CVE-2023-45168

8.4 HIGH

📋 TL;DR

This vulnerability allows a non-privileged local user on IBM AIX and VIOS systems to exploit the invscout command to execute arbitrary commands with elevated privileges. It affects IBM AIX 7.2, 7.3, and VIOS 3.1 systems. This is a local privilege escalation vulnerability that could lead to full system compromise.

💻 Affected Systems

Products:
  • IBM AIX
  • IBM VIOS
Versions: AIX 7.2, 7.3; VIOS 3.1
Operating Systems: IBM AIX, IBM VIOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The invscout command is typically installed by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A local attacker gains root privileges and takes complete control of the system, potentially accessing sensitive data, installing persistent backdoors, or pivoting to other systems.

🟠 Likely Case

A local user with standard privileges escalates to root and performs unauthorized actions on the affected system.

🟢 If Mitigated

With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local user access, not directly exploitable over the network.
🏢 Internal Only: HIGH - Any local user on affected systems can potentially gain root privileges, posing significant risk to internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but appears to be straightforward based on the vulnerability description. No public exploit code has been identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the security fix from IBM's advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7086090

Restart Required: Yes

Instructions:

1. Review IBM advisory at https://www.ibm.com/support/pages/node/7086090
2. Download and apply the appropriate fix for your AIX/VIOS version
3. Reboot the system as required
4. Verify the fix is properly installed

🔧 Temporary Workarounds

Remove invscout execute permissions

Temporarily remove execute permissions from the invscout command to prevent exploitation

chmod -x /usr/sbin/invscout

Restrict invscout access

Remove invscout from non-privileged users' PATH or restrict access via permissions

chmod 750 /usr/sbin/invscout
chown root:system /usr/sbin/invscout

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts on affected systems
  • Monitor for suspicious invscout command execution and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if invscout exists and is executable: ls -la /usr/sbin/invscout

Check Version:

lslpp -L | grep invscout

Verify Fix Applied:

Check the version of invscout and verify it matches the patched version from IBM's advisory
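
The permission check above, extended to show whether either workaround has taken effect (an added example, not from IBM or the original page): it reads the mode string from `ls -ld` and reports who can still execute the binary and whether the setuid bit is set. The function names are made up for this example, and the result does not replace checking the fileset level against IBM's advisory.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of AIX.

# classify_mode MODE: interpret an `ls -l` mode string such as -r-sr-xr-x.
# Prints "<exposure> <setuid|no-setuid>".
classify_mode() {
    mode=$1
    owner_x=$(printf '%s' "$mode" | cut -c4)   # x, s (setuid+exec), S, or -
    group_x=$(printf '%s' "$mode" | cut -c7)   # x, s (setgid+exec), S, or -
    other_x=$(printf '%s' "$mode" | cut -c10)  # x, t (sticky+exec), T, or -

    case "$owner_x" in
        s|S) suid="setuid" ;;
        *)   suid="no-setuid" ;;
    esac

    # Report the widest audience that can still execute the file.
    case "$other_x" in
        x|t) echo "world-executable $suid"; return ;;
    esac
    case "$group_x" in
        x|s) echo "group-restricted $suid"; return ;;
    esac
    case "$owner_x" in
        x|s) echo "owner-only $suid"; return ;;
    esac
    echo "not-executable $suid"
}

# invscout_exposure [PATH]: classify the file on disk.
# The default path is the one used on this page.
invscout_exposure() {
    target=${1:-/usr/sbin/invscout}
    if [ ! -f "$target" ]; then
        echo "absent"
        return
    fi
    # -L follows a symlink so the real file's mode is reported.
    classify_mode "$(ls -ldL "$target" | awk '{print $1}')"
}

# Run directly on a host: prints one line for the given (or default) path.
invscout_exposure "$@"
```

If the result is still `world-executable` after `chmod -x`, the umask kept the other-execute bit in place: a symbolic mode with no `who` leaves umask-masked bits untouched, whereas `chmod a-x` clears all three.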

📡 Detection & Monitoring

Log Indicators:

  • Unusual invscout command execution by non-privileged users
  • Sudden privilege escalation events
  • Suspicious command execution following invscout

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Search for invscout execution events followed by privilege changes or suspicious command execution
