What is CVE-2023-38408 OpenSSH's SSH-Agent RCE ?
SSH-Agent is a widely used program that securely stores private keys for accessing remote machines using SSH, enabling secure and convenient access. It is considered a secure and alternative method for encrypted login, particularly in situations where the exposure of command line history or the installation of a keylogger on the client is deemed dangerous.
One of the functionalities of this program is "agent forwarding," which allows users to access local SSH agents from remote servers. However, recent research conducted by Qualys has uncovered a security vulnerability so significant that it could lead to remote code execution on the client machine.
In this article, we will delve into this issue, its root cause, and what it means for users and system administrators.
Known Risks and Surprising Implications
The manual pages of SSH-Agent (man SSH-agent) caution users about potential dangers, while highlighting that SSH-agent forwarding is still commonly used.
"A system administrator (Alice) runs an SSH-agent on her local workstation, connects to a remote server using SSH, and enables SSH-agent forwarding with the -A or ForwardAgent option, making her locally running SSH-agent accessible from the remote server.
According to researchers at Qualys, a remote attacker who can control the host Alice is connecting to can load any shared library in the /usr/lib* directory on Alice's workstation using dlopen() and immediately unload it with dlclose() if SSH-agent forwarding is compiled with ENABLE_PKCS11, which is the default setting.
This vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user's local workstation to the remote server. These libraries are loaded on the user's workstation (dlopen()) and immediately unloaded (dlclose()). The issue is that certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded."
Please note that technical terms and concepts may vary, so it's important to ensure that the context and terminology align with the specific technical audience or documentation you are targeting.
Root Causes of the SSH-Agent Vulnerability
The fundamental reason for this vulnerability is the combination of SSH-agent's forwarding mechanism and the side effects of shared libraries. It is assumed that the shared libraries in /usr/lib* come from official distribution packages, and processes other than dlopen() and dlclose() are not expected to be performed. Unfortunately, chaining certain side effects from these libraries allows an attacker to remotely execute code in SSH-agent.
Consequences
The consequences of this vulnerability are significant. An attacker who gains access to the remote server where SSH-agent is forwarded can potentially execute malicious code on the user's local workstation. This can lead to unauthorized access, data theft, or even the compromise of the user's system.
Mitigation Strategies for SSH-Agent Forwarding RCE Vulnerability
Considering the potential risks associated with forwarding, users and system administrators should exercise caution when enabling this feature. While it provides convenience, it also increases the attack surface. Here are some steps to mitigate the risk:
Limit Agent Forwarding: Restrict forwarding to only when necessary. Avoid enabling forwarding for all SSH sessions and use it only on trusted remote servers.
Use Jump Hosts: Consider using the -J option in SSH to specify an intermediary server. This approach allows you to reduce your SSH-agent's exposure while accessing remote servers via an intermediary key.
Disable PKCS#11 Support: If possible, compile SSH-agent without ENABLE_PKCS11 to avoid forwarding shared libraries and reduce the attack surface.
Keep Software Up-to-Date: Regularly update your operating system and SSH software, ensuring that you have the latest security patches. Use OpenSSH 9.3p2 or newer versions.
Please note that technical terms and concepts may vary, so it's important to ensure that the context and terminology align with the specific technical audience or documentation you are targeting.
CVE-2023-38408 Vulnerability Description (SOCRadar Vulnerability Intelligence)
SSH-Agent forwarding is a powerful feature that enhances the usability of SSH, but it also comes with certain risks. Recent research highlighting potential security vulnerabilities in SSH agent forwarding serves as a reminder of the importance of best security practices. Users and system administrators can establish a secure SSH environment and protect their systems from potential threats by understanding these risks and taking necessary precautions.
Source : https://www.turkhackteam.org/konular/cve-2023-38408-opensshnin-ssh-agent-rce-nedir.2046743/
