Details have emerged of a now-patched vulnerability in OpenSSH, tracked as CVE-2023-38408, that could be exploited under specific conditions to run arbitrary commands remotely on vulnerable hosts.
“The detected vulnerability could possibly enable a remote attacker to execute arbitrary commands on OpenSSH’s vulnerable forwarded ssh-agent,” Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.
OpenSSH, the widely used implementation of the SSH protocol for remote login, encrypts all traffic to prevent eavesdropping, connection hijacking, and other network attacks.
Successful exploitation requires two things: certain shared libraries must be present on the victim's system, and the victim must have forwarded their SSH authentication agent to a host the attacker controls. ssh-agent is a background process that holds the user's private keys in memory so that remote logins do not require re-entering passphrases; with agent forwarding enabled, the remote server is given a socket through which it can ask the victim's local agent to perform operations on those keys.
Qualys found, while reviewing the ssh-agent source code, that a remote attacker with access to the remote server (where the victim's ssh-agent has been forwarded) can load and immediately unload any shared library in /usr/lib* on the victim's workstation through the forwarded agent. This works because the agent's PKCS#11 support will dlopen() a provider path supplied over the agent socket, and it applies whenever ssh-agent is built with ENABLE_PKCS11, which is the default.
Qualys developed a working proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, and expects other Linux distributions to be affected as well.
OpenSSH users are urged to update to OpenSSH 9.3p2 or later, the release that carries the fix; distributions that backport it may keep an older version string, so check the distribution's own advisory. Independently of the patch, agent forwarding should be switched off (ForwardAgent no) for any host that is not fully trusted, with ProxyJump used instead to reach hosts behind a bastion, since whoever has root on a server the agent is forwarded to can use the forwarded socket.
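The two conditions above (a forwarded agent and an unpatched OpenSSH) are both things a workstation owner can audit locally. The following script is an added example written for this article, not Qualys's PoC or OpenSSH's own code: it parses the `ssh -V` banner and compares it with 9.3p2, and it lists the Host/Match blocks of an ssh_config that leave ForwardAgent enabled. The sample config and banner embedded in it are constructed for the example, and the ssh_config parsing is deliberately simplified (first value per block wins, as ssh does; no Include handling).

```python
import re

# OpenSSH 9.3p2 is the upstream release that shipped the fix for the forwarded
# ssh-agent PKCS#11 issue. Distributions often backport fixes without bumping
# this number, so a "too old" result means "check your distro advisory", not
# "definitely vulnerable".
FIXED_VERSION = (9, 3, 2)

VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Turn an `ssh -V` banner such as
    'OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022'
    into a comparable (major, minor, portable_patchlevel) tuple.
    Non-portable OpenBSD builds carry no 'pN' suffix; they get patchlevel 0."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSH version banner: {banner!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def upstream_fix_present(banner):
    """True when the banner's version is at least 9.3p2 (see caveat above)."""
    return parse_openssh_version(banner) >= FIXED_VERSION


def forwarding_hosts(config_text):
    """List the Host/Match blocks of an ssh_config that enable agent forwarding.

    Simplified ssh_config semantics, enough for an audit:
      * each Host or Match line opens a new block; lines before the first one
        form the global block, reported here as 'Host *';
      * ssh keeps the first value it obtains for an option, so only the first
        ForwardAgent line inside a block counts;
      * since OpenSSH 8.4 ForwardAgent also accepts a socket path or an
        environment-variable name, so anything other than 'no' forwards.
    """
    hits = []
    block = "Host *"
    decided = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            block = f"{key.capitalize()} {value}"
            decided = False
        elif key == "forwardagent" and not decided:
            decided = True
            if value.lower() != "no":
                hits.append(block)
    return hits


def audit(banner, config_text):
    """Combine both checks into one report for a workstation."""
    return {
        "version": parse_openssh_version(banner),
        "upstream_fix_present": upstream_fix_present(banner),
        "forwarding_hosts": forwarding_hosts(config_text),
    }


# Constructed sample ~/.ssh/config for this example (not a real configuration).
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.net
    ForwardAgent yes

Host build-*
    ForwardAgent=no

Host ci
    # an explicit socket path or env var also forwards the agent
    ForwardAgent $SSH_AUTH_SOCK

Host *
    ForwardAgent no
"""

# Constructed banner in the shape `ssh -V` prints on Ubuntu 22.04.
SAMPLE_BANNER = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022"


if __name__ == "__main__":
    import os
    import subprocess

    # Use the real client and config when present, the constructed samples otherwise.
    try:
        banner = subprocess.run(["ssh", "-V"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        banner = SAMPLE_BANNER
    cfg_path = os.path.expanduser("~/.ssh/config")
    if os.path.exists(cfg_path):
        with open(cfg_path) as fh:
            config_text = fh.read()
    else:
        config_text = SAMPLE_CONFIG
    report = audit(banner, config_text)
    print(f"OpenSSH version: {report['version']} (upstream fix: {report['upstream_fix_present']})")
    for block in report["forwarding_hosts"]:
        print(f"agent forwarding enabled for: {block}")
```

On the sample input the version check reports 8.9p1 as below 9.3p2 and the forwarding check flags `Host bastion` and `Host ci`; the `Host ci` hit shows why the test is "anything but no" rather than "equals yes". A false "fix missing" on a distribution build is expected and is the reason the script prints the version instead of a verdict.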
The disclosure follows a series of fixes the OpenSSH maintainers have shipped this year. In February, an update addressed a medium-severity flaw (CVE-2023-25136, CVSS score: 6.5), a pre-authentication double free that an unauthenticated remote attacker could exploit to modify unexpected memory locations and potentially achieve code execution. Another update in March (OpenSSH 9.3) fixed a separate issue in which a specially crafted DNS response could trigger an out-of-bounds read of adjacent stack data in the SSH client, leading to a denial of service.