CVE-2023-38336

9.8 CRITICAL

📋 TL;DR

CVE-2023-38336 is a command injection vulnerability in netkit-rcp (part of the rsh-client package) that allows an attacker to execute arbitrary commands via specially crafted filenames. It affects systems running rsh-client 0.17-24 where netkit-rcp is installed and accessible. The flaw exists because the program passes filenames to /bin/sh without proper sanitization.

💻 Affected Systems

Products:
  • netkit-rcp
  • rsh-client
Versions: 0.17-24
Operating Systems: Debian-based systems (Debian, Ubuntu)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where netkit-rcp is installed and accessible. The rsh suite is often disabled by default in modern systems but may be present in legacy environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root privileges, allowing complete control over the affected system, data theft, and lateral movement within the network.

🟠 Likely Case

Remote code execution with the privileges of the user running netkit-rcp, potentially leading to data exfiltration, privilege escalation, or installation of backdoors.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege principles, and input validation are implemented, potentially containing the attack to isolated segments.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires that the attacker already has enough access to cause netkit-rcp to be run with a malicious filename. The pattern is similar to previous rsh-related vulnerabilities with known exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: rsh-client 0.17-25 or later

Vendor Advisory: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039689

Restart Required: No

Instructions:

1. Update package: sudo apt update && sudo apt upgrade rsh-client
2. Verify installation: dpkg -l | grep rsh-client
3. Check version is 0.17-25 or higher

🔧 Temporary Workarounds

Disable rsh services

Remove or disable rsh-client and related services if they are not required:

sudo apt remove rsh-client
sudo systemctl disable rsh.socket rlogin.socket rexec.socket

Restrict file permissions

Limit execution of netkit-rcp to trusted users only (replace trustedgroup with the group that is allowed to run it):

sudo chmod 750 /usr/bin/rcp
sudo chown root:trustedgroup /usr/bin/rcp

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for any user-supplied filenames before passing to netkit-rcp
  • Use network segmentation to isolate systems with rsh-client from critical assets and internet-facing systems

🔍 How to Verify

Check if Vulnerable:

Check rsh-client version: dpkg -l | grep rsh-client | grep 0.17-24

Check Version:

dpkg -l | grep rsh-client

Verify Fix Applied:

Verify updated version: dpkg -l | grep rsh-client | grep -v 0.17-24 (note that grep -v only proves the version is not 0.17-24; confirm that the version column actually reads 0.17-25 or higher)

📡 Detection & Monitoring

Log Indicators:

  • Unusual rcp command executions with suspicious filename patterns
  • Failed authentication attempts followed by rsh/rcp activity

Network Indicators:

  • Unexpected rsh/rcp traffic from untrusted sources
  • Anomalous outbound connections following rcp usage

SIEM Query:

source="*auth.log*" AND (process="rcp" OR process="rsh") AND (command="*;*" OR command="*|*" OR command="*`*")
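The SIEM query above keys on three shell metacharacters in the rcp/rsh command line. The script below is an added example, not tooling from the advisory: it applies the same rule to a log stream in Python and goes slightly beyond the query by also flagging the other characters /bin/sh interprets (`&`, redirections, newlines and `$(`), and by tokenising the command with `shlex` so a quoted argument is examined as the single token the shell would hand to rcp. The key=value record format, the field names (`ts`, `host`, `user`, `process`, `command`) and the log lines are constructed for the example and do not reflect any real auth.log layout.

```python
"""Flag rcp/rsh invocations whose arguments carry shell metacharacters,
mirroring the advisory's SIEM query (';', '|', '`') and extending it to the
other characters /bin/sh interprets. Added example, not the advisory's
tooling; the record format and log lines are constructed samples."""
import re
import shlex

# Characters /bin/sh treats specially; the advisory's query covers ';', '|' and '`'.
SUSPICIOUS = re.compile(r"[;|`&<>\n]|\$\(")

# Constructed key=value record format: values may be bare or double-quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Turn 'ts=... host=... process=rcp command="..."' into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def suspicious_args(command: str) -> list:
    """Arguments (argv[1:]) of the logged command that contain metacharacters.
    shlex.split removes the quoting so 'host:'"'"'a;b'"'"'' is inspected as one
    token, exactly what the shell passes to rcp; an unbalanced quote makes
    the whole command suspect rather than silently passing it."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return [command]
    return [arg for arg in argv[1:] if SUSPICIOUS.search(arg)]


def scan(log_text: str) -> list:
    """One alert per rcp/rsh record whose arguments look like shell injection."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("process") not in ("rcp", "rsh"):
            continue
        hits = suspicious_args(rec.get("command", ""))
        if hits:
            alerts.append({"ts": rec.get("ts"), "host": rec.get("host"),
                           "user": rec.get("user"), "process": rec["process"],
                           "args": hits})
    return alerts


# Constructed sample records; the scp line and the plain rsh line are the negatives.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z host=legacy1 user=ops process=rcp command="rcp build1:/var/log/messages /tmp/"
ts=2024-01-01T10:00:05Z host=legacy1 user=ops process=scp command="scp build1:'a;b' /tmp/"
ts=2024-01-01T10:01:00Z host=legacy1 user=www process=rcp command="rcp build1:'report;id' /tmp/"
ts=2024-01-01T10:02:00Z host=legacy1 user=www process=rsh command="rsh build1 ls"
ts=2024-01-01T10:03:00Z host=legacy1 user=www process=rcp command="rcp build1:$(id) /tmp/"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The process filter is deliberate: the same metacharacters are harmless in an scp argument, and alerting on every `;` in every command line would drown the signal. If your audit source records argv as separate fields rather than one command string, skip `shlex.split` and pass each field to `SUSPICIOUS.search` directly.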
