Nozomi discloses presence of security flaws affect component of Arduino Create Cloud IDE

Researchers from Nozomi Networks Labs security team recently disclosed four vulnerabilities in the Arduino Create Agent software used for configuring Arduino Opta devices. These vulnerabilities could potentially allow a local user to gain elevated privileges and delete protected files. In response to this disclosure, Arduino promptly released patches for the open-source Arduino Create Agent repository. The updated software version is now available for download on the official website. 

The researchers have also provided detailed information about these vulnerabilities in a recent blog post, urging asset owners to review their development ecosystems and download the latest Arduino Create Agent software from the official website for installation.

Nozomi identified that the Arduino IDE (Integrated Development Environment) software is accessible both as a local download or through the Arduino cloud infrastructure via web connection. “To connect over the web, Arduino devices require an agent service called Arduino Create Agent that acts as a communication bridge between the browser and the Arduino device connected to the workstation through a USB cable,” they added. 

Italy-based Arduino designs and produces ubiquitous single-board microcontrollers and microcontroller kits for building digital devices. Their products are historically open-source technologies, simple, cost effective, and easy to use and deploy. 

The Arduino Opta is a microPLC (programmable logic controller) designed for industrial IoT (Internet of Things) facilities and control system architectures. It intended to be deployed in industrial automation facilities and control system architectures. To enable software developers to utilize and deploy their devices, Arduino provides a large set of libraries distributed within an IDE , used to write customized applications. The Arduino Opta is fully integrated with this development platform. 

PLC devices are adopted in industrial automation facilities and their security level is critical to avoid unauthorized access to services or resources that should be protected by external entities. 

The researchers said that the most high risk vulnerabilities are CVE-2023-43802 and CVE-2023-43800. “Both allow an attacker with access to the system to escalate their privileges to that of a user with credentials for the Arduino Create Agent service. The impact of the privilege escalation depends on the configuration of the workstation where the Arduino Create Agent service is running. This is a common scenario, since engineering workstations are accessed by multiple operators with different accounts.” 

They added that a user with a standard account could try to impersonate a different one or eventually acquire a higher privileged account gaining the ability to execute privileged operations on the system that normally should be denied, such as shutting down the system. The issue could be exploited not only by a physical user (e.g. an operator of the workstation) but also by another software with local privileges running on it, such as a malware that infected the system and exploits the vulnerability.

The CVE-2023-43802 vulnerability is a ‘Path Traversal’ that leads to an arbitrary file overwriting on the system, while CVE-2023-43800 loophole is an ‘Insufficient Verification of Data Authenticity’ that allows an attacker to replace a component of the Arduino Create Agent service and afterwards invoke its execution. Both vulnerabilities, when exploited, would allow an attacker to perform arbitrary code execution on the system in the context of the Arduino Create Agent service running on it, leading to the privilege escalation scenarios described above.

Nozomi added that “CVE-2023-43801 and CVE-2023-43803 are two Path Traversal vulnerabilities that can be abused in the same way. A low privileged user with access to the system can exploit these vulnerabilities to delete arbitrary files and folders owned by the user that runs the Arduino Create Agent service, such as reserved documents or critical system configuration files if the vulnerable agent has been started with a high-privileged account.” 

They added that in this case these vulnerabilities can be abused not only by a physical user interacting with the workstation, but also by a malware that infected the system to corrupt it in terms of availability, by deleting protected resources.

“All of the vulnerabilities described require local access to the device (a user interacting with the system or a malicious software running on it) due to the CORS policy (Cross-Origin Resource Sharing) implemented in the Arduino Create Agent,” Nozomi detailed. “A threat actor could potentially exploit an additional vulnerability allowing them to generate a trusted HTTP request (e.g.: a Cross Site scripting attack on the create.arduino.cc web application) to interact remotely with the Arduino Create Agent service running locally on the workstation machine. This step and attack chain would allow the remote exploitation of the vulnerabilities described.”  

Nozomi Networks Labs clarified that it has not conducted security research on the web applications hosted on the domain *[dot]arduino[dot]cc, and the security posture of the cloud-based Arduino web editor is out of scope for this blog.

Following Nozomi’s disclosure, Arduino promptly implemented necessary fixes to the Arduino Create Agent service. These fixes have been included in the official update released 1.3.3 and can be downloaded from the official repository. It is advisable for users who utilize the Arduino Web Editor to promptly upgrade the Arduino Create Agent to the latest version to avoid any potential misuse of their systems.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.