CVE-2023-26150: asyncua Improper Authentication vulnerability

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.37822%
Published: 10/3/2023
Updated: 11/8/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
asyncua | pip | < 0.9.96 | 0.9.96

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from missing session-activation checks in the service handlers. UaProcessor.process_request dispatched service requests without checking the state of the session they arrived on, and InternalSession.create_session created sessions that were usable for subsequent operations without ever requiring activation. Because CreateSession hands out a session without credentials and ActivateSession is where authentication happens, a client could create a session, skip activation, and call address-space services over OPC UA unauthenticated. The fix in PR #1015 added a session-activation check through the is_activated() method before such requests are served; versions 0.9.96 and later carry it.
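To make the missing check concrete, here is an added example that is not asyncua's own code: a toy OPC UA-style dispatcher with CreateSession, ActivateSession, CloseSession and Read. With check_activation=False it behaves the way the analysis above describes for releases before 0.9.96 (any session that exists may read the address space); with check_activation=True it applies the is_activated() gate the fix introduced. The service names are OPC UA's; the class names, the node id, the credential store and the set of services allowed before activation are assumptions for this example.

```python
"""Session-activation enforcement in an OPC UA-style request dispatcher.

Added example, not asyncua's code. check_activation=False models the
pre-0.9.96 behaviour: a created but never activated session can invoke Read.
check_activation=True models the fix: address-space services are refused
with Bad_SessionNotActivated until ActivateSession has succeeded.
"""
import hmac
import secrets
from dataclasses import dataclass


class ServiceFault(Exception):
    """Carries an OPC UA StatusCode name as its message."""


@dataclass
class InternalSession:
    token: str
    activated: bool = False

    def is_activated(self) -> bool:
        return self.activated


class UaDispatcher:
    # Services a client may call on a created but not yet activated session
    # (assumed grouping for this example).
    PRE_ACTIVATION_SERVICES = frozenset({"ActivateSession", "CloseSession"})

    def __init__(self, check_activation: bool, users: dict):
        self.check_activation = check_activation
        self.users = users                        # constructed credential store
        self.sessions = {}
        self.address_space = {"ns=2;i=1": 21.5}   # constructed node value

    def create_session(self) -> str:
        # CreateSession hands out a session token without any credentials; that
        # is the normal OPC UA flow, which is exactly why every later service
        # must verify that the session was activated.
        token = secrets.token_hex(16)
        self.sessions[token] = InternalSession(token)
        return token

    # --- service handlers; each receives the resolved session ---------------
    def _activate_session(self, sess, params):
        expected = self.users.get(params.get("user", ""), "")
        if not hmac.compare_digest(expected, params.get("password", "")):
            raise ServiceFault("Bad_UserAccessDenied")
        sess.activated = True
        return "Good"

    def _close_session(self, sess, params):
        del self.sessions[sess.token]
        return "Good"

    def _read(self, sess, params):
        return self.address_space[params["node_id"]]

    def process_request(self, token: str, service: str, params=None):
        sess = self.sessions.get(token)
        if sess is None:
            raise ServiceFault("Bad_SessionIdInvalid")
        # The gate the fix introduced: refuse address-space services on a
        # session that never completed ActivateSession.
        if (self.check_activation
                and service not in self.PRE_ACTIVATION_SERVICES
                and not sess.is_activated()):
            raise ServiceFault("Bad_SessionNotActivated")
        handler = {
            "ActivateSession": self._activate_session,
            "CloseSession": self._close_session,
            "Read": self._read,
        }.get(service)
        if handler is None:
            raise ServiceFault("Bad_ServiceUnsupported")
        return handler(sess, params or {})


USERS = {"operator": "correct horse"}   # constructed


def anonymous_read(check_activation: bool):
    """Read a node right after CreateSession, skipping ActivateSession."""
    srv = UaDispatcher(check_activation, USERS)
    token = srv.create_session()
    try:
        return srv.process_request(token, "Read", {"node_id": "ns=2;i=1"})
    except ServiceFault as fault:
        return str(fault)


def authenticated_read(check_activation: bool, password: str):
    """Activate with a password, then read; returns the value or the fault name."""
    srv = UaDispatcher(check_activation, USERS)
    token = srv.create_session()
    try:
        srv.process_request(token, "ActivateSession",
                            {"user": "operator", "password": password})
        return srv.process_request(token, "Read", {"node_id": "ns=2;i=1"})
    except ServiceFault as fault:
        return str(fault)


if __name__ == "__main__":
    print("vulnerable, anonymous Read:", anonymous_read(False))
    print("fixed, anonymous Read:", anonymous_read(True))
    print("fixed, authenticated Read:", authenticated_read(True, "correct horse"))
```

The point of the example is where the check lives: in the central dispatcher, before any handler runs, rather than inside individual handlers where one forgotten check reopens the hole. Session-establishment services are the only ones exempted; an activated session still goes through the normal user-level authorization that a real server applies per node.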

WAF Protection Rules

WAF Rule

Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that req
