A recently identified and now rectified vulnerability in OpenSSH raised concerns due to its potential for remote exploitation under certain conditions.
Saeed Abbasi, a leading expert in vulnerability research at Qualys, highlighted in a recent analysis that this flaw could have allowed attackers to execute arbitrary commands on systems with vulnerable versions of OpenSSH’s ssh-agent forwarding feature.
The issue has been designated as CVE-2023-38408, though its CVSS score is currently not available. It affects all OpenSSH versions prior to 9.3p2.
Widely used for secure remote logins via the SSH protocol, OpenSSH ensures traffic encryption to prevent eavesdropping, hijacking, and similar threats.
Exploiting this vulnerability would require specific libraries on the target system and the forwarding of the SSH authentication agent to a system under the attacker’s control. The SSH agent, typically running in the background, keeps user keys in memory, aiding in remote server logins without repeated passphrase entries.
Qualys discovered that an attacker with access to a server to which a user’s ssh-agent is forwarded could exploit the vulnerability. They could load and unload any shared library in the user’s /usr/lib* directory via the forwarded ssh-agent, assuming it’s compiled with ENABLE_PKCS11, which is typically the default setting.
The cybersecurity firm successfully demonstrated a proof-of-concept attack against default installations of Ubuntu Desktop 22.04 and 21.10, with indications that other Linux distributions could be similarly vulnerable.
Users are urged to update to the latest OpenSSH version to protect against such cyber threats.
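
As an added example (not from Qualys or the OpenSSH project), the shell functions below combine the two conditions described above, an OpenSSH release prior to 9.3p2 and agent forwarding being enabled, into a triage check over `ssh -V` and `ssh -G <host>` output. The function names and result strings are hypothetical, and the check assumes ssh-agent ships in the same package as the `ssh` client that prints the banner.

```shell
#!/bin/sh
# Added example: triage for CVE-2023-38408 exposure. Function names and
# result strings are hypothetical, not part of OpenSSH.

# Exit 0 if an `ssh -V` banner is older than 9.3p2, 1 if not, 2 if unparseable.
# Caveat: distribution packages can carry a backported fix without changing
# this string, so a match means "check the vendor advisory", not proof.
version_before_9_3p2() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\)\(p[0-9][0-9]*\)\{0,1\}.*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%% *}; patch=${rest#* }; patch=${patch#p}; patch=${patch:-0}
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -gt 9 ]; then return 1; fi
    if [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$minor" -gt 3 ]; then return 1; fi
    if [ "$patch" -lt 2 ]; then return 0; fi
    return 1
}

# Exit 0 if the effective client config (text of `ssh -G <host>`) forwards
# the agent. ForwardAgent may be yes, no, a socket path or a variable name,
# so anything other than "no" counts as forwarding.
agent_forwarding_enabled() {
    val=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "forwardagent" { print tolower($2); exit }')
    [ -n "$val" ] && [ "$val" != "no" ]
}

# Combine both conditions: $1 = version banner, $2 = `ssh -G` output.
assess() {
    if ! agent_forwarding_enabled "$2"; then
        echo "ok-not-forwarded"; return 0
    fi
    rc=0; version_before_9_3p2 "$1" || rc=$?
    case $rc in
        0) echo "review-forwarding-on-pre-9.3p2" ;;
        1) echo "ok-fixed-version" ;;
        *) echo "unknown-version" ;;
    esac
}

# Live use (host name is a placeholder):
#   assess "$(ssh -V 2>&1)" "$(ssh -G bastion.example)"
```

A "review" result identifies a client to update first, or a host entry where forwarding should be turned off until the update is in place.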
Earlier in February, OpenSSH maintainers addressed a medium-severity flaw (CVE-2023-25136, CVSS score: 6.5) that could have allowed an unauthenticated remote attacker to modify memory locations unexpectedly, potentially leading to code execution.
A subsequent March update resolved another issue that could be exploited through a specially crafted DNS response, causing an out-of-bounds stack data read and potentially leading to a denial-of-service for the SSH client.