CVE-2023-48643 in tac_plus
Summary
by MITRE • 05/16/2024
Shrubbery tac_plus 2.x, 3.x, and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta's fork.
Analysis
by VulDB Data Team • 08/20/2024
CVE-2023-48643 affects the Shrubbery tac_plus authentication server, versions 2.x through 4.x up to F4.0.4.28, and allows unauthenticated remote command execution. The flaw lies in the authorization path of the tac_plus service, which is widely used for centralized network access control and authentication management. When an operator configures authorization checks as shell commands in tac_plus.cfg, tac_plus builds the command line from values taken out of TACACS+ packets without validating or escaping them, so a request can inject additional shell commands, and it can do so without authenticating first.
The injection occurs when tac_plus handles an authorization request for a username whose pre-authorization directives run a shell command. String fields from the TACACS+ packet are inserted directly into that command line; because the resulting string is handed to a shell rather than passed as discrete argument values, shell metacharacters in the input are interpreted as part of the command. The issue is especially serious because the default configuration has no pre-shared secret, so anyone who knows a username configured with a pre-authorization command can reach the injection point. The result is arbitrary command execution on the host running tac_plus, which hands an attacker control of the authentication server itself.
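To make the mechanism concrete, here is an added example (not tac_plus code, and not taken from the advisory) of the sink described above: an operator-supplied check template into which packet-derived fields are substituted textually before the string reaches a shell, placed beside a hardened form that validates each field against an allow-list and passes it as its own argv element so no shell ever re-parses it. The script path, the `$user`/`$port` placeholders and the sample username are assumptions constructed for this example.

```python
"""Added example, not tac_plus code: the command-injection sink the advisory
describes (packet strings substituted into a shell command line) beside a
hardened variant that never lets a shell parse those strings."""
import re
import shlex
import subprocess

# Constructed pre-authorization check, modelled on the kind of shell command an
# operator can configure in tac_plus.cfg. The script path and the $user/$port
# placeholders are assumptions for this example, not quoted from the product.
PRE_AUTH_TEMPLATE = "/usr/local/bin/preauth-check $user $port"


def build_shell_command_unsafe(template, user, port):
    """Vulnerable pattern: plain text substitution of packet-derived fields into
    a string that is later handed to /bin/sh. Any shell metacharacter in `user`
    or `port` becomes part of the command line."""
    return template.replace("$user", user).replace("$port", port)


# Allow-list for fields taken from a TACACS+ packet: only characters a
# legitimate username or port identifier needs; everything else is rejected.
SAFE_FIELD = re.compile(r"[A-Za-z0-9._@/:-]{1,64}")


def validate_field(name, value):
    """Reject a packet-derived field unless every character is allow-listed."""
    if not SAFE_FIELD.fullmatch(value):
        raise ValueError(f"{name} rejected: characters outside allow-list")
    return value


def build_argv_safe(template, user, port):
    """Hardened pattern: tokenize the operator's template once, then drop each
    validated field into its own argv element. The values are never re-parsed
    by a shell, so a ';' or '$(...)' in a username cannot start a second command."""
    user = validate_field("user", user)
    port = validate_field("port", port)
    return [tok.replace("$user", user).replace("$port", port)
            for tok in shlex.split(template)]


def run_check(argv, timeout=5):
    """Execute the check without a shell (shell=False is the default for a
    list argv) and report whether it allowed access (exit status 0)."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    hostile = "alice; id"  # constructed: a username carrying a shell metacharacter
    print("unsafe:", build_shell_command_unsafe(PRE_AUTH_TEMPLATE, hostile, "tty0"))
    try:
        build_argv_safe(PRE_AUTH_TEMPLATE, hostile, "tty0")
    except ValueError as exc:
        print("safe:", exc)
    print("safe:", build_argv_safe(PRE_AUTH_TEMPLATE, "alice", "tty0"))
```

The order of operations in `build_argv_safe` is the point: the template is split into tokens before the packet values are substituted, so a value can never change how many arguments the check receives, and the allow-list is a second, independent barrier in case the check script itself passes its arguments on to another shell.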
The impact goes beyond privilege escalation to full compromise of the host, since an attacker can run any command available to the tac_plus process. Organizations that depend on tac_plus for network access control may face privilege escalation, exfiltration of sensitive data, or persistent access to network infrastructure. Because exploitation needs no authentication, the risk is acute wherever tac_plus is a critical authentication component: an attacker could bypass the authentication controls tac_plus is meant to enforce and reach network resources it is supposed to protect.
Immediate mitigations: configure a strong pre-shared secret so the TACACS+ service does not accept requests from unauthorized clients, remove pre-authorization commands that are not needed, and segment the network so that only trusted devices can reach tac_plus servers. The vulnerability maps to CWE-77 and CWE-78 (command injection) and to ATT&CK technique T1059 (Command and Scripting Interpreter). Administrators should also upgrade to a patched version of tac_plus, validate all user-supplied data before it reaches a command line, and review every TACACS+ deployment. Monitoring for unusual authorization request patterns and running intrusion detection can surface exploitation attempts, and periodic audits should confirm that pre-authorization commands are configured as intended and that no unnecessary shell command execution is permitted.
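The audit step recommended above can be partly automated. The following is an added example (not part of tac_plus and not from the advisory) that reads a tac_plus.cfg-style file and reports the two conditions the advisory combines: no pre-shared key configured, and pre-authorization shell commands that take packet-derived arguments. The `key = "..."` and `before authorization "..."` directive syntax, the placeholder names in `PACKET_VARS`, and the sample configuration are assumptions constructed for this example.

```python
"""Added example, not tac_plus code: a small audit of a tac_plus.cfg-style file
that flags a missing pre-shared key and any authorization shell command that
consumes fields taken from the TACACS+ request."""
import re

# Constructed tac_plus.cfg fragment. The key and before/after authorization
# directives are written in tac_plus.cfg style, but their exact syntax is an
# assumption of this example, not quoted from the advisory.
SAMPLE_CFG = """\
# key = "change-me"      <- commented out, so no shared secret is configured
user = alice {
    before authorization "/usr/local/bin/preauth-check $user $port"
    service = exec { priv-lvl = 15 }
}
user = bob {
    service = exec { priv-lvl = 1 }
}
"""

# Placeholders expanded from the request; these are the injection points when
# the command runs through a shell (assumed names for this example).
PACKET_VARS = ("$user", "$name", "$port", "$address", "$priv", "$service")

KEY_RE = re.compile(r'^key\s*=\s*"?([^"]*?)"?\s*$')
USER_RE = re.compile(r'^user\s*=\s*(\S+)\s*\{')
PREAUTH_RE = re.compile(r'^(before|after)\s+authorization\s+"([^"]*)"')


def audit_config(cfg_text):
    """Return the global key status and every authorization shell command,
    annotated with the user block it belongs to and the packet fields it uses."""
    key_present = False
    current_user = None
    depth = 0
    commands = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if depth == 0 and (m := KEY_RE.match(line)):
            key_present = bool(m.group(1))  # key = "" counts as absent
        if m := USER_RE.match(line):
            current_user = m.group(1)
        if m := PREAUTH_RE.match(line):
            cmd = m.group(2)
            commands.append({
                "line": lineno,
                "user": current_user,
                "when": m.group(1),
                "command": cmd,
                "packet_fields": [v for v in PACKET_VARS if v in cmd],
            })
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current_user = None  # left the user block
    return {"key_present": key_present, "commands": commands}


def findings(cfg_text):
    """Turn the audit into reviewer-facing messages."""
    report = audit_config(cfg_text)
    msgs = []
    if not report["key_present"]:
        msgs.append("no pre-shared key: any host that can reach the service can send requests")
    for c in report["commands"]:
        if c["packet_fields"]:
            msgs.append(f"line {c['line']}: user {c['user']} runs a shell command "
                        f"with packet-derived {', '.join(c['packet_fields'])}")
    return msgs


if __name__ == "__main__":
    for msg in findings(SAMPLE_CFG):
        print("FINDING:", msg)
```

Run it against a real configuration after each change and keep the output empty: a key present and no command that references packet fields is the state the mitigations above aim for. Commands that take no packet-derived argument are listed in the audit result but not reported as findings, since they carry no injection point from the request.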