AI Score
Confidence
Low
EPSS
Percentile
71.4%
SSVC
Exploitation
poc
Automatable
yes
Technical Impact
total
Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an authorization request with a username that has pre-authorization directives configured. However, it is possible to inject additional commands into these checks because strings from TACACS+ packets are used as command-line arguments. If the installation lacks a a pre-shared secret (there is no pre-shared secret by default), then the injection can be triggered without authentication. (The attacker needs to know a username configured to use a pre-authorization command.) NOTE: this is related to CVE-2023-45239 but the issue is in the original Shrubbery product, not Meta’s fork.
[
{
"cpes": [
"cpe:2.3:a:shrubbery:tac_plus_2x:*:*:*:*:*:*:*:*"
],
"vendor": "shrubbery",
"product": "tac_plus_2x",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "f_4.0.4.28"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:shrubbery:tac_plus_3x:*:*:*:*:*:*:*:*"
],
"vendor": "shrubbery",
"product": "tac_plus_3x",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "f_4.0.4.28"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:shrubbery:tac_plus_4x:*:*:*:*:*:*:*:*"
],
"vendor": "shrubbery",
"product": "tac_plus_4x",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "f_4.0.4.28"
}
],
"defaultStatus": "unknown"
}
]