PT-2024-01: OS Command Injection in PT Network Attack Discovery (PT NAD) Vendor: Positive TechnologiesProduct: PT Network Attack Discovery (PT NAD)Vulnerable version: 12.0.0 - 12.0.577Vulnerability type:- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')Identifier (ID): BDU:2024-04638Vulnerability vector:- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Severity (CVSSv3.1): 9.6 (critical)- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H- Severity (CVSSv4.0): 9.4 (critical)Description:The vulnerability was identified in PT NAD affecting versions 12.0.x to 12.0.577. The vulnerability can be exploited by an attacker with network access to PT NAD to remotely execute OS commands as a superuser. Ability of exploitation depends on the configuration. Authorization is not required for vulnerability exploitation.Vulnerability status: Confirmed by vendorDate of vulnerability detection: 17.06.2024Recommendations: Update to version 12.0.578 or higherAdditional information: Security BulletinResearcher: Vsevolod Dergunov (Positive Technologies)
