From 79817eaa4d290eb291ac19c461526c5c3ca771e2 Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Mon, 12 Jun 2023 10:17:47 +0200
Subject: [PATCH] feat: add rule related to potential exploitation of
 CVE-2023-2283 (#4303)

---
 ...2023_2283_libssh_authentication_bypass.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml

diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
new file mode 100644
index 000000000..f1a3fd561
--- /dev/null
+++ b/rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
@@ -0,0 +1,26 @@
+title: Potential CVE-2023-2283 Exploitation
+id: 8b244735-5833-4517-a45b-28d8c63924c0
+status: experimental
+description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
+references:
+    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
+    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
+    - https://www.blumira.com/cve-2023-2283/
+    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
+author: Florian Roth (Nextron Systems)
+date: 2023/06/09
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - cve.2023.2283
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'Failed to generate curve25519 keys'
+    condition: keywords
+falsepositives:
+    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
+level: medium