CVE-2023-38994

7.9 HIGH

📋 TL;DR

This vulnerability in Univention Corporate Server (UCS) monitoring scripts exposes the LDAP machine account password in plaintext in the process list. Attackers with local SSH access can capture this password to escalate privileges and perform further attacks. By default, UCS does not grant regular users local SSH access, which limits the attack surface.

💻 Affected Systems

Products:
  • Univention Corporate Server (UCS)
Versions: UCS 5.0 to 5.0-5
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Default UCS configuration restricts local SSH access for regular users, but misconfigurations or other vulnerabilities could provide the required access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local SSH access captures the LDAP machine account password, gains administrative privileges, and completely compromises the UCS domain controller, potentially leading to domain takeover and data exfiltration.

🟠 Likely Case

An attacker with existing local access (e.g., through another vulnerability or misconfiguration) escalates privileges to gain control over the UCS system and potentially other joined systems.

🟢 If Mitigated

With proper SSH access controls and monitoring, the risk is limited, as attackers cannot easily obtain the local access required to view the process list.

🌐 Internet-Facing: LOW - The vulnerability requires local SSH access, which is not typically exposed to the internet by default.
🏢 Internal Only: MEDIUM - Internal attackers with local SSH access (e.g., through compromised accounts or misconfigurations) can exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local SSH access to view the process list; the password exposure is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UCS 5.0-6 and later

Vendor Advisory: https://forge.univention.org/bugzilla/show_bug.cgi?id=56324

Restart Required: No

Instructions:

1. Update UCS to version 5.0-6 or later via the Univention App Center or package manager.
2. Verify the update applied successfully.
3. No restart is required, but monitor for any issues.

🔧 Temporary Workarounds

Restrict SSH Access

Ensure only authorized administrative users have local SSH access to UCS systems.

# Review and update /etc/ssh/sshd_config to restrict access
# Use AllowUsers or AllowGroups directives
# Example: AllowUsers admin1 admin2

Monitor Process List

Implement monitoring to detect unauthorized access to process lists or suspicious activity.

# Use auditd or similar tools to monitor ps, top, or /proc access
# Example audit rule: -a always,exit -F arch=b64 -S execve -F path=/usr/bin/ps -F key=process_monitor

🧯 If You Can't Patch

  • Enforce strict SSH access controls to prevent unauthorized local access.
  • Implement continuous monitoring of process lists and alert on any access attempts.

🔍 How to Verify

Check if Vulnerable:

Check whether the UCS version is 5.0-5 or earlier by running 'univention-version' and inspecting the output. Also check whether monitoring scripts such as 'check_univention_joinstatus' are running and exposing the password in 'ps aux' output.

Check Version:

univention-version

Verify Fix Applied:

After updating, confirm version is 5.0-6 or later with 'univention-version'. Ensure no plaintext passwords appear in 'ps aux' when monitoring scripts execute.
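The verification step above can be automated: the following Python script is an added example (not from the advisory or from Univention) that scans every process command line under /proc for a given secret and reports matching processes with the secret redacted. The location of the machine account secret is not stated on this page, so the script takes the secret file path as an argument (a placeholder assumption) and otherwise runs offline against a constructed sample.

```python
"""Check whether any running process carries a secret in its command line."""
import os
import sys

# Constructed sample: a monitoring check started with the secret as an argument.
SAMPLE_SECRET = "s3cr3t-machine-pw"
SAMPLE_CMDLINES = {
    1: ["/sbin/init"],
    4242: ["check_univention_joinstatus", "--password=s3cr3t-machine-pw"],
}


def secret_in_argv(secret: str, argv: list[str]) -> bool:
    """True if the secret appears as a whole argument or embedded in one
    (e.g. --password=<secret>). An empty secret never matches."""
    if not secret:
        return False
    return any(secret in arg for arg in argv)


def processes_exposing(secret: str, cmdlines: dict[int, list[str]]) -> list[tuple[int, list[str]]]:
    """Return (pid, redacted argv) for every process whose argv contains the
    secret; the secret is replaced so the finding can be logged safely."""
    hits = []
    for pid, argv in sorted(cmdlines.items()):
        if secret_in_argv(secret, argv):
            hits.append((pid, [a.replace(secret, "<REDACTED>") for a in argv]))
    return hits


def read_proc_cmdlines() -> dict[int, list[str]]:
    """Collect argv of all processes from /proc/<pid>/cmdline (NUL-separated)."""
    result = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable by this user
        if raw:
            result[int(name)] = [a.decode(errors="replace") for a in raw.rstrip(b"\0").split(b"\0")]
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumption: argv[1] names a file holding the machine account secret (placeholder path).
        with open(sys.argv[1]) as fh:
            secret = fh.read().strip()
        cmdlines = read_proc_cmdlines()
    else:
        secret, cmdlines = SAMPLE_SECRET, SAMPLE_CMDLINES  # offline demo
    for pid, argv in processes_exposing(secret, cmdlines):
        print(pid, " ".join(argv))
```

Run it repeatedly (or from cron) while the monitoring checks execute, since a short-lived process only shows the secret for the moment it is running.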

📡 Detection & Monitoring

Log Indicators:

  • SSH login attempts from unauthorized users
  • Access to process listing commands (e.g., ps, top) by non-admin users
  • Unusual LDAP authentication attempts from local system

Network Indicators:

  • Unusual SSH connections to UCS systems
  • Suspicious LDAP queries from internal hosts

SIEM Query:

source="ssh_logs" AND (event="Failed password" OR event="Accepted password") | stats count by src_ip, user

🔗 References
