Overview

A vulnerability (CVE-2023-38408) was found in OpenSSH, the widely used secure networking suite for encrypted data transfer and remote logins. Successful exploitation allows an attacker to execute arbitrary code remotely on the victim's machine.

CVE-2023-38408 stems from the widely used ssh-agent helper program, which holds users' private keys for SSH public key authentication. Enabling ssh-agent forwarding lets a remote server the user logs into relay requests to the user's local ssh-agent, so the user can authenticate with local SSH keys without copying them to the server.

Researchers at Qualys discovered that when agent forwarding is enabled with default settings and ssh-agent's PKCS#11 support is enabled, an attacker with access to the remote server the agent is forwarded to can cause shared libraries on the victim's machine to be loaded and unloaded through the agent, achieving one-shot remote code execution (RCE). The technique chains just four side effects of loading and unloading common shared libraries.

Once RCE is achieved, attackers can install malware, exfiltrate data, or take complete control of the victim's system. Note that exploitation depends on specific shared libraries being present on the victim's system and requires the victim to forward their ssh-agent to a host on a network the attacker has compromised or controls.

The vulnerability affects default installations of Ubuntu Desktop 22.04 and 21.10; other Linux distributions and operating systems may also be at risk if left unpatched. Vulnerable OpenSSH releases include the following Debian package versions:

  • 1:7.9p1-10+deb10u2
  • 1:7.9p1-10+deb10u1
  • 1:8.4p1-5+deb11u1
  • 1:9.2p1-2
  • 1:9.3p1-1

OpenSSH addressed this vulnerability in version 1:9.3p2-1 (the Debian packaging of upstream OpenSSH 9.3p2). All users should apply the appropriate updates to their installations as soon as possible to protect against potential attacks.

Avertium's Recommendations

  • Ensure that all OpenSSH installations are updated to version 1:9.3p2-1 or newer; this release contains the fix for the flaw. For more information, see the OpenSSH release notes.
  • Administrators should carefully evaluate whether ssh-agent forwarding is necessary. If it is not essential, disable it to reduce the attack surface.
  • Adopt security best practices for SSH key management and user access control. Limit the use of privileged accounts, use strong passwords or SSH keys, and implement multi-factor authentication wherever possible.
  • Implement IDS/IPS solutions to detect and block attempts to exploit this OpenSSH vulnerability.
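As an added example (not Avertium's or OpenSSH's code), the following Python script checks two of the preconditions listed above on a host: whether the installed OpenSSH build predates the fixed upstream release and which ssh_config Host entries enable agent forwarding. It takes the text of `ssh -V` and of an ssh_config file as input; the banner and config embedded in it are constructed samples.

```python
"""Exposure check for CVE-2023-38408 (added example; not Avertium's or OpenSSH's code).
Flags an OpenSSH build older than the fixed upstream release 9.3p2 (Debian package
1:9.3p2-1) and ssh_config entries that enable agent forwarding. Both checks work on
text, so they run offline on the constructed samples below or on real output."""
import re

FIXED_VERSION = (9, 3, 2)  # upstream OpenSSH 9.3p2 as (major, minor, portable)

def parse_openssh_version(banner: str) -> tuple:
    """(major, minor, portable) from an `ssh -V` banner such as
    'OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"unrecognised ssh -V banner: {banner!r}")
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable or 0))

def is_vulnerable_version(banner: str) -> bool:
    """True when the build predates the upstream fix. Distributions that backport
    the fix keep an older version string, so confirm a hit against the distro's
    own advisory before treating the host as unpatched."""
    return parse_openssh_version(banner) < FIXED_VERSION

def hosts_with_agent_forwarding(config_text: str) -> list:
    """Host patterns ('*' for the global section) where 'ForwardAgent yes' is set.
    Match blocks are not evaluated, and ssh itself uses the first value it finds."""
    current, hits = "*", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # blank or comment line
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
        elif key == "forwardagent" and value.lower() == "yes":
            hits.append(current)
    return hits

SAMPLE_BANNER = "OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.9 30 May 2023"  # constructed
SAMPLE_CONFIG = """\
# constructed sample, not taken from any real system
ForwardAgent no
Host bastion.example.com
    ForwardAgent yes
Host *.lab
    ForwardAgent = yes
"""
```

Run `is_vulnerable_version` on the real output of `ssh -V` and `hosts_with_agent_forwarding` on `/etc/ssh/ssh_config` and each user's `~/.ssh/config`; any listed host is one where the forwarded agent would be reachable from the remote side.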

Indicators of Compromise (IoCs)

  • The researchers at Qualys observed four surprising behaviors while syscall-tracing (strace) the dlopen() and dlclose() of shared libraries on Ubuntu Desktop installations:
     
    • Some shared libraries require an executable stack, some are marked "nodelete" and stay mapped after dlclose(), some do not deregister their signal handlers on dlclose(), and some crash on dlopen() because they are loaded in an unexpected context.
    • Chained together, these four side effects are what turn the loading and unloading of libraries through the forwarded agent into code execution.

  • Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.

How Avertium is Protecting Our Customers

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
     
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.

  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.

Supporting Documentation

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent | Qualys Security Blog

OpenSSH vulnerability uncovered by researchers, RCE exploit developed | ITPro

OpenSSH: Release Notes

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection (thehackernews.com)

qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
