
Critical OpenSSH Vulnerability CVE-2023-38408: Urgent Security Flaw in PKCS#11 Feature Requires Immediate Attention


Executive Summary

CVE-2023-38408 is a critical vulnerability in the PKCS#11 support of ssh-agent in OpenSSH versions before 9.3p2 (CVSS 3.1 base score 9.8). The agent's search path for PKCS#11 provider libraries is insufficiently trustworthy: a remote host to which a user has forwarded their agent can make the agent load shared libraries from the user's own workstation, and Qualys showed that this can be turned into remote code execution on that workstation. OpenSSH 9.3p2, released on July 19, 2023, fixes the issue. This report additionally describes exploitation in the wild by Advanced Persistent Threat (APT) groups against critical infrastructure sectors in North America and Europe; the report does not cite sources for that activity or name the groups, so the attribution should be read with that in mind. The patching advice stands regardless.

Technical Information

ssh-agent is a background program that holds private keys for SSH public-key authentication so that the user does not have to re-enter passphrases for every connection. With agent forwarding (ssh -A, or ForwardAgent yes in ssh_config) the agent's Unix socket is made reachable from the remote host, and anyone with root on that host can send agent-protocol requests back to the ssh-agent running on the user's workstation. One of those requests asks the agent to load a PKCS#11 provider, which is a shared library identified by a file path; the agent (through its ssh-pkcs11-helper process) dlopen()s it. Because the path is chosen by the requester and was only checked against a broad default allowlist, an attacker who controls a host the agent is forwarded to can execute code on the user's workstation, not merely on the compromised remote host. Agent forwarding is routine in development and operations workflows (hopping through bastions, deploying from shared build hosts), which is what makes this flaw dangerous in practice.

OpenSSH versions up to and including 9.3p1 are affected. ssh-agent restricts provider paths with the allowlist given by its -P option, whose documented default is /usr/lib*/*,/usr/local/lib*/*. That allowlist confines loading to system library directories, but it does not make those directories trustworthy: a forwarded client can ask the agent to load any shared object under /usr/lib, and ssh-pkcs11-helper dlopen()s it, discovers that it is not a PKCS#11 provider, and dlclose()s it again. Loading and unloading run the library's constructor and destructor functions. Qualys found enough side effects among libraries present on a default desktop install (state such as mappings and handlers that survive unloading) to chain them into arbitrary code execution inside ssh-agent, defeating ASLR, PIE and NX along the way. The 9.3p2 fix checks with nlist(3) that a candidate library exports the expected PKCS#11 entry point (C_GetFunctionList) before dlopen() is ever called, and by default refuses PKCS#11 load requests that arrive from remote clients unless ssh-agent is started with -O allow-remote-pkcs11.

Qualys, which discovered the vulnerability, developed a proof-of-concept exploit against default installations of Ubuntu Desktop 22.04 and 21.10 and expects other Linux distributions to be exploitable as well. The PoC achieves arbitrary code execution inside the ssh-agent process on the user's workstation purely by sending agent-protocol requests from the attacker-controlled host; no file has to be planted on the victim's disk first, because the libraries abused are ones the distribution already ships. Code running inside ssh-agent can sign with every private key the agent holds, which is what lets the attacker take over the user's SSH access. The full analysis is in the Qualys Security Advisory published on the Qualys Security Blog.
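To make the three checks in the paragraphs above concrete, here is an added example (not OpenSSH code and not from the Qualys advisory) that models ssh-agent's decision for one add-smartcard-key request before and after 9.3p2. The library paths, the remote flag and the exported-symbol sets are constructed sample data; the allowlist default and the 9.3p2 behaviours are taken from the ssh-agent(1) manual and the 9.3p2 release notes. The hypothetical libexample.so.1 stands in for any non-PKCS#11 library that happens to live under /usr/lib.

```python
"""Policy model for ssh-agent's handling of a PKCS#11 provider-load request.

Added example, not OpenSSH source. It models three checks that decide whether
ssh-agent (via ssh-pkcs11-helper) will dlopen() a client-supplied provider:
  1. the -P allowlist (documented default "/usr/lib*/*,/usr/local/lib*/*"),
  2. the 9.3p2 refusal of PKCS#11 loads requested by remote (forwarded)
     clients unless -O allow-remote-pkcs11 is given,
  3. the 9.3p2 requirement that the file export C_GetFunctionList before
     it is loaded at all.
Library paths and symbol tables below are constructed sample data.
"""
from dataclasses import dataclass, field
import fnmatch

DEFAULT_ALLOWLIST = "/usr/lib*/*,/usr/local/lib*/*"  # ssh-agent -P default


@dataclass(frozen=True)
class AgentPolicy:
    allowlist: str = DEFAULT_ALLOWLIST   # value given to ssh-agent -P
    patched: bool = True                 # True: OpenSSH >= 9.3p2 behaviour
    allow_remote_pkcs11: bool = False    # -O allow-remote-pkcs11 (9.3p2+)


@dataclass(frozen=True)
class ProviderRequest:
    path: str                      # provider path chosen by the agent *client*
    remote: bool                   # arrived over a forwarded agent socket?
    exports: frozenset = field(default_factory=frozenset)  # symbols the .so exports


def allowlist_matches(allowlist: str, path: str) -> bool:
    """OpenSSH match_pattern_list semantics: comma-separated shell-style
    patterns where '*' also crosses '/'; an empty list matches nothing."""
    return any(fnmatch.fnmatchcase(path, pat)
               for pat in allowlist.split(",") if pat)


def decide(policy: AgentPolicy, req: ProviderRequest) -> tuple:
    """Return (loaded, reason) for one add-smartcard-key request."""
    if policy.patched and req.remote and not policy.allow_remote_pkcs11:
        return False, "remote client may not load PKCS#11 providers (9.3p2 default)"
    if not allowlist_matches(policy.allowlist, req.path):
        return False, "path not in -P allowlist"
    if policy.patched and "C_GetFunctionList" not in req.exports:
        return False, "no C_GetFunctionList export; refused before dlopen()"
    if "C_GetFunctionList" not in req.exports:
        # Pre-9.3p2: dlopen() runs the library's constructors, the helper then
        # fails to find the entry point and dlclose()s it, running destructors.
        return True, "loaded and unloaded: constructors and destructors executed"
    return True, "loaded as a PKCS#11 provider"


# Constructed sample requests: a hypothetical non-PKCS#11 library under
# /usr/lib requested by a forwarded client, and a genuine provider path
# (OpenSC's module) requested locally with the entry point present.
ARBITRARY_LIB = ProviderRequest("/usr/lib/x86_64-linux-gnu/libexample.so.1",
                                remote=True)
REAL_PROVIDER = ProviderRequest("/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",
                                remote=False,
                                exports=frozenset({"C_GetFunctionList"}))


def scenarios() -> dict:
    """The agent configurations discussed in the text, applied to both requests."""
    return {
        "9.3p1 default": decide(AgentPolicy(patched=False), ARBITRARY_LIB),
        "9.3p1 with -P ''": decide(AgentPolicy(allowlist="", patched=False),
                                   ARBITRARY_LIB),
        "9.3p2 default": decide(AgentPolicy(), ARBITRARY_LIB),
        "9.3p2 allow-remote-pkcs11": decide(AgentPolicy(allow_remote_pkcs11=True),
                                            ARBITRARY_LIB),
        "9.3p2 local real provider": decide(AgentPolicy(), REAL_PROVIDER),
    }


if __name__ == "__main__":
    for name, (loaded, why) in scenarios().items():
        print(f"{name:28} loaded={str(loaded):5} {why}")
```

The -P '' row is the workaround the 9.3p2 release notes recommend when patching is delayed. The "9.3p2 default" row only holds when the ssh client is OpenSSH 8.9 or later, because the client is what tells the agent that a request came through a forwarded socket; older clients or third-party forwarding tools leave the agent unable to tell.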

Exploitation in the Wild

This report describes exploitation in the wild in which a user forwards their agent to a server the attacker already controls, and the attacker then drives the PKCS#11 loading path against the user's workstation to execute code there; the report does not cite the incidents or telemetry behind that observation. Practical indicators on the workstation side are: an ssh-pkcs11-helper process appearing as a child of ssh-agent on a host that uses no smart cards or security keys, unexpected shared objects mapped into the ssh-agent or ssh-pkcs11-helper processes (visible in /proc/<pid>/maps on Linux), and agent forwarding to hosts outside the organisation's normal jump paths. A PoC attributed to LucasPDiniz is published on GitHub; this report does not evaluate it.

APT Groups using this vulnerability

This report attributes exploitation of CVE-2023-38408 to APT groups targeting critical infrastructure sectors in North America and Europe, with espionage and disruption of critical services as their objectives, but it does not name the groups or the campaigns, so the attribution cannot be checked against other reporting. The exploitation path itself is plausible for any adversary that has already compromised a server engineers routinely SSH into with agent forwarding enabled: each such login hands the attacker a chance to attack the engineer's workstation and, through the agent, every key it holds.

Affected Product Versions

Portable OpenSSH 9.3p1 and earlier are affected; 9.3p2 and later are fixed. The OpenBSD base system's OpenSSH 9.3 was fixed through an errata patch rather than a version bump, and Linux distributions backported the fix to the package versions they ship (Ubuntu 22.04's 8.9p1, for example), so check the package changelog rather than the upstream version string alone. An ssh-agent started before the update keeps running the old code until it is restarted, so a reboot or a fresh login session is part of the remediation, not just the package upgrade.

Workaround and Mitigation

Apply the vendor patch first: upstream OpenSSH 9.3p2, released on July 19, 2023, fixes the issue, and Linux distributions have shipped backported updates for the package versions they carry. Where patching is delayed, the mitigation documented in the 9.3p2 release notes is to start ssh-agent with an empty provider allowlist (ssh-agent -P '') or with an allowlist that names only the specific PKCS#11 and FIDO provider libraries actually in use; this removes the broad /usr/lib default the exploit depends on. Do not enable the 9.3p2 option -O allow-remote-pkcs11 unless a forwarded host genuinely needs to load smart-card providers, and note that the agent relies on an OpenSSH 8.9 or later ssh client to mark requests as remote, so older clients and third-party agent-forwarding tools do not get that protection. Reduce exposure further by leaving ForwardAgent off (the default) and using ProxyJump to traverse bastion hosts, which tunnels the connection through the intermediate host without ever exposing the agent socket to it. For detection, alert when ssh-agent spawns an ssh-pkcs11-helper child on workstations that do not use smart cards, and review ForwardAgent settings in ssh_config files and the use of ssh -A in operational tooling.
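As an added audit helper for the version check and the ForwardAgent review above (example code, not part of this report or of OpenSSH), the following parses OpenSSH version strings against the fixed release and lists every ForwardAgent yes in ssh_config text, scoped to its Host or Match block. The version strings and the config text are constructed; real input comes from ssh -V or from the banner an sshd returns on connect. The verdict names and scope labels are this example's own.

```python
"""Exposure checks for CVE-2023-38408 on an SSH client host.

Added example; not code from the Rescana report or from OpenSSH. It parses
OpenSSH version strings against the fixed release (9.3p2) and finds every
ForwardAgent setting in ssh_config text, scoped to its Host/Match block.
All banners and config text below are constructed sample input. Distributions
backport security fixes without changing the upstream version, so a
"vulnerable-upstream" verdict means "confirm against the package changelog",
not "confirmed exploitable".
"""
import re

FIXED_IN = (9, 3, 2)  # portable OpenSSH 9.3p2, released 2023-07-19
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Extract (major, minor, portable_patch) from `ssh -V` output or an
    'SSH-2.0-OpenSSH_x.y' banner; patch is None for OpenBSD-native builds."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (None if patch is None else int(patch))


def version_verdict(text):
    """One of 'patched', 'vulnerable-upstream', 'check-errata', 'unknown'."""
    parsed = parse_openssh_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    if (major, minor) > FIXED_IN[:2]:
        return "patched"
    if (major, minor) < FIXED_IN[:2]:
        return "vulnerable-upstream"
    if patch is None:
        # OpenBSD base 9.3 carries no portable patch level; the fix shipped
        # as an OS erratum, so the version string cannot decide this case.
        return "check-errata"
    return "patched" if patch >= FIXED_IN[2] else "vulnerable-upstream"


def forward_agent_findings(config_text):
    """Return [(scope, line_no)] for each 'ForwardAgent yes' in ssh_config
    text. Scope is 'global' before any Host/Match line, otherwise the block
    header. ssh_config only treats whole lines starting with '#' as comments."""
    findings = []
    scope = "global"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both 'Key value' and 'Key=value'.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = f"{key} {value}"
        elif key == "forwardagent" and value.lower() == "yes":
            findings.append((scope, line_no))
    return findings


# Constructed sample input.
SAMPLE_VERSIONS = {
    "workstation": "OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023",
    "bastion-banner": "SSH-2.0-OpenSSH_9.4",
    "openbsd-base": "OpenSSH_9.3, LibreSSL 3.7.2",
    "lts-distro": "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022",
    "not-openssh": "SSH-2.0-dropbear_2022.83",
}

SAMPLE_SSH_CONFIG = """\
# constructed ~/.ssh/config
ForwardAgent yes
Host bastion
    User deploy
Host build-*
    ForwardAgent=yes
Host vendor-*.example.net
    ForwardAgent no
"""


def audit(versions=SAMPLE_VERSIONS, config_text=SAMPLE_SSH_CONFIG):
    """Combine both checks into one report dictionary."""
    return {
        "versions": {name: version_verdict(v) for name, v in versions.items()},
        "forward_agent": forward_agent_findings(config_text),
    }


if __name__ == "__main__":
    report = audit()
    for host, verdict in report["versions"].items():
        print(f"{host:16} {verdict}")
    for scope, line_no in report["forward_agent"]:
        print(f"ForwardAgent yes at line {line_no} ({scope})")
```

The lts-distro entry is the case the caveat in the docstring is about: a stock Ubuntu 22.04 reports 8.9p1 whether or not the distribution's backported fix is installed, so that verdict is a prompt to check the package, not a finding on its own. The global ForwardAgent yes at line 2 is the setting most worth removing, since it forwards the agent to every host the user connects to.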


Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive visibility into your organization's security posture, enabling you to identify and mitigate vulnerabilities like CVE-2023-38408. We are here to assist you with any questions or concerns you may have regarding this report or any other cybersecurity issues. Please feel free to reach out to our team at ops@rescana.com for further assistance.
