CVE-2023-43802
📋 TL;DR
This vulnerability allows local attackers, or remote attackers who bypass CORS restrictions, to execute arbitrary code with the privileges of the Arduino Create Agent service via a crafted HTTP POST request to the /upload endpoint. It affects users running Arduino Create Agent versions before 1.3.3. The vulnerability enables privilege escalation from a lower-privileged user to the service account.
💻 Affected Systems
- Arduino Create Agent
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Arduino Create Agent service user, potentially leading to complete control over the affected system.
Likely Case
Local privilege escalation allowing attackers to execute arbitrary code, install malware, or access sensitive data on systems where the agent is running.
If Mitigated
No impact if the service is not running or if proper network segmentation prevents access to the localhost interface.
🎯 Exploit Status
Exploitation requires the ability to send HTTP requests to the agent's localhost interface. The CWE-22 (Path Traversal) classification indicates that manipulation of the filename parameter leads to arbitrary file upload and execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3
Vendor Advisory: https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx
Restart Required: Yes
Instructions:
1. Download Arduino Create Agent version 1.3.3 or later from official sources.
2. Stop the Arduino Create Agent service.
3. Install the updated version.
4. Restart the service.
🔧 Temporary Workarounds
Network Access Restriction
Block access to the Arduino Create Agent port (default 8991) from unauthorized users using firewall rules.
sudo ufw deny 8991
netsh advfirewall firewall add rule name="Block Arduino Agent" dir=in action=block protocol=TCP localport=8991
Service Disablement
Temporarily disable the Arduino Create Agent service if it is not actively needed for development.
sudo systemctl stop arduino-create-agent
sc stop "Arduino Create Agent"
🧯 If You Can't Patch
- Run Arduino Create Agent with minimal necessary privileges using a dedicated low-privilege service account.
- Implement strict network segmentation to isolate systems running vulnerable versions from other network resources.
🔍 How to Verify
Check if Vulnerable:
Check whether Arduino Create Agent is running and listening on localhost:8991, then test the /upload endpoint with a crafted filename parameter.
Check Version:
Run arduino-create-agent --version, or check the service properties / package version.
Verify Fix Applied:
Verify that the installed version is 1.3.3 or later and that crafted requests to the /upload endpoint no longer result in privilege escalation.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to /upload endpoint
- File write operations in unexpected directories by Arduino Create Agent process
- Process execution from unusual locations by the agent service account
Network Indicators:
- HTTP POST requests to localhost:8991/upload with suspicious filename parameters
- Unusual outbound connections from Arduino Create Agent process
SIEM Query:
source="arduino-agent.log" AND (uri_path="/upload" AND http_method="POST") AND filename="*../*"
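The SIEM query above only matches a literal "../", so a URL-encoded or double-encoded filename, an absolute path, or a backslash variant slips past it. The following is an added detection example (not code from the Arduino project or this advisory) that decodes and normalizes the filename parameter before checking it; the log line format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (hypothetical "<ts> <method> <uri> <status>" format,
# not real Arduino Create Agent output). Lines 2, 4, 5 and 6 are suspicious.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z POST /upload?filename=sketch.hex 200",
    "2024-05-01T10:00:05Z POST /upload?filename=..%2F..%2F..%2Ftmp%2Fdropped.bin 200",
    "2024-05-01T10:00:09Z GET /info 200",
    "2024-05-01T10:00:12Z POST /upload?filename=%252e%252e%252ftmp%252fx 403",
    "2024-05-01T10:00:20Z POST /upload?filename=/opt/agent/bin/helper 200",
    r"2024-05-01T10:00:25Z POST /upload?filename=..\..\tmp\x.bin 200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")


def is_traversal(filename: str) -> bool:
    """True if the filename escapes a single upload directory.

    parse_qs already removed one layer of percent-encoding; decoding twice more
    catches double-encoded input such as %252e%252e%252f.
    """
    decoded = unquote(unquote(filename)).replace("\\", "/")
    if decoded.startswith("/"):          # absolute path: never a plain sketch name
        return True
    return ".." in decoded.split("/")    # any parent-directory segment


def scan(lines: list[str]) -> list[dict]:
    """Return POST /upload requests whose filename parameter looks like traversal.

    Rejected requests (e.g. 403) are kept: a blocked attempt is still an alert.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["uri"])
        if url.path != "/upload":
            continue
        for fname in parse_qs(url.query).get("filename", []):
            if is_traversal(fname):
                hits.append({"ts": m["ts"], "filename": fname, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(hit)
```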
🔗 References
- https://github.com/arduino/arduino-create-agent/releases/tag/1.3.3
- https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx
- https://www.nozominetworks.com/blog/security-flaws-affect-a-component-of-the-arduino-create-cloud-ide