Skip to content

OSG-SEC-2023-07-28 HIGH OpenSSH remote code execution

Dear OSG Security Contacts,

A remote code execution vulnerability has been discovered in OpenSSH's forwarded ssh-agent. This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent. [1] [2]

IMPACTED VERSIONS:

OpenSSH 5.5 - 9.3p1 (inclusive) [3]

WHAT ARE THE VULNERABILITIES:

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on vulnerable OpenSSH forwarded ssh-agent. It occurs where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: [3]

  • Exploitation requires the presence of specific libraries on the victim system.

  • Remote exploitation requires that the agent was forwarded to an attacker-controlled system.

WHAT YOU SHOULD DO:

Upgrade to OpenSSH when updates are available for your Linux distributions. Presently there are no patched packages available for RHEL 6, 7, 8, or 9 based distributions [4].

A patched version of the OpenSSH project source, 9.3p2, is available from the OpenSSH project if you want to build your own binaries from source. [3]

The vulnerability can be mitigated by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P "") or by configuring an allowlist that contains only specific provider libraries. [3]

REFERENCES

[1] https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent

[2] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

[3] https://www.openssh.com/releasenotes.html#9.3p2

[4] https://access.redhat.com/security/cve/cve-2023-38408

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team