CVE-2023-46117

8.8 HIGH

📋 TL;DR

CVE-2023-46117 is a remote code execution vulnerability in reconFTW. During subdomain enumeration reconFTW scrapes hostnames out of the Content-Security-Policy (CSP) headers of the hosts it visits, and versions before 2.7.1.1 did not validate what they retrieved before using it. An attacker who controls a domain that a scan reaches can therefore serve a crafted CSP entry that ends up executed as a command with the privileges of the account running reconFTW. All users running reconFTW versions before 2.7.1.1 are affected.
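The defect is a missing validation step between "host scraped from a CSP header" and "host used on a command line". The following POSIX shell filter is an added illustration of what that step looks like; it is not reconFTW's own code. It splits a CSP header value into candidate hosts and lets through only well-formed hostnames inside the assessed scope. The scope example.com, the function names and the sample header are constructed for this demonstration; the hostile tokens in the header are the kind of content an attacker-controlled domain would serve.

```sh
#!/bin/sh
# Added example, not code from reconFTW: a strict filter for hostnames scraped
# from Content-Security-Policy headers. The scope "example.com" and the sample
# header below are assumptions made for this demonstration.

# Split a CSP header value into bare host candidates, one per line.
# Directives are ';'-separated, sources whitespace-separated; scheme, port,
# path and a leading "*." wildcard are stripped. Nothing is validated here.
extract_csp_hosts() {
    printf '%s\n' "$1" | tr ';' '\n' | while read -r directive; do
        set -f                  # no globbing: "*.example.com" must stay literal
        set -- $directive       # word-split the directive into its tokens
        set +f
        [ $# -gt 0 ] && shift   # drop the directive name (script-src, ...)
        for src in "$@"; do
            h=${src#*://}       # scheme
            h=${h%%/*}          # path
            h=${h%%:*}          # port (also turns "data:" into "data")
            h=${h#\*.}          # wildcard source -> its base domain
            printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
        done
    done
}

# Accept only a lower-cased RFC 1123 hostname (labels of [a-z0-9-], 1-63 chars,
# no leading or trailing '-', total <= 253) that equals the scope or is a
# subdomain of it. Quotes, whitespace, '$', '`', '|' and ';' can never pass,
# so an accepted value is safe to place on a later command line.
is_in_scope_host() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    s=$2
    case $h in *[[:space:]]*) return 1 ;; esac      # no multi-line tricks
    [ ${#h} -le 253 ] || return 1
    printf '%s\n' "$h" \
      | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' || return 1
    case $h in
        "$s" | *".$s") return 0 ;;
        *)             return 1 ;;
    esac
}

# Full pipeline: validated, deduplicated in-scope hosts from one header value.
in_scope_hosts_from_csp() {
    extract_csp_hosts "$1" | while read -r candidate; do
        if is_in_scope_host "$candidate" "$2"; then
            printf '%s\n' "$candidate"
        fi
    done | sort -u
}

# Constructed sample header (not captured from any real host). Besides normal
# sources it carries an out-of-scope CDN and three hostile tokens of the kind
# an attacker-controlled domain could serve.
SAMPLE_CSP="default-src 'self' https://example.com; script-src https://cdn.evil.tld https://*.static.example.com; connect-src https://api.example.com:8443 \$(id).example.com \`id\`.example.com x|id.example.com; img-src data:"

# Usage: in_scope_hosts_from_csp "$SAMPLE_CSP" example.com
# prints api.example.com, example.com and static.example.com; every other
# token is dropped before it could reach a shell.
```

The whitelist regex, not a blacklist of metacharacters, is the point: a hostname that matches it cannot contain anything a shell would interpret, and the scope check stops out-of-scope hosts from being enumerated at all.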

💻 Affected Systems

Products:
  • reconFTW
Versions: All versions before 2.7.1.1
Operating Systems: Linux, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the subdomain validation logic regardless of configuration.

📦 What is this software?

reconFTW (six2dez/reconftw) is an open-source reconnaissance framework written in bash that chains subdomain enumeration, host probing, port scanning and vulnerability checks from many third-party tools into one automated pipeline against a target domain.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the reconFTW host, potentially leading to lateral movement within the network.

🟠

Likely Case

Execution of arbitrary commands on the reconFTW host with the privileges of the account running the scan, typically followed by exfiltration of the collected reconnaissance data and of any third-party service credentials configured in reconftw.cfg, and full host compromise where that account is privileged.

🟢

If Mitigated

Limited impact if reconFTW runs in isolated containers with minimal privileges and network access.

🌐 Internet-Facing: HIGH - reconFTW is rarely exposed itself, but every external scan retrieves HTTP headers from arbitrary internet hosts, so attacker-controlled input reaches the tool through its normal workflow.
🏢 Internal Only: MEDIUM - internal scans touch only hosts inside the estate, but a compromised internal web host can still serve a malicious CSP header.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs no authentication and no access to the reconFTW host: the attacker only has to control a domain whose HTTP responses the scan retrieves and serve a crafted CSP header from it. Complexity is rated MEDIUM because the attacker cannot choose when a scan runs and must get their domain into the scan's path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.1.1

Vendor Advisory: https://github.com/six2dez/reconftw/security/advisories/GHSA-fxwr-vr9x-wvjp

Restart Required: No

Instructions:

1. Stop any running reconFTW processes.
2. From the reconFTW directory, update to the current main branch: git pull origin main
3. Confirm the checkout contains the fixing commit e639de356c0880fe5fe01a32de9d0c58afb5f086 (see How to Verify) and corresponds to 2.7.1.1 or later.

🔧 Temporary Workarounds

No workarounds available


The vulnerability is in core subdomain validation logic and cannot be mitigated without patching.

🧯 If You Can't Patch

  • Immediately stop using reconFTW and switch to alternative reconnaissance tools
  • Run reconFTW in isolated containers with minimal privileges and no network access to sensitive systems

🔍 How to Verify

Check if Vulnerable:

reconFTW is installed as a git checkout, so the checked-out commit is the authoritative version. From the reconFTW directory:

git fetch origin
git log -1 --format='%h %ad %s'
git merge-base --is-ancestor e639de356c0880fe5fe01a32de9d0c58afb5f086 HEAD && echo patched || echo VULNERABLE

Verify Fix Applied:

The merge-base check prints "patched" only when the fixing commit e639de356c0880fe5fe01a32de9d0c58afb5f086 is an ancestor of the checked-out HEAD; a checkout at 2.7.1.1 or later includes it. If git reports the commit as unknown, the clone has not been fetched since the fix was published and is vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Unusual subdomain processing errors
  • Unexpected command execution in reconFTW logs
  • Processes spawned from reconFTW with unusual arguments

Network Indicators:

  • Outbound connections from reconFTW to unexpected domains
  • DNS queries for suspicious subdomains

SIEM Query:

Field names below are generic; map them to your own schema. reconFTW legitimately spawns curl, wget and sh throughout a scan, so matching on those tool names alone will page on every run. Match instead on children of the reconftw.sh process whose arguments carry shell-evaluation syntax, and tune against a baseline of a clean scan before alerting on it:

parent_cmdline:*reconftw.sh* AND (cmdline:*"$("* OR cmdline:*"`"* OR cmdline:*"sh -c"*)

🔗 References

  • https://github.com/six2dez/reconftw/security/advisories/GHSA-fxwr-vr9x-wvjp
  • https://nvd.nist.gov/vuln/detail/CVE-2023-46117
