Potential CVE-2023-2283 Exploitation

Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.

Sigma rule (View on GitHub)

 1title: Potential CVE-2023-2283 Exploitation
 2id: 8b244735-5833-4517-a45b-28d8c63924c0
 3status: test
 4description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
 5references:
 6    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
 7    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
 8    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
 9    - https://www.blumira.com/cve-2023-2283/
10    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
11author: Florian Roth (Nextron Systems)
12date: 2023-06-09
13tags:
14    - attack.initial-access
15    - attack.t1190
16    - cve.2023-2283
17    - detection.emerging-threats
18logsource:
19    product: linux
20    service: sshd
21detection:
22    keywords:
23        - 'Failed to generate curve25519 keys'
24    condition: keywords
25falsepositives:
26    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
27level: medium

References

Related rules

to-top