How to Fix CVE-2023-38408- A Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent?

On 19th July 2023, OpenSSH released the release notes of OpenSSH 9.3p2, which addressed a Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent. The flaw is tracked as CVE-2023-38408 allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. Since the flaw allows attackers to perform Remote Code Execution on the victim machine and its widespread use of OpenSSH’s forwarded ssh-agent, it is highly recommended to learn how to Fix CVE-2023-38408- a Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent. The Qualys Threat Research Unit (TRU) has been credited with the discovery of this vulnerability upon they reported the flaw on 7th July 2023. 

Before we jump in to learn how to Fix CVE-2023-38408- a Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent, let’s see a short intro about the ssh-agent and its agent forwarding feature, why it is needed, and what are the benefits of the agent forward feature.

A Short Introduction to ssh-agent

ssh-agent is a key component of the SSH (Secure Shell) protocol suite and serves as an authentication agent. It operates as a background process, intended to aid in managing private keys associated with public key authentication.

The primary role of the ssh-agent is to store private keys, eliminating the need for users to repeatedly enter their passphrase when using SSH to connect to different servers. When a session starts, the user adds their private key(s) to the ssh-agent. After the key has been added, the ssh-agent manages the key, supplying it whenever necessary, without requiring the user to manually enter their passphrase each time.

While interacting with an ssh-agent, users initiate an SSH client program that communicates with the agent and requests operations like user authentication. The communication between the SSH client and the agent is facilitated by a Unix-domain socket, secured by the operating system.

One notable feature of ssh-agent is ‘agent forwarding’. This allows an ssh-agent’s services to be forwarded to a remote system, via an SSH protocol connection. This essentially means that when you’re connected to a remote server, you can use your local ssh-agent to perform authentication tasks, without storing any private keys on the remote system. It’s a convenient feature but requires careful usage due to its potential security implications.

Some key points about ssh-agent:

So in summary, ssh-agent is a key manager for SSH authentication that allows agent forwarding to avoid storing keys on remote hosts. But care must be taken in how it handles requests to avoid security issues.

What is the Need for Agent Forwarding?

Agent forwarding is a prominent feature of the SSH (Secure Shell) protocol that enhances the convenience and efficiency of managing secure connections between different systems. It is an integral part of the ssh-agent utility.

In a typical SSH connection, a user connects from a local system to a remote system by entering their passphrase to unlock their private key, which is then used for authentication. However, if the user needs to establish an SSH connection from the remote system to another system, they would have to supply their passphrase again to unlock their private key, which can be cumbersome and pose security risks, especially if the remote system is not fully trusted.

This is where agent forwarding comes into play. Agent forwarding allows users to leverage their local ssh-agent on a remote system. This means that the private key used for authentication stays on the local machine and does not need to be stored on any remote system.

When a user establishes an SSH connection with agent forwarding enabled, the local ssh-agent creates a socket on the remote system. This socket serves as a forwarding channel, allowing the remote system to communicate with the local ssh-agent for operations requiring the user’s private key.

As a result, when a user initiates a subsequent SSH connection from the remote system to another system, the authentication request is forwarded back to the local ssh-agent. The local ssh-agent then handles the authentication using the stored private key, and the user doesn’t need to enter their passphrase again.

While agent forwarding significantly simplifies the handling of SSH connections and private keys, it should be used with caution due to potential security risks. If a malicious actor gains control over a remote system where agent forwarding is used, they could potentially use the forwarding channel to perform operations with the user’s private key. Therefore, agent forwarding is recommended only for trusted systems and secure networks.

Reasons to have Agent Forwarding are:

Benefits of Using the Agent Forwarding

This utility becomes indispensable in environments where users need to interact with multiple systems using SSH public key authentication.

Let’s explore some key reasons that necessitate the use of agent forwarding:

Summary of the CVE-2023-38408 Vulnerability

The CVE-2023-38408 vulnerability is a Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent. This vulnerability was uncovered by the Qualys Threat Research Unit (TRU), which specializes in identifying and analyzing various security vulnerabilities.

The main issue with this vulnerability is that it allows a remote attacker to execute arbitrary commands on systems running the vulnerable version of OpenSSH’s forwarded ssh-agent. This means that a hacker could potentially take control of a system and perform unauthorized actions.

This vulnerability poses a significant risk due to the widespread use of OpenSSH’s forwarded ssh-agent in many networked systems, particularly within Unix-based environments like Linux. OpenSSH is a critical tool used for securely accessing remote machines, and the ssh-agent forwarding feature is often utilized to handle authentication details when making multiple SSH connections.

Qualys team said that were able to independently verify this vulnerability and even developed a Proof of Concept (PoC) exploit on certain installations of Ubuntu Desktop (versions 22.04 and 21.10). They suspect that this vulnerability would be existing in other Linux distributions.

We recommend seeing the complete technical details of the CVE-2023-38408 vulnerability here. Well, the attack vector and CVSS scores are yet to analyze.

OpenSSH Versions Vulnerable to CVE-2023-38408

The flaw affects all the versions, which are equal to and lower than v9.3p2.. Please check the version of OpenSSH that your machine is running. Run this command to check the OpenSSH version.

ssh -V

In this case, we have OpenSSH v9.2p1 on our server, which is vulnerable.

How to Fix CVE-2023-38408- A Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent?

OpenSSH has responded to this vulnerability by rolling out a patched version of OpenSSH. This Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent is fixed in OpenSSH v 9.3p2. We suggest finding out the current version of OpenSSH on your machines and upgrading to v9.3p2.

How to Fix CVE-2023-25136?

The installation process is quite simple if your distribution has a compelled version of OpenSSH-server. If not, you may need to download the package and compel the package using make and install it using the make install commands.

Step 1. Check the OpenSSH version

Run this command to check the version of OpenSSH:

$ ssh -V

Step 2. Download the latest OpenSSH package

Download the latest package. In this case, since we have OpenSSH v9.2p1 which is vulnerable to this flaw, we need to download v9.3p2.

$ wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
$ chmod +x openssh-9.3p2.tar.gz

Step 3. Extract the OpenSSH package

Extract the downloaded package to a folder and change it into the extracted directory.

$ tar -xf openssh-9.3p2.tar.gz
$ cd openssh-9.3p2/

Step 4. Manually compile OpenSSH

Run ./configure to configure the build settings for your system architecture. If you want to enable PAM and SELinux support, add the –with-pam and –with-selinux flags respectively. Just make sure you have all the necessary header files for them to work.

$ sudo apt install libpam0g-dev libselinux1-dev
$ ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

Step 5. Install/upgrade OpenSSH

Install or upgrade the OpenSSH build using make and make install commands

$ make
$ make install

Note: You may need to install make and gcc utilities before you install or upgrade the OpenSSH.
Run this command to install the required packages if not preinstalled.

$ sudo apt install make gcc

Step 6. Check the OpenSSH version after the installation process gets completed

Run this command to check the version of OpenSSH:

$ ssh -V

How to Fix the “configure: error: no acceptable C compiler found in $PATH” Error?

If you get configure: error: no acceptable C compiler found in $PATH error when you try compile the before building any source code, then no gcc compiler is installed on your computer or gcc compiler is not set to $PATH veritable. One simple solution to this problem is to install build-essential or development tools on your server.

To install gcc use this: (run as root)

    Redhat base:

yum groupinstall "Development Tools"

    Debian base:

apt-get install build-essential

    openSUSE base:

zypper install --type pattern devel_basis

    Alpine:

apk add build-base

We hope this post helps you know how to fix CVE-2023-38408- A Remote Code Execution Vulnerability in OpenSSH’s forwarded ssh-agent. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.