Researchers at Qualys discovered a new Remote Code Execution flaw in the OpenSSH.
This flaw exists in OpenSSH’s forward ssh-agent. This flaw allows an attacker to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent.
OpenSSH has been used in several servers and applications for remote login and file transfer, along with encryption. This vulnerability exists in the ssh-agent program that allows authentication to remote servers without entering the passphrase every time.
CVE-2023-38408: Remote Code Execution
This vulnerability exists in the ssh-agent due to the PKCS#11 feature in OpenSSH version 9.3p2 that has insufficient trustworthy search path. This issue exists due to an incomplete fix in CVE-2016-10009.
The CVSS Score for this vulnerability is yet to be confirmed.
The ssh-agent is a key manager who holds the PKCS#11 (Public-Key Cryptographic Standard) keys that are readily usable for remote server connections. An attacker can inject a malicious library in the ssh-agent, which makes the entire thread executable that remains even after the dclose().
In addition to this, many shared libraries are marked as “nodelete” by the loader, which makes this malicious library permanent until deleted by a superuser. These libraries exist in the /usr/lib* folder, which can allow the threat actor to dlopen() any library even when executing the SUID-root program.
Once the library is executed, the threat actor will get the same privilege as the user who initiated the ssh-agent. This vulnerability has been patched by OpenSSH.
A complete report has been published by Qualys which explains in detail the complete threat vector, background and the exploitation of this vulnerability.
Users of OpenSSH forward ssh-agent are recommended to upgrade to the latest version for preventing malicious activities.