Details have emerged about a now-patched flaw in OpenSSH that could potentially be exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
“This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent,” Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.
It impacts all versions of OpenSSH before 9.3p2. OpenSSH is a popular connectivity tool for remote login with the SSH protocol that’s used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks.
SSH agent is a background program that maintains users’ keys in memory and facilitates remote logins to a server without having to enter their passphrase again.
“While browsing through ssh-agent’s source code, we noticed that a remote attacker, who has access to the remote server where Alice’s ssh-agent is forwarded to, can load,” Qualys explained.
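A triage check for the two conditions described above (an OpenSSH release before 9.3p2 on the host running the agent, and an agent forwarded to a remote server), as an added example that is not from the article or from Qualys. The banner and config are constructed samples, and the ssh_config reading is an assumed simplification (no `Include`, no host-pattern matching); a vendor package may carry a backported fix without changing the version string.

```python
import re
FIXED = (9, 3, 2)  # 9.3p2: per the article, releases before this are affected

def parse_version(banner):
    """Return (major, minor, portable_level) from an `ssh -V` style banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in {banner!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_pre_fix(banner):
    return parse_version(banner) < FIXED  # upstream version heuristic only

def forwarding_blocks(config_text):
    """List the Host/Match blocks that turn agent forwarding on."""
    current, decided, hits = "(global)", False, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in ("host", "match"):
            current, decided = f"{key} {value}", False
        elif key == "forwardagent" and value and not decided:
            decided = True  # first value obtained wins (approximated per block)
            # Only "no" disables it; "yes", a socket path or $VAR forward an agent.
            if value.split()[0].lower() != "no":
                hits.append(current)
    return hits

def assess(banner, config_text):
    blocks = forwarding_blocks(config_text)
    pre_fix = is_pre_fix(banner)
    return {"pre_fix": pre_fix, "forwarding": blocks,
            "exposed": pre_fix and bool(blocks)}

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023"
SAMPLE_CONFIG = """\
Host bastion.example
    ForwardAgent yes
Host build-*.example
    ForwardAgent=no
    ForwardAgent yes
"""
if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Feed it the output of `ssh -V` and the contents of `~/.ssh/config`; a block that appears in `forwarding` is a candidate for setting `ForwardAgent no`.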
Earlier this February, OpenSSH maintainers released an update to remediate a medium-severity security flaw that could be exploited by an unauthenticated remote attacker to modify unexpected memory locations and theoretically achieve code execution.