CVE-2023-43809

Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `allow-keyless` setting, and the public key requires additional client-side verification for example using FIDO2 or GPG. This is due to insufficient validation procedures of the public key step during SSH request handshake, granting unauthorized access if the keyboard-interaction mode is utilized. An attacker could exploit this vulnerability by presenting manipulated SSH requests using keyboard-interactive authentication mode. This could potentially result in unauthorized access to the Soft Serve. Users should upgrade to the latest Soft Serve version `v0.6.2` to receive the patch for this issue. To workaround this vulnerability without upgrading, users can temporarily disable Keyboard-Interactive SSH Authentication using the `allow-keyless` setting.

Soft Serve es un servidor Git autohospedable para la línea de comandos. Antes de la versión 0.6.2, una vulnerabilidad de seguridad en Soft Serve podría permitir a un atacante remoto no autenticado eludir la autenticación de clave pública cuando la autenticación SSH interactiva con teclado está activa, a través de la configuración "allow-keyless", y la clave pública requiere verificación adicional del lado del cliente, por ejemplo, utilizando FIDO2 o GPG. Esto se debe a procedimientos de validación insuficientes del paso de la clave pública durante el protocolo de enlace de solicitud SSH, lo que otorga acceso no autorizado si se utiliza el modo de interacción con el teclado. Un atacante podría aprovechar esta vulnerabilidad presentando solicitudes SSH manipuladas utilizando el modo de autenticación interactivo con teclado. Potencialmente, esto podría resultar en un acceso no autorizado al Soft Serve. Los usuarios deben actualizar a la última versión de Soft Serve `v0.6.2` para recibir el parche para este problema. Como workaround esta vulnerabilidad sin realizar una actualización, los usuarios pueden desactivar temporalmente la autenticación SSH interactiva con teclado utilizando la configuración "allow-keyless".

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-22 CVE Reserved
2023-10-04 CVE Published
2024-09-20 CVE Updated
2024-09-20 First Exploit
2024-11-05 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (4)

URL	Tag	Source
https://github.com/charmbracelet/soft-serve/releases/tag/v0.6.2	Release Notes

URL	Date	SRC
https://github.com/charmbracelet/soft-serve/issues/389	2024-09-20

URL	Date	SRC
https://github.com/charmbracelet/soft-serve/commit/407c4ec72d1006cee1ff8c1775e5bcc091c2bc89	2023-10-10

URL	Date	SRC
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-mc97-99j4-vm2v	2023-10-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Charm Search vendor "Charm"		Soft Serve Search vendor "Charm" for product "Soft Serve"				< 0.6.2 Search vendor "Charm" for product "Soft Serve" and version " < 0.6.2"		go		Affected