New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection
Details have emerged about a now-patched flaw in OpenSSH that could potentially be exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
“This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent,” Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.
The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It affects all versions of OpenSSH before 9.3p2.
OpenSSH is a popular connectivity tool for remote login with the SSH protocol; it encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. ssh-agent is a background program that keeps users’ keys in memory and facilitates remote logins to a server without having to enter the passphrase again.
“While browsing through ssh-agent’s source code, we noticed that a remote attacker, who has access to the remote server where Alice’s ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default),” Qualys explained.
The cybersecurity firm said it was able to devise a successful proof-of-concept (PoC) against default installations of Ubuntu Desktop 22.04 and 21.10, although other Linux distributions are expected to be vulnerable as well.
Users of OpenSSH are strongly advised to update to the most recent version in order to safeguard against potential cyber threats.
Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw (CVE-2023-25136, CVSS score: 6.5) that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.
A subsequent release in March addressed another security issue that could be abused by means of a specially crafted DNS response to perform an out-of-bounds read of adjacent stack data and cause a denial-of-service to the SSH client.
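The two facts a defender needs from the above are the fixed version (9.3p2) and the precondition (agent forwarding to a host the attacker controls). The script below is an added example, not code from the article, Qualys or the OpenSSH project: it parses the `ssh -V` banner and compares it against 9.3p2, and it scans an ssh_config-style text for Host blocks that set `ForwardAgent yes`. The banner and config strings in the test are constructed samples; the helper names (`parse_openssh_version`, `forwarding_hosts`) are this example's own.

```python
"""Defender-side exposure checks for the ssh-agent flaw described above.

Added example (not from the article, Qualys or OpenSSH). Two checks:
  1. is the local OpenSSH older than 9.3p2, the first fixed release?
  2. which ssh_config Host blocks enable agent forwarding, the precondition
     the advisory names for remote exploitation?
"""
import re
import subprocess
from typing import List, Optional, Tuple

FIXED = (9, 3, 2)  # first release containing the fix, per the advisory

# Matches banners such as "OpenSSH_9.3p1 Ubuntu-1ubuntu3, OpenSSL 3.0.8"
_VER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patchlevel) from an `ssh -V` banner.
    A banner without a 'pN' suffix (e.g. 'OpenSSH_7.4') gets patchlevel 0.
    Returns None when no OpenSSH version string is present."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_vulnerable_version(banner: str) -> Optional[bool]:
    """True if the banner's version sorts before 9.3p2, False if not,
    None if the banner could not be parsed. Note: distributions often
    backport fixes without bumping the version, so treat True as
    'check the package changelog', not as proof of exposure."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED


def forwarding_hosts(config_text: str) -> List[str]:
    """Return Host/Match patterns whose block sets 'ForwardAgent yes'.
    Directives before the first Host line apply to every host, reported
    as '*'. Comments and 'Key=value' spelling are handled."""
    current = "*"
    hits: List[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            current = val
        elif key == "forwardagent" and val.lower() == "yes":
            if current not in hits:
                hits.append(current)
    return hits


def local_banner() -> str:
    """Run the installed client; `ssh -V` prints its banner to stderr."""
    result = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return result.stderr or result.stdout


if __name__ == "__main__":
    import os

    banner = local_banner()
    print("banner:", banner.strip())
    print("older than 9.3p2:", is_vulnerable_version(banner))
    cfg_path = os.path.expanduser("~/.ssh/config")
    if os.path.exists(cfg_path):
        with open(cfg_path, encoding="utf-8") as fh:
            print("hosts with ForwardAgent yes:", forwarding_hosts(fh.read()))
```

A host that appears in the `forwarding_hosts` output is one where the local agent socket is exposed to whatever runs on that remote machine; the usual hardening is to drop `ForwardAgent yes` from catch-all blocks and, where forwarding is genuinely needed, to start the agent with an explicit provider allowlist (`ssh-agent -P`) so it will not load arbitrary libraries on a remote party's request.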