CVE-2023-48643
📋 TL;DR
CVE-2023-48643 allows unauthenticated remote command execution in Shrubbery tac_plus TACACS+ servers by injecting commands through authorization request packets. This affects all tac_plus 2.x, 3.x, and 4.x through F4.0.4.28 installations that use pre-authorization commands and lack a pre-shared secret.
💻 Affected Systems
- Shrubbery tac_plus
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands as the tac_plus process user, potentially leading to privilege escalation, data theft, or deployment of persistent backdoors.
Likely Case
Remote code execution leading to unauthorized access, credential harvesting, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, authentication, and monitoring are in place to detect and contain exploitation attempts.
🎯 Exploit Status
Exploit requires knowledge of a username configured with pre-authorization commands. Public proof-of-concept code is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: F4.0.4.29 and later
Vendor Advisory: https://github.com/takeshixx/tac_plus-pre-auth-rce
Restart Required: Yes
Instructions:
1. Download the latest version from the official repository.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the tac_plus service.
5. Verify the service is running correctly.
🔧 Temporary Workarounds
Configure Pre-Shared Secret
Set a strong pre-shared secret in tac_plus.cfg so that only clients that know the secret can have their authorization requests processed, and therefore reach any pre-authorization command.
# In tac_plus.cfg, add: key = "your_strong_secret_here"
Remove Pre-Authorization Commands
Remove the shell commands that tac_plus runs during authorization checks, since these are what the injected username is substituted into.
# Remove or comment out the pre-authorization shell command lines (the 'before authorization "..."' directives) in tac_plus.cfg
🧯 If You Can't Patch
- Implement strict network access controls to limit tac_plus server exposure
- Deploy host-based intrusion detection and monitor for unusual process execution
🔍 How to Verify
Check if Vulnerable:
Check the tac_plus version, and inspect tac_plus.cfg for pre-authorization commands combined with a missing pre-shared secret; a host is only exposed when both conditions hold.
Check Version:
tac_plus -v
Verify Fix Applied:
Verify tac_plus version is F4.0.4.29 or later and test authorization requests
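The following audit script is an added example, not part of this advisory or of the tac_plus project. It applies the two workaround checks above (is a pre-shared secret configured, are pre-authorization shell hooks present) and the version check against a tac_plus.cfg text. The sample configurations are constructed for the example; the `key = "..."` and `before authorization "..."` directive names are tac_plus.cfg syntax, but the regular expressions are a simplified parser rather than the daemon's own, the hook command and file path are placeholders, and the format of `tac_plus -v` output is assumed to contain the version string as a run of dotted digits.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configurations for this example (not taken from any real host).
# 'key = "..."' and 'before authorization "<shell command>"' are tac_plus.cfg
# directives; the hook command and paths below are placeholders.
VULNERABLE_CFG = """
# no 'key' directive: any client on the network can talk to the daemon
accounting file = /var/log/tac_plus.acct

user = alice {
    default service = permit
    before authorization "/usr/local/bin/check_user $user $port"
}
"""

HARDENED_CFG = """
key = "REPLACE-WITH-A-LONG-RANDOM-SECRET"   # placeholder value
accounting file = /var/log/tac_plus.acct

user = alice {
    default service = permit
    # pre-authorization hook removed
}
"""

FIXED_VERSION = "F4.0.4.29"   # first fixed release named in the advisory

KEY_RE = re.compile(r'^\s*key\s*=\s*"?([^"\s]+)"?', re.MULTILINE)
PRE_AUTH_RE = re.compile(r'^\s*before\s+authorization\s+"([^"]*)"', re.MULTILINE)


def _strip_comments(cfg_text: str) -> str:
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in cfg_text.splitlines())


def audit_config(cfg_text: str) -> Dict[str, object]:
    """Report whether a tac_plus.cfg text shows the two conditions the advisory names:
    pre-authorization shell hooks present and no pre-shared secret configured."""
    body = _strip_comments(cfg_text)
    keys = KEY_RE.findall(body)
    hooks = PRE_AUTH_RE.findall(body)
    findings: List[str] = []
    if not keys:
        findings.append("no 'key' directive: clients need not know a shared secret")
    if hooks:
        findings.append(f"{len(hooks)} 'before authorization' hook(s) pass client-supplied fields to a shell")
    return {
        "has_key": bool(keys),
        "pre_auth_hooks": hooks,
        # Both conditions together are what the advisory describes as exploitable.
        "exposed": bool(hooks) and not keys,
        "findings": findings,
    }


def _version_tuple(version: str) -> Optional[tuple]:
    """Turn 'F4.0.4.28' (or a bare '4.0.3' from the 2.x/3.x/4.x line) into ints."""
    m = re.search(r"F?(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_fixed_version(version: str) -> bool:
    """True when the version string is at or above the first fixed release."""
    v = _version_tuple(version)
    return v is not None and v >= _version_tuple(FIXED_VERSION)


if __name__ == "__main__":
    # On a real host, feed open("/etc/tac_plus.cfg").read() and the output of 'tac_plus -v'.
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        result = audit_config(cfg)
        print(name, "exposed" if result["exposed"] else "not exposed", result["findings"])
    print("F4.0.4.28 fixed?", is_fixed_version("F4.0.4.28"))
```

A configuration that keeps its `before authorization` hooks but adds a `key` is reported as not exposed, matching the advisory's conditions, yet `findings` still lists the hooks: the secret only limits who can reach the shell substitution, so removing the hooks remains the stronger fix.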
📡 Detection & Monitoring
Log Indicators:
- Unusual authorization requests, unexpected shell command execution, failed authentication attempts
Network Indicators:
- TACACS+ packets with suspicious command strings, unusual outbound connections from tac_plus server
SIEM Query:
source="tac_plus" AND ((event="authorization" AND command="*") OR process="sh" OR process="bash")
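As a concrete form of the log indicator above, here is an added detection example, not code from this advisory or the tac_plus project: it scans authorization records and flags usernames that contain shell metacharacters, which is what a command injected through the username field looks like on the server side. The log lines are constructed in a syslog-style layout for the example only; the wording of real tac_plus log entries may differ, so the extraction pattern is an assumption to adapt to your own logs.

```python
import re
from typing import Dict, List

# Constructed log lines for this example; the layout is assumed, not the daemon's
# documented format, so adjust AUTHZ_RE to match your own tac_plus logs.
SAMPLE_LOG = [
    "Nov 21 10:01:02 tacsrv tac_plus[4242]: connect from 10.0.0.5 [10.0.0.5]",
    "Nov 21 10:01:02 tacsrv tac_plus[4242]: authorization query for 'alice' tty1 from 10.0.0.5 accepted",
    "Nov 21 10:01:09 tacsrv tac_plus[4242]: authorization query for 'bob;id' tty1 from 10.0.0.9 accepted",
    "Nov 21 10:01:15 tacsrv tac_plus[4242]: authorization query for 'eve$(id)' tty1 from 10.0.0.9 accepted",
    "Nov 21 10:02:30 tacsrv tac_plus[4242]: authorization query for 'carol' tty2 from 10.0.0.7 rejected",
]

# Characters that carry meaning for /bin/sh and do not belong in a legitimate username.
SHELL_META = set(";|&`$(){}<>\\'\"\n\t ")

# Extracts the username and the requesting NAS address from an authorization record.
AUTHZ_RE = re.compile(r"authorization query for '(.*?)' \S+ from (\S+)")


def suspicious_username(name: str) -> List[str]:
    """Return the sorted shell metacharacters found in a username (empty when clean)."""
    return sorted({c for c in name if c in SHELL_META})


def scan_log(lines) -> List[Dict[str, str]]:
    """Flag authorization records whose username carries shell metacharacters,
    the server-side signature of an injection attempt against a pre-authorization hook."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = AUTHZ_RE.search(line)
        if not m:
            continue  # connect/accounting lines carry no username to inspect
        user, nas = m.group(1), m.group(2)
        bad = suspicious_username(user)
        if bad:
            hits.append({"user": user, "nas": nas, "metachars": "".join(bad), "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT nas={hit['nas']} user={hit['user']!r} metachars={hit['metachars']}")
```

Both accepted and rejected records are inspected on purpose: the pre-authorization hook runs before the authorization outcome is decided, so a rejected request can still have reached the shell.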