ID

VAR-202307-1321


CVE

CVE-2023-38096


TITLE

Vulnerability in NETGEAR ProSAFE Network Management System

Trust: 0.8

sources: JVNDB: JVNDB-2023-028074

DESCRIPTION

NETGEAR ProSAFE Network Management System MyHandlerInterceptor Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of NETGEAR ProSAFE Network Management System. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MyHandlerInterceptor class. The issue results from improper implementation of the authentication mechanism. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-19718. NETGEAR ProSAFE Network Management System contains an unspecified vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 2.79

sources: NVD: CVE-2023-38096 // JVNDB: JVNDB-2023-028074 // ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33666

AFFECTED PRODUCTS

vendor: netgear, model: prosafe network management system, scope: lt, version: 1.7.0.20

Trust: 1.0

vendor: ネットギア, model: prosafe network management system, scope: eq, version: -

Trust: 0.8

vendor: ネットギア, model: prosafe network management system, scope: -, version: -

Trust: 0.8

vendor: ネットギア, model: prosafe network management system, scope: eq, version: 1.7.0.20

Trust: 0.8

vendor: netgear, model: prosafe network management system, scope: -, version: -

Trust: 0.7

vendor: netgear, model: prosafe, scope: -, version: -

Trust: 0.6

sources: ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666 // JVNDB: JVNDB-2023-028074 // NVD: CVE-2023-38096

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-38096
value: CRITICAL

Trust: 1.0

nvd@nist.gov: CVE-2023-38096
value: CRITICAL

Trust: 1.0

NVD: CVE-2023-38096
value: CRITICAL

Trust: 0.8

ZDI: CVE-2023-38096
value: CRITICAL

Trust: 0.7

CNVD: CNVD-2024-33666
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-33666
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2023-38096
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2023-38096
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

ZDI: CVE-2023-38096
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666 // JVNDB: JVNDB-2023-028074 // NVD: CVE-2023-38096 // NVD: CVE-2023-38096

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: CWE-287

Trust: 1.0

problemtype: Inappropriate authentication (CWE-287) [others]

Trust: 0.8

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-028074 // NVD: CVE-2023-38096

PATCH

title: NETGEAR has issued an update to correct this vulnerability.
url: https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025

Trust: 0.7

title: Patch for NETGEAR ProSAFE Authentication Bypass Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/571371

Trust: 0.6

sources: ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666

EXTERNAL IDS

db: NVD, id: CVE-2023-38096

Trust: 3.9

db: ZDI, id: ZDI-23-920

Trust: 2.5

db: JVNDB, id: JVNDB-2023-028074

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-19718

Trust: 0.7

db: CNVD, id: CNVD-2024-33666

Trust: 0.6

sources: ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666 // JVNDB: JVNDB-2023-028074 // NVD: CVE-2023-38096

REFERENCES

url: https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025

Trust: 2.5

url: https://www.zerodayinitiative.com/advisories/zdi-23-920/

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-38096

Trust: 0.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38096

Trust: 0.6

sources: ZDI: ZDI-23-920 // CNVD: CNVD-2024-33666 // JVNDB: JVNDB-2023-028074 // NVD: CVE-2023-38096

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-920

SOURCES

db: ZDI, id: ZDI-23-920
db: CNVD, id: CNVD-2024-33666
db: JVNDB, id: JVNDB-2023-028074
db: NVD, id: CVE-2023-38096

LAST UPDATE DATE

2025-02-08T23:24:19.358000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-23-920, date: 2023-07-13T00:00:00
db: CNVD, id: CNVD-2024-33666, date: 2024-07-26T00:00:00
db: JVNDB, id: JVNDB-2023-028074, date: 2025-02-07T02:40:00
db: NVD, id: CVE-2023-38096, date: 2025-02-06T18:01:32.923

SOURCES RELEASE DATE

db: ZDI, id: ZDI-23-920, date: 2023-07-13T00:00:00
db: CNVD, id: CNVD-2024-33666, date: 2024-07-18T00:00:00
db: JVNDB, id: JVNDB-2023-028074, date: 2025-02-07T00:00:00
db: NVD, id: CVE-2023-38096, date: 2024-05-03T02:15:52.070