CVE-2023-41101: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. The get_query function in http_microhttpd.c does not validate the length of the query string of GET requests, leading to a stack-based buffer overflow in versions 9.x and earlier, and a heap-based buffer overflow in versions 10.x and later (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw exists in the query string handling of GET requests in the captive portal functionality. To exploit the vulnerability, an attacker must be able to interact with the captive portal running on the router, either by being within WiFi range or by compromising another device that can connect to that network (Decipher).

If successfully exploited, attackers may be able to crash OpenNDS (Denial-of-Service condition) or inject and execute arbitrary bytecode (Remote Code Execution). The vulnerability affects OpenNDS installations in critical infrastructure sectors, including manufacturing, healthcare, government facilities, energy, transportation, and emergency services (Record).

The vulnerability has been fixed in OpenNDS version 10.1.3. The fix addresses the buffer overflow issue that was causing segmentation faults. Users are advised to upgrade to version 10.1.3 or later. The patch has also been included in OpenWrt master and OpenWrt 23.05 through an update to OpenNDS version 10.2.0 (OpenNDS Release).

Security researchers from Forescout discovered this vulnerability along with other security flaws affecting Sierra Wireless routers. They noted that these devices are often left unpatched, with less than 10 percent of routers seen on Shodan confirmed to be patched against previous vulnerabilities (Decipher).