On July 19, 2023, OpenSSH, the widely used implementation of the Secure Shell protocol (SSH), released an update to address the recently identified threat, CVE-2023-38408. The Qualys Security Advisory team discovered this flaw, which originates from the potential for remote code execution within OpenSSH’s SSH-agent feature.
What is CVE-2023-38408?
CVE-2023-38408 is a vulnerability that enables remote code execution and resides in the SSH-agent’s forwarded feature, particularly in relation to the PKCS#11 providers. Exploiting the SSH-agent’s support for PKCS#11 under specific conditions allows attackers to execute remote code through a forwarded agent socket.
OpenSSH is an open-source implementation of the Secure Shell (SSH) protocol, providing a comprehensive set of services to facilitate encrypted communications over an insecure network in a client-server environment. As a vital component for secure network interactions, OpenSSH is crucial for the cybersecurity strategies of numerous organizations.
The SSH-agent plays a significant role by simplifying user authentication through the management of identity keys and passphrases. Storing keys in the SSH-agent eliminates the need for users to re-enter their password or passphrase when logging into other servers, creating a seamless single sign-on (SSO) experience.
However, recent events have exposed a potentially severe vulnerability in this well-intentioned system.
The vulnerability lies in the SSH-agent’s source code, enabling a remote attacker with access to the remote server where a user’s SSH-agent is forwarded to load and unload shared libraries in /usr/lib* on the user’s workstation. This vulnerability exists when SSH-agent is compiled with ENABLE_PKCS11, which is the default configuration.
Although this action initially seems safe since shared libraries in /usr/lib* originate from official distribution packages and SSH-agent generally performs only dlopen() and dlclose() operations on them, many shared libraries have unintended side effects when loaded and unloaded in a security-sensitive program like SSH-agent. For example, some shared libraries execute constructor and destructor functions automatically through dlopen() and dlclose(), respectively.
By chaining together four common side effects of shared libraries from official distribution packages, an attacker can transform this limited primitive (dlopen() and dlclose() of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution in SSH-agent.
The initial idea of the Proof of Concept (PoC) for remotely exploiting SSH-agent followed these steps:
- Make the SSH-agent’s stack executable by dlopen()ing one of the “execstack” libraries and store shellcode in this executable stack.
- Register a signal handler for SIGSEGV and immediately munmap() its code by dlopen()ing and dlclose()ing one of the shared libraries from “surprising behavior 3/,” retaining a dangling pointer to the unmapped signal handler in the kernel.
- Replace the unmapped signal handler’s code with code from another shared library by dlopen()ing (mmap()ing) one of the “nodelete” libraries (“surprising behavior 2/”).
- Raise a SIGSEGV by dlopen()ing one of the shared libraries from “surprising behavior 4/,” causing the unmapped signal handler to be called by the kernel but executing the replacement code from the “nodelete” library instead (a use-after-free scenario).
- Hope that the replacement code, which is mapped where the signal handler was mapped, acts as a useful gadget that jumps into the executable stack where the shellcode is stored.
Does CVE-2023-38408 affect me?
The vulnerability primarily affects systems where OpenSSH’s SSH-agent is in use and the agent’s forwarding feature is enabled. Organizations and individuals relying on OpenSSH should promptly assess their configurations to determine potential exposure. If your system meets the mentioned conditions, it is crucial to take immediate action to mitigate the risk associated with CVE-2023-38408.
Keep in mind that agent forwarding should always be used cautiously, as users with the ability to bypass file permissions on the remote host may be able to access the local agent through the forwarded connection.
Has CVE-2023-38408 been actively exploited in the wild?
Exploiting the vulnerability requires specific libraries to be present on the victim’s system and the forwarding of the agent to an attacker-controlled system. While proof-of-concept exploits exist, there is currently no definitive evidence to suggest widespread exploitation of CVE-2023-38408 in real-world scenarios.
However, due to the severity of the vulnerability, it is crucial to prioritize preventive measures and apply the recommended fixes to protect your systems.
How to fix CVE-2023-38408
Although the vulnerability is concerning, there are preventive measures available to avoid exploitation. If you suspect your system may have been compromised, you should scan it for malicious code using tools such as ClamAV, Malwarebytes, or Avast.
To effectively address and safeguard against CVE-2023-38408, follow these comprehensive steps:
- Upgrade to OpenSSH 9.3p2 or later: Upgrading to the latest version of OpenSSH is crucial as it includes critical patches to mitigate the vulnerability. Ensure that all relevant systems and servers are promptly updated to the recommended version or a higher one.
- Restrict PKCS#11 providers: Configure OpenSSH to allow only specific and trusted PKCS#11 providers. By limiting the use of PKCS#11 providers to known and verified sources, you can reduce the potential attack surface and minimize the risk of exploitation.
- Exercise caution when forwarding SSH agent: Be cautious when using agent forwarding in SSH. Avoid forwarding your SSH agent to untrusted servers or environments. Evaluate the security implications and only enable agent forwarding when necessary, considering the potential risks associated with CVE-2023-38408.
- Conduct system scans: Regularly scan your systems using reputable antivirus and malware detection tools like ClamAV, Malwarebytes, or Avast. These scans help identify and mitigate potential threats or any malicious code that may have already affected your system.
By diligently following these preventive measures, promptly updating OpenSSH, and implementing secure configurations, you can enhance your cybersecurity posture and protect your systems from the potential risks associated with CVE-2023-38408.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- CVSS v4.0 – what you need to know
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.