SecurePwn Part 2: Leaking Remote Memory Contents [CVE-2023-22897]

A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug is that a session ID can be sent in a response before the session has been fully initialized and used, so the response carries uninitialized memory contents. That leaked data can be chained with a separate memory corruption bug to achieve RCE on the portal. The authentication requirement comes from the fact that, in a typical browser login flow, the sessionId is initialized immediately after login, so the exploitable condition can’t be triggered.