U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A flaw in OpenSSH forwarded ssh-agent allows remote code execution

A new flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. Researchers from the Qualys Threat Research Unit (TRU) have discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent. OpenSSH (Open Secure Shell) is a set of open-source tools and utilities that provide secure encrypted […]

OpenSSH server

Verschluesselte Kommunikation mit OpenSSH

A new flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.

Researchers from the Qualys Threat Research Unit (TRU) have discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent.

OpenSSH (Open Secure Shell) is a set of open-source tools and utilities that provide secure encrypted communication over a network. It is a widely used implementation of the SSH (Secure Shell) protocol, which allows users to establish secure remote connections to other computers or servers over an insecure network, such as the internet.

The now-patched vulnerability, tracked as CVE-2023-38408, can be exploited by a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. Qualys Research Unit recommends addressing the issue immediately due to the widespread use of OpenSSH’s forwarded ssh-agent.

The ssh-agent is a program that caches private keys for SSH public key authentication, reducing the need for regular passphrase input. The program stores keys in memory at the start of an X or login session. The program allows remote logins to a server without having to enter their passphrase again.

“Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on vulnerable OpenSSH forwarded ssh-agent.  Qualys security researchers have been able to independently verify the vulnerability, develop a PoC exploit on installations of Ubuntu Desktop 22.04 and 21.10. Other Linux distributions are likely vulnerable and probably exploitable.” reads the advisory published by Qualys. “As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with the vendor, OpenSSH, on this occasion to announce the vulnerability.”

The vulnerability impacts all versions of OpenSSH before 9.3p2.

The vulnerability can be exploited only if certain libraries are installed on systems running the vulnerable versions and the SSH authentication agent is forwarded to an attacker-controlled system.

“Although this seems safe at first (because every shared library in /usr/lib* comes from an official distribution package, and no operation besides dlopen() and dlclose() is generally performed by ssh-agent on a shared library), many shared libraries have unfortunate side effects when dlopen()ed and dlclose()d, and are therefore unsafe to be loaded and unloaded in a security-sensitive program such as ssh-agent. For example, many shared libraries have constructor and destructor functions that are automatically executed by dlopen() and dlclose(), respectively.” reads the advisory. “Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX).”

Below is the disclosure timeline for this vulnerability: 

  • 2023-07-06: Draft advisory and initial patch sent to OpenSSH. 
  • 2023-07-07: OpenSSH sent refined patches. 
  • 2023-07-09: Feedback on patches sent to OpenSSH. 
  • 2023-07-11: Received final patches from OpenSSH; feedback sent. 
  • 2023-07-14: OpenSSH plans for security-only release on July 19th. 
  • 2023-07-19: Coordinated release. 

In February, the maintainers of OpenSSH addressed a number of security vulnerabilities with the release of version 9.2.

One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as CVE-2023-25136

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, OpenSSH)