CVE-2023-38408 is a security vulnerability that affects the PKCS#11 feature in ssh-agent in OpenSSH versions before 9.3p2. This vulnerability is caused by an insufficiently trustworthy search path, which can lead to remote code execution if an agent is forwarded to an attacker-controlled system.

Background

This issue exists because of an incomplete fix for CVE-2016-10009, a previously-discovered security vulnerability in OpenSSH. Although the patch for CVE-2016-10009 aimed to address the problem, it was discovered that the fix was not comprehensive enough, leaving OpenSSH still vulnerable.

Exploit Details

The PKCS#11 security feature in ssh-agent is designed to allow users to perform public-key operations with their private keys stored on a hardware device, like a smart card or a USB token. However, the search path for the required shared library in ssh-agent was found to be insufficiently trustworthy. In some circumstances, an attacker could exploit this weakness to execute malicious code on the victim's system.

When ssh-agent attempts to load a required library, it first searches the directories listed in the LD_LIBRARY_PATH environment variable, then the directories specified in the /etc/ld.so.conf configuration file, and finally the directories in the compiled-in library search path.

The vulnerability lies in the fact that the code in /usr/lib, which is part of the default search path, is not necessarily safe for loading into ssh-agent. An attacker who controls a system to which the agent has been forwarded, and who can place a malicious shared library in /usr/lib, could potentially exploit this vulnerability for remote code execution.

Here is a code snippet illustrating the library-loading process:

#include <dlfcn.h>

/* Load the PKCS#11 shared library named by pkcs11provider. If the name is
 * not an absolute path, dlopen() resolves it through the search path
 * described above. */
if ((handle = dlopen(pkcs11provider, RTLD_NOW)) == NULL) {
    error("dlopen %s failed: %s", pkcs11provider, dlerror());
    goto fail;
}

/* Resolve the required PKCS#11 entry points from the loaded library. */
if (find_pkcs11_functions(handle) != 0) {
    error("Failed to find required PKCS#11 functions");
    goto fail;
}
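The snippet above hands pkcs11provider straight to dlopen(), so a bare file name is resolved through the untrusted search path. The following added example (not OpenSSH code) shows the kind of check a defender would want in front of that dlopen(): it accepts only an absolute, non-traversing path that matches an allowlist of directory patterns, in the spirit of ssh-agent's -P option; the patterns and the provider names in the comments are constructed for this example.

```c
#include <fnmatch.h>
#include <string.h>

/* Constructed allowlist of provider path patterns (an assumption for this
 * example, not OpenSSH's defaults). '*' is allowed to span '/' so that a
 * pattern covers subdirectories such as /usr/lib64/pkcs11/. */
static const char *const ALLOWED_PROVIDER_PATTERNS[] = {
    "/usr/lib*/*",
    "/usr/local/lib*/*",
    NULL
};

/* Return 1 if every '/'-separated component of `path` is non-empty and is
 * neither "." nor "..", so the path cannot escape the allowed prefix.
 * The caller guarantees a leading '/'. A trailing '/' yields an empty
 * final component and is rejected as well. */
static int components_are_plain(const char *path)
{
    const char *p = path + 1;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                 /* empty, "." or ".." component */
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Return 1 only if `provider` is an absolute, non-traversing path that
 * matches one of the allowlisted patterns. A bare name such as
 * "opensc-pkcs11.so" is rejected: dlopen() would resolve it through
 * LD_LIBRARY_PATH, ld.so.conf and the compiled-in search path, which is
 * exactly the untrusted search described in the advisory. */
int provider_path_allowed(const char *provider)
{
    if (provider == NULL || provider[0] != '/')
        return 0;
    if (!components_are_plain(provider))
        return 0;
    for (const char *const *pat = ALLOWED_PROVIDER_PATTERNS; *pat; pat++) {
        if (fnmatch(*pat, provider, 0) == 0)
            return 1;
    }
    return 0;
}
```

Only when provider_path_allowed() returns 1 should the path reach dlopen(); the check does not replace loading the provider in a separate, unprivileged helper process.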

Mitigation

The best solution to address this vulnerability is to upgrade OpenSSH to version 9.3p2 or later. This version includes a comprehensive fix for CVE-2023-38408.

Original References

1. Commit with the fix in OpenSSH: a3d13b10
2. NIST National Vulnerability Database: CVE-2023-38408
3. Original CVE-2016-10009 vulnerability: CVE-2016-10009

Conclusion

CVE-2023-38408 is a critical security vulnerability present in the PKCS#11 feature in ssh-agent in OpenSSH versions before 9.3p2. The insufficiently trustworthy library search path could potentially allow an attacker to perform a remote code execution attack, compromising the victim's system. Upgrading to OpenSSH 9.3p2 or later is the recommended mitigation to protect against this vulnerability.

Timeline

Published on: 07/20/2023 03:15:10 UTC
Last modified on: 11/07/2023 04:17:17 UTC