# Talos Vulnerability Report
### TALOS-2023-1700
## Milesight MilesightVPN requestHandlers.js verifyToken authentication bypass vulnerability
##### July 6, 2023
##### CVE Number
CVE-2023-22844
##### SUMMARY
An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Milesight VPN v2.0.2
##### PRODUCT URLS
MilesightVPN –
##### CVSSv3 SCORE
7.3 – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
##### CWE
CWE-321 – Use of Hard-coded Cryptographic Key
##### DETAILS
MilesightVPN is software that simplifies setting up a VPN tunnel for Milesight products and allows monitoring the connection status through a web server interface.
MilesightVPN manages the various VPN-related configuration settings and the connected devices through its web interface. The web interface is protected by a login; it verifies whether the user has permission to access a page by means of a JSON Web Token.
The function to generate the JWT is `generateToken`:
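```javascript
function generateToken(data){
    // Issue time in seconds since the epoch
    var created=Math.floor(Date.now()/1000);
    // RS256 signing key, read from a file under the application directory
    var cert=fs.readFileSync(path.join(__dirname,'./https/privkey.pem'));
    var token=jwt.sign({
        data,
        exp:created+expiretime // expiretime is defined outside this excerpt
    },cert,{algorithm:'RS256'});
    return token;
}
```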
And the function to verify the JWT is `verifyToken`:
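```javascript
function verifyToken(token){
    var rt={};
    // RS256 verification key, read from the same ./https directory
    var cert=fs.readFileSync(path.join(__dirname,'./https/public.pem'));
    try{
        var result=jwt.verify(token,cert,{algorithm:['RS256']})||{};
        // Expiry claim from the token and the current time, both in seconds
        var exp=result.exp?result.exp:0,current=Math.floor(Date.now()/1000);
        if(current
```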
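A mitigation and audit sketch for the CWE-321 condition, added here as an example and not taken from the Talos report or from Milesight's code. It assumes the hard-coded key is the RS256 pair loaded from `./https/privkey.pem` and `./https/public.pem`; the function names, the fingerprint list and the temporary directories are hypothetical.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// SHA-256 of the DER SubjectPublicKeyInfo; accepts a private or a public PEM.
function keyFingerprint(pem) {
  const der = crypto.createPublicKey(pem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Create the RS256 key pair on first start instead of shipping one in the package.
function ensureInstallKey(dir) {
  const privPath = path.join(dir, 'privkey.pem');
  if (!fs.existsSync(privPath)) {
    const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
      modulusLength: 2048,
      publicKeyEncoding: { type: 'spki', format: 'pem' },
      privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
    });
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(privPath, privateKey, { mode: 0o600 });
    fs.writeFileSync(path.join(dir, 'public.pem'), publicKey);
  }
  return keyFingerprint(fs.readFileSync(privPath));
}

// Audit: was this key distributed with the software, and do the two files match?
function auditInstallKey(dir, distributedFingerprints) {
  const fp = keyFingerprint(fs.readFileSync(path.join(dir, 'privkey.pem')));
  const pubFp = keyFingerprint(fs.readFileSync(path.join(dir, 'public.pem')));
  return { fingerprint: fp, pairMatches: fp === pubFp,
           distributed: distributedFingerprints.includes(fp) };
}

// Constructed demo: two fresh installs, plus one that reuses a packaged key.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'jwtkey-'));
  const [a, b, packaged] = ['a', 'b', 'packaged'].map((n) => path.join(root, n, 'https'));
  const fpA = ensureInstallKey(a), fpB = ensureInstallKey(b);
  fs.mkdirSync(packaged, { recursive: true }); // simulates a key baked into an installer
  for (const f of ['privkey.pem', 'public.pem']) fs.copyFileSync(path.join(a, f), path.join(packaged, f));
  const result = { unique: fpA !== fpB, fresh: auditInstallKey(b, [fpA]),
                   reused: auditInstallKey(packaged, [fpA]) };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Fingerprinting the public half means the audit can be run against `public.pem` alone on hosts where the private key is not readable.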