Qualys has disclosed a remote code execution vulnerability in the ssh-agent implementation from the OpenSSH suite. The vulnerability, tracked as CVE-2023-38408, allows an attacker who controls the remote end of an SSH connection to execute code on the system that provides access to the ssh-agent. The attack is possible only if the user connects over SSH to a system controlled by the attacker and has enabled forwarding of the ssh-agent socket with the "-A" flag or the ForwardAgent option in the configuration file. In addition, certain libraries must be present on the victim's system for the attack to succeed. The researchers developed proof-of-concept exploits and demonstrated them on Ubuntu 22.04 and 21.10.
The ssh-agent process, which caches private keys for public-key authentication, supports an optional forwarding mode that lets the remote side of an SSH session use the ssh-agent on the local system without storing credentials on other hosts. The vulnerability stems from ssh-agent's support for PKCS#11 modules, which can be loaded through the Unix socket forwarded to the remote side. This lets the attacker, that is, the host the user connects to, load and immediately unload arbitrary shared libraries from the /usr/lib* directories on the victim's system. The behaviour is present in ssh-agent builds with the ENABLE_PKCS11 option, which is enabled by default.
Initially, loading shared libraries was not considered a security threat, since loading was only possible from the official system directories, /usr/lib*, and operations on these libraries were limited to dlopen() and dlclose() calls, without executing any library functions. What was overlooked is that some libraries have constructor and destructor functions that run automatically during dlopen() and dlclose(). By choosing specific libraries, this can be exploited to achieve remote code execution.
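Since the attack requires agent forwarding to be enabled, a defender's first check is whether any ssh_config sets ForwardAgent. The audit below is an added example, not code from the article or from OpenSSH; it parses ssh_config-style text (keywords are case-insensitive, separated from values by whitespace or "=") and reports every Host or Match block that enables forwarding. It treats any value other than "no" as enabling, because ForwardAgent also accepts an explicit socket path or an environment variable name. The sample configuration is constructed for the example.

```python
"""Report ssh_config blocks that enable agent forwarding (the precondition for CVE-2023-38408)."""
import re
from typing import List, Tuple

# ssh_config lines are "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE_RE = re.compile(r"^\s*(\w+)\s*(?:=|\s)\s*(.*?)\s*$")

# Constructed sample ssh_config, not taken from any real system.
SAMPLE_CONFIG = """\
# constructed sample ssh_config, not from a real system
ForwardAgent=yes
Host bastion
    HostName 203.0.113.10
    forwardagent no
Host *.example.test
    ForwardAgent "yes"
Host jump
    ForwardAgent $SSH_AUTH_SOCK
"""


def find_forward_agent(config_text: str) -> List[Tuple[str, int, str]]:
    """Return (block, line_number, value) for each ForwardAgent directive that enables forwarding.

    Directives before the first Host/Match block apply to every host and are reported as "*".
    Any value other than "no" enables forwarding (yes, a socket path, or an env var name).
    """
    hits: List[Tuple[str, int, str]] = []
    current_block = "*"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments; quoted '#' is not handled
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        value = m.group(2).strip().strip('"')
        if keyword == "host":
            current_block = value
        elif keyword == "match":
            current_block = "match " + value
        elif keyword == "forwardagent" and value.lower() != "no":
            hits.append((current_block, lineno, value))
    return hits


if __name__ == "__main__":
    for block, lineno, value in find_forward_agent(SAMPLE_CONFIG):
        print(f"line {lineno}: block '{block}' enables agent forwarding (ForwardAgent {value})")
```

Run it against ~/.ssh/config and /etc/ssh/ssh_config by reading those files into the function; each reported block is a host where the forwarded agent socket, and thus its PKCS#11 loading, is exposed to the remote side.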