CVE-2023-38321

Name of the Vulnerable Software and Affected Versions OpenNDS versions prior to 4.17.0.12

Description The issue allows remote attackers to cause a denial of service through a GET request to "/opennds auth/" that lacks a custom query string parameter and client-token, resulting in a NULL pointer dereference, daemon crash, and Captive Portal outage.

Recommendations For versions prior to 4.17.0.12, update to version 4.17.0.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/opennds auth/" endpoint until a patch is available. Avoid using the endpoint without a custom query string parameter and client-token to minimize the risk of exploitation.