
Details of a recently patched OpenSSH flaw have been revealed that could be exploited to remotely execute arbitrary commands on compromised hosts under specific conditions.
“This vulnerability could allow a remote attacker to execute arbitrary commands on a vulnerable OpenSSH forwarded ssh agent,” Saeed Abbasi, Vulnerability Research Manager at Qualys, said in an analysis last week.
The vulnerability is tracked as CVE-2023-38408 (CVSS score: N/A) and affects all versions of OpenSSH prior to 9.3p2.
OpenSSH is a popular connectivity tool for remote login with the SSH protocol; it encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
Successful exploitation requires the presence of specific libraries on the victim’s system and that the SSH authentication agent be forwarded to an attacker-controlled system. An SSH agent is a background program that keeps a user’s keys in memory and lets them log in to remote servers without re-entering their passphrase.
“While browsing the ssh-agent source code, we noticed that a remote attacker with access to the remote server to which Alice’s ssh-agent was forwarded could load (dlopen()) and quickly unload (dlclose()) a shared library located in /usr/lib* on Alice’s workstation (via the forwarded ssh-agent, provided it was compiled with the default ENABLE_PKCS11),” Qualys explained.
The company said it had successfully developed a proof of concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, and expects other Linux distributions to be vulnerable as well.
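A defender-side check for the two preconditions named above, added here as an example and not part of the Qualys analysis: it compares the local `ssh -V` banner against 9.3p2 and lists the Host blocks of an ssh_config that turn on agent forwarding (the sample config and its host names are constructed).

```python
import re
import subprocess

FIXED_VERSION = (9, 3, 2)  # 9.3p2 is the first upstream release fixing CVE-2023-38408

# Constructed sample ~/.ssh/config with hypothetical host names.
SAMPLE_CONFIG = """
Host build-*.example.test
    ForwardAgent yes

Host bastion
    ForwardAgent=yes

Host *
    ForwardAgent no
"""

def parse_openssh_version(banner: str) -> tuple[int, int, int]:
    """(major, minor, portable patch) from an `ssh -V` banner such as
    'OpenSSH_9.3p1 Ubuntu-1ubuntu3, ...'; a missing pN suffix counts as 0."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version banner: {banner!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_vulnerable_version(banner: str) -> bool:
    """True when the upstream version string predates 9.3p2."""
    return parse_openssh_version(banner) < FIXED_VERSION

def hosts_with_agent_forwarding(config_text: str) -> list[str]:
    """Host patterns whose block sets 'ForwardAgent yes' (directives before the
    first Host line are global, reported as '*'); ssh keeps the first value it
    obtains per keyword, so an early blanket 'yes' applies to every host."""
    current, found = "*", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            current = value
        elif key == "forwardagent" and value.lower() == "yes" and current not in found:
            found.append(current)
    return found

def local_ssh_banner() -> str:
    out = subprocess.run(["ssh", "-V"], capture_output=True, text=True)  # banner is on stderr
    return (out.stderr or out.stdout).strip()
```

Run `is_vulnerable_version(local_ssh_banner())` on a workstation to combine both checks. Distribution packages often backport the fix without changing the upstream version string, so treat a "vulnerable" verdict as a prompt to confirm against the distribution's advisory rather than as proof.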
OpenSSH users are strongly advised to update to the latest version to protect against potential cyber threats.
Earlier this year, in February, the OpenSSH maintainers released an update to fix a moderate-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.
A subsequent release in March addressed another security issue that could be exploited with specially crafted DNS responses to perform out-of-bounds reads of adjacent stack data and cause a denial of service to the SSH client.