CVE-2023-43744

Name of the Vulnerable Software and Affected Versions Zultys MX-SE versions prior to 17.0.10 patch 17161 Zultys MX-SE II versions prior to 17.0.10 patch 17161 Zultys MX-E versions prior to 17.0.10 patch 17161 Zultys MX-Virtual versions prior to 17.0.10 patch 17161 Zultys MX250 versions prior to 17.0.10 patch 17161 Zultys MX30 versions prior to 17.0.10 patch 17161 Zultys MX-SE versions prior to 16.04 patch 16109 Zultys MX-SE II versions prior to 16.04 patch 16109 Zultys MX-E versions prior to 16.04 patch 16109 Zultys MX-Virtual versions prior to 16.04 patch 16109 Zultys MX250 versions prior to 16.04 patch 16109 Zultys MX30 versions prior to 16.04 patch 16109

Description An OS command injection issue allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user-supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.

Recommendations For Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161, update to version 17.0.10 patch 17161 or later. For Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 16.04 patch 16109, update to version 16.04 patch 16109 or later. As a temporary workaround, consider validating the filename for the patch file before passing it to the shell script to prevent command injection.