Advisory

OpenSSH Remote Code Execution vulnerability reported, PoC published

Take action: A very unpleasant vulnerability if your OpenSSH is set up with ssh-agent forwarding. Don't panic but do take the time to review your OpenSSH setup and check whether it matches the conditions of exploitability. If it does and is in the vulnerable versions, plan to patch.


Learn More

Security researchers recently uncovered a critical vulnerability in OpenSSH, tracked as CVE-2023-38408 (provisional CVSS score of 7.3). This vulnerability could allow hackers to remotely execute arbitrary code on a victim's machine using simple commands. The exploit takes advantage of the ssh-agent helper program, commonly used for SSH public key authentication, especially in scenarios where administrators enable 'ssh-agent forwarding' to manage SSH keys on remote servers without storing them on the server itself.

Researchers discovered that when a forwarded agent is set up with default settings and PKCS#11 support enabled, a threat actor with access to the remote server the agent is forwarded to can cause the victim's ssh-agent to load and unload shared libraries that are already present on the victim's machine. By combining just four side effects of loading and unloading these libraries, the researchers were able to achieve one-shot remote code execution (RCE).

Once an attacker gains RCE, they can carry out a range of nefarious activities, including deploying malware, conducting data breaches, or even gaining complete control over the target system. As OpenSSH is widely used for encrypted data transfer and remote logins, including by administrators for easy SSH key management, this vulnerability poses a significant threat.

The researchers tested the default installations of Ubuntu Desktop 22.04 and 21.10 and found them to be vulnerable. They also cautioned that other Linux distributions or operating systems could be at risk if left unpatched.

Vulnerable OpenSSH releases (listed here as Debian package versions) include:

  • 1:7.9p1-10+deb10u2
  • 1:7.9p1-10+deb10u1
  • 1:8.4p1-5+deb11u1
  • 1:9.2p1-2
  • 1:9.3p1-1

OpenSSH has confirmed the issue and provided a fix in version 1:9.3p2-1.

Although the vulnerability is deemed critical, OpenSSH notes that it can only be exploited if specific libraries are present on the victim's system and ssh-agent forwarding is directed to a compromised system/network. If agents are not forwarded to an attacker-controlled network, remote attacks cannot be achieved.
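To support the "Take action" guidance above, the following script (an added example, not part of the advisory or of the OpenSSH project) checks a client for the three conditions that make this issue reachable: an OpenSSH build older than the fixed upstream release 9.3p2, agent forwarding enabled in the effective client configuration, and a running ssh-agent that does not use the -P provider allow-list option. It assumes the banner format of `ssh -V` and the key/value dump of `ssh -G`; the sample inputs used for testing are constructed.

```shell
#!/bin/sh
# Added check script (not from the advisory). Nothing here connects anywhere:
# "ssh -G" only prints the effective configuration for a host name.

# Extract "9.3p1" from a banner such as
# "OpenSSH_9.3p1 Ubuntu-1ubuntu3, OpenSSL 3.0.10 1 Aug 2023".
upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# True (exit 0) if an upstream version string predates 9.3p2. Distributions
# often backport fixes (the advisory lists Debian package versions with their
# own suffixes), so treat a hit as "confirm with the package manager".
version_predates_fix() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    [ $((major * 10000 + minor * 100 + patch)) -lt 90302 ]
}

# True if an "ssh -G <host>" dump enables ForwardAgent (any value except "no";
# newer releases may print a socket path instead of "yes").
forwards_agent() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1)=="forwardagent"{print tolower($2)}')
    [ -n "$v" ] && [ "$v" != "no" ]
}

# True if an ssh-agent command line carries -P, the allow-list option
# (OpenSSH 8.9 and later) limiting which provider libraries ssh-add -s may load.
agent_restricts_providers() {
    case " $1 " in *" -P"*) return 0 ;; *) return 1 ;; esac
}

# Live report for the machine this runs on, when an OpenSSH client is installed.
if command -v ssh >/dev/null 2>&1; then
    ver=$(upstream_version "$(ssh -V 2>&1)")
    if version_predates_fix "${ver:-0.0}"; then
        echo "ssh ${ver:-unknown} predates 9.3p2: verify patch status with the package manager"
    fi
    if forwards_agent "$(ssh -G example.invalid 2>/dev/null || true)"; then
        echo "ForwardAgent is enabled in the effective config: review Host blocks and -A use"
    fi
    agent_cmd=$(ps -eo args 2>/dev/null | grep '[s]sh-agent' | head -n 1)
    if [ -n "$agent_cmd" ] && ! agent_restricts_providers "$agent_cmd"; then
        echo "running ssh-agent has no -P provider restriction: $agent_cmd"
    fi
fi
```

A hit on all three lines means the client matches the conditions the advisory describes; a patched package, `ForwardAgent no` for untrusted hosts, or an agent started with `-P` each removes one of them.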
