CVE-2023-45239

9.8 CRITICAL

📋 TL;DR

CVE-2023-45239 is a critical remote code execution vulnerability in tac_plus, Facebook's TACACS+ authentication server. When pre- or post-authentication commands are enabled, an attacker can inject shell commands through the username, rem-addr, or NAC address fields of a TACACS+ request, allowing complete compromise of the server. Organizations using tac_plus to authenticate logins to network devices are affected.

💻 Affected Systems

Products:
  • tac_plus (Facebook's TACACS+ server implementation)
Versions: All versions prior to commit 4fdf178
Operating Systems: All operating systems running tac_plus
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when pre or post authentication commands are enabled in configuration.

📦 What is this software?

tac_plus is Facebook's implementation of a TACACS+ server. TACACS+ is the protocol that network devices (routers, switches, firewalls) use to hand authentication, authorization and accounting of administrative logins to a central server, so a compromise of this daemon exposes the management plane of the network.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining root privileges, installing persistent backdoors, pivoting to other systems, and exfiltrating sensitive data.

🟠

Likely Case

Remote code execution leading to service disruption, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only service disruption if commands are filtered.

🌐 Internet-Facing: HIGH - tac_plus servers exposed to internet are directly exploitable by remote attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised devices can exploit this to gain privileged access and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted TACACS+ packets with shell command injection in username, rem-addr, or NAC address fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 4fdf178 or later

Vendor Advisory: https://github.com/facebook/tac_plus/security/advisories/GHSA-p334-5r3g-4vx3

Restart Required: Yes

Instructions:

1. Update tac_plus to commit 4fdf178 or later.
2. Pull the latest changes from the GitHub repository.
3. Recompile and reinstall tac_plus.
4. Restart the tac_plus service.

🔧 Temporary Workarounds

Disable pre/post auth commands (platform: all)

Remove or comment out the preauth-cmd and postauth-cmd directives in the tac_plus configuration; the change takes effect when the service is restarted.

# Edit /etc/tac_plus/tac_plus.conf
# Remove or comment out lines containing: preauth-cmd or postauth-cmd

Network access restrictions (platform: linux)

Restrict access to the TACACS+ port (TCP 49) to trusted management networks only. Replace trusted_network with your management subnet; the ACCEPT rule must precede the DROP rule.

iptables -A INPUT -p tcp --dport 49 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 49 -j DROP

🧯 If You Can't Patch

  • Disable preauth-cmd and postauth-cmd features in configuration immediately
  • Implement strict network segmentation to isolate tac_plus servers from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Run tac_plus --version and check whether the build is older than commit 4fdf178. Also check the configuration for preauth-cmd or postauth-cmd directives: the vulnerability is only reachable when one of those directives is active.

Check Version:

tac_plus --version 2>/dev/null || strings $(which tac_plus) | grep -i version

Verify Fix Applied:

Confirm that tac_plus --version reports commit 4fdf178 or later. In a test environment, confirm that shell metacharacters in the username, rem-addr and NAC address fields are rejected or escaped rather than passed to a shell.
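The configuration check above can be automated. The following script is an added example, not part of the advisory or of the tac_plus project; it assumes the directive names are preauth-cmd and postauth-cmd as the advisory states, and that # starts a comment in tac_plus.conf. It reports only directives that are still active, so a commented-out directive (the recommended workaround) is correctly treated as disabled.

```python
"""Check a tac_plus.conf for active pre/post-auth command directives.

Added example, not part of the advisory or the tac_plus project. Assumes the
directive names `preauth-cmd` and `postauth-cmd` as named in the advisory and
that `#` starts a comment.
"""
import re
import sys
from pathlib import Path

# Directive names as given in the advisory (assumption: exact spelling).
AUTH_CMD_DIRECTIVES = ("preauth-cmd", "postauth-cmd")

# Constructed sample configuration for offline testing.
SAMPLE_CONF = """\
key = "s3cret"
# preauth-cmd = /usr/local/bin/log-attempt   <- commented out, inactive
group = admins {
    postauth-cmd = /usr/local/bin/notify   # still active
}
user = alice {
    member = admins
}
"""


def active_auth_cmd_directives(conf_text: str) -> list[tuple[int, str]]:
    """Return (line_number, directive) for every directive that is still active.

    Text after '#' is treated as a comment, so commented-out directives are
    ignored; that matches the workaround the advisory recommends.
    """
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # drop trailing comment
        for directive in AUTH_CMD_DIRECTIVES:
            # whole-word match followed by '=', whitespace or end of line
            if re.search(rf"(^|\s){re.escape(directive)}\s*(=|\s|$)", code):
                hits.append((lineno, directive))
    return hits


def is_workaround_applied(conf_text: str) -> bool:
    """True when no pre/post-auth command directive remains active."""
    return not active_auth_cmd_directives(conf_text)


def main(argv: list[str]) -> int:
    # Usage: python check_tac_plus_conf.py /etc/tac_plus/tac_plus.conf
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_CONF
    hits = active_auth_cmd_directives(text)
    for lineno, directive in hits:
        print(f"line {lineno}: active {directive} directive (CVE-2023-45239 exposure)")
    print("workaround applied" if not hits else "workaround NOT applied")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real file path to get a non-zero exit status whenever an active directive remains, which makes it easy to wire into a configuration audit.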

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in tac_plus logs
  • Multiple failed authentication attempts with unusual usernames
  • System logs showing unexpected processes spawned by tac_plus user

Network Indicators:

  • TACACS+ packets containing shell metacharacters (;, |, &, $, etc.)
  • Unusual outbound connections from tac_plus server

SIEM Query:

source="tac_plus" AND ("preauth-cmd" OR "postauth-cmd") AND ("|" OR ";" OR "$" OR "&" OR "`")
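A small detector for the network and log indicators listed above, written as an added example (not part of the advisory or of tac_plus). It assumes a constructed key=value log format for the sample lines; adapt parse_line to your tac_plus log layout. It checks the three fields the advisory names as injection points (user, rem_addr, nac_address) for the metacharacters the advisory lists, plus redirection and newline, which a shell also interprets.

```python
"""Flag TACACS+ attribute values that carry shell metacharacters.

Added example, not part of the advisory or the tac_plus project. Assumes a
constructed key=value log format; the field names user, rem_addr and
nac_address follow the injection points named in the advisory.
"""
import re

# Metacharacters listed in the advisory, plus redirection and newline.
# A legitimate username or IP address needs none of them.
SHELL_META = re.compile(r"[;|&$`<>\n()]")

# Fields the advisory identifies as reaching pre/post-auth commands.
WATCHED_FIELDS = ("user", "rem_addr", "nac_address")

# Constructed sample log lines (space-separated key=value) for offline use.
SAMPLE_LOG = """\
ts=2023-11-07T10:00:01Z type=authen user=alice rem_addr=192.0.2.10 nac_address=10.0.0.5 result=pass
ts=2023-11-07T10:00:02Z type=authen user=bob;echo rem_addr=192.0.2.11 nac_address=10.0.0.5 result=fail
ts=2023-11-07T10:00:03Z type=authen user=carol rem_addr=$(hostname) nac_address=10.0.0.5 result=fail
ts=2023-11-07T10:00:04Z type=authen user=dave rem_addr=192.0.2.12 nac_address=10.0.0.5 result=pass
"""


def parse_line(line: str) -> dict:
    """Split a constructed key=value log line into a dict (values may be empty)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def suspicious_fields(record: dict) -> list[str]:
    """Names of watched fields whose value contains a shell metacharacter."""
    return [f for f in WATCHED_FIELDS if SHELL_META.search(record.get(f, ""))]


def scan_log(text: str) -> list[tuple[int, list[str], dict]]:
    """Return (line_no, flagged_fields, record) for lines an analyst should review."""
    alerts = []
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        flagged = suspicious_fields(rec)
        if flagged:
            alerts.append((n, flagged, rec))
    return alerts


if __name__ == "__main__":
    for n, flagged, rec in scan_log(SAMPLE_LOG):
        print(f"line {n}: metacharacters in {flagged} "
              f"(user={rec.get('user')!r} rem_addr={rec.get('rem_addr')!r})")
```

Because it keys on the field values rather than on the directive names, the check still fires on servers where the log does not mention preauth-cmd or postauth-cmd at all, and a hit on an unpatched server with those directives active warrants treating the host as compromised.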

🔗 References
