cbcvebase.
CVE-2023-28502
published 2023-03-29

CVE-2023-28502: Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from a stack-based…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
61.10%
99.0th percentile
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from a stack-based buffer overflow in the "udadmin" service that can lead to remote code execution as the root user.

Affected

6 ranges
VendorProductVersion rangeFixed in
rocket_softwareunidata< 8.2.43.30038.2.43.3003
rocket_softwareuniverse< 11.3.5.100111.3.5.1001
rocket_softwareuniverse< 12.2.1.200212.2.1.2002
rocketsoftwareunidata<= 8.2.4
rocketsoftwareuniverse<= 11.3.5
rocketsoftwareuniverse12.0.0 – 12.2.1

Detection & IOCsextracted from sources · hover to see the quote

processudadmin_server
otherUniData 8.2.4 build 3001 (targeted)
  • Monitor for stack-based buffer overflow exploitation attempts against the udadmin_server RPC service; the password field is specially encoded to include NUL bytes, which is anomalous for standard authentication traffic.
  • Alert on oversized username or password fields sent to the udadmin service; both fields are copied to a stack buffer with no bounds checking (strcpy-equivalent), making abnormally long values a strong exploit indicator.
  • Look for forked child process crashes from udadmin_server as a sign of failed or probing exploitation attempts against non-targeted versions.
  • ·The Metasploit module specifically targets UniData 8.2.4 build 3001; exploitation against other vulnerable versions (prior to 8.2.4 build 3003) will crash the forked process rather than achieve RCE, meaning exploit attempts may appear as service crashes rather than successful compromise.
  • ·The vulnerability is confirmed for the Linux version of udadmin_server only; scope of impact on other platforms is not addressed in available sources.
  • ·UniVerse is also affected; patched versions are UniVerse 11.3.5 build 1001 or 12.2.1 build 2002 and above.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.