baramundi Management Agent (bMA), a module of baramundi Management Suite (bMS) is affected by a buffer overflow vulnerability. An attacker could potentially exploit the vulnerability to crash the affected module, or achieve remote code execution when a certain condition is met.
In both scenarios, the attacker must be able to trick the user into visiting a prepared web page that is hosted on the Internet/Intranet.
Affected products are all versions of baramundi, including bMS 2022 R1, bMS 2021 R2, bMS 2021 R1, and earlier.
I have notified baramundi AG of this vulnerability on August 04, 2022 and they release a security update S-2022-01 on September 27, 2022. The security update addresses the vulnerability in all supported versions. That means, if you are using a version that is no longer supported, then your version is still vulnerable. I encourage all affected companies to patch as soon as possible if they have not done so already.
The vulnerability has been assigned the identifier CVE-2022-43747 and has a high severity.
I would like to thank baramundi’s Product Security Incident Response Team for their professional communication and for baramundi’s commitment to addressing this weakness.
Disclosure Timeline
| 04.08.2022 | Initial notification per email |
| 09.08.2022 | Receipt confirmation. Vulnerability is being confirmed |
| 27.09.2022 | Vulnerability confirmed. Patch released. baramundi’s Public disclosure |
| 29.12.2022 | Own public disclosure 🙂 |
