
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

2023-07-19 15:53:27
Saeed Abbasi
blog.qualys.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.037 Low
Percentile: 90.5%

The Qualys Threat Research Unit (TRU) has discovered a remote code execution vulnerability in OpenSSH's forwarded ssh-agent. This vulnerability allows a remote attacker to potentially execute arbitrary commands on a vulnerable OpenSSH forwarded ssh-agent. Given the widespread use of OpenSSH's forwarded ssh-agent, the Qualys Research Unit recommends that security teams apply patches for this vulnerability as a priority.

About OpenSSH's Agent Forwarding

The ssh-agent is a background program that caches private keys for SSH public key authentication, reducing the need to enter passphrases repeatedly. Started at the beginning of an X or login session, it holds the keys in memory and releases them only when the process ends.

It is instrumental in automation scripts and tasks that require frequent server connections, as it avoids both insecure password storage and constant passphrase input. Connections to ssh-agent may be forwarded over SSH to further remote hosts, so that authentication data need not be stored on those machines. Nonetheless, it is still crucial to protect the keys with robust passphrases.

Potential Impact of the OpenSSH Agent Forwarding Vulnerability

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on a vulnerable OpenSSH forwarded ssh-agent. Qualys security researchers have independently verified the vulnerability and developed a PoC exploit on installations of Ubuntu Desktop 22.04 and 21.10. Other Linux distributions are likely vulnerable and probably exploitable.

As soon as the Qualys research team confirmed the vulnerability, Qualys followed responsible vulnerability disclosure and coordinated with the vendor, OpenSSH, on announcing the vulnerability.

Disclosure Timeline

2023-07-06: Draft advisory and initial patch sent to OpenSSH.

2023-07-07: OpenSSH sent refined patches.

2023-07-09: Feedback on patches sent to OpenSSH.

2023-07-11: Received final patches from OpenSSH; feedback sent.

2023-07-14: OpenSSH plans for security-only release on July 19th.

2023-07-19: Coordinated release.

Technical Details

You can find the technical details of this vulnerability at:

<https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt>

<https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.tar.gz>

Qualys QID Coverage

Qualys has recently released a single QID 38904, which is available starting from the vulnsigs version VULNSIGS-2.5.820-3.

QID: 38904
Title: OpenSSH Remote Code Execution (RCE) Vulnerability in its forwarded ssh-agent
Qualys Release Version: VULNSIGS-2.5.820-3

Conclusion

This newly uncovered ssh-agent vulnerability underlines the continuous need for rigorous security measures and immediate response. Even robust systems can harbor hidden vulnerabilities, as demonstrated by the shortcomings of the ssh-agent. Proactively rectifying such vulnerabilities through actions such as implementing patches is critical to maintaining the integrity of digital assets.
