An open-source version of the Secure Shell (SSH) protocol, OpenSSH, provides a powerful suite of services designed to provide encrypted communications across an unsecured network in a client-server architecture. These services are offered by OpenSSH. OpenSSH is an essential weapon in the cyber security inventory of innumerable businesses and organizations because it provides the foundation for safe interactions inside secure networks. The most popular implementation of the Secure Shell protocol in the world has released an update to fix the most recent vulnerability, which is known as CVE-2023-38408. The Qualys Security Advisory team was the one who uncovered this vulnerability, which is caused by the possibility of remote code execution in OpenSSH’s forwarded ssh-agent.
The ssh-agent is an important player to consider in this setting. This is a helper software that streamlines the process of user authentication by keeping a record of the identity keys and passphrases used by users. It is possible for users to connect into different servers without having to re-enter their password or passphrase after the keys have been saved in ssh-agent, which results in a smooth single sign-on (SSO) experience. Recent happenings, on the other hand, have shown that even a system with good intentions might contain a flaw that could lead to catastrophic consequences.
CVE-2023-38408 is a vulnerability that allows remote code execution and is located inside the forwarded function of the ssh-agent. This vulnerability is especially pertinent to the PKCS#11 providers. Under some circumstances, the ssh-agent’s support for PKCS#11 may be abused to allow remote code execution by way of a forwarded agent socket. This can only be done if certain requirements are met.
The availability of certain libraries on the target system is one of the conditions for exploiting the vulnerability. Another criterion is that the agent must be sent to a system under the control of the attacker. Therefore, a cybercriminal who is able to satisfy these prerequisites may exploit the vulnerability and execute remote code if they have the opportunity to do so.
There are safeguards in place to prevent this vulnerability from being taken advantage of, despite the fact that it may seem to be rather dangerous. In order to safeguard yourself against the risk posed by this vulnerability, you should:
- Upgrade to OpenSSH 9.3p2 or later.
- You may restrict OpenSSH to only accept certain PKCS#11 providers by configuring the server.
- When sending your SSH agent to servers that are not trusted, use caution.
- You should do a scan of your system for malicious malware if you have any reason to believe that the security of your system may have been breached.
- It is strongly advised that users of OpenSSH forward ssh-agent update to the most recent version in order to protect themselves from fraudulent activity.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
