OpenSSH vulnerability

From the release notes of OpenSSH 9.3p2:
Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.


So the attack scenario is *VERY* specific and requires a previous compromise of the victim system to inject a malicious library in /usr/lib AND an attacker-controlled target system where the agent is forwarded to.

Given this is still a security-related patch (and openssh/ssh-agent is in base, not in ports/packages), I suspect we will see a patch against the supported RELEASE versions (12.4 & 13.2) in the next few days.
 
Right, it does also seem to be related to the ssh-agent(1). Anyway, according to the article disabling agent forwarding is a mitigation you could implement, at least until a patch is released.

Code:
     AllowAgentForwarding
             Specifies whether ssh-agent(1) forwarding is permitted.  The
             default is yes.  Note that disabling agent forwarding does not
             improve security unless users are also denied shell access, as
             they can always install their own forwarders.
See sshd_config(5)
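An added example (not from the thread, not OpenSSH's own code) for checking the mitigation quoted above: sshd_config(5) applies the first occurrence of a keyword and ignores comment lines, so a `#AllowAgentForwarding yes` comment or a second setting further down does not change anything, and a value inside a `Match` block is conditional rather than global. The function below resolves a keyword the same way against a config file; the three config files are constructed for the demonstration. On a real host, compare the result with `sshd -T | grep -i allowagentforwarding`, which prints the effective value sshd actually uses.

```shell
#!/bin/sh
# Resolve the effective global value of an sshd_config keyword:
# comments and blank lines are ignored, the first occurrence wins,
# Keyword=value is accepted, and anything after the first "Match"
# line is conditional and therefore not part of the global value.
sshd_global_value() {
    keyword=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # keywords are case-insensitive
    file="$2"                                                  # path to an sshd_config
    default="$3"                                               # value used when the keyword is absent
    value=$(awk -v kw="$keyword" '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        { sub(/=/, " ") }                        # accept Keyword=value form
        tolower($1) == "match" { exit }          # global section ends at the first Match
        tolower($1) == kw && NF >= 2 { print tolower($2); exit }   # first hit wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Exit 0 when agent forwarding is disabled globally (default is yes).
agent_forwarding_disabled() {
    [ "$(sshd_global_value AllowAgentForwarding "$1" yes)" = "no" ]
}

# Constructed sample configs (hypothetical, not from any real host).
CFG_A=$(mktemp); CFG_B=$(mktemp); CFG_C=$(mktemp)
trap 'rm -f "$CFG_A" "$CFG_B" "$CFG_C"' EXIT

# A: commented-out "yes" is ignored, global "no" wins, Match block is conditional.
cat > "$CFG_A" <<'EOF'
#AllowAgentForwarding yes
Port 22
AllowAgentForwarding no
Match User admin
    AllowAgentForwarding yes
EOF

# B: keyword absent, so the sshd default (yes) applies.
cat > "$CFG_B" <<'EOF'
Port 22
PermitRootLogin no
EOF

# C: Keyword=value spelling with mixed case.
cat > "$CFG_C" <<'EOF'
allowagentforwarding=No
EOF

for f in "$CFG_A" "$CFG_B" "$CFG_C"; do
    if agent_forwarding_disabled "$f"; then
        echo "$f: agent forwarding disabled"
    else
        echo "$f: agent forwarding ENABLED (value: $(sshd_global_value AllowAgentForwarding "$f" yes))"
    fi
done
```

As the quoted sshd_config(5) text says, this only limits the stock forwarder; a user with shell access can still run their own, so the client-side measures from the first post (`ssh-agent -P ''` or a provider allowlist, and not forwarding the agent to hosts you do not control) are the ones that actually remove the exposure.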
 