
Potential CVE-2023-2283 Exploitation

Detects a potential exploitation attempt of CVE-2023-2283, an authentication bypass in libssh. The exploitation method triggers an error message stating that curve25519 keys could not be generated. That error message is an indicator of an exploitation attempt, not of a successful exploitation.

Author: Florian Roth (Nextron Systems)
Created: Fri Jun 09 2023
Rule ID: 8b244735-5833-4517-a45b-28d8c63924c0
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: linux
Service: sshd
Detection Logic (1 selector)
detection:
    keywords:
        - 'Failed to generate curve25519 keys'
    condition: keywords
False Positives

Genuine errors during the initialization or generation of X25519 (curve25519) elliptic-curve keys produce the same error message, so a match should be correlated with the client address and the surrounding connection activity before it is escalated.
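The rule above is a single unbound keyword selector. The following is an added example, not code from the Sigma rule or from SigmaHQ tooling: a plain Python re-implementation of Sigma keyword semantics (substring match anywhere in the raw event, case-insensitive as the Sigma specification requires) applied to constructed sshd syslog lines, plus a small triage helper. The helper assumes the usual OpenSSH syslog layout `sshd[pid]: ...` and is an assumption for illustration: the error line itself carries no client address, so it looks at later lines from the same pid for a `from`/`by` address, which is the correlation the false-positive note asks for. The `case_insensitive` switch shows what a case-sensitive grep-style backend would miss.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Detection logic of the rule; the condition is simply 'keywords'.
KEYWORDS = ["Failed to generate curve25519 keys"]

# Constructed sample events (not real captures). The error text follows the
# message quoted in the rule description; the surrounding lines mimic OpenSSH.
SAMPLE_LOG = """\
Jun  9 10:14:01 host1 sshd[2311]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc
Jun  9 10:14:07 host1 sshd[2312]: Failed to generate curve25519 keys
Jun  9 10:14:07 host1 sshd[2312]: Connection closed by 10.0.0.9 port 44120 [preauth]
Jun  9 10:15:30 host1 sshd[2320]: FAILED TO GENERATE CURVE25519 KEYS
Jun  9 10:16:00 host1 sshd[2325]: Failed password for invalid user admin from 10.0.0.9 port 44130 ssh2
"""

# Assumed log layout (hypothetical for this example): "sshd[<pid>]: ..." and
# peer addresses introduced by "from" or "by".
PID_RE = re.compile(r"sshd\[(\d+)\]")
PEER_RE = re.compile(r"\b(?:from|by) (\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hit:
    line_no: int
    keyword: str
    event: str
    peer: Optional[str] = None  # filled by triage, None if nothing correlates


def keyword_match(event: str, keywords=KEYWORDS, case_insensitive: bool = True) -> Optional[str]:
    """Sigma 'keywords' semantics: first keyword contained anywhere in the raw event."""
    hay = event.lower() if case_insensitive else event
    for kw in keywords:
        needle = kw.lower() if case_insensitive else kw
        if needle in hay:
            return kw
    return None


def peer_for_pid(lines: List[str], after_line: int, pid: str) -> Optional[str]:
    """Triage helper: scan lines after the hit for the same sshd pid and return
    the first client address found there. The hit line has no address itself."""
    for line in lines[after_line:]:
        if f"sshd[{pid}]" in line:
            m = PEER_RE.search(line)
            if m:
                return m.group(1)
    return None


def run_rule(log_text: str, case_insensitive: bool = True) -> List[Hit]:
    """Apply the rule to every event and attach the correlated peer address."""
    lines = log_text.splitlines()
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        kw = keyword_match(line, case_insensitive=case_insensitive)
        if kw is None:
            continue
        hit = Hit(n, kw, line)
        m = PID_RE.search(line)
        if m:
            hit.peer = peer_for_pid(lines, n, m.group(1))
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in run_rule(SAMPLE_LOG):
        # A hit means an attempt was observed, not that the bypass succeeded.
        print(f"line {h.line_no}: attempt indicator, peer={h.peer or 'unknown'}: {h.event}")
```

Lines 2 and 4 match; only line 2 can be tied to a client (10.0.0.9) through its pid, and with `case_insensitive=False` line 4 would be missed entirely. Either way the hit is the signal to investigate, not evidence that the authentication bypass worked.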

MITRE ATT&CK

Initial Access (attack.initial-access); T1190 Exploit Public-Facing Application (attack.t1190)

Other

cve.2023-2283, detection.emerging-threats
Rule Metadata
Rule ID
8b244735-5833-4517-a45b-28d8c63924c0
Status
test
Level
medium
Type
Emerging Threat
Created
Fri Jun 09 2023
Path
rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml
Raw Tags
attack.initial-access, attack.t1190, cve.2023-2283, detection.emerging-threats