CVE-2023-43800
📋 TL;DR
This vulnerability allows local attackers or those who can bypass CORS restrictions to escalate privileges to the level of the Arduino Create Agent service user via a crafted HTTP POST request to the /v2/pkgs/tools/installed endpoint. It affects users running vulnerable versions of Arduino Create Agent on their systems. The vulnerability enables unauthorized privilege escalation without requiring authentication.
💻 Affected Systems
- Arduino Create Agent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control over the Arduino Create Agent service account, potentially allowing them to execute arbitrary code with the service's privileges, install malicious packages, or compromise the host system.
Likely Case
Local users or attackers who can reach the localhost interface escalate privileges to the service account level, enabling unauthorized software installation or configuration changes.
If Mitigated
With proper network segmentation and access controls, only authorized local users could potentially exploit this, limiting the attack surface.
🎯 Exploit Status
Exploitation requires crafting a specific HTTP POST request to the vulnerable endpoint. No authentication is required if the attacker can reach the endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3
Vendor Advisory: https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p
Restart Required: Yes
Instructions:
1. Download Arduino Create Agent version 1.3.3 or later from official sources.
2. Stop the Arduino Create Agent service.
3. Install the updated version.
4. Restart the service.
🧯 If You Can't Patch
- Restrict network access to the Arduino Create Agent service using firewall rules to allow only trusted hosts.
- Run the Arduino Create Agent service with minimal privileges using a dedicated low-privilege service account.
🔍 How to Verify
Check if Vulnerable:
Check if Arduino Create Agent is running and its version is below 1.3.3. Look for the agent process and check its version information.
Check Version:
Check the agent's version through its interface or look for version files in the installation directory.
Verify Fix Applied:
Verify that Arduino Create Agent version is 1.3.3 or higher by checking the version number in the application or via package manager.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to /v2/pkgs/tools/installed endpoint
- Unexpected privilege escalation events
- Unauthorized package installation attempts
Network Indicators:
- HTTP POST requests to localhost:port/v2/pkgs/tools/installed from unexpected sources
- CORS bypass attempts to the agent endpoint
SIEM Query:
source="arduino-agent" AND (url_path="/v2/pkgs/tools/installed" OR event_type="privilege_escalation")
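As an added example (not code from the advisory or from the Arduino project), a small Python checker that applies the log indicators above: it flags POST requests to /v2/pkgs/tools/installed whose Origin header is missing or not on an allow-list. The log-line format and the allow-listed origins are assumptions for this example; adapt both to the log source you actually collect from.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Endpoint named in the advisory for CVE-2023-43800.
SENSITIVE_PATH = "/v2/pkgs/tools/installed"

# Assumed allow-list of browser origins that legitimately talk to the agent;
# replace with the origins your deployment expects.
ALLOWED_ORIGINS = {"https://create.arduino.cc", "https://app.arduino.cc"}

# Constructed log-line format for this example (not the agent's own format):
#   <ISO timestamp> <client ip> <method> <path> origin=<Origin header or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) origin=(?P<origin>\S+)$"
)


@dataclass
class Alert:
    ts: str
    ip: str
    origin: str
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert when a line is a POST to the sensitive path from an unexpected origin."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line; count these separately in production
    if m["method"] != "POST" or m["path"].split("?", 1)[0] != SENSITIVE_PATH:
        return None
    origin = m["origin"]
    if origin == "-":
        reason = "POST to sensitive path without Origin header (non-browser client)"
    elif origin not in ALLOWED_ORIGINS:
        reason = f"POST to sensitive path from unexpected origin {origin}"
    else:
        return None  # allow-listed browser origin: normal IDE traffic
    return Alert(m["ts"], m["ip"], origin, reason)


def scan(lines: List[str]) -> List[Alert]:
    """Run classify() over a log and keep only the alerts."""
    return [a for a in (classify(line) for line in lines) if a is not None]


SAMPLE_LOG = [  # constructed sample data
    "2023-10-10T12:00:01Z 127.0.0.1 GET /info origin=https://create.arduino.cc",
    "2023-10-10T12:00:02Z 127.0.0.1 POST /v2/pkgs/tools/installed origin=https://create.arduino.cc",
    "2023-10-10T12:00:03Z 127.0.0.1 POST /v2/pkgs/tools/installed origin=http://untrusted.example",
    "2023-10-10T12:00:04Z 127.0.0.1 POST /v2/pkgs/tools/installed origin=-",
    "2023-10-10T12:00:05Z 127.0.0.1 POST /v2/pkgs/tools/installed?x=1 origin=-",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.ip} {alert.reason}")
```

On the constructed sample the checker reports three of the five lines; the allow-listed POST and the GET are left alone.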
🔗 References
- https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3
- https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p
- https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide