Zultys Security Advisory Notice - SAN23-001 Rev 2.0
Unauthorized Administrative Access Vulnerabilities (CVE-2023-43742, CVE-2023-43743, CVE-2023-43744)
MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, MX30
MX firmware 3.2.10 to 17.0.10
Several security vulnerabilities in the MX platform were responsibly reported to Zultys and subsequently detailed in CVE-2023-43742, CVE-2023-43743 and CVE-2023-43744. Patches are available for MX Release 16.0.4 and 17.0.10 to remediate the vulnerabilities.
CVE-2023-43742 – The service that runs on TCP port 7505 used by MX Administrator is vulnerable to authentication bypass. An anonymous attacker on the Internet can gain full administrative access without valid credentials.
CVE-2023-43743 – The web-based administration service on TCP port 443 is vulnerable to SQL injection. Web-based administration service is present in MX firmware 16.0.4 and later.
CVE-2023-43744 – The MX Administrator Patch Manager service allows remote authenticated users to perform OS command injection attacks. Users with administrator level access to the system can use this to execute OS commands on the underlying host.
The actions required to protect a system via a firmware upgrade and/or a patch vary depending on the firmware version that an MX system is currently running.
Install patch 17161 (or later replacement) via Patch Manager
|17.0.6||Upgrade to 17.0.10 and install patch 17161 (or later replacement) via Patch Manager|
Install patch 16109 (or later replacement) via Patch Manager
Upgrade to a supported release (16.0.4 or 17.0.10) and patch
15.0.x and earlier
Upgrade to a supported (16.0.4 or 17.0.10) and patch
If the current firmware is more than 2 major releases prior to the target release, a multi-step upgrade must be performed. Refer to the MX firmware release notes for additional details.
A system must be covered by a current Software Subscription or Software Assurance agreement to be eligible to upgrade firmware.
Release 17 does not support MXIE, users still utilizing MXIE must move to ZAC if upgrading from Release 16 or earlier to Release 17.0.10.
Mitigation / Workaround
If it is not immediately possible to upgrade or patch a system, access should be denied to the relevant services from untrusted IP addresses using the MX ‘Service Protection – Source Based Firewall’ feature where available (Release 14.0.4+) or block access to the relevant ports from untrusted IP addresses using an external firewall.
|Services||Ports||Applicable to Version|
7117, 7134, 7505
Zultys would like to thank Stephen Breen of Atredis Partners for reporting these issues to us.
Initial Security Advisory Notice.
|Patch numbers updated. Patch 17159 replaced by 17161. Patch 16107 replaced by 16109|
Details of CVE numbers added. Content updated accordingly.