MOVEit bug impacts state governments. Johns Hopkins suffers data breach. Choosing the right cyber insurance. Read More
The CyberWire
MOVEit bug impacts state governments. Johns Hopkins suffers data breach.
Related Posts
Change Healthcare hackers gained access via stolen credentials and a lack of MFA.
Change Healthcare hackers gained access via stolen credentials and a lack of MFA.
Muddling Meerkat uses China’s Great Firewall to manipulate DNS queries. FCC fines mobile carriers nearly $200 million. Read More
The CyberWire
RCE bug in widely used Ghostscript library now exploited in attacks
RCE bug in widely used Ghostscript library now exploited in attacks
A remote code execution vulnerability in the Ghostscript document conversion toolkit, widely used on Linux systems, is currently being exploited in attacks. […] Read More
OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands
OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands
Researchers at Qualys discovered a new Remote Code Execution flaw in the OpenSSH.
This flaw exists in OpenSSH’s forward ssh-agent. This flaw allows an attacker to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent.
OpenSSH has been used in several servers and applications for remote login and file transfer, along with encryption. This vulnerability exists in the ssh-agent program that allows authentication to remote servers without entering the passphrase every time.
CVE-2023-38408: Remote Code Execution
This vulnerability exists in the ssh-agent due to the PKCS#11 feature in OpenSSH version 9.3p2 that has insufficient trustworthy search path. This issue exists due to an incomplete fix in CVE-2016-10009.
The CVSS Score for this vulnerability is yet to be confirmed.
The ssh-agent is a key manager who holds the PKCS#11 (Public-Key Cryptographic Standard) keys that are readily usable for remote server connections. An attacker can inject a malicious library in the ssh-agent, which makes the entire thread executable that remains even after the dclose().
In addition to this, many shared libraries are marked as “nodelete” by the loader, which makes this malicious library permanent until deleted by a superuser. These libraries exist in the /usr/lib* folder, which can allow the threat actor to dlopen() any library even when executing the SUID-root program.
Once the library is executed, the threat actor will get the same privilege as the user who initiated the ssh-agent. This vulnerability has been patched by OpenSSH.
A complete report has been published by Qualys which explains in detail the complete threat vector, background and the exploitation of this vulnerability.
Users of OpenSSH forward ssh-agent are recommended to upgrade to the latest version for preventing malicious activities.
Stay up-to-date with the latest Cyber Security News; follow us on GoogleNews, Linkedin, Twitter, and Facebook.
The post OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands appeared first on Cyber Security News.
Cyber Security News