New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

July 24, 2023thnLinux / Network Security

Details have emerged about a now-patched flaw in OpenSSH that could potentially be exploited to remotely execute arbitrary commands on compromised hosts under certain conditions.

“This vulnerability could allow a remote attacker to potentially execute arbitrary commands on a vulnerable OpenSSH forwarded ssh agent,” Saeed Abbasi, vulnerability research manager at Qualys, said in last week’s analysis.

The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). This affects all previous versions of OpenSSH 9.3p2.

OpenSSH is a popular connectivity tool for remote login with the SSH protocol used to encrypt all traffic to eliminate eavesdropping, connection hijacking and other attacks.

A successful exploit requires the presence of certain libraries on the victim’s system and an SSH authentication agent continued to an attacker-controlled system. SSH agent is a background programs which stores the user’s key in memory and facilitates remote login to the server without having to enter their password again.

“While browsing the source code of ssh-agent, we noticed that a remote attacker, having access to the remote server where Alice’s ssh-agent was routed, could load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via the ssh-agent it passed, if it was compiled with ENABLE_PKCS11, which is the default),” explains Qualys.

The cybersecurity firm says it was able to build a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, though other Linux distributions are thought to be vulnerable as well.

It is strongly recommended that OpenSSH users update to the latest version to protect against potential cyber threats.

Earlier this February, the OpenSSH maintainers released an update to remedy a moderate severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by unauthenticated remote attackers to modify an unexpected memory location and theoretically achieve code execution.

The next release in March addressed another security issue that could be abused through custom-tailored DNS responses to perform reads outside the bounds of contiguous stack data and cause a denial of service to SSH clients.