CVE-2023-22844: TALOS-2023-1700 || Cisco Talos Intelligence Group

SUMMARY

An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

PRODUCT URLS

MilesightVPN - https://www.milesight-iot.com/milesightvpn/

CVSSv3 SCORE

7.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-321 - Use of Hard-coded Cryptographic Key

DETAILS

MilesightVPN is software that makes setting up a VPN tunnel for Milesight products easier and allows monitoring the connection status through a web server interface.

MilesightVPN allows managing the various VPN-related configuration settings and the connected devices through its web interface. The web interface is protected by a login; it verifies whether the user has permission to access a page by means of a JSON Web Token (JWT).

The function to generate the JWT is generateToken:

// Modules the snippet relies on (not shown in the advisory; assumed to be Node's
// 'fs' and 'path' modules and the 'jsonwebtoken' package, with expiretime a
// configured token lifetime in seconds).
var fs = require('fs');
var path = require('path');
var jwt = require('jsonwebtoken');

function generateToken(data){
    var created=Math.floor(Date.now()/1000);
    // The signing key is read from a fixed file inside the installation folder
    var cert=fs.readFileSync(path.join(__dirname,'./https/privkey.pem'));
    // The JWT payload carries the caller-supplied data and an expiry timestamp
    var token=jwt.sign({
        data,
        exp:created+expiretime
    },cert,{algorithm:'RS256'});
    return token;
}

And the function to verify the JWT is verifyToken:

// Uses the same fs, path and jwt modules as generateToken above.
function verifyToken(token){
    var rt={};
    // The verification key is likewise a fixed file inside the installation folder
    var cert=fs.readFileSync(path.join(__dirname,'./https/public.pem'));
    try{
        var result=jwt.verify(token,cert,{algorithm:['RS256']})||{};
        // Accept the token only while its exp claim lies in the future
        var exp=result.exp?result.exp:0,current=Math.floor(Date.now()/1000);
        if(current<=exp)
        {
            rt=result.data||{};
        }
    }
    catch(e){
        // Any verification error leaves rt empty, i.e. the request is treated as unauthenticated
    }
    return rt;
}

Because the public and private keys used for these processes are not generated randomly during installation of MilesightVPN but are instead static files in the installation folder, forging a JWT is a trivial task. For this reason the web interface is vulnerable to an authentication bypass: anyone holding the shipped key material can forge a valid JWT.

VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

TIMELINE

2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.
