October 3, 2023

Researchers from Qualys Security have discovered a remote code execution vulnerability in OpenSSH's forwarded ssh-agent, tracked as CVE-2023-38408.

OpenSSH is an open-source implementation of the SSH protocol that offers a robust suite of services for encrypted communication over an unsecured network in a client-server architecture.

A key actor in this context is the ssh-agent. This is a helper program that simplifies user authentication by holding users' identity keys and passphrases in memory. Once keys are loaded into ssh-agent, users can log into other servers without entering their password or passphrase again, creating a seamless single sign-on (SSO) experience. However, recent events have shown that even this well-intentioned system can harbor a potentially devastating vulnerability.


CVE-2023-38408 is a remote code execution vulnerability in ssh-agent's agent-forwarding feature, specifically in its handling of PKCS#11 providers. Essentially, ssh-agent's PKCS#11 support can be abused, under specific conditions, to achieve remote code execution through a forwarded agent socket.

Exploitation requires that certain shared libraries be present on the victim's system and that the victim's agent be forwarded to an attacker-controlled system. Consequently, if a cyber-criminal can meet both conditions, they can exploit the vulnerability and execute code remotely.

Protective measures exist. To reduce your exposure to this vulnerability, you should:

  • Upgrade to OpenSSH 9.3p2 or later.
  • Configure OpenSSH to only allow specific PKCS#11 providers.
  • Be careful about forwarding your SSH agent to untrusted servers.
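The following POSIX shell helpers are an added example written for this post, not code from OpenSSH or from the original article. They audit the first and third bullets: one function checks whether an `ssh -V` banner reports OpenSSH 9.3p2 or later, and two more parse a client `ssh_config` to list the hosts for which agent forwarding is enabled (a blanket `Host *` / `ForwardAgent yes` being the setting to avoid). The `SAMPLE_CONFIG` and `HARDENED_CONFIG` contents are constructed sample files; the script assumes `sed`, `awk` and `grep` are available and does not handle `Match` blocks or `Keyword=value` syntax.

```shell
#!/bin/sh
# Added audit helpers for the mitigations above; example code written for this
# post, not from OpenSSH or the original article. Assumes POSIX sh with sed,
# awk and grep, and that "ssh -V" prints a banner starting with
# "OpenSSH_<major>.<minor>p<patch>".

# openssh_is_patched BANNER
# Returns 0 if BANNER reports OpenSSH 9.3p2 or later, 1 otherwise.
openssh_is_patched() {
    banner=$1
    # Extract "9.3p2" from e.g. "OpenSSH_9.3p2, OpenSSL 3.0.9 30 May 2023".
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    # Compare (major, minor, patch) against the fixed release (9, 3, 2).
    [ "$major" -gt 9 ] && return 0
    [ "$major" -lt 9 ] && return 1
    [ "$minor" -gt 3 ] && return 0
    [ "$minor" -lt 3 ] && return 1
    [ "$patch" -ge 2 ]
}

# forward_agent_hosts CONFIG_TEXT
# Prints one line per Host block whose ForwardAgent value is anything other
# than "no" (ssh_config also accepts a socket path here, which still forwards).
# Directives before the first Host line are global and reported as "*".
# Simplification: Match blocks and "Keyword=value" syntax are not handled.
forward_agent_hosts() {
    printf '%s\n' "$1" | awk '
        BEGIN { host = "*" }
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) != "no" { print host }
    '
}

# global_forward_agent_enabled CONFIG_TEXT
# Returns 0 when forwarding is enabled for every host (a "Host *" block or a
# global directive), which is the setting the third bullet warns against.
global_forward_agent_enabled() {
    forward_agent_hosts "$1" | grep -qx '\*'
}

# Constructed sample client config (not a real file) to exercise the checks.
SAMPLE_CONFIG='# ~/.ssh/config
Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host untrusted-box
    ForwardAgent no

Host *
    ForwardAgent yes
'

# Same config with forwarding limited to the one trusted host.
HARDENED_CONFIG='# ~/.ssh/config
Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host *
    ForwardAgent no
'

# Stand-alone run: report on the local ssh binary (if present) and the samples.
if command -v ssh >/dev/null 2>&1; then
    live=$(ssh -V 2>&1)
    if openssh_is_patched "$live"; then
        echo "ssh -V: $live (9.3p2 or later)"
    else
        echo "ssh -V: $live (older than 9.3p2, upgrade)"
    fi
fi
echo "hosts forwarding the agent (sample):   $(forward_agent_hosts "$SAMPLE_CONFIG" | tr '\n' ' ')"
echo "hosts forwarding the agent (hardened): $(forward_agent_hosts "$HARDENED_CONFIG" | tr '\n' ' ')"
```

Run it as-is to see the sample report, or source it and call `forward_agent_hosts "$(cat ~/.ssh/config)"` against your own client config. The hardened sample shows the shape the third bullet calls for: `ForwardAgent yes` only inside the `Host` block of a machine you trust, with `Host *` set to `no`. Restricting which provider libraries the agent will load (the second bullet) is an agent-side setting rather than a client-config one, so it is not covered by these checks.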

If you are concerned that your system may have been compromised, scan it for malicious code. A variety of tools can do this, such as ClamAV, Malwarebytes, or Avast.

If you think that your system may have been compromised, you should:

  • Change your passwords.
  • Scan your system for malicious code.
  • Report the attack to the authorities.
