baramundi Management Agent (bMA), a module of baramundi Management Suite (bMS) is affected by a buffer overflow vulnerability. An attacker could potentially exploit the vulnerability to crash the affected module, or achieve remote code execution when a certain condition is met.

In both scenarios, the attacker must be able to trick the user into visiting a prepared web page that is hosted on the Internet/Intranet.

Affected products are all versions of baramundi, including bMS 2022 R1, bMS 2021 R2, bMS 2021 R1, and earlier.

I have notified baramundi AG of this vulnerability on August 04, 2022 and they release a security update S-2022-01 on September 27, 2022. The security update addresses the vulnerability in all supported versions. That means, if you are using a version that is no longer supported, then your version is still vulnerable. I encourage all affected companies to patch as soon as possible if they have not done so already.

The vulnerability has been assigned the identifier CVE-2022-43747 and has a high severity.

I would like to thank baramundi’s Product Security Incident Response Team for their professional communication and for baramundi’s commitment to addressing this weakness.

Disclosure Timeline

04.08.2022 Initial notification per email
09.08.2022 Receipt confirmation. Vulnerability is being confirmed
27.09.2022 Vulnerability confirmed. Patch released. baramundi’s Public disclosure
29.12.2022 Own public disclosure 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.