security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add rule related to potential exploitation of CVE-2023-2283 (#4303)

Browse Source
This commit is contained in:
Florian Roth
2023-06-12 10:17:47 +02:00
committed by GitHub
parent c178292529
commit 79817eaa4d
1 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
+26
View File
@@ -0,0 +1,26 @@
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: experimental
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
- https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
- https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
- https://nvd.nist.gov/vuln/detail/CVE-2023-2283
- https://www.blumira.com/cve-2023-2283/
- https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023/06/09
tags:
- attack.initial_access
- attack.t1190
- cve.2023.2283
logsource:
product: linux
service: sshd
detection:
keywords:
- 'Failed to generate curve25519 keys'
condition: keywords
falsepositives:
- Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium