
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-28503 is an authentication bypass vulnerability discovered in Rocket Software's UniData and UniVerse products. The vulnerability affects UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002. The issue exists in the do_log_on_user() function in libunidata.so, where a special username (:local:) with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user. The vulnerability was discovered and reported by Rapid7 researchers in January 2023 (Rapid7 Blog).
The vulnerability exists in the authentication mechanism of the do_log_on_user() function within libunidata.so. The function contains a hardcoded username check for :local: and implements flawed authentication logic that allows attackers to authenticate as any local user by providing a specially crafted password in the format username:uid:gid. The CVSS v3.1 base score for this vulnerability is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication and execute operating system commands with root privileges. This affects most of the services that UniData ships, and when combined with the udadmin service it leads directly to shell command execution. The vulnerability can also be used to reach several post-authentication vulnerabilities that would normally require valid credentials (Rapid7 Blog).
Rocket Software has released patches to address this vulnerability. Organizations using affected versions should upgrade to UniData version 8.2.4 build 3003, UniVerse version 11.3.5 build 1001, or UniVerse version 12.2.1 build 2002, depending on their deployment. The patches are available to Rocket Software customers through Rocket Business Connect (Rapid7 Blog).
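As an added example (not code from the advisory, Rapid7 or Rocket Software), a small Python check that applies the fixed builds listed above to a host inventory. The sample hosts are constructed, and mapping UniVerse 12.0/12.1 installs to the 12.2.1 build 2002 threshold is this example's own reading of the advisory.

```python
import re
from typing import List, Tuple

# Fixed builds as stated in the advisory. UniVerse has two release lines, so
# the applicable threshold depends on the installed major version. Treating
# 12.0/12.1 as unpatched until 12.2.1 build 2002 is an assumption of this example.
FIXED_BUILDS = {
    "unidata": {8: (8, 2, 4, 3003)},
    "universe": {11: (11, 3, 5, 1001), 12: (12, 2, 1, 2002)},
}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:build\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'X.Y.Z build N' into a comparable tuple; a missing build counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed product/version predates the CVE-2023-28503 fix."""
    thresholds = FIXED_BUILDS[product.lower()]
    installed = parse_version(version)
    lines = sorted(thresholds)
    if installed[0] < lines[0]:      # older than any patched release line
        return True
    if installed[0] > lines[-1]:     # newer line; assumed to carry the fix
        return False
    line = max(l for l in lines if l <= installed[0])
    return installed < thresholds[line]


def hosts_needing_upgrade(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts whose (product, version) is still unpatched."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("app01", "UniData", "8.2.3 build 3001"),
    ("app02", "UniData", "8.2.4 build 3003"),
    ("db01", "UniVerse", "11.3.4"),
    ("db02", "UniVerse", "12.2.1 build 2002"),
    ("db03", "UniVerse", "12.1.0 build 1"),
]

if __name__ == "__main__":
    print(hosts_needing_upgrade(SAMPLE_INVENTORY))  # ['app01', 'db01', 'db03']
```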
Source: This report was generated using AI