Official forum for Utopia Community
Details have emerged about an OpenSSH vulnerability that has since been patched. Under certain circumstances, this vulnerability may be used to remotely execute arbitrary commands on compromised hosts.
Saeed Abbasi, manager of vulnerability research at Qualys, stated in an analysis last week that "this vulnerability enables a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent."
The vulnerability is tracked as CVE-2023-38408 (CVSS score: N/A).
It affects all releases of OpenSSH prior to 9.3p2.
OpenSSH is a widely used connectivity tool for remote login over the SSH protocol; it encrypts all traffic to prevent eavesdropping, connection hijacking, and other attacks.
For exploitation to succeed, specific libraries must be installed on the victim system and the SSH authentication agent must be forwarded to an attacker-controlled system. ssh-agent is a background program that keeps users' keys in memory and lets them log in to remote servers without re-entering their passphrase.
Reviewing the ssh-agent source code, Qualys found that if it was compiled with ENABLE_PKCS11, a remote attacker with access to the remote server to which Alice's ssh-agent is forwarded could load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice's workstation, via her forwarded ssh-agent.
The cybersecurity company said its proof-of-concept (PoC) attack succeeded against default Ubuntu Desktop 22.04 and 21.10 installations, and that other Linux distributions are expected to be similarly vulnerable.
OpenSSH users are strongly encouraged to update to the latest version to protect themselves from potential threats.
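A defender-side check for the two conditions the post describes (an OpenSSH build older than 9.3p2, and agent forwarding enabled in ssh_config), written here as an added example; it is not from the post, Qualys or the OpenSSH project. It parses an `ssh -V` banner and ssh_config text; the sample banner and config are constructed, and a banner without a `pN` portable suffix is treated as patch level 0 by assumption.

```shell
#!/bin/sh
# Added audit helper for CVE-2023-38408 (example code, not from OpenSSH or Qualys).

# Return 0 if the "ssh -V" banner names a release before 9.3p2, 1 if it is
# 9.3p2 or newer, 2 if the banner cannot be parsed.
openssh_is_vulnerable() {
    ver=${1#OpenSSH_}
    ver=${ver%%[!0-9.p]*}          # keep "8.9p1", drop " Ubuntu-..." / ", OpenSSL ..."
    case $ver in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    case $rest in
        *p*) patch=${rest#*p} ;;
        *)   patch=0 ;;              # assumption: no pN suffix means patch level 0
    esac
    [ -n "$patch" ] || patch=0
    [ "$major" -lt 9 ] && return 0
    [ "$major" -gt 9 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$patch" -lt 2 ]
}

# Succeed if the ssh_config text on stdin enables agent forwarding anywhere.
# Keyword match is case-insensitive and comment lines are ignored; Host-block
# scoping is not evaluated (a simplification of this example).
forward_agent_enabled() {
    grep -Eiq '^[[:space:]]*ForwardAgent([[:space:]]+|[[:space:]]*=[[:space:]]*)yes'
}

# Constructed sample inputs standing in for "ssh -V 2>&1" and ~/.ssh/config.
SAMPLE_BANNER='OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022'
SAMPLE_CONFIG='# constructed example config
Host jumphost.example
    ForwardAgent yes'

audit() {
    openssh_is_vulnerable "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "OpenSSH '$1' predates 9.3p2: update OpenSSH" ;;
        1) echo "OpenSSH is 9.3p2 or newer" ;;
        *) echo "could not parse banner: $1" ;;
    esac
    if printf '%s\n' "$2" | forward_agent_enabled; then
        echo "ForwardAgent yes found: forward the agent only to hosts you fully trust"
    fi
}
audit "$SAMPLE_BANNER" "$SAMPLE_CONFIG"
```

Replacing the constructed values with `"$(ssh -V 2>&1)"` and `"$(cat ~/.ssh/config /etc/ssh/ssh_config 2>/dev/null)"` audits the live host.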
Early in February, the OpenSSH developers released a patch to address a medium-severity security hole (CVE-2023-25136, CVSS score: 6.5) that could have allowed an unauthenticated remote attacker to change unexpected memory locations and potentially execute code.
A later release in March fixed another flaw that could be exploited with a specially crafted DNS response to read adjacent stack data out of bounds and cause a denial of service in the SSH client.