Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
Sigma rule (View on GitHub)
1title: Potential CVE-2023-2283 Exploitation
2id: 8b244735-5833-4517-a45b-28d8c63924c0
3status: test
4description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
5references:
6 - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
7 - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
8 - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
9 - https://www.blumira.com/cve-2023-2283/
10 - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
11author: Florian Roth (Nextron Systems)
12date: 2023-06-09
13tags:
14 - attack.initial-access
15 - attack.t1190
16 - cve.2023-2283
17 - detection.emerging-threats
18logsource:
19 product: linux
20 service: sshd
21detection:
22 keywords:
23 - 'Failed to generate curve25519 keys'
24 condition: keywords
25falsepositives:
26 - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
27level: medium
References
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt