Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
"This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.
The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2.
OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. SSH agent is a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again.
"While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where Alice's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice's workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default)," Qualys explained.
The cybersecurity firm said it was able to devise a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, although other Linux distributions are expected to be vulnerable as well.
It is strongly advised that users of OpenSSH update to the most recent version in order to safeguard against potential cyber threats.
Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.
A subsequent release in March addressed another security issue that could be abused by means of a specifically crafted DNS response to perform an out-of-bounds read of adjacent stack data and cause a denial-of- service to the SSH client.
