Assigner | Nozomi |
Reserved | 2023-11-02 |
Published | 2024-05-15 |
Updated | 2024-06-06 |
Description
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | |
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Problem types
CWE-306 Missing Authentication for Critical Function
Product status
Any version before 1.6.0
Credits
This issue was found by Diego Giubertoni of Nozomi Networks Security Research team during an internal penetration testing session.
References
https://security.nozominetworks.com/NN-2023:13-01