CVE-2023-44037
📋 TL;DR
This vulnerability in ZPE Systems Nodegrid OS allows remote attackers to obtain sensitive information through the TACACS+ server component. Attackers can potentially access credentials, configuration data, or other sensitive information stored or processed by TACACS+. Organizations running affected Nodegrid OS versions with TACACS+ enabled are at risk.
💻 Affected Systems
- ZPE Systems Nodegrid OS
📦 What is this software?
Nodegrid OS by ZPE Systems
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials, leading to complete system compromise, data exfiltration, and potential lateral movement within the network.
Likely Case
Attackers gain access to sensitive configuration information, user credentials, or authentication data that could be used for further attacks.
If Mitigated
Limited information disclosure with no critical credentials exposed, minimal operational impact.
🎯 Exploit Status
The vulnerability allows information disclosure without authentication, suggesting relatively straightforward exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Nodegrid OS v5.8.14 or v5.10.6 or later
Vendor Advisory: https://psirt.zpesystems.com/portal/en/kb/articles/security-advisory-zpe-ng-2023-002
Restart Required: Yes
Instructions:
1. Download the latest Nodegrid OS version from the ZPE Systems support portal.
2. Back up the current configuration.
3. Apply the update through the Nodegrid management interface or CLI.
4. Reboot the system as required.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable TACACS+ Server
Temporarily disable the TACACS+ server component if it is not required for operations:
# Access Nodegrid CLI
configure
no tacacs-server enable
commit
Restrict Network Access
Implement network controls to restrict access to the TACACS+ service (TCP port 49):
# Example firewall rules to restrict TACACS+ access; replace trusted_networks with the
# CIDR(s) of your management hosts. The ACCEPT rule must be inserted before the DROP rule.
iptables -A INPUT -p tcp --dport 49 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 49 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Nodegrid systems from untrusted networks
- Monitor TACACS+ traffic for unusual patterns or unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the Nodegrid OS version with the CLI command 'show version' or in the web interface. If the version is in the range v5.8.10 to v5.8.13 or v5.10.3 to v5.10.5, the system is vulnerable.
Check Version:
show version
Verify Fix Applied:
After the update, confirm with 'show version' that the version is v5.8.14 or later on the 5.8 branch, or v5.10.6 or later on the 5.10 branch.
📡 Detection & Monitoring
Log Indicators:
- Unusual TACACS+ authentication requests
- Multiple failed TACACS+ connections from single source
- TACACS+ traffic from unexpected IP addresses
Network Indicators:
- Unusual volume of traffic to TACACS+ port 49
- TACACS+ connections from unauthorized networks
SIEM Query:
dest_port:49 AND dest_ip IN [nodegrid_ips] AND src_ip NOT IN [authorized_networks]
Pseudo-query: match on destination port 49 (the server side of a TACACS+ connection) and require both conditions, so that ordinary traffic to the Nodegrid hosts is not flagged.
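The same detection logic applied to connection logs, as an added example that is not part of this advisory or of Nodegrid OS: the log line format, the allow-listed networks, the Nodegrid address and the failure threshold are all assumptions to adjust for your environment.

```python
import ipaddress
import re
from collections import Counter

TACACS_PORT = 49
FAIL_THRESHOLD = 3  # assumed cut-off for "multiple failed connections from single source"
# Assumed allow-list of networks that may reach the TACACS+ service, and the
# assumed address of the Nodegrid appliance; adjust both to your environment.
AUTHORIZED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
NODEGRID_IPS = {ipaddress.ip_address("10.0.0.5")}

# Constructed log format: "<ts> src=<ip>:<port> dst=<ip>:<port> result=<ok|fail>"
LINE_RE = re.compile(r"^\S+ src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) result=(?P<result>\w+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than abort the sweep
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "result": m["result"]}

def is_authorized(src):
    return any(src in net for net in AUTHORIZED_NETWORKS)

def find_indicators(lines):
    """Return (sources outside the allow-list, sources with repeated failures)."""
    unauthorized, failures = set(), Counter()
    for line in lines:
        ev = parse(line)
        # Keep only client->server traffic: destination is a Nodegrid host on TCP/49.
        # Matching on source port 49 would select the server's replies instead.
        if ev is None or ev["dport"] != TACACS_PORT or ev["dst"] not in NODEGRID_IPS:
            continue
        if not is_authorized(ev["src"]):
            unauthorized.add(str(ev["src"]))
        if ev["result"] == "fail":
            failures[str(ev["src"])] += 1
    repeat = sorted(src for src, n in failures.items() if n >= FAIL_THRESHOLD)
    return sorted(unauthorized), repeat

SAMPLE_LOG = [  # constructed lines, not real Nodegrid output
    "2023-10-01T10:00:01Z src=10.0.1.20:51000 dst=10.0.0.5:49 result=ok",
    "2023-10-01T10:00:02Z src=203.0.113.9:40001 dst=10.0.0.5:49 result=fail",
    "2023-10-01T10:00:03Z src=203.0.113.9:40002 dst=10.0.0.5:49 result=fail",
    "2023-10-01T10:00:04Z src=203.0.113.9:40003 dst=10.0.0.5:49 result=fail",
    "2023-10-01T10:00:05Z src=192.168.50.7:40010 dst=10.0.0.5:49 result=fail",
    "2023-10-01T10:00:06Z src=198.51.100.4:40011 dst=10.0.0.9:49 result=fail",  # not a Nodegrid host
    "2023-10-01T10:00:07Z src=10.0.0.5:49 dst=10.0.1.20:51000 result=ok",  # server reply, ignored
]
```

Running `find_indicators(SAMPLE_LOG)` on the constructed lines reports 203.0.113.9 both as an unauthorized source and as a repeat failer, while the single failure from an allow-listed host and the traffic to a non-Nodegrid address are left alone.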