CVE-2023-38120

Name of the Vulnerable Software and Affected Versions Adtran SR400ac (affected versions not specified)

Description The issue is related to the lack of input validation in the SmartOS WiFi router ADTRAn SR400ac, allowing remote attackers to execute arbitrary code in the context of the root user. The specific flaw exists within the ping command, available over JSON-RPC, where a crafted host parameter can trigger the execution of a system call composed from a user-supplied string. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed.

Recommendations As a temporary workaround, consider disabling the ping command over JSON-RPC until a patch is available. Restrict access to the JSON-RPC interface to minimize the risk of exploitation. Avoid using the host parameter in the ping command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.