Bulletin ID: ASEC-23-001
Date: Oct 18, 2023
Product/Component: Arduino Create Agent
Affected versions: <= 1.3.2
Fixed version: 1.3.3
Summary
This security bulletin provides information on a series of security vulnerabilities that have been identified in the Arduino Create Agent version 1.3.2 and below.
Details on the security vulnerabilities and related advisories can be found below. The vulnerabilities were identified by Nozomi Networks Labs and promptly fixed by Arduino.
High risk
- CVE-2023-43802: Path Traversal (CWE-35), CVSS v3.1 Base Score 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
- CVE-2023-43800: Insufficient Verification of Data Authenticity (CWE-345), CVSS v3.1 Base Score 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
Medium risk
- CVE-2023-43801: Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
- CVE-2023-43803: Path Traversal (CWE-35), CVSS v3.1 Base Score 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
Impact
The identified vulnerabilities may allow an attacker with local access to the victim machine to perform the following actions:
- Escalation of privileges to that of a user with credentials for the Arduino Create Agent service;
- Arbitrary code execution with the permissions of the user running the Arduino Create Agent service;
- Arbitrary file deletion of files accessible by the user running the Arduino Create Agent service.
Action Required
All users are advised to update the Arduino Create Agent to version 1.3.3 or later. An update is automatically initiated when visiting the Arduino Cloud Editor or when setting up a new device in Arduino Cloud. Alternatively, a manual update can be performed by downloading the new version of the software here.
Additional information
- Security Advisory - Path Traversal (CWE-35)
- Security Advisory - Insufficient Verification of Data Authenticity (CWE-345)
- Security Advisory - Path Traversal (CWE-35)
- Security Advisory - Path Traversal (CWE-35)
Contact
If you encounter any issues or have questions regarding this security update, please contact our security team at security@arduino.cc.