CVE-2023-33965

9.6 CRITICAL

📋 TL;DR

CVE-2023-33965 is a command injection vulnerability in the tproxy server of Brook, a cross-platform programmable network tool, that leads to remote code execution on the host running tproxy. The attacker needs no direct network access to the service: a victim lured to an attacker-controlled web page has their browser send a crafted request to the tproxy service reachable from that browser, and the injected command runs with the privileges of the Brook process. Every Brook version before 20230606 that runs the tproxy subcommand is affected.

💻 Affected Systems

Products:
  • Brook
Versions: All versions before 20230606
Operating Systems: Linux (the tproxy subcommand is Linux-only; Brook's other modes run on Windows, Linux and macOS but do not contain the vulnerable component)
Default Config Vulnerable: ⚠️ Yes, for the tproxy subcommand
Notes: Only hosts that run `brook tproxy` are exposed; Brook's server and client modes are not affected by this issue. Because the exploit is triggered from a victim's browser, a tproxy instance on an internal router or workstation is exposed as soon as a user whose browser can reach it visits a malicious page.

📦 What is this software?

Brook is a cross-platform programmable network tool (proxy server and client) written in Go and published by txthinking on GitHub. Its tproxy subcommand runs a transparent proxy on Linux hosts, typically routers, so that the devices behind them have their traffic forwarded through a Brook server without per-device configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the host running tproxy: the injected command runs with the privileges of the Brook process, which on a router or gateway is commonly root, giving the attacker a foothold for data theft, ransomware deployment, or lateral movement into the network behind the device.

🟠 Likely Case

Remote code execution on the tproxy host: the attacker runs arbitrary commands, installs malware, harvests credentials, or plants a backdoor, typically after a single user on or behind that host visits a malicious page.

🟢 If Mitigated

No impact once Brook is updated to 20230606 or later, or once the tproxy subcommand is no longer running. Network controls only count as mitigation if they stop the victim's own browser from reaching the service, not merely inbound connections from the internet.

🌐 Internet-Facing: HIGH - The exploit is delivered as a drive-by through the victim's browser, so an instance reachable from the internet is exposed both directly and through any user who browses the web from a network that can reach it.
🏢 Internal Only: MEDIUM - An instance that only internal hosts can reach is still exploitable: the attacker never connects to it, the victim's browser does, after loading a malicious page or a compromised internal site. Exposure is reduced only to the extent that fewer browsers can reach the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (the victim's browser must load an attacker-controlled page), but once that happens the request is issued automatically and no authentication to the tproxy service is needed; the technical complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20230606

Vendor Advisory: https://github.com/txthinking/brook/security/advisories/GHSA-vfrj-fv6p-3cpf

Restart Required: Yes

Instructions:

1. Download Brook version 20230606 or later from the official repository.
2. Stop the running Brook service.
3. Replace the vulnerable binary with the patched version.
4. Restart the Brook service.

🔧 Temporary Workarounds

Disable tproxy server (all platforms)

Disable the vulnerable tproxy server component if it is not required: stop the Brook service and make sure no `brook tproxy` process or startup entry remains. Brook's other modes can keep running.

Network isolation (all platforms)

Restrict who can reach the tproxy service: bind the listener to the interface that needs it and firewall the port(s) it listens on (default 1080 according to this page) so that only the clients that must use the proxy can connect. Note the limit of this workaround: the exploit request is sent by the victim's own browser, so a perimeter firewall that only blocks inbound connections from the internet does nothing. The rule set must also keep workstation browsers on the local network away from the service, and it cannot protect a host whose own browser can reach it.

🧯 If You Can't Patch

  • Disable the tproxy server functionality entirely; Brook's other modes do not contain the vulnerable component
  • Bind the tproxy listener to the interface that needs it and firewall its port(s) so that only the clients that must use the proxy, and no workstation browsers, can reach it; a host whose own browser can reach the service cannot be protected this way, so until it is patched do not browse the web from it

🔍 How to Verify

Check if Vulnerable:

A host is vulnerable when both hold: the installed Brook is older than 20230606, and the tproxy subcommand is running (or started at boot). Hosts that run only `brook server` or `brook client` on an old version should still be updated but are not exposed to this issue.

Check Version:

Run `brook --version` (or inspect the binary's version information). Brook releases are named by date, so compare the YYYYMMDD value against 20230606.

Verify Fix Applied:

Confirm that the running tproxy process comes from the 20230606 or newer binary (restart it after replacing the binary; a process started from the old file stays vulnerable) and that transparent proxying still works.
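The check described above, as an added example that is not part of Brook or the vendor advisory. It assumes that `brook --version` prints the release date as an 8-digit token (for example "brook version 20230606"; only that token is used) and that an exposed host runs the tproxy subcommand with a command line of the form `brook ... tproxy ...`. Both assumptions are also noted in the code.

```shell
#!/bin/sh
# Added example, not part of Brook or the advisory: decide whether a host is
# exposed to CVE-2023-33965 from its brook version string and its process list.
# Assumptions: `brook --version` prints the release date as an 8-digit token
# (for example "brook version 20230606"; only the YYYYMMDD token is used),
# and an exposed host runs the tproxy subcommand as "brook ... tproxy ...".

FIXED_VERSION=20230606

# brook_version_from_output TEXT -> prints the first 8-digit token in TEXT
brook_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]{8}' | head -n 1
}

# brook_version_vulnerable VERSION -> exit 0 if VERSION is older than the fix,
# 1 if it is fixed, 2 if VERSION is empty (cannot decide)
brook_version_vulnerable() {
    [ -n "$1" ] || return 2
    [ "$1" -lt "$FIXED_VERSION" ]
}

# tproxy_in_cmdlines CMDLINE... -> exit 0 if any command line runs brook tproxy
tproxy_in_cmdlines() {
    printf '%s\n' "$@" | grep -qE '(^|/)brook( +[^ ]+)* +tproxy( |$)'
}

# exposure_status VERSION_OUTPUT CMDLINE... -> prints one of:
#   not-exposed  (no tproxy process, whatever the version)
#   vulnerable   (tproxy running on a version before 20230606)
#   patched      (tproxy running on 20230606 or later)
#   unknown      (tproxy running, version could not be parsed)
exposure_status() {
    out="$1"; shift
    if ! tproxy_in_cmdlines "$@"; then
        echo not-exposed; return 0
    fi
    v=$(brook_version_from_output "$out")
    if [ -z "$v" ]; then
        echo unknown
    elif brook_version_vulnerable "$v"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Live check on this host; skipped when brook is not installed.
if command -v brook >/dev/null 2>&1; then
    exposure_status "$(brook --version 2>&1)" "$(ps -eo args= 2>/dev/null)"
fi
```

The process-list test matters as much as the version test: a host that has the new binary on disk but still runs a tproxy process started from the old one reports "vulnerable" only if you feed it the version of the running binary, so restart the service after upgrading before trusting a "patched" result.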

📡 Detection & Monitoring

Log Indicators:

  • Child processes of the brook process, above all shells (sh, bash, dash) or download tools (curl, wget): a command injection through tproxy shows up as brook spawning a shell. tproxy may itself invoke system tools when it sets up traffic redirection, so baseline its normal children first and alert on anything outside that set.
  • Where an HTTP access log or IDS covers the service: requests to it carrying shell metacharacters (;, |, &, $()) in their parameters, or an Origin/Referer header pointing at an external site.

Network Indicators:

  • Connections to the tproxy service from browser processes on workstations; a transparent proxy is reached by redirected traffic, not by a browser addressing it directly.
  • Outbound connections from the tproxy host to unfamiliar destinations shortly after such a request (payload download, reverse shell).

SIEM Query:

parent_process_name="brook" AND process_name IN ("sh", "bash", "dash")

Match on the child's process image name rather than on a substring of its command line: a substring test for "sh" also matches ssh, flush and many other harmless strings.
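The parent/child rule above, run over sample process-creation events, as an added example that is not part of Brook or the advisory. The event format (one line per event: timestamp, parent executable, child executable, child arguments) and the sample records are constructed for this example; export your auditd or EDR process events into that shape before feeding them in.

```shell
#!/bin/sh
# Added example, not part of Brook or the advisory: flag shells spawned by a
# brook process in process-creation records, which is what a successful
# command injection through tproxy leaves behind.
# The record format is constructed for this example, one event per line:
#   TIMESTAMP PARENT_EXE CHILD_EXE CHILD_ARGS...
# Export your auditd/EDR process events into this shape before feeding them in.

# is_shell EXE -> exit 0 if EXE's basename is a common Linux shell
is_shell() {
    case "${1##*/}" in
        sh|bash|dash|ash|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_brook_shells < records -> prints one line per event where the parent
# executable is brook and the child is a shell; everything else is dropped
flag_brook_shells() {
    while read -r ts parent child args; do
        [ "${parent##*/}" = "brook" ] || continue
        is_shell "$child" || continue
        printf '%s brook spawned %s: %s\n' "$ts" "${child##*/}" "$args"
    done
}

# count_brook_shells < records -> number of flagged events
count_brook_shells() {
    flag_brook_shells | wc -l | tr -d ' '
}

# Constructed sample: systemd starting tproxy, sshd and cron running shells
# (benign), and two shells spawned by brook, which is what we want to catch.
SAMPLE_RECORDS='2023-06-01T10:00:01Z /usr/lib/systemd/systemd /usr/bin/brook tproxy --listen :1080
2023-06-01T10:00:05Z /usr/sbin/sshd /bin/bash -c uptime
2023-06-01T10:00:09Z /usr/bin/brook /bin/sh -c id
2023-06-01T10:00:12Z /usr/sbin/cron /bin/sh -c /usr/lib/flush-cache
2023-06-01T10:00:15Z /usr/bin/brook /usr/bin/dash -c cat /etc/passwd'

# sample_alert_count -> number of alerts the constructed sample produces
sample_alert_count() {
    printf '%s\n' "$SAMPLE_RECORDS" | count_brook_shells
}

# Stand-alone run: print the alerts for the sample.
printf '%s\n' "$SAMPLE_RECORDS" | flag_brook_shells
```

The rule keys on the parent executable's basename and the child's basename, so the cron and sshd shells in the sample pass and only the two brook-spawned shells are reported. Before deploying it, record what children a healthy tproxy instance spawns on your routers and exclude those, or the baseline noise will bury the alert.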

🔗 References

  • Vendor advisory (GitHub Security Advisory): https://github.com/txthinking/brook/security/advisories/GHSA-vfrj-fv6p-3cpf