OpenSSH vulnerability uncovered by researchers, RCE exploit developed
Attackers can remotely manipulate common libraries to execute arbitrary code
Security researchers have uncovered a vulnerability, tracked as CVE-2023-38408, in the secure networking suite OpenSSH which would allow hackers to remotely execute code using simple commands.
Exploitation of the vulnerability makes use of a commonly-used helper program in OpenSSH called ssh-agent, which holds a user’s private keys for use in frequent, often automated, SSH public key authentication.
Administrators managing remote servers often enable ‘ssh-agent forwarding’, which lets the ssh-agent be accessed from a chosen server so that local SSH keys can be used without storing the keys on the server itself.
Qualys researchers discovered that when a forwarded agent is set up using default settings, with PKCS11 enabled, it’s possible for a threat actor with a connection to the same remote server to load and unload shared libraries on a victim’s machine with malicious side effects.
The researchers used this technique to achieve one-shot remote code execution (RCE) by chaining just four side effects of loading and unloading common shared libraries.
Once an attacker has achieved RCE, a host of malicious actions can be undertaken including the installation of malware, carrying out a data breach, or total system takeover.
“This newly uncovered ssh-agent vulnerability underlines the continuous need for rigorous security measures and immediate response,” wrote Saeed Abbasi, manager, Vulnerability Signatures at Qualys.
“Even robust systems can harbor hidden vulnerabilities, as demonstrated by the shortcomings of the ssh-agent. Proactively rectifying such vulnerabilities through actions such as implementing patches is critical to maintaining the integrity of digital assets.”
OpenSSH is a widely-used solution for encrypted data transfer and remote logins, particularly by administrators seeking to easily manage SSH keys. It is used worldwide for secure connections.
Researchers found the default installations of Ubuntu Desktop 22.04 and 21.10 to be vulnerable and warned that other Linux distributions or operating systems could also be exploited if left unpatched.
Vulnerable OpenSSH package versions include:
- 1:7.9p1-10+deb10u2
- 1:7.9p1-10+deb10u1
- 1:8.4p1-5+deb11u1
- 1:9.2p1-2
- 1:9.3p1-1
The issue has been fixed as of version 1:9.3p2-1.
OpenSSH noted that the flaw can only be exploited if specific libraries are present on the victim’s system, and that if the agent is not forwarded to an attacker-controlled system, the attack cannot be carried out remotely.
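As an added example (not code from the article or from the OpenSSH project), the following shell audit checks the conditions the article names: whether an ssh_config enables agent forwarding, whether a running ssh-agent restricts PKCS#11 provider loading through its -P allowlist (a real ssh-agent option the article does not mention), and whether the upstream OpenSSH version is at or past 9.3p2. Function names and the sample inputs are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from the OpenSSH project: a small
# defender-side audit of the two conditions the article names for
# CVE-2023-38408 (agent forwarding enabled, and the forwarded agent allowed to
# load PKCS#11 provider libraries), plus an upstream-version check against the
# fixed release. Config files and agent argument lists fed to these functions
# are constructed sample inputs.

# Print each line of an ssh_config-style file that turns agent forwarding on,
# prefixed by its line number. Returns 0 if any such line exists (a finding),
# 1 if none does.
forward_agent_lines() {
    grep -niE '^[[:space:]]*ForwardAgent[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Classify a running ssh-agent from its argv (e.g. collected with `ps -o args=`
# for each ssh-agent process). ssh-agent's -P option sets the pattern list of
# PKCS#11/FIDO provider libraries it will load. Output: "pkcs11-disabled" for
# an empty allowlist (-P ''), "pkcs11-restricted:<pattern>" for an explicit
# one, and "pkcs11-default" when the agent runs with its built-in default.
agent_pkcs11_policy() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -P)   if [ -z "$2" ]; then echo "pkcs11-disabled"; else echo "pkcs11-restricted:$2"; fi
                  return 0 ;;
            -P?*) echo "pkcs11-restricted:${1#-P}"; return 0 ;;
        esac
        shift
    done
    echo "pkcs11-default"
}

# Given `ssh -V` banner text such as "OpenSSH_9.3p1, OpenSSL 3.0.2 15 Mar 2022",
# return 0 if the upstream version is at least 9.3p2 and 1 otherwise.
# Caveat: distributions backport fixes without bumping the upstream version
# (the article lists Debian package revisions such as 1:9.3p2-1), so on
# packaged builds this is only a first pass; confirm against the package changelog.
openssh_version_is_fixed() {
    local v
    v=$(printf '%s' "$1" | sed -nE 's/.*OpenSSH_([0-9]+)\.([0-9]+)p([0-9]+).*/\1 \2 \3/p')
    [ -n "$v" ] || return 1           # unrecognised banner: treat as not fixed
    set -- $v                         # $1=major $2=minor $3=patch
    [ "$1" -gt 9 ] && return 0
    [ "$1" -lt 9 ] && return 1
    [ "$2" -gt 3 ] && return 0
    [ "$2" -lt 3 ] && return 1
    [ "$3" -ge 2 ]
}
```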
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.