Unrated severity · NVD Advisory · Published Oct 6, 2023 · Updated Feb 13, 2025

CVE-2023-45239

Description

Input validation flaw in tac_plus before commit 4fdf178 allows remote code execution via shell injection in username, rem-addr, or NAC address.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

tac_plus prior to commit 4fdf178 lacks input validation. When pre or post authentication commands are enabled, an attacker who can control the username, rem-addr, or NAC address fields in a TACACS+ authorization request can inject arbitrary shell commands. All commits before 4fdf178 are affected. The vulnerable code path is triggered only if the configuration includes a "before authorization" or "after authorization" directive with a service specified [1][2].

Exploitation

An attacker with network access to the tac_plus server can craft a TACACS+ authorization packet containing shell metacharacters in the username, rem-addr, or NAC address fields. When the server processes this packet and executes the configured pre/post authorization command, the unsanitized field value is passed to exec(), resulting in arbitrary command execution. No prior authentication is required if the server accepts packets from the attacker [1][2].

Impact

Successful exploitation allows remote code execution on the tac_plus server with the privileges of the tac_plus process. This leads to complete compromise of the server, including potential data exfiltration, lateral movement, or further attacks on the network [2].

Mitigation

The fix is included in commit 4fdf178 (Pull Request #41), which validates the fields as alphanumeric strings and returns "unknown" for invalid values. Users should upgrade to the fixed version. As a workaround, disabling pre and post authentication commands in the tac_plus configuration effectively mitigates the vulnerability [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"A lack of input validation in tac_plus allows for shell command injection via crafted username, rem-addr, or NAC address fields."

Attack vector

An attacker can exploit this vulnerability by controlling the username, rem-addr, or NAC address fields sent to tac_plus. If the server configuration includes a 'before authorization' directive and specifies a service, these fields are passed to the exec() function without proper validation. This allows an attacker to inject shell commands, leading to remote code execution on the tac_plus server. The vulnerability is present when pre or post authentication commands are enabled [ref_id=1].

Affected code

The vulnerability exists in tac_plus prior to commit 4fdf178. Specifically, the 'before authorization' directive and the handling of fields like 'rem-addr' within a TACACS+ authorization packet are implicated. The patch modifies the validation logic for these fields to prevent command injection [ref_id=1].

What the fix does

The fix validates username and NAC address fields as alphanumeric strings, returning 'unknown' if validation fails. This prevents malicious input from being directly passed to the exec() function. The responsibility of handling the 'unknown' string is left to the remote system called by tac_plus. Additional validations were added for other fields as well [ref_id=1].
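
The validation approach described above, sketched as an added example. It was written for this page and is not code from tac_plus or from commit 4fdf178; the function names, the hook path, the 64-character bound, and the sample field values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64 /* assumed upper bound on a field's length */

/* Return the field unchanged only if it is non-empty, at most FIELD_MAX
 * characters, and purely alphanumeric; otherwise return "unknown".
 * Shell metacharacters (; | ` $ space, quotes) can never pass this check. */
static const char *field_or_unknown(const char *value)
{
    size_t i;

    if (value == NULL || value[0] == '\0')
        return "unknown";
    for (i = 0; value[i] != '\0'; i++) {
        if (i >= FIELD_MAX || !isalnum((unsigned char)value[i]))
            return "unknown";
    }
    return value;
}

/* Build the command line for a hypothetical pre-authorization hook.
 * Every attacker-influenced field goes through field_or_unknown() first.
 * Returns 0 on success, -1 if the result would not fit in out. */
static int build_hook_command(char *out, size_t outlen,
                              const char *user, const char *rem_addr)
{
    int n = snprintf(out, outlen, "/usr/local/bin/authz-hook %s %s",
                     field_or_unknown(user), field_or_unknown(rem_addr));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values: {username, rem-addr}. */
    const char *samples[][2] = {
        { "alice",  "router1"  },  /* both pass */
        { "bob;id", "10.0.0.5" },  /* both rejected: ';' and '.' */
        { "carol",  "a|b"      },  /* rem-addr rejected: '|' */
    };
    char cmd[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (build_hook_command(cmd, sizeof cmd, samples[i][0], samples[i][1]) == 0)
            printf("%s\n", cmd);
    return 0;
}
```

A strictly alphanumeric check also turns a dotted address into "unknown", so the called program has to treat that string as a possible value.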

Preconditions

  • config: The tac_plus server must have pre or post authentication commands enabled.
  • config: The user configuration must include a 'before authorization' directive.
  • config: A service must be specified in the configuration.
  • input: The attacker must be able to control the username, rem-addr, or NAC address sent to tac_plus.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
