CVE-2023-43631
📋 TL;DR
CVE-2023-43631 allows attackers to gain root access to EVE OS devices by adding their SSH public key to an unprotected config file. This bypasses measured boot security mechanisms, enabling persistent control without detection. Affects EVE OS devices using the Pillar container with vulnerable configurations.
💻 Affected Systems
- EVE OS with Pillar container
📦 What is this software?
Edge Virtualization Engine by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of device, persistent backdoor access, complete control over device functions and data, ability to manipulate other security mechanisms.
Likely Case
Unauthorized root access leading to data theft, device manipulation, and potential lateral movement in connected networks.
If Mitigated
Limited impact with proper network segmentation and access controls, though device integrity remains compromised.
🎯 Exploit Status
Exploitation requires ability to write to /config partition. Physical access or existing system access needed. Simple SSH key injection technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions containing commits aa3501d6c57206ced222c33aea15a9169d629141 and 5fef4d92e75838cc78010edaed5247dfbdae1889
Vendor Advisory: https://asrg.io/security-advisories/cve-2023-43631/
Restart Required: Yes
Instructions:
1. Update EVE OS to a version containing the fix commits.
2. Ensure the config partition measurement is included in PCR13/PCR14.
3. Reboot the device to apply the changes and enable measured boot protection.
🔧 Temporary Workarounds
Remove or lock down the authorized_keys file
Delete the vulnerable config file, or restrict its permissions, to prevent SSH key injection (Linux shell; the two commands are alternatives, since chmod fails on a file that has already been removed):
rm -f /config/authorized_keys
chmod 000 /config/authorized_keys
Disable the SSH service
Prevent SSH from starting even if the authorized_keys file exists (Linux shell; the first command stops future starts, the second ends any running instances):
systemctl disable sshd
killall sshd
🧯 If You Can't Patch
- Physically secure devices to prevent unauthorized access to config partition
- Implement strict network segmentation and firewall rules to limit SSH access to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check whether the /config/authorized_keys file exists and is writable: ls -la /config/authorized_keys && test -w /config/authorized_keys && echo 'VULNERABLE'
Check Version:
Run eve-version, or check the EVE OS documentation for version information.
Verify Fix Applied:
Verify that the config partition is measured in PCR13/PCR14 and that the authorized_keys file permissions are restricted.
📡 Detection & Monitoring
Log Indicators:
- Unexpected SSH root login attempts
- Changes to /config/authorized_keys file
- SSH service starting unexpectedly
Network Indicators:
- Unexpected SSH connections to port 22 from unauthorized sources
- SSH traffic patterns inconsistent with normal operations
SIEM Query:
source="eve-os" AND (event="ssh_root_login" OR file_change="/config/authorized_keys")
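As an added example (not part of the advisory or the EVE OS project), a small Python scanner that applies the three log indicators above to constructed sample lines and flags the authorized_keys-change-then-root-login sequence this CVE produces; the log line formats, host name and source addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for illustration only; the line formats are
# assumptions and not actual EVE OS output.
SAMPLE_LOGS = [
    "2024-01-10T08:00:02Z edge1 audit: path=/config/authorized_keys op=write uid=0",
    "2024-01-10T08:00:05Z edge1 sshd[1201]: Server listening on 0.0.0.0 port 22.",
    "2024-01-10T08:00:09Z edge1 sshd[1201]: Accepted publickey for root from 10.0.0.23 port 51522 ssh2",
    "2024-01-10T08:01:00Z edge1 sshd[1210]: Accepted publickey for edge from 10.0.0.5 port 40000 ssh2",
    "2024-01-10T08:02:00Z edge1 kernel: eth0: link up",
]

ROOT_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+) port \d+")
KEYS_CHANGE = re.compile(r"path=/config/authorized_keys op=(?P<op>write|create|chmod|rename)")
SSHD_START = re.compile(r"sshd\[\d+\]: Server listening on ")

@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    line: str

def scan_logs(lines, trusted_sources=frozenset()):
    """Flag the three log indicators: root SSH logins (high unless the source is
    in trusted_sources), changes to /config/authorized_keys, and sshd start-up."""
    alerts = []
    for line in lines:
        if m := ROOT_LOGIN.search(line):
            sev = "medium" if m.group("src") in trusted_sources else "high"
            alerts.append(Alert("ssh_root_login", sev, line))
        elif KEYS_CHANGE.search(line):
            alerts.append(Alert("authorized_keys_change", "high", line))
        elif SSHD_START.search(line):
            alerts.append(Alert("sshd_start", "medium", line))
    return alerts

def key_injection_sequence(alerts):
    """True when an authorized_keys change is followed by a root SSH login, the
    order an injected key produces (alerts are assumed to be in log order)."""
    seen_change = False
    for a in alerts:
        if a.rule == "authorized_keys_change":
            seen_change = True
        elif a.rule == "ssh_root_login" and seen_change:
            return True
    return False
```

Calling scan_logs(SAMPLE_LOGS, trusted_sources={"10.0.0.5"}) yields three alerts, and key_injection_sequence on them returns True because the key file write precedes the root login.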