Technical Analysis Published for OpenSSH’s Agent Forwarding RCE Vulnerability

Security researchers have published a detailed technical analysis of a critical remote code execution (RCE) vulnerability (CVE-2023-38408) in OpenSSH’s agent forwarding feature that was disclosed in July 2023.

The Qualys Threat Research Unit discovered the vulnerability, which affected all OpenSSH versions prior to 9.3p2 and received a near-maximum CVE score of 9.8.

SSH agent forwarding allows users to authenticate to multiple servers without storing private keys on intermediate systems. When enabled, it creates a socket on the remote server that relays signing requests back to the user’s local ssh-agent.

While convenient, this feature has long been recognized as potentially dangerous, with OpenSSH’s own documentation warning about its security implications.

Vulnerability Details

According to Vicarius’s technical analysis, the vulnerability stems from an “insufficiently trustworthy search path” that permits the unsafe loading of code from /usr/lib when an SSH agent is forwarded to an attacker-controlled system. The issue is a gap that remained after a related, earlier vulnerability (CVE-2016-10009) was patched in 2016.

The flaw exists in OpenSSH’s PKCS#11 functionality, enabling attackers to execute malicious code when an SSH agent is forwarded to a compromised system. This highlights significant security risks in a common feature that many system administrators and developers rely on daily.

The exploitation process is complex but devastating. An attacker with access to a server where a user’s SSH agent is forwarded can:

  1. Make the ssh-pkcs11-helper’s stack executable by loading specific shared libraries.
  2. Inject shellcode into the process memory.
  3. Alter the memory layout and replace signal handlers.
  4. Trigger a segmentation fault that executes the malicious code.

(Figure: Exploitation Process)

This execution chain allows attackers to run arbitrary commands with the privileges of the user who forwarded their SSH agent.

Security researchers estimate the vulnerability’s reach is substantial. According to Shodan search results mentioned in the analysis, over 8 million systems use potentially vulnerable versions of OpenSSH, with approximately 46,000 systems specifically exposing OpenSSH agents.

(Figure: Shodan Queries)

The actual impact may be even more significant as these numbers don’t account for internal network deployments.
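The Shodan figures above come from matching server version banners against the 9.3p2 cut-off. The following is an added example, not code from the article or from the Qualys or Vicarius analyses, that performs the same triage on a few constructed banner strings. The banner format (`OpenSSH_<major>.<minor>p<portable>`) is OpenSSH’s own; the sample banners and the treatment of a missing `pN` suffix as portable level 0 are assumptions made for the example.

```python
import re

# OpenSSH 9.3p2 is the release the article names as carrying the fix.
FIXED_VERSION = (9, 3, 2)

# Matches "OpenSSH_8.9p1", "OpenSSH_9.3p2", or an OpenBSD-style "OpenSSH_9.3"
# inside a full SSH identification banner such as "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1".
BANNER_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample banners for the example; not real scan results.
CONSTRUCTED_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
    "SSH-2.0-OpenSSH_9.3p1 Debian-1",
    "SSH-2.0-OpenSSH_9.3p2",
    "SSH-2.0-OpenSSH_9.4p1",
    "SSH-2.0-dropbear_2022.83",
]


def parse_openssh_version(banner):
    """Return (major, minor, portable) from a banner, or None if it is not OpenSSH.
    A missing 'pN' suffix is treated as portable level 0 (assumption for this example)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def classify_banner(banner):
    """'predates-fix' if the advertised version is older than 9.3p2, 'fixed' otherwise,
    'unknown' when the banner is not an OpenSSH banner at all."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"
    return "predates-fix" if version < FIXED_VERSION else "fixed"


def triage(banners):
    """Map each banner to its classification so an inventory can be sorted for follow-up."""
    return {banner: classify_banner(banner) for banner in banners}


# Two caveats a practitioner should keep in mind when reading these results:
#  - Distributions often backport fixes without changing the version in the banner,
#    so "predates-fix" means "check the package changelog", not "confirmed vulnerable".
#  - The vulnerable component is the user's own ssh-agent / ssh-pkcs11-helper; a server
#    banner is an inventory signal about where OpenSSH runs, not proof that any agent
#    is forwarded to that host.
if __name__ == "__main__":
    for banner, verdict in triage(CONSTRUCTED_BANNERS).items():
        print(f"{verdict:13} {banner}")
```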

The disclosure timeline shows responsible handling by all parties involved. Initial advisory drafts and patches were submitted to OpenSSH on July 6, 2023, followed by revisions and feedback exchanges.

OpenSSH announced a security-only release for July 19, when the coordinated disclosure took place.

Security Fixes

The fix implemented in OpenSSH 9.3p2 addresses the vulnerability through multiple security enhancements:

  • Process termination for invalid PKCS#11 providers.
  • Disallowing remote addition of FIDO/PKCS11 providers by default.
  • Pre-verification of libraries to ensure they contain expected symbols.
  • Creating separate helper processes for each PKCS11 module.

Security experts recommend several mitigation strategies:

  • Upgrading to OpenSSH 9.3p2 or newer immediately.
  • Limiting the use of PKCS#11 providers to trusted sources only.
  • Using SSH agent forwarding with extreme caution and only in trusted environments.
  • Implementing regular security scans to detect potential exploitation.
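Restricting agent forwarding to trusted environments starts with knowing which hosts a client configuration actually forwards to. The block below is an added example, not code from the article or from the OpenSSH project, that reads an ssh_config-style file and reports the effective `ForwardAgent` value per host using OpenSSH’s first-match-wins rule. The sample config is constructed for the example; `Match` blocks and `Include` directives are assumed absent, and glob matching uses Python’s `fnmatch` as an approximation of ssh_config patterns.

```python
import fnmatch
import re

# Constructed sample client configuration; the host names are placeholders.
CONSTRUCTED_SSH_CONFIG = """\
# constructed ~/.ssh/config for the audit example
Host bastion.example.test
    ForwardAgent yes
    User deploy

Host *.internal.example.test
    ForwardAgent no

Host *
    ForwardAgent=yes
    AddKeysToAgent yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in ssh_config.
LINE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_ssh_config(text):
    """Return a list of (host_patterns, [(keyword, value), ...]) blocks in file order.
    Options that appear before the first Host line apply to every host ('*')."""
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' always starts a comment
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    blocks.append((patterns, options))
    return blocks


def host_matches(host, patterns):
    """A host matches a Host block if it matches any positive pattern and no '!' pattern."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_option(blocks, host, keyword):
    """First matching block that sets the keyword wins, as ssh(1) resolves options."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if host_matches(host, patterns):
            for key, value in options:
                if key == keyword:
                    return value
    return None


def audit_agent_forwarding(text, hosts):
    """Map each host to its effective ForwardAgent setting ('no' is OpenSSH's default)."""
    blocks = parse_ssh_config(text)
    return {h: (effective_option(blocks, h, "ForwardAgent") or "no").lower() for h in hosts}


if __name__ == "__main__":
    hosts = ["bastion.example.test", "db1.internal.example.test", "git.example.test"]
    for host, setting in audit_agent_forwarding(CONSTRUCTED_SSH_CONFIG, hosts).items():
        flag = "  <- review: agent forwarded to this host" if setting == "yes" else ""
        print(f"{host:28} ForwardAgent {setting}{flag}")
```

A catch-all `Host *` with `ForwardAgent yes`, as in the sample, is the setting this audit is meant to surface: it forwards the agent to every host not covered by an earlier block. On the server side, `AllowAgentForwarding no` in sshd_config refuses forwarding regardless of the client’s request.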

This vulnerability underscores the challenges in securing complex network protocols even after addressing previous vulnerabilities. The detailed technical analysis provides valuable insights while highlighting the importance of understanding the security implications of convenience features.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
