CVE-2023-41101
published 2023-11-17


Priority: P261 (critical)
CVSS 3.1: 9.8 (critical); vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.90% (77.1th percentile)
An issue was discovered in the captive portal in OpenNDS before version 10.1.3. get_query in http_microhttpd.c does not validate the length of the query string of GET requests. This leads to a stack-based buffer overflow in versions 9.x and earlier, and to a heap-based buffer overflow in versions 10.x and later. Attackers may exploit the issue to crash OpenNDS (Denial-of-Service condition) or to inject and execute arbitrary bytecode (Remote Code Execution). The affected OpenNDS versions (before 10.1.3) were fixed in OpenWrt master and OpenWrt 23.05 on 23 November by updating OpenNDS to version 10.2.0.

Affected (4 ranges)

Vendor  | Product | Version range                      | Fixed in
debian  | opennds | < opennds 10.2.0+dfsg-1 (forky)    | opennds 10.2.0+dfsg-1 (forky)
opennds | opennds | >= 0 < 10.2.0+dfsg-1               | 10.2.0+dfsg-1
opennds | opennds | >= 0 < 10.2.0+dfsg-1               | 10.2.0+dfsg-1
opennds | opennds | >= 9.0.0 < 10.1.3                  | 10.1.3

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via an oversized/unvalidated query string in HTTP GET requests to the OpenNDS captive portal; monitor for abnormally long GET request query strings targeting the OpenNDS portal endpoint
  • In OpenNDS versions 9.x and earlier, the overflow is stack-based; in versions 10.x, it is heap-based — tailor memory-corruption detection (e.g., stack canary alerts vs. heap corruption signals) accordingly
  • Crash of the OpenNDS process (captive portal daemon) may indicate exploitation for DoS; unexpected process restarts or exits should be investigated
  • Only OpenNDS versions before 10.1.3 are vulnerable; versions 10.2.0 and later are patched. Verify the installed OpenNDS version on OpenWrt devices to confirm exposure.
  • Debian 'bookworm' remains unresolved/open for this CVE; only forky, sid, and trixie have been fixed with 10.2.0+dfsg-1.
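The first and fourth detection bullets above (abnormally long GET query strings reaching the portal, and confirming whether an installed version is in the affected range) can be turned into a small log check. The following is an added example written for this page, not code from the OpenNDS project or from the CVE sources. It assumes web-server access logs in Common Log Format, a constructed length threshold of 1024 bytes, and constructed sample log lines with placeholder portal paths; the real OpenNDS endpoint paths and the threshold appropriate for your traffic are not taken from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Common Log Format). Paths and client
# addresses are placeholders, not real OpenNDS endpoints or observed traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Nov/2023:10:00:01 +0000] "GET /splash.html?clientip=192.0.2.10&tok=abc HTTP/1.1" 200 512
192.0.2.11 - - [17/Nov/2023:10:00:02 +0000] "GET /splash.html?x={pad} HTTP/1.1" 200 512
192.0.2.12 - - [17/Nov/2023:10:00:03 +0000] "POST /portal_auth/ HTTP/1.1" 302 0
198.51.100.7 - - [17/Nov/2023:10:00:04 +0000] "GET /status?{pad2} HTTP/1.1" 500 0
""".format(pad="A" * 3000, pad2="q=" + "%41" * 800)

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed alerting threshold; tune it to the portal's normal query lengths.
QUERY_LEN_THRESHOLD = 1024

# First OpenNDS version that contains the fix, as stated on the page.
FIXED_VERSION = (10, 1, 3)


def query_length(target):
    """Raw (undecoded) length of the query string in a request target.

    The overflow concerns the raw query string handed to get_query, so the
    percent-encoded length, not the decoded length, is the relevant size.
    """
    return len(urlsplit(target).query)


def find_oversized_queries(log_text, threshold=QUERY_LEN_THRESHOLD):
    """Return GET requests whose query string exceeds the threshold.

    Each hit records the source address, timestamp, path, query length and
    HTTP status; a 5xx status alongside an oversized query is worth a closer
    look because a crash of the portal daemon is one expected symptom.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # only GET query strings are affected
        qlen = query_length(m["target"])
        if qlen > threshold:
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "query_len": qlen,
                "status": int(m["status"]),
            })
    return hits


def is_vulnerable_version(version):
    """True if an OpenNDS version string such as '9.10.0' is below 10.1.3."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for hit in find_oversized_queries(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['path']} "
              f"query_len={hit['query_len']} status={hit['status']}")
    for v in ("9.10.0", "10.1.2", "10.1.3", "10.2.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; the version check takes the string reported by the installed package (on OpenWrt, the opennds package version).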

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL