CVE-2023-22581

White Rabbit Switch - Unauthenticated remote code execution

CVE CVE-2023-22581
Title White Rabbit Switch - Unauthenticated remote code execution
Case DIVD-2022-00068
Credits
Affected products
Product Affected Unaffected Unknown
CERN White Rabbit Switch >= < v6.0.1 to < v6.0.1 (v.x.y.z)
everything else
CVSS Base score: 9.8 (CRITICAL)
References
Problem type(s) CWE-20 Improper Input Validation
Impact(s) CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Date published 12 Apr 2023 19:00 UTC
Last modified

Description

White Rabbit Switch contains a vulnerability that allows an attacker to execute system commands in the context of the web application (in the default installation, the web server runs as the root user).

Workaround(s)

Upgrade to version 6.0.2

