CVE-2023-48643

Name of the Vulnerable Software and Affected Versions Shrubbery tac plus versions 2.x through 4.x and versions up to F4.0.4.28

Description The issue allows unauthenticated Remote Command Execution. It is caused by the product's ability to configure authorization checks as shell commands through the tac plus.cfg configuration file. These checks are executed when a client sends an authorization request with a username that has pre-authorization directives configured. The problem arises because strings from TACACS+ packets are used as command-line arguments, making it possible to inject additional commands into these checks. If the installation lacks a pre-shared secret, the injection can be triggered without authentication, provided the attacker knows a username configured to use a pre-authorization command.

Recommendations For versions 2.x through 4.x and versions up to F4.0.4.28, consider disabling the execution of shell commands through the tac plus.cfg configuration file as a temporary workaround until a patch is available. Restrict access to the tac plus.cfg file to minimize the risk of exploitation. Avoid using usernames configured with pre-authorization directives in authorization requests until the issue is resolved. Configure a pre-shared secret to add an extra layer of security.