5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
Posted by jpluimers on 2023/07/26
TL;DR is at the bottom (;
5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.
It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.
However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).
Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)
“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”
According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).
The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.
Mitigations for the SSH-Agent Forwarding RCE Vulnerability
Given the potential risks associated with forwarding, users and system administrators should exercise caution when enabling this feature. While it offers convenience, it also increases the attack surface.Here are some steps to mitigate the risk:
- Minimize Agent Forwarding: Limit the use of forwarding to only when necessary. Avoid enabling forwarding for every SSH session and only use it on trusted remote servers.
- Use Jump Hosts: Consider using the -J option in SSH to specify a jump host. This approach allows you to access remote servers through an intermediary host, reducing the exposure of your SSH-agent.
- Disable PKCS#11 Support: If possible, compile the SSH-agent without ENABLE_PKCS11 to prevent forwarding shared libraries and reduce the potential attack surface.
- Keep Software Updated: Regularly update your operating system and SSH software to ensure you have the latest security patches: OpenSSH 9.3p2 or later
In addition, I learned they have an interesting [Wayback/Archive] External Attack Surface – SOCRadar LABS, definitely worth trying that out!
The best diagram of an almost identical situation I could find is at this post which only got published 3 weeks ago: [Wayback/Archive] Understanding SSH Agent and SSH Agent Hijacking: A Real-Life Scenario | by Nidal Mahmud | Jul, 2023 | Medium
…
consider deploying public keys directly, keeping your systems and SSH software updated, and limiting the time keys are loaded into the agent.
In addition, leveraging the principle of least privilege helps — each key should only have the access it needs, thereby limiting potential damage. Regular monitoring and logging of SSH access can help detect suspicious activities and prevent an SSH agent hijacking attempt before it wreaks havoc.
Definitely recommended reading that whole post.
Mitigation
Of course the best way is to upgrade to [Wayback/Archive] www.openssh.com/txt/release-9.3p2, but not all systems have that version available for installation yet and some that have cannot be upgraded at will.
So for me it was interesting to know that the actual vulnerability is on the local (client) side, depends on a compromised remote (server) side and the usage of ssh-agent on the local side.
- local side: [Wayback/Archive] ssh: OpenSSH remote login client | openssh-clients Commands | Man Pages | ManKier
- local side: [Wayback/Archive] ssh-agent: OpenSSH authentication agent | openssh-clients Commands | Man Pages | ManKier
- remote side: [Wayback/Archive] sshd: OpenSSH daemon | openssh-server System Administration | Man Pages | ManKier
Since the client side never knows if a server side is compromise, the next best from upgrade is to disable or minimise ssh-agent forwarding::
- avoid the
ssh -Aswitch in [Wayback/Archive] ssh -A: OpenSSH remote login client | openssh-clients Commands | Man Pages | ManKier
Enables forwarding of connections from an authentication agent such as ssh-agent(1). This can also be specified on a per-host basis in a configuration file.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. A safer alternative may be to use a jump host (see -J).
- avoid enabling
ForwardAgentin [Wayback/Archive] ssh_config: OpenSSH client configuration file | openssh-clients File Formats | Man Pages | ManKier
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument may be
yes,no(the default), an explicit path to an agent socket or the name of an environment variable (beginning with ‘$’) in which to find the path.Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
What you see here is that agent forwarding is both discouraged at the client side and server side.
Disabling this on the remote side (even if you can trust it: remember Mallory can only abuse the ssh-agent vulnerability when controlling the remote) is not possible as you can see in [Wayback/Archive] sshd_config: OpenSSH daemon configuration file | openssh-server File Formats | Man Pages | ManKier
Specifies whether ssh-agent(1) forwarding is permitted. The default isyes. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
Forbids authentication agent forwarding when this key is used for authentication.
…
Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation and execution of
~/.ssh/rc. If any future restriction capabilities are added to authorized_keys files, they will be included in this set.
This means you need to raise ssh client usage awareness among the users in your organisation to favour Jump Host over agent-forwarding.
ssh Jump Hosts
Both AgentForwarding and Jump Host were new for me (as I always had fresh sets of identities for each local or intermediate use case), so here are some links I might learn a thing or two from:
- [Wayback/Archive] ssh -J: OpenSSH remote login client | openssh-clients Commands | Man Pages | ManKier
-JdestinationConnect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a
ProxyJumpconfiguration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use~/.ssh/configto specify configuration for jump hosts.
- [Wayback/Archive] SSH jump host – Gentoo Wiki explains both the route via the ssh config file as well as the ssh command-line options.
- [Wayback/Archive] How to setup OpenSSH for Windows for ProxyJumping (with tips for using
PowerShellinstead ofbash) - [Wayback/Archive] SSH ProxyCommand example: Going through one host to reach another server – nixCraft (which also provides examples for older ssh versions which do not support either the
-Jor alternative-Woptions).
Some links to skip (with reasons why):
- [Wayback/Archive] OpenSSH jump-host and file-transfer – Kudelski Security Research which is not a Jump Host in the ssh sense, more like a relay tunnel host using reverse ssh tunnel.
- [Wayback/Archive] How to Set Up an SSH Jump Server in Linux: skip this as it combines the
ssh -A -Joptions (which is odd as the article was from fall 2022, when the warnings against-Ashould have been well known).
