CVE-2023-34758: Silver vulnerable to MitM attack against implants due to a cryptography vulnerability
(updated )
The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary codes on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)
References
- github.com/BishopFox/sliver
- github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/crypto.go
- github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go
- github.com/BishopFox/sliver/commit/2d1ea6192cac2ff9d6450b2d96043fdbf8561516
- github.com/BishopFox/sliver/releases/tag/v1.5.40
- github.com/BishopFox/sliver/security/advisories/GHSA-8jxm-xp43-qh3q
- github.com/advisories/GHSA-8jxm-xp43-qh3q
- github.com/tangent65536/Slivjacker
- nvd.nist.gov/vuln/detail/CVE-2023-34758
- nvd.nist.gov/vuln/detail/CVE-2023-35170
- pkg.go.dev/vuln/GO-2023-1866
- www.chtsecurity.com/news/04f41dcc-1851-463c-93bc-551323ad8091
Detect and mitigate CVE-2023-34758 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →