From 47bd6c1bd6567ac4579be8c940225309be859198 Mon Sep 17 00:00:00 2001 From: seaxwi <71350948+seaxwi@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:16:54 -0500 Subject: [PATCH 1/6] Create ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md --- ...abilities-in-Arduino-Create-Agent-1-3-2.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md diff --git a/content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md b/content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md new file mode 100644 index 00000000..f309c4bb --- /dev/null +++ b/content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md 
@@ -0,0 +1,53 @@ +--- +title: "ASEC-23-001 - Vulnerabilities in Arduino Create Agent 1.3.2" +--- + +Bulletin ID: ASEC-23-001 +Date: Oct 18, 2023 +Product/Component: Arduino Create Agent +Affected versions: <= 1.3.2 +Fixed version: 1.3.3 + +## Summary + +This security bulletin provides information on a series of security vulnerabilities that have been identified in the Arduino Create Agent version 1.3.2 and below. + +Details on the security vulnerabilities and related advisories can be found below. The vulnerabilities were identified by Nozomi Networks Labs and promptly fixed by Arduino. + +### High risk + +* [CVE-2023-43802](https://www.cve.org/CVERecord?id=CVE-2023-43802) : Path Traversal (CWE-35), CVSS v3.1 Base Score 7.3 (CVSS:3.1/A + + AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) + +* [CVE-2023-43800](https://www.cve.org/CVERecord?id=CVE-2023-43800): Insufficient Verification of Data Authenticity (CWE-345), CVSS v3.1 Base Score 7.3 (CVSS:3.1/ + + AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) + +### Medium risk** + +* [CVE-2023-43801](https://www.cve.org/CVERecord?id=CVE-2023-43801): Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) +* [CVE-2023-43803](https://www.cve.org/CVERecord?id=CVE-2023-43803): Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) + +## Impact + +The identified vulnerabilities may allow an attacker, with local access to the victim machine, the following actions: + +* escalation of privileges to that of a user with credentials for the Arduino Create Agent service; +* Arbitrary code execution with the permissions of the user running the Arduino Create Agent service; +* Arbitrary file deletion of files accessible by the user running the Arduino Create Agent service. + +## Action Required + +All users are advised to update the Arduino Create Agent to version 1.3.3 or later. 
An update is automatically initiated when visiting the Arduino Web Editor or when setting up a new device via the Arduino IoT Cloud. Alternatively, a manual update can be performed by downloading the new version of the software [here](https://github.com/arduino/arduino-create-agent/releases). + +## Additional information + +* [Security Advisory - Path Traversal](https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-75j7-w798-cwwx) (CWE-35) +* [Security Advisory - Insufficient Verification of Data Authenticity](https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-4x5q-q7wc-q22p) (CWE-345) +* [Security Advisory - Path Traversal](https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-mjq6-pv9c-qppq) (CWE-35) +* [Security Advisory - Path Traversal](https://github.com/arduino/arduino-create-agent/security/advisories/GHSA-m5jc-r4gf-c6p8) (CWE-35) + +## Contact + +If you encounter any issues or have questions regarding this security update, please contact our security team at [security@arduino.cc](mailto:security@arduino.cc). From 986a2f188a227c0d1094eea4772cc43cb0d16483 Mon Sep 17 00:00:00 2001 From: seaxwi <71350948+seaxwi@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:17:16 -0500 Subject: [PATCH 2/6] Rename and move into new security updates section --- .../ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename content/About Arduino/{My Arduino Account/About-security-vulnerabilities-in-Apache-Log4j.md => Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md} (98%) 
diff --git a/content/About Arduino/My Arduino Account/About-security-vulnerabilities-in-Apache-Log4j.md b/content/About Arduino/Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md similarity index 98% rename from content/About Arduino/My Arduino Account/About-security-vulnerabilities-in-Apache-Log4j.md rename to content/About Arduino/Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md index 9205c56d..d40a14d9 100644 --- a/content/About Arduino/My Arduino Account/About-security-vulnerabilities-in-Apache-Log4j.md +++ b/content/About Arduino/Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md @@ -1,5 +1,5 @@ --- -title: "About security vulnerabilities in Apache Log4j" +title: "ASEC-21-001 – Vulnerabilities in Apache Log4j" id: 4412377144338 --- From eb98e2c893dd570f76750a5b929455634fa58d08 Mon Sep 17 00:00:00 2001 From: seaxwi <71350948+seaxwi@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:22:10 -0500 Subject: [PATCH 3/6] =?UTF-8?q?Security=20Updates=20=E2=86=92=20Arduino=20?= =?UTF-8?q?Security=20Bulletins?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md | 0 .../ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename content/About Arduino/{Security Updates => Arduino Security Bulletins}/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md (100%) rename content/About Arduino/{Security Updates => Arduino Security Bulletins}/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md (100%) 
diff --git a/content/About Arduino/Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md b/content/About Arduino/Arduino Security Bulletins/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md similarity index 100% rename from content/About Arduino/Security Updates/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md rename to content/About Arduino/Arduino Security Bulletins/ASEC-21-001-Vulnerabilities-in-Apache-Log4j.md diff --git a/content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md similarity index 100% rename from content/About Arduino/Security Updates/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md rename to content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md From 9625cf08ab3b403dfee39b85a8169e2e59f23245 Mon Sep 17 00:00:00 2001 From: seaxwi <71350948+seaxwi@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:27:58 -0500 Subject: [PATCH 4/6] Remove trailing trailing asterisks --- ...ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md index f309c4bb..966ae7d8 100644 --- a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md +++ b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md 
@@ -24,7 +24,7 @@ Details on the security vulnerabilities and related advisories can be found belo AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) -### Medium risk** +### Medium risk * [CVE-2023-43801](https://www.cve.org/CVERecord?id=CVE-2023-43801): Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) * [CVE-2023-43803](https://www.cve.org/CVERecord?id=CVE-2023-43803): Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L) From 0417340098d52e4edae99582cb0ef99ada4697a6 Mon Sep 17 00:00:00 2001 From: seaxwi <71350948+seaxwi@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:30:11 -0500 Subject: [PATCH 5/6] Add line breaks --- ...-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md index 966ae7d8..12f36c22 100644 --- a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md +++ b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md @@ -3,9 +3,9 @@ title: "ASEC-23-001 - Vulnerabilities in Arduino Create Agent 1.3.2" --- Bulletin ID: ASEC-23-001 -Date: Oct 18, 2023 -Product/Component: Arduino Create Agent -Affected versions: <= 1.3.2 +Date: Oct 18, 2023 +Product/Component: Arduino Create Agent +Affected versions: <= 1.3.2 Fixed version: 1.3.3 ## Summary From 927036a7c8729b4b1c65fa25fc63912f4f737c06 Mon Sep 17 00:00:00 2001 From: Renat0Ribeir0 Date: Fri, 20 Oct 2023 11:32:11 +0200 Subject: [PATCH 6/6] Fix capitalization --- ...ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md index 12f36c22..6a3d680c 100644 --- a/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md +++ b/content/About Arduino/Arduino Security Bulletins/ASEC-23-001-Vulnerabilities-in-Arduino-Create-Agent-1-3-2.md @@ -33,7 +33,7 @@ Details on the security vulnerabilities and related advisories can be found belo The identified vulnerabilities may allow an attacker, with local access to the victim machine, the following actions: -* escalation of privileges to that of a user with credentials for the Arduino Create Agent service; +* Escalation of privileges to that of a user with credentials for the Arduino Create Agent service; * Arbitrary code execution with the permissions of the user running the Arduino Create Agent service; * Arbitrary file deletion of files accessible by the user running the Arduino Create Agent service.
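Review bot: In PATCH 1/6, both High risk entries in the new ASEC-23-001 file have their CVSS vector string broken across lines with a blank line in the middle (`CVSS:3.1/A` then `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)` for CVE-2023-43802, and `CVSS:3.1/` then `AV:L/...` for CVE-2023-43800), so each bullet ends mid-vector and the remainder renders as a separate paragraph; the first one also carries a stray `A` before the break. Join each vector onto the bullet's own line exactly as the Medium risk entries already do, i.e. `(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)`. The vectors are consistent with the stated scores (7.3 for C:H/I:H/A:L and 6.1 for C:N/I:H/A:L under CVSS v3.1), so only the layout needs fixing. Two smaller points in the same hunk: `### Medium risk**` has stray trailing asterisks (addressed in PATCH 4/6 of this series), and three of the four Security Advisory links under Additional information share the identical title "Path Traversal", so a reader cannot tell which GHSA advisory belongs to which CVE; append the CVE ID to each link text.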
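Review bot: In PATCH 2/6, the renamed Log4j title uses an en dash (`ASEC-21-001 – Vulnerabilities in Apache Log4j`) while the new bulletin in PATCH 1/6 uses a plain hyphen (`ASEC-23-001 - Vulnerabilities in Arduino Create Agent 1.3.2`); pick one separator for the `ASEC-` title pattern so the bulletin index stays consistent. The Log4j front matter also keeps `id: 4412377144338`, whereas the ASEC-23-001 file added in PATCH 1/6 has no `id` field; confirm whether the new file needs one.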
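Review bot: PATCH 3/6 is the second move of the same two files within one series (PATCH 2/6 placed them under `Security Updates`, this one under `Arduino Security Bulletins`); squash it into PATCH 2/6 so history records a single rename into the final section, and check that nothing still links to the intermediate `Security Updates` path.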
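Review bot: The commit subject of PATCH 4/6 has a duplicated word (`Remove trailing trailing asterisks`); the hunk itself is correct.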
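Review bot: In PATCH 5/6, the unchanged `Bulletin ID: ASEC-23-001` context line at the top of the hunk is left without the trailing-whitespace hard break that the three changed lines below it receive, so it will still render joined onto `Date: Oct 18, 2023`; add the same break there. Since the `-`/`+` pairs are visually identical, the change is trailing spaces, which editors and linters strip silently and which reviewers cannot verify from the rendered diff; a bullet list or a two-column table for the five metadata fields would survive reformatting and make the intent visible.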
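Review bot: In PATCH 6/6, the introductory sentence above the now-capitalized Impact bullets still lacks a verb (`may allow an attacker, with local access to the victim machine, the following actions:`); `may allow an attacker with local access to the victim machine to perform the following actions:` reads cleanly. The bullets end with semicolons and a final full stop, which is fine as long as the other ASEC bulletins use the same convention.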