Shrubbery tac_plus up to 2.x/3.x/4.0.4.28 Configuration File tac_plus.cfg os command injection

Summaryinfo

A vulnerability, which was classified as critical, was found in Shrubbery tac_plus up to 2.x/3.x/4.0.4.28. The affected element is an unknown function of the file tac_plus.cfg of the component Configuration File Handler. Such manipulation leads to os command injection. This vulnerability is traded as CVE-2023-48643. The attack may be launched remotely. There is no exploit available.

Detailsinfo

A vulnerability was found in Shrubbery tac_plus up to 2.x/3.x/4.0.4.28. It has been rated as critical. Affected by this issue is some unknown functionality of the file tac_plus.cfg of the component Configuration File Handler. The manipulation with an unknown input leads to a os command injection vulnerability. Using CWE to declare the problem leads to CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta's fork.

The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-48643 since 11/17/2023. The exploitation is known to be easy. The attack may be launched remotely. Additional levels of successful authentication are needed for exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1202.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Shrubbery

Name

• tac_plus

Version

• 2.x
• 3.x
• 4.0.4.0
• 4.0.4.1
• 4.0.4.2
• 4.0.4.3
• 4.0.4.4
• 4.0.4.5
• 4.0.4.6
• 4.0.4.7
• 4.0.4.8
• 4.0.4.9
• 4.0.4.10
• 4.0.4.11
• 4.0.4.12
• 4.0.4.13
• 4.0.4.14
• 4.0.4.15
• 4.0.4.16
• 4.0.4.17
• 4.0.4.18
• 4.0.4.19
• 4.0.4.20
• 4.0.4.21
• 4.0.4.22
• 4.0.4.23
• 4.0.4.24
• 4.0.4.25
• 4.0.4.26
• 4.0.4.27
• 4.0.4.28

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion