CVE-2023-38321 - NULL Pointer Dereference vulnerability in Sierra Wireless ALEOS
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: HIGH

Summary
OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/openNDS/openNDS/blob/master/ChangeLog
- https://openwrt.org/docs/guide-user/services/captive-portal/opennds
- https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx