ISN 2023-14: IGEL OS OpenSSH Vulnerability
Updated 28 August 2023 (OS 11 fix version)
First published 26 July 2023
CVSS 3.1: 7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
A vulnerability has been discovered in OpenSSH, the SSH client and server suite shipped in IGEL OS. The following IGEL products are affected:
- IGEL OS 12
- IGEL OS 11
Details
The ssh-agent command in OpenSSH releases before 9.3p2 will, on request from a client of its socket, load PKCS#11 provider libraries with dlopen(), and its default provider allowlist accepts any library path below /usr/lib* and /usr/local/lib*. An attacker who can talk to the agent's socket, which is the case once a user forwards the agent (ssh -A, or ForwardAgent yes in ssh_config) to a host the attacker controls, can therefore make the victim's agent load and unload shared libraries of the attacker's choosing from the victim's own system. Qualys demonstrated that the side effects of loading and unloading specific libraries present on common Linux installations can be chained into Remote Code Execution (RCE) on the machine running the agent. This vulnerability (CVE-2023-38408) has been rated as high. Exploitation requires the presence of those specific libraries on the victim system and that the agent was forwarded to an attacker-controlled system. Agent forwarding is not enabled by default in IGEL OS, but customers could enable it in a custom command or script.
Mitigation
- Customers usually do not use ssh-agent on IGEL OS. Remote exploitation also requires that the agent is forwarded to a host the attacker controls; customers who do not forward the agent (ssh -A, ForwardAgent yes) to hosts they do not trust are not exposed.
- For those that use ssh-agent: according to the OpenSSH project, exploitation can be prevented by starting ssh-agent with an empty PKCS#11/FIDO provider allowlist:

    ssh-agent -P ''

  or with an allowlist that contains only the specific provider libraries that are actually needed (for example the PKCS#11 module of the smart card middleware in use). OpenSSH's default allowlist permits any library below /usr/lib* and /usr/local/lib*, which is what the attack relies on. OpenSSH 9.3p2 additionally refuses PKCS#11 load requests that arrive from remote (forwarded) clients by default.
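The checks below are an added example and are not part of this advisory, of IGEL OS, or of the OpenSSH project's tooling. They put the mitigation into a small POSIX shell script: parse the version out of an "ssh -V" banner and compare it against 9.3p2, flag an active ForwardAgent yes in an ssh_config fragment, and test which library paths a given ssh-agent -P allowlist would admit. The ssh_config fragments and banners embedded in it are constructed, and the provider library paths are placeholders, not IGEL's.

```shell
#!/bin/sh
# Added example for CVE-2023-38408; not IGEL's or OpenSSH's own tooling.
# Assumptions not taken from the advisory: the config fragments and banners
# below are constructed, and provider library paths are placeholders.

# version_number "9.3p2" -> 90302, "8.9p1" -> 80901, "9.3" -> 90300.
# Portable releases are MAJOR.MINORpPATCH; a version without a "pN" suffix
# is counted as patch 0, which is deliberately conservative.
version_number() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    [ "$patch" = "$rest" ] && patch=0
    echo $((major * 10000 + minor * 100 + patch))
}

# openssh_fixed VERSION -> true when VERSION is at least 9.3p2, the release
# whose notes describe the ssh-agent PKCS#11 fix.
openssh_fixed() {
    [ "$(version_number "$1")" -ge "$(version_number 9.3p2)" ]
}

# banner_version BANNER -> version token of an "ssh -V 2>&1" banner,
# e.g. "OpenSSH_9.3p2, OpenSSL 3.0.2 15 Mar 2022" -> "9.3p2".
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9.]*\(p[0-9][0-9]*\)\{0,1\}\).*$/\1/p'
}

# forward_agent_enabled CONFIG_TEXT -> true when an uncommented
# "ForwardAgent yes" line is present. Forwarding is the precondition for
# remote exploitation. The check ignores Host scoping; for one destination
# the authoritative answer is:  ssh -G <host> | grep -i '^forwardagent'
forward_agent_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]=]+yes([[:space:]]|$)'
}

# allowlist_permits PATTERN_LIST PATH -> true when PATH matches one of the
# comma-separated patterns of an ssh-agent -P allowlist. The '*' and '?'
# wildcards are emulated with the shell's case globbing (approximation:
# negated '!' patterns are not handled). OpenSSH's default list,
# "/usr/lib*/*,/usr/local/lib*/*", admits any shared object under /usr/lib;
# an empty list admits nothing.
allowlist_permits() {
    path=$2
    rest=$1
    while [ -n "$rest" ]; do
        pat=${rest%%,*}
        case $path in
            $pat) return 0 ;;
        esac
        [ "$rest" = "$pat" ] && break
        rest=${rest#*,}
    done
    return 1
}

# Constructed sample ~/.ssh/config fragments (not taken from any real host).
EXPOSED_CONFIG='Host jump
    HostName jump.example.com
    ForwardAgent yes'
SAFE_CONFIG='Host jump
    HostName jump.example.com
    # ForwardAgent yes
    ForwardAgent no'

# report_host: run the checks against the local ssh binary and ssh_config.
# Not invoked automatically; call it from an interactive shell.
report_host() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not found"; return 1; }
    v=$(banner_version "$(ssh -V 2>&1)")
    if openssh_fixed "$v"; then
        echo "OpenSSH $v: fixed release (>= 9.3p2)"
    else
        echo "OpenSSH $v: pre-fix release; start the agent with: ssh-agent -P ''"
    fi
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        [ -r "$f" ] || continue
        forward_agent_enabled "$(cat "$f")" &&
            echo "$f enables ForwardAgent: a forwarded agent is reachable by the remote host"
    done
    return 0
}
```

Source the file and call report_host on the workstation in question. allowlist_permits is useful for confirming that a restrictive -P value still admits the one provider library the smart card middleware needs and nothing else from /usr/lib.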
Update Instructions
- OS 12: Update the IGEL OS Base System app to version 12.02.100 (available in September 2023)
- OS 11: Update to the IGEL OS version 11.08.440.
References
- OpenSSH: Release Notes for OpenSSH 9.3p2: https://www.openssh.com/txt/release-9.3p2
- Qualys: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent: https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt