Details of VAR-202307-1178

ID

VAR-202307-1178

CVE

CVE-2023-38102

TITLE

of netgear ProSAFE Network Management System Vulnerability regarding lack of authentication in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028088

DESCRIPTION

NETGEAR ProSAFE Network Management System createUser Missing Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the createUser function. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-19726. (DoS) It may be in a state

Trust: 2.79

sources: NVD: CVE-2023-38102 // JVNDB: JVNDB-2023-028088 // ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-33669

AFFECTED PRODUCTS

vendor:	netgear	model:	prosafe network management system	scope:	lt	version:	1.7.0.20	Trust: 1.0
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	-	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	1.7.0.20	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.8
vendor:	netgear	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.7
vendor:	netgear	model:	prosafe	scope:	-	version:	-	Trust: 0.6

sources: ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669 // JVNDB: JVNDB-2023-028088 // NVD: CVE-2023-38102

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-38102
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2023-38102
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-38102
value:	HIGH
Trust: 0.8
ZDI:	CVE-2023-38102
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2024-33669
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-33669
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-38102
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2023-38102
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2023-38102
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669 // JVNDB: JVNDB-2023-028088 // NVD: CVE-2023-38102 // NVD: CVE-2023-38102

PROBLEMTYPE DATA

problemtype:	CWE-862	Trust: 1.0
problemtype:	Lack of authentication (CWE-862) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-028088 // NVD: CVE-2023-38102

PATCH

title:	NETGEAR has issued an update to correct this vulnerability.	url:	https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025	Trust: 0.7
title:	Patch for NETGEAR ProSAFE Privilege Escalation Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/574031	Trust: 0.6

sources: ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669

EXTERNAL IDS

db:	NVD	id:	CVE-2023-38102	Trust: 3.9
db:	ZDI	id:	ZDI-23-914	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-028088	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-19726	Trust: 0.7
db:	CNVD	id:	CNVD-2024-33669	Trust: 0.6

sources: ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669 // JVNDB: JVNDB-2023-028088 // NVD: CVE-2023-38102

REFERENCES

url:	https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025	Trust: 2.5
url:	https://www.zerodayinitiative.com/advisories/zdi-23-914/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-38102	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38102	Trust: 0.6

sources: ZDI: ZDI-23-914 // CNVD: CNVD-2024-33669 // JVNDB: JVNDB-2023-028088 // NVD: CVE-2023-38102

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-914

SOURCES

db:	ZDI	id:	ZDI-23-914
db:	CNVD	id:	CNVD-2024-33669
db:	JVNDB	id:	JVNDB-2023-028088
db:	NVD	id:	CVE-2023-38102

LAST UPDATE DATE

2025-02-09T22:57:56.967000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-914	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33669	date:	2024-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2023-028088	date:	2025-02-07T08:32:00
db:	NVD	id:	CVE-2023-38102	date:	2025-02-06T18:00:50.560

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-914	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33669	date:	2024-07-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-028088	date:	2025-02-07T00:00:00
db:	NVD	id:	CVE-2023-38102	date:	2024-05-03T02:15:53.147