OpenSSH vulnerability uncovered by researchers, RCE exploit developed


Security researchers have uncovered a vulnerability, tracked as CVE-2023-38408, in the secure networking suite OpenSSH which would allow hackers to remotely execute code using simple commands.

Exploitation of the vulnerability makes use of a commonly-used helper program in OpenSSH called ssh-agent, which holds a user’s private keys for use in frequent, often automated, SSH public key authentication.

Administrators managing remote servers often enable ‘ssh-agent forwarding’, which makes the local ssh-agent reachable from a chosen remote server, so that local SSH keys can be used for onward authentication without the private keys ever being stored on that server.

Qualys researchers discovered that when a forwarded agent is set up using default settings, with PKCS#11 support enabled, it’s possible for a threat actor with access to the same remote server to cause shared libraries to be loaded and unloaded on the victim’s machine, with malicious side effects.

Security researchers used this technique to achieve one-shot, remote code execution (RCE) by combining just four side effects of loading and unloading common shared libraries.

Once an attacker has achieved RCE, a host of malicious actions can be undertaken including the installation of malware, carrying out a data breach, or total system takeover.

“This newly uncovered ssh-agent vulnerability underlines the continuous need for rigorous security measures and immediate response,” wrote Saeed Abbasi, manager, Vulnerability Signatures at Qualys.


“Even robust systems can harbor hidden vulnerabilities, as demonstrated by the shortcomings of the ssh-agent. Proactively rectifying such vulnerabilities through actions such as implementing patches is critical to maintaining the integrity of digital assets.”

OpenSSH is a widely-used solution for encrypted data transfer and remote logins, particularly by administrators seeking to easily manage SSH keys. It is used worldwide for secure connections.

Researchers found the default installations of Ubuntu Desktop 22.04 and 21.10 to be vulnerable and warned that other Linux distributions or operating systems could also be exploited if left unpatched.

Vulnerable OpenSSH releases (listed here as Debian package versions) include:

  • 1:7.9p1-10+deb10u2
  • 1:7.9p1-10+deb10u1
  • 1:8.4p1-5+deb11u1
  • 1:9.2p1-2
  • 1:9.3p1-1

The issue has been fixed as of version 1:9.3p2-1.

OpenSSH noted that the flaw can only be exploited if specific shared libraries are present on the victim’s system, and that if the agent is not forwarded to a host the attacker controls, the attack cannot be carried out remotely.
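The two practical questions raised by the version list above and by the forwarding caveat in the previous paragraph are “is my client older than the fix?” and “is agent forwarding turned on?”. The following script, an added example that is not part of the article and not OpenSSH project code, answers both from an `ssh -V` banner and an `ssh_config`-style file. It assumes the upstream fix landed in OpenSSH 9.3p2 (the article names the Debian package 1:9.3p2-1); distributions that backport patches should be judged by package version rather than by the banner, and the script says so. The sample configs are constructed and the host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from OpenSSH): two checks an
# administrator can run to assess exposure to CVE-2023-38408.
#  1. Is the OpenSSH client older than the upstream fix (assumed: 9.3p2)?
#  2. Does an ssh client config enable agent forwarding?
# Distributions such as Debian/Ubuntu backport fixes, so a banner below 9.3p2
# is a prompt to check the package version, not proof of vulnerability.

# Return 0 if the "ssh -V" banner names a release older than 9.3p2,
# 1 if it is 9.3p2 or newer, 2 if the banner cannot be parsed.
openssh_older_than_fix() {
    banner="$1"
    # Pull "major minor patchlevel" out of e.g. "OpenSSH_9.2p1 Debian-2, OpenSSL ..."
    set -- $(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ $# -eq 3 ] || return 2
    major=$1; minor=$2; plevel=$3
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -eq 3 ] && [ "$plevel" -lt 2 ]; then return 0; fi
    return 1
}

# Return 0 if an ssh_config-style file turns on agent forwarding anywhere.
# Case-insensitive, and commented-out lines are ignored.
config_forwards_agent() {
    grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$1"
}

# Constructed sample configs (not taken from any real system).
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# ~/.ssh/config (constructed sample): exposes the local agent to the jump host
Host jumpbox
    HostName jumpbox.example.invalid
    ForwardAgent yes
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
# Hardened equivalent: forwarding off; hop through the jump host with ProxyJump
# so the private key never has to be reachable from the intermediate server.
Host jumpbox
    HostName jumpbox.example.invalid
    ForwardAgent no
Host internal
    HostName internal.example.invalid
    ProxyJump jumpbox
EOF

report() {
    rc=0
    openssh_older_than_fix "$1" || rc=$?
    case $rc in
        0) echo "client '$1': older than 9.3p2, verify whether the distribution backported the fix" ;;
        1) echo "client '$1': at or after 9.3p2" ;;
        *) echo "client '$1': could not parse the version banner" ;;
    esac
    if config_forwards_agent "$2"; then
        echo "config $2: ForwardAgent yes found, the agent is reachable from the remote host"
    else
        echo "config $2: agent forwarding is off"
    fi
}

report "OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023" "$weak_cfg"
report "OpenSSH_9.3p2, OpenSSL 3.0.9 30 May 2023" "$hardened_cfg"
rm -f "$weak_cfg" "$hardened_cfg"
```

On a real host, feed `"$(ssh -V 2>&1)"` and `~/.ssh/config` (plus `/etc/ssh/ssh_config`) to `report`. The config check only covers the client side; it says nothing about whether a remote server has been patched, which is why the version question has to be asked on every machine that runs a forwarded agent.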

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.