# Talos Vulnerability Report

### TALOS-2023-1700

## Milesight MilesightVPN requestHandlers.js verifyToken authentication bypass vulnerability

##### July 6, 2023

##### CVE Number

CVE-2023-22844

##### SUMMARY

An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

##### PRODUCT URLS

MilesightVPN –

##### CVSSv3 SCORE

7.3 – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

##### CWE

CWE-321 – Use of Hard-coded Cryptographic Key

##### DETAILS

The MilesightVPN is software that make the process easier of setting up the VPN tunnel for Milesight products, as well as allows monitoring the connection status with a web server interface.

The MilesightVPN allows to manages the various VPN related configuration and the connected devices through its web interface. The web interface is protected by a login, the web interface verify if the user has the permission to access the webpage through a JSON Web Token.

The function to generate the JWT is `generateToken`:

function generateToken(data){
var created=Math.floor(Date.now()/1000);
var cert=fs.readFileSync(path.join(__dirname,’./https/privkey.pem’));
var token=jwt.sign({
data,
exp:created+expiretime
},cert,{algorithm:’RS256′});
return token;
}

And the function to verify the JWT is `verifyToken`:

function verifyToken(token){
var rt={};
var cert=fs.readFileSync(path.join(__dirname,’./https/public.pem’));
try{
var result=jwt.verify(token,cert,{algorithm:[‘RS256’]})||{};
var exp=result.exp?result.exp:0,current=Math.floor(Date.now()/1000);
if(currentRead More