Don’t use, but know about Agent Forwarding
Some links so I at least know more about Agent Forwarding (and why users love it despite they should be discouraged from using it):
- [Wayback/Archive] How to use SSH properly and what is SSH Agent Forwarding – DEV Community 👩💻👨💻 sort of visualises the sharing of keys from the
ssh-agentto the remote server:
- [Wayback/Archive] What is SSH Agent Forwarding and How Do You Use It? encourages to re-use your local keys whereas one should hand out keys for each specific use case with access control tailored to that use case.
- [Wayback/Archive] Using SSH agent forwarding – GitHub Docs
Exploit
The exploit repository has these files:
- [Wayback/Archive] CVE-2023-38408/README.md at main · snowcra5h/CVE-2023-38408
- [Wayback/Archive] CVE-2023-38408/gpl-3.0.txt at main · snowcra5h/CVE-2023-38408
- [Wayback/A] CVE-2023-38408/step1.sh at main · snowcra5h/CVE-2023-38408
./step1.sh /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_jammy_main_binary-amd64_Packages ./step1.sh /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages - [Wayback/Archive] CVE-2023-38408/step2.c at main · snowcra5h/CVE-2023-38408
./step2 - [Wayback/Archive] CVE-2023-38408/step3.sh at main · snowcra5h/CVE-2023-38408
./step3.sh /tmp/step2* - [Wayback/Archive] CVE-2023-38408/step4.c at main · snowcra5h/CVE-2023-38408
./step4 /tmp/step3* - [Wayback/Archive] CVE-2023-38408/step5.c at main · snowcra5h/CVE-2023-38408
XSTACK=/tmp/step3*?/xstack.maps ./step5 /tmp/step4*?/?*?/logger - [Wayback/Archive] CVE-2023-38408/step6.c at main · snowcra5h/CVE-2023-38408
for i in /tmp/step5*?/?*?/logger; do TRIES=16 ./step6 "$i"; done
Further reading
- [Wayback/Archive] How to fix CVE-2023-38408 in OpenSSH | Vulcan Cyber has a nice “Deeper Dive” section explaining the above exploit in more detail.
- [Wayback/A] Digging Into An Interesting New CVE – Deepfactor has a nice “How was this vulnerability discovered?” section explaining the tedious work Qualys people had to do in order to find an exploitable sequence of library load/unload behaviour.
- [Wayback/Archive] OpenSSH Forwarded SSH-Agent Remote Code Execution ≈ Packet Storm official publication/disclosure of the vulnerability.
- [Wayback/Archive] How to fix CVE-2023-38408 in OpenSSH | Vulcan Cyber explains in more technical terms (but far less than the disclosure) how the exploit works.
- PKCS #11 – Wikipedia
- [Wayback/Archive] OpenSSH: Security has the list of security problems fixed in OpenSSH.
- Parts of the Twitter thread that coerced me to write this blog post:
- [Wayback/Archive] mRr3b00t on Twitter: “################################ CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent ################################ now.. first questions… how many devices in your enterprise do you have running a vulnerable version of SSH? How many of these are internet…”
- [Wayback/Archive] mRr3b00t on Twitter: “so with CVE-2023-38408: if we wanted to find the client we would need to run something like this no?
ssh -Vso my client version… has the vulnerable component.” - [Wayback/Archive] mRr3b00t on Twitter: “and just to show: the sshd server version also is this: OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022 It’s not a garentee but if the sshd server is version X it’s less likely SSH client will be version Z (i would imagine!) anyway hope that clears that part up!”
Queries
- [Wayback/Archive] CVE-2023-38408 – Google Search
- [Wayback/Archive] CVE-2023-38408 – Google Image Search
- [Wayback/Archive] CVE-2023-38408 proof of concept – Google Search
- [Wayback/Archive] openssh sshd disable PKCS11 – Google Search
- [Wayback/Archive] openssh agent forwarding – Google Search
- [Wayback/Archive] openssh agent forwarding – Google Image Search
- [Wayback/Archive] cve-2023-38408 · GitHub Topics
- [Wayback/Archive] CVE-2023-38408 rating – Google Search
- [Wayback/Archive] CVE-2023-38408 score – Google Search
- [Wayback/Archive] ssh jump host – Google Search
- [Wayback/Archive] ssh jump host – Google Image Search
- [Wayback/Archive] “ssh -J” – Google Search
- [Wayback/Archive] ssh ProxyJump – Google Search
- [Wayback/Archive] esxi ssh keyfile – Google Search
TL;DR
- There is a vulnerability in the local
ssh-agentbecause the remote server can load arbitrary dynamic libraries on it and have their load/unload logic cause trouble. - Despite
ssh-agentforwarging is discouraged, users still use it because it is convenient for them. - Forcing client and server systems to upgrade to the latest OpenSSH releases is really important but not always possible. Still try this as much as possible as it is the best solution.
- There is no way to fully disable
ssh-agentforwarding on the local client with thessh -Aoption orForwardAgentconfig setting, andallowagentforwardingor settings on the remote server: perform as many discouragement steps as possible, as then only the very persistent users will be able to shoot themselves in the foot. - This means that unpatched systems will stay vulnerable, as coercing users into not using
ssh-agentforwarding is hard: they are stubborn humans.
This again means you need to raise ssh client usage awareness among the users in your organisation to favour Jump Host over agent-forwarding.
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment