baramundi Management Agent (bMA), a module of baramundi Management Suite (bMS) is affected by a buffer overflow vulnerability. An attacker could potentially exploit the vulnerability to crash the affected module, or achieve remote code execution when a certain condition is met.
In both scenarios, the attacker must be able to trick the user into visiting a prepared web page that is hosted on the Internet/Intranet.
Affected products are all versions of baramundi, including bMS 2022 R1, bMS 2021 R2, bMS 2021 R1, and earlier.
I have notified baramundi AG of this vulnerability on August 04, 2022 and they release a security update S-2022-01 on September 27, 2022. The security update addresses the vulnerability in all supported versions. That means, if you are using a version that is no longer supported, then your version is still vulnerable. I encourage all affected companies to patch as soon as possible if they have not done so already.
The vulnerability has been assigned the identifier CVE-2022-43747 and has a high severity.
I would like to thank baramundi’s Product Security Incident Response Team for their professional communication and for baramundi’s commitment to addressing this weakness.
|04.08.2022||Initial notification per email|
|09.08.2022||Receipt confirmation. Vulnerability is being confirmed|
|27.09.2022||Vulnerability confirmed. Patch released. baramundi’s Public disclosure|
|29.12.2022||Own public disclosure 🙂|