CVE-2023-41101

Severity: Critical
Published: 17 November 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0544 (90.4th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41101 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in OpenNDS (vendor: OpenNDS). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.6% of CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-41101 is a buffer overflow vulnerability in the captive portal component of OpenNDS, specifically in the get_query function within http_microhttpd.c. The function fails to validate the length of query strings in incoming GET requests, resulting in a stack-based overflow in versions 9.x and earlier and a heap-based overflow in versions 10.x and later. The flaw affects all releases prior to 10.1.3 and carries a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can trigger the issue simply by sending a crafted GET request to an exposed OpenNDS instance. Successful exploitation may crash the daemon, producing a denial-of-service condition, or allow injection and execution of arbitrary code, granting full control over the affected device.

The vulnerability was addressed by commit c294cf30 in the OpenNDS repository, with the official fix released in version 10.2.0. OpenWrt integrated the corrected package into its master and 23.05 branches on 23 November 2023; a related advisory was also published by Sierra Wireless. The associated EPSS score has remained low, with a current value of 0.0544 and a peak of 0.0558.
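The length check the analysis describes, as an added illustration in C that is not OpenNDS code: the unbounded copy pattern beside a bounded version that refuses over-long queries with an HTTP 414. QUERY_MAX, the function names and the 414 response are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the CWE-787 pattern described for CVE-2023-41101;
 * QUERY_MAX and all names are assumptions, not OpenNDS code. */
#define QUERY_MAX 256

/* Vulnerable pattern (not exercised here): unbounded copy, so a query
 * longer than QUERY_MAX - 1 bytes writes past the buffer, on the stack
 * (the 9.x case) or on the heap (the 10.x case). */
void get_query_unchecked(const char *query, char *out)
{
    strcpy(out, query);
}

/* Hardened pattern: bounded scan, refuse what does not fit, then copy
 * and terminate. Returns 0 on success, -1 if the query cannot be stored. */
int get_query_checked(const char *query, char *out, size_t outlen)
{
    if (query == NULL || out == NULL || outlen == 0) return -1;
    size_t qlen = 0;
    while (qlen < outlen && query[qlen] != '\0')  /* never reads past outlen */
        qlen++;
    if (qlen >= outlen)                            /* no room for terminator */
        return -1;
    memcpy(out, query, qlen);
    out[qlen] = '\0';
    return 0;
}

/* Request-level wrapper: store the query of a GET target in a local
 * QUERY_MAX buffer. Returns 200 when stored (a target without '?' is an
 * empty query) or 414 URI Too Long when it would not fit. */
int handle_get_target(const char *target)
{
    char query[QUERY_MAX];
    const char *q = strchr(target, '?');
    return get_query_checked(q ? q + 1 : "", query, sizeof query) == 0 ? 200 : 414;
}

/* Build "/?" followed by n bytes of 'A' and report the resulting status. */
int status_for_query_length(size_t n)
{
    char *target = malloc(n + 3);                  /* "/?" + n bytes + NUL */
    if (target == NULL) return 500;
    memcpy(target, "/?", 2);
    memset(target + 2, 'A', n);
    target[n + 2] = '\0';
    int status = handle_get_target(target);
    free(target);
    return status;
}
```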

EU & UK References

Vulnerability details

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. get_query in http_microhttpd.c does not validate the length of the query string of GET requests. This leads to a stack-based buffer overflow in versions 9.x and earlier, and to a heap-based buffer overflow in versions 10.x and later. Attackers may exploit the issue to crash OpenNDS (Denial-of-Service condition) or to inject and execute arbitrary bytecode (Remote Code Execution). Affected OpenNDS before version 10.1.3 fixed in OpenWrt master and OpenWrt 23.05 on 23 November by updating OpenNDS to version 10.2.0.

CWE(s)

CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: opennds
Product: opennds
Affected versions: 9.0.0 — 10.1.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787 (Out-of-bounds Write)

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections that mark writable pages non-executable.

References