Remote Code Execution in OpenSSH’s Forwarded ssh-agent

The Qualys Threat Research Unit (TRU) has identified a critical remote code execution vulnerability in OpenSSH’s forwarded ssh-agent. The flaw could allow remote attackers to execute arbitrary commands on vulnerable instances of OpenSSH’s forwarded ssh-agent. Given how widely the forwarded ssh-agent is used, the Qualys Research Unit strongly advises security teams to prioritize applying patches for this vulnerability.

About OpenSSH’s Agent Forwarding: The ssh-agent is a background utility that caches private keys for SSH public key authentication, reducing the need for repetitive passphrase input. It is started at the beginning of an X or login session, holds the keys in memory, and unloads them only when the associated process terminates. This is particularly valuable for automated scripts or tasks that connect to servers frequently, since it removes the need to store passwords insecurely or to enter passphrases repeatedly. Furthermore, connections to ssh-agent can be forwarded from remote locations to avoid storing authentication data on other machines. Nevertheless, it is vital to secure these keys with strong passphrases.
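Since the issue concerns the forwarded agent, a practical first check is where a client configuration turns forwarding on. The following is an added example, not code from Qualys or OpenSSH: a small auditor for the ssh_config `ForwardAgent` option, run here on a constructed sample file. The function name and verdict labels are hypothetical, and `Include` files and host-pattern matching are not evaluated.

```python
import re

# Constructed sample ssh_config for illustration (not taken from the advisory).
SAMPLE_CONFIG = """\
# personal defaults
ForwardAgent=yes

Host bastion.example.org
    User ops
    ForwardAgent yes

Host *.lab.example.org !build.lab.example.org
    forwardagent $SSH_AUTH_SOCK

Host legacy
    ForwardAgent no
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def audit_forward_agent(text):
    """Return (line, scope, value, verdict) for each ForwardAgent setting to review."""
    findings = []
    scope = ["*"]      # options before the first Host block apply to every host
    global_on = False  # set once forwarding is enabled for all hosts
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # blank line, comment, or keyword without arguments
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "host":
            scope = rest.split()
        elif keyword == "match":
            scope = ["*"] if rest.lower() == "all" else ["match " + rest]
        elif keyword == "forwardagent":
            value = rest.split()[0]
            if value.lower() == "no":
                # ssh keeps the first value it obtains, so this "no" loses to an earlier global enable.
                if global_on:
                    findings.append((lineno, " ".join(scope), value, "shadowed"))
                continue
            # "yes", a socket path, or a $VARIABLE name all turn forwarding on.
            broad = any(("*" in p or "?" in p) and not p.startswith("!") for p in scope)
            global_on = global_on or scope == ["*"]
            findings.append((lineno, " ".join(scope), value, "broad" if broad else "scoped"))
    return findings
```

Pass the contents of a client configuration file to `audit_forward_agent`; "broad" entries forward the agent to every host a wildcard matches, and "shadowed" entries are `no` settings that never take effect.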

Potential Impact of OpenSSH’s Agent Forwarding: The successful exploitation of this vulnerability enables remote attackers to execute arbitrary commands on vulnerable instances of OpenSSH’s forwarded ssh-agent. Qualys security researchers have independently confirmed the vulnerability and developed a proof of concept (PoC) exploit on installations of Ubuntu Desktop 22.04 and 21.10. Other Linux distributions are likely to be vulnerable and potentially exploitable.

Upon confirming the vulnerability, the Qualys research team engaged in responsible vulnerability disclosure and coordinated with the vendor, OpenSSH, to announce the issue.

Disclosure Timeline:

  • 2023-07-06: Draft advisory and initial patch sent to OpenSSH.
  • 2023-07-07: Refined patches sent by OpenSSH.
  • 2023-07-09: Feedback on patches sent to OpenSSH.
  • 2023-07-11: Received final patches from OpenSSH; feedback sent.
  • 2023-07-14: OpenSSH scheduled a security-only release for July 19th.
  • 2023-07-19: Coordinated release.

For more in-depth technical information about these vulnerabilities, you can refer to the following links:

Qualys QID Coverage: Qualys has recently introduced a single QID 38904, available starting from vulnsigs version VULNSIGS-2.5.820-3.

  • QID: 38904
  • Title: OpenSSH Remote Code Execution (RCE) Vulnerability in its forwarded ssh-agent
  • Qualys Release Versions: VULNSIGS-2.5.820-3

In conclusion, this newly uncovered ssh-agent vulnerability underscores the ongoing need for rigorous security measures and swift responses. It serves as a reminder that even robust systems may harbor hidden vulnerabilities, as evidenced by the flaws in the ssh-agent. Proactively addressing such vulnerabilities through actions like patch implementation is crucial to safeguarding the integrity of digital assets.
