Kratos Security Advisory: CVE-2023-36670

Synopsis

Kratos NGC Indoor Unit (IDU) command injection vulnerability

Type/Severity

Security Advisory / High

Description

A remotely exploitable command injection vulnerability was found in the Kratos NGC Indoor Unit (NGC-IDU), version 9.1.0.4.

Solution

This issue cannot be resolved in NGC IDU, which is End-of-Life effective August 1st, 2023. Kratos encourages customers to maintain good physical security of the ODU by locking the unit enclosure to prevent unauthorized access. The IDU should be installed on a trusted network, and access should be limited to authorized hosts using iptables or a firewall.
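
One way to express the "limit access to authorized hosts" mitigation above, as an added example that is not part of the Kratos advisory: a shell function that generates a default-deny iptables allowlist for traffic forwarded to the IDU. It assumes a Linux gateway sits in front of the IDU; the chain name IDU_ACCESS and all addresses (RFC 5737 documentation ranges) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes a Linux gateway routes traffic to
# the IDU. All addresses below are constructed placeholders (RFC 5737).

# is_ipv4 ADDR: succeeds only for a plain dotted-quad IPv4 address.
is_ipv4() {
    # Reject empty input and anything that is not a digit or a dot, so
    # shell or rule metacharacters never reach the generated ruleset.
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# idu_allowlist_rules IDU_IP HOST...: prints filter-table rules in
# iptables-restore format; only the listed hosts may reach IDU_IP.
idu_allowlist_rules() {
    idu=$1
    shift
    is_ipv4 "$idu" || { echo "bad IDU address: $idu" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no authorized hosts given" >&2; return 1; }
    for host in "$@"; do
        is_ipv4 "$host" || { echo "bad host address: $host" >&2; return 1; }
    done

    echo "*filter"
    echo ":IDU_ACCESS - [0:0]"
    # Every packet forwarded to the IDU is judged by the dedicated chain.
    echo "-A FORWARD -d $idu -j IDU_ACCESS"
    for host in "$@"; do
        echo "-A IDU_ACCESS -s $host -j ACCEPT"
    done
    # Any other source is logged for review, then dropped.
    echo "-A IDU_ACCESS -j LOG --log-prefix \"idu-denied: \""
    echo "-A IDU_ACCESS -j DROP"
    echo "COMMIT"
}

# Sample run: one IDU and two authorized management hosts (constructed).
idu_allowlist_rules 192.0.2.10 198.51.100.5 198.51.100.6
```

The output can be parsed without being committed using `iptables-restore --test`; loading it without `--noflush` replaces the gateway's existing filter table.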

Affected Products

Kratos NGC Indoor Unit (NGC-IDU)

Fix

Upgrade to the latest NGC IDU product: NGC2-IDU SW & HW Accessories.

Credit/Discoverer

Paul Noalhyt, Red Balloon Security