cbcvebase.
CVE-2023-32077
published 2023-08-24

CVE-2023-32077: Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to…

PriorityP356high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
3.15%
86.3th percentile
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.

Affected

6 ranges
VendorProductVersion rangeFixed in
github.comgravitl_netmaker>= 0 < 0.17.10.17.1
github.comgravitl_netmaker>= 0.18.0 < 0.18.60.18.6
gravitlnetmaker< 0.17.10.17.1
gravitlnetmaker
netmakernetmaker< 0.17.10.17.1
netmakernetmaker0.18.0 – 0.18.5

Detection & IOCsextracted from sources · hover to see the quote

url/api/dns
  • Detect unauthenticated exploitation attempts against the Netmaker DNS API endpoint: look for GET requests to /api/dns with the Authorization header value 'x secretkey' returning HTTP 200 with JSON body containing 'address', 'network', and 'name' fields.
  • Shodan/FOFA fingerprinting: Netmaker instances can be identified by HTML body containing the string 'netmaker', which can be used to scope detection to exposed instances.
  • ·The hardcoded DNS secret key ('x secretkey') is present in Netmaker versions prior to 0.17.1 and 0.18.6. Versions 0.18.0–0.18.5 are confirmed vulnerable and require upgrade to 0.18.6 or later.
  • ·For users on 0.17.1, pulling the latest Docker image and restarting is sufficient: `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.