Cyber Resilience

CVE-2023-45239

Critical · Public PoC

Published: 06 October 2023
Modified: 21 November 2024
KEV Added:
Patch:
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2869 (96.7th percentile)
Risk Priority: 37 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-45239 is a critical-severity Improper Filtering of Special Elements (CWE-790) vulnerability in Facebook Tac Plus. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

A lack of input validation in tac_plus prior to commit 4fdf178 permits command injection when pre-auth or post-auth commands are enabled. The affected component is the Facebook-maintained tac_plus TACACS+ server, which passes untrusted values from the username, rem-addr, and NAC address fields to those commands without sanitization.

An unauthenticated network attacker who can influence any of those three fields can inject arbitrary shell commands and obtain remote code execution on the tac_plus server. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
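The bug class described above, as an added illustration that is not tac_plus source code and does not reproduce its pre/post-auth hook implementation: the vulnerable pattern splices untrusted request fields (username, rem-addr, NAC address) into a shell command line, so any shell metacharacter in a field changes the command. The hardened form does two independent things: it validates each field against a strict allowlist, and it launches the hook with execv so every value is a separate argv element that no shell ever interprets. The hook path, the field length limit and the allowed character set are assumptions chosen for the example.

```c
/* Illustrative pattern only; not tac_plus code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: the untrusted field is concatenated into a shell
 * command line. If this string were handed to system() or popen(), the
 * shell would parse metacharacters inside `user` as part of the command.
 * Kept here only to show the shape of the bug; it is never executed. */
int vulnerable_command_line(char *out, size_t outlen,
                            const char *hook, const char *user) {
    return snprintf(out, outlen, "%s %s", hook, user);
}

/* Mitigation 1: allowlist validation of each field before any use.
 * The permitted set (alphanumerics plus . - _ @ :) and the 64-byte cap
 * are assumptions for this example, not a tac_plus rule. */
int field_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' ||
              c == '@' || c == ':'))
            return 0;
    }
    return 1;
}

/* Mitigation 2: never go through a shell. Each value becomes its own
 * argv entry, so it can only ever reach the hook as data.
 * Returns the child's exit status, or -1 on fork/wait failure.
 * If the hook cannot be executed the child exits 127 (shell convention). */
int run_hook_no_shell(const char *hook, const char *user,
                      const char *rem_addr) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)hook, (char *)user,
                              (char *)rem_addr, NULL};
        execv(hook, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample values: one benign, one carrying a metacharacter. */
    const char *fields[] = {"alice", "192.0.2.10", "alice;x"};
    for (size_t i = 0; i < 3; i++)
        printf("field_is_safe(\"%s\") = %d\n", fields[i], field_is_safe(fields[i]));
    /* Hook path is a placeholder; with no such file the child reports 127. */
    printf("run_hook_no_shell -> %d\n",
           run_hook_no_shell("/nonexistent/hook-path", "alice", "192.0.2.10"));
    return 0;
}
```

The two mitigations are deliberately separate: the allowlist protects the hook itself from surprising input, while the argv-based launch removes the shell from the path entirely, so a missed character in the allowlist no longer turns into command execution.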

Advisories published with the GitHub security notice GHSA-p334-5r3g-4vx3 and the associated pull request recommend upgrading to a build that includes commit 4fdf178; downstream distributions such as Fedora have issued corresponding package updates that apply the same fix.

EPSS for the CVE rose from a low baseline to a peak of 0.3589, indicating increased exploitation interest after public disclosure.

EU & UK References

Vulnerability details

A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.

CWE(s)

CWE-790: Improper Filtering of Special Elements
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- facebook: tac plus, versions ≤ 2023-10-05
- fedoraproject: fedora 39

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References