A flaw in OpenSSH forwarded ssh-agent allows remote code execution

A new flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.

Researchers from the Qualys Threat Research Unit (TRU) have discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent.

OpenSSH (Open Secure Shell) is a set of open-source tools and utilities that provide secure encrypted communication over a network. It is a widely used implementation of the SSH (Secure Shell) protocol, which allows users to establish secure remote connections to other computers or servers over an insecure network, such as the internet.

The now-patched vulnerability, tracked as CVE-2023-38408, can be exploited by a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. Qualys Research Unit recommends addressing the issue immediately due to the widespread use of OpenSSH’s forwarded ssh-agent.

The ssh-agent is a program that caches private keys for SSH public key authentication, reducing the need for regular passphrase input. The program stores keys in memory at the start of an X or login session. The program allows remote logins to a server without having to enter their passphrase again.

“Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on vulnerable OpenSSH forwarded ssh-agent.  Qualys security researchers have been able to independently verify the vulnerability, develop a PoC exploit on installations of Ubuntu Desktop 22.04 and 21.10. Other Linux distributions are likely vulnerable and probably exploitable.” reads the advisory published by Qualys. “As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with the vendor, OpenSSH, on this occasion to announce the vulnerability.”

The vulnerability impacts all versions of OpenSSH before 9.3p2.

The vulnerability can be exploited only if certain libraries are installed on systems running the vulnerable versions and the SSH authentication agent is forwarded to an attacker-controlled system.

“Although this seems safe at first (because every shared library in /usr/lib* comes from an official distribution package, and no operation besides dlopen() and dlclose() is generally performed by ssh-agent on a shared library), many shared libraries have unfortunate side effects when dlopen()ed and dlclose()d, and are therefore unsafe to be loaded and unloaded in a security-sensitive program such as ssh-agent. For example, many shared libraries have constructor and destructor functions that are automatically executed by dlopen() and dlclose(), respectively.” reads the advisory. “Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX).”

Below is the disclosure timeline for this vulnerability: 

• 2023-07-06: Draft advisory and initial patch sent to OpenSSH.
• 2023-07-07: OpenSSH sent refined patches.
• 2023-07-09: Feedback on patches sent to OpenSSH.
• 2023-07-11: Received final patches from OpenSSH; feedback sent.
• 2023-07-14: OpenSSH plans for security-only release on July 19th.
• 2023-07-19: Coordinated release.

In February, the maintainers of OpenSSH addressed a number of security vulnerabilities with the release of version 9.2.

One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, OpenSSH)