| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.7 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Netmaker up to 0.18.5. It has been rated as problematic. The impacted element is an unknown function of the component DNS Handler. This manipulation causes hard-coded key. This vulnerability is tracked as CVE-2023-32077. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability has been found in Netmaker up to 0.18.5 and classified as problematic. Affected by this vulnerability is an unknown function of the component DNS Handler. The manipulation with an unknown input leads to a hard-coded key vulnerability. The CWE definition for the vulnerability is CWE-321. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. As an impact it is known to affect confidentiality. The summary by CVE is:
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
The weakness was disclosed 08/25/2023 as GHSA-8x8h-hcq8-jwwx. The advisory is shared at github.com. This vulnerability is known as CVE-2023-32077 since 05/01/2023. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1600.001 for this issue.
Upgrading to version 0.18.6 eliminates this vulnerability. Applying the patch 1621c27c1d176b639e9768b2acad7693e387fd51 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.8VulDB Meta Temp Score: 6.7
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CNA Base Score: 7.5
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Hard-coded keyCWE: CWE-321 / CWE-320
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Netmaker 0.18.6
Patch: 1621c27c1d176b639e9768b2acad7693e387fd51
Timeline
05/01/2023 🔍08/25/2023 🔍
08/25/2023 🔍
05/18/2026 🔍
Sources
Advisory: GHSA-8x8h-hcq8-jwwxStatus: Confirmed
CVE: CVE-2023-32077 (🔍)
GCVE (CVE): GCVE-0-2023-32077
GCVE (VulDB): GCVE-100-237937
Entry
Created: 08/25/2023 07:03Updated: 05/18/2026 20:16
Changes: 08/25/2023 07:03 (51), 05/18/2026 20:16 (26)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.