH)

📋 TL;DR

Walchem Intuition 9 firmware versions before v4.21 are missing authentication on some API routes of the controller's management web server (CWE-306, Missing Authentication for Critical Function). An attacker who can reach that web server over the network can call those routes without credentials and download or export device data. Because the Intuition 9 is an industrial controller, the exposed data is operational (configuration, process parameters) rather than office data, and the device is typically deployed in ICS/OT networks.

💻 Affected Systems

Products:
  • Walchem Intuition 9
Versions: All firmware versions prior to v4.21
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the management web server component of the firmware. No special configuration required for exploitation.

📦 What is this software?

Walchem Intuition 9 (Intuition-9) is an industrial process controller made by Walchem, used for water treatment and similar chemical-dosing applications. It includes an embedded management web server for configuration and data export; the API of that web server is the component affected by this CVE.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Exposure of all data the unauthenticated routes can export, including configuration files, process parameters and, if the exports contain them, credentials. Data recovered this way can support follow-on manipulation of the process or operational disruption.

🟠 Likely Case: Unauthorized export of configuration and operational data, giving an attacker reconnaissance material (device settings, network details, process setpoints) for further attacks on the OT network.

🟢 If Mitigated: Limited impact when the management interface is reachable only from segmented, access-controlled engineering networks, since the flaw still requires network access to the web server.

🌐 Internet-Facing: HIGH - Direct internet exposure allows unauthenticated attackers to exploit this vulnerability remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to access sensitive data.

🎯 Exploit Status

Public PoC: No (none known at the time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the management interface but no authentication or special tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.21

Advisory (CISA ICSA-23-229-04): https://www.cisa.gov/news-events/ics-advisories/icsa-23-229-04

Restart Required: Yes

Instructions:

1. Download firmware v4.21 from the Walchem support portal.
2. Back up the current device configuration.
3. Upload and install the firmware update via the management interface (the device reboots).
4. Verify the reported firmware version is 4.21 or newer and restore the configuration if needed.

Schedule the update in a maintenance window: the controller is offline during the reboot and any process it controls must be in a safe state.

🔧 Temporary Workarounds

Network Segmentation (applies to all affected versions)

Isolate Walchem devices from untrusted networks and restrict access to the management interface to a dedicated engineering/OT management segment.

Access Control Lists (applies to all affected versions)

Implement default-deny firewall rules for the management web server ports (typically 80/443) that allow only the engineering workstations that need them. Note that an ACL does not fix the flaw: any host that is allowed through can still call the unauthenticated routes, so keep the allow-list short.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable devices from untrusted networks
  • If remote access to the management interface is required, put it behind a VPN or an authenticating reverse proxy rather than exposing the device directly
  • Deploy network monitoring and intrusion detection for unauthorized access attempts to management interfaces, in particular unauthenticated requests to API or export routes

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the device web interface or via SNMP if it is configured. Any version older than 4.21 is vulnerable. Compare version numbers numerically, not as strings: 4.9 is older than 4.21.

Check Version:

Open the device web interface at http(s)://device-ip/ and read the firmware version from the system or about page, or query it via SNMP if configured.

Verify Fix Applied:

Confirm the firmware version shown in the device management interface is 4.21 or higher after the post-update reboot.
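Version strings scraped from device pages or asset inventories come in different shapes ("v4.21", "Firmware 4.20", "4.9") and a plain string comparison misorders them. The following triage helper is an added example written for this page, not Walchem's or CISA's code; the inventory hosts and version strings are constructed, and the only real input is the fixed version 4.21 from the advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed version named in the advisory referenced on this page (CISA ICSA-23-229-04).
FIXED_VERSION = "4.21"


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from strings such as 'v4.21',
    'Firmware 4.20.3' or '4.9'. Returns None if no dotted number is present."""
    match = re.search(r"(\d+(?:\.\d+)+)", raw)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(reported: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported firmware is older than the fixed version, False if
    it is the fixed version or newer, None if the string carries no version.

    Components are compared as integers, so '4.9' sorts before '4.21'; a naive
    string comparison would wrongly treat 4.9 as newer than 4.21."""
    found = parse_version(reported)
    target = parse_version(fixed)
    if found is None or target is None:
        return None
    # Pad with zeros so that (4, 21) and (4, 21, 0) compare as equal.
    width = max(len(found), len(target))
    found = found + (0,) * (width - len(found))
    target = target + (0,) * (width - len(target))
    return found < target


# Constructed sample inventory: hypothetical hosts and version strings as an
# asset database or a scrape of each device's web UI might record them.
SAMPLE_INVENTORY: Dict[str, str] = {
    "10.0.5.11": "Firmware v4.20",
    "10.0.5.12": "v4.21",
    "10.0.5.13": "4.9",
    "10.0.5.14": "4.21.2",
    "10.0.5.15": "unknown",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label every host VULNERABLE, PATCHED or UNKNOWN."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        verdict = is_vulnerable(version)
        if verdict is None:
            result[host] = "UNKNOWN"
        elif verdict:
            result[host] = "VULNERABLE"
        else:
            result[host] = "PATCHED"
    return result


if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> {label}")
```

Hosts labelled UNKNOWN need a manual check; a device that reports no parseable version should be treated as vulnerable until proven otherwise.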

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated API requests to sensitive endpoints
  • Multiple failed authentication attempts followed by successful unauthenticated access

Network Indicators:

  • Unusual data export traffic from management interface
  • Unauthenticated HTTP requests to API endpoints

SIEM Query (pseudo-query; field names such as auth_status are illustrative and must be mapped to your real log source, usually a proxy, firewall or IDS in front of the device, since the controller itself may not log these requests):

source_ip=* AND (http_uri CONTAINS "/api/" OR http_uri CONTAINS "/export/") AND http_status=200 AND auth_status="none"
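The pseudo-query above only works once the fields exist in a log source; the script below shows the same detection logic run over HTTP logs. It is an added example written for this page, not code from Walchem, CISA or any SIEM vendor. The JSON log lines are constructed (hosts, paths, byte counts and the session cookie name are made up), and the /api/ and /export/ prefixes are assumptions taken from this page, not Walchem's published route names. It flags successful unauthenticated requests to sensitive routes, totals exported bytes per source, and implements the second log indicator (failed login followed by unauthenticated data access).

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Route prefixes this page treats as sensitive. Walchem's real route names are
# not published here; these prefixes are an assumption for the example.
SENSITIVE_PREFIXES = ("/api/", "/export/")

# Constructed sample: one JSON object per line, as a reverse proxy, WAF or
# Zeek-style HTTP log in front of the controller might emit. Hosts, paths and
# byte counts are made up; the controller itself is not assumed to log.
SAMPLE_LOG = """
{"ts":"2023-08-17T10:00:01Z","src":"10.0.5.50","method":"GET","uri":"/","status":200,"authorization":"","cookie":"","bytes":2048}
{"ts":"2023-08-17T10:00:05Z","src":"10.0.5.50","method":"POST","uri":"/login","status":401,"authorization":"","cookie":"","bytes":120}
{"ts":"2023-08-17T10:00:09Z","src":"10.0.5.50","method":"GET","uri":"/api/config","status":200,"authorization":"","cookie":"","bytes":51200}
{"ts":"2023-08-17T10:00:12Z","src":"10.0.5.50","method":"GET","uri":"/export/data","status":200,"authorization":"","cookie":"","bytes":734003}
{"ts":"2023-08-17T10:01:00Z","src":"10.0.5.20","method":"GET","uri":"/api/config","status":200,"authorization":"","cookie":"session=abc123","bytes":51200}
{"ts":"2023-08-17T10:02:00Z","src":"10.0.5.50","method":"GET","uri":"/api/status","status":403,"authorization":"","cookie":"","bytes":90}
"""


def parse_log(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line; malformed lines are skipped."""
    records: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_authenticated(rec: dict) -> bool:
    """A request counts as authenticated if it carried an Authorization header
    or a session cookie. The cookie name 'session' is an assumption."""
    return bool(rec.get("authorization")) or "session=" in rec.get("cookie", "")


def is_unauth_sensitive(rec: dict) -> bool:
    """Successful (HTTP 200) request to a sensitive route with no credential:
    the pattern the SIEM pseudo-query on this page describes."""
    return (
        rec.get("uri", "").startswith(SENSITIVE_PREFIXES)
        and rec.get("status") == 200
        and not is_authenticated(rec)
    )


def find_unauth_sensitive(records: List[dict]) -> List[dict]:
    """All records matching is_unauth_sensitive, in log order."""
    return [rec for rec in records if is_unauth_sensitive(rec)]


def summarize_by_source(hits: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-source request and byte totals, to spot bulk data export."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for rec in hits:
        summary[rec["src"]]["requests"] += 1
        summary[rec["src"]]["bytes"] += int(rec.get("bytes", 0))
    return dict(summary)


def failed_login_then_unauth_access(records: List[dict]) -> Set[str]:
    """Sources that failed authentication (401 on /login) and afterwards pulled
    sensitive data without credentials: the second log indicator above."""
    failed: Set[str] = set()
    suspicious: Set[str] = set()
    for rec in sorted(records, key=lambda r: r.get("ts", "")):
        src = rec.get("src", "")
        if rec.get("uri") == "/login" and rec.get("status") == 401:
            failed.add(src)
        elif src in failed and is_unauth_sensitive(rec):
            suspicious.add(src)
    return suspicious


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = find_unauth_sensitive(recs)
    for rec in hits:
        print(f"ALERT {rec['ts']} {rec['src']} {rec['method']} {rec['uri']} {rec['bytes']}B no-auth")
    print("per-source totals:", summarize_by_source(hits))
    print("failed login then unauth access:", failed_login_then_unauth_access(recs))
```

On the sample, the authenticated request from 10.0.5.20 and the 403 on /api/status are not flagged; only 10.0.5.50's two credential-less 200 responses are, and that source is also the one that first failed a login. Tune the byte threshold to the device's normal export size before alerting on volume alone.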

🔗 References

  • CISA ICS Advisory ICSA-23-229-04: https://www.cisa.gov/news-events/ics-advisories/icsa-23-229-04
  • NVD entry for CVE-2023-38422: https://nvd.nist.gov/vuln/detail/CVE-2023-38422
