Details of VAR-202307-1219

ID

VAR-202307-1219

CVE

CVE-2023-38101

TITLE

of netgear ProSAFE Network Management System Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028078

DESCRIPTION

NETGEAR ProSAFE Network Management System SettingConfigController Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the SettingConfigController class. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19725. of netgear ProSAFE Network Management System Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 2.79

sources: NVD: CVE-2023-38101 // JVNDB: JVNDB-2023-028078 // ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-33668

AFFECTED PRODUCTS

vendor:	netgear	model:	prosafe network management system	scope:	lt	version:	1.7.0.20	Trust: 1.0
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	-	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	1.7.0.20	Trust: 0.8
vendor:	netgear	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.7
vendor:	netgear	model:	prosafe	scope:	-	version:	-	Trust: 0.6

sources: ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668 // JVNDB: JVNDB-2023-028078 // NVD: CVE-2023-38101

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-38101
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2023-38101
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-38101
value:	HIGH
Trust: 0.8
ZDI:	CVE-2023-38101
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2024-33668
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-33668
severity:	HIGH
baseScore:	8.3
vectorString:	AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-38101
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.0
nvd@nist.gov:	CVE-2023-38101
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-38101
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2023-38101
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668 // JVNDB: JVNDB-2023-028078 // NVD: CVE-2023-38101 // NVD: CVE-2023-38101

PROBLEMTYPE DATA

problemtype:	CWE-749	Trust: 1.0
problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	Exposing dangerous methods or functions (CWE-749) [ others ]	Trust: 0.8
problemtype:	others (CWE-Other) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-028078 // NVD: CVE-2023-38101

PATCH

title:	NETGEAR has issued an update to correct this vulnerability.	url:	https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025	Trust: 0.7
title:	Patch for NETGEAR ProSAFE Remote Code Execution Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/574046	Trust: 0.6

sources: ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668

EXTERNAL IDS

db:	NVD	id:	CVE-2023-38101	Trust: 3.9
db:	ZDI	id:	ZDI-23-915	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-028078	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-19725	Trust: 0.7
db:	CNVD	id:	CNVD-2024-33668	Trust: 0.6

sources: ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668 // JVNDB: JVNDB-2023-028078 // NVD: CVE-2023-38101

REFERENCES

url:	https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025	Trust: 2.5
url:	https://www.zerodayinitiative.com/advisories/zdi-23-915/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-38101	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38101	Trust: 0.6

sources: ZDI: ZDI-23-915 // CNVD: CNVD-2024-33668 // JVNDB: JVNDB-2023-028078 // NVD: CVE-2023-38101

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-915

SOURCES

db:	ZDI	id:	ZDI-23-915
db:	CNVD	id:	CNVD-2024-33668
db:	JVNDB	id:	JVNDB-2023-028078
db:	NVD	id:	CVE-2023-38101

LAST UPDATE DATE

2025-02-08T23:22:45.844000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-915	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33668	date:	2024-07-26T00:00:00
db:	JVNDB	id:	JVNDB-2023-028078	date:	2025-02-07T05:11:00
db:	NVD	id:	CVE-2023-38101	date:	2025-02-06T18:01:03.677

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-915	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33668	date:	2024-07-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-028078	date:	2025-02-07T00:00:00
db:	NVD	id:	CVE-2023-38101	date:	2024-05-03T02:15:52.977