A critical vulnerability (CVE-2023-2283) was discovered in the libSSH library, which enables attackers to bypass the client authentication check. The issue lies in the pki_verify_data_signature function where there are memory allocation problems. This vulnerability can potentially be exploited if there is insufficient memory or if memory usage is limited.

Details

The problem begins with the return value rc, which is initialized to SSH_ERROR. Later in the code, the variable is overwritten to store the return value of the function call pki_key_check_hash_compatible. However, the value of the variable remains unaltered between this point and the cryptographic verification, meaning that any error occurring between these stages will cause execution to jump to the goto error label, ultimately returning SSH_OK, irrespective of the error.

The following code snipplet demonstrates the problematic function

int pki_verify_data_signature(const ssh_signature sig, const ssh_key pubkey,
                              const unsigned char *hash,
                              size_t hlen) {
  int rc = SSH_ERROR;

  if (pubkey == NULL || sig == NULL) {
    return SSH_ERROR;
  }

  rc = pki_key_check_hash_compatible(pubkey, hlen);
  if (rc == SSH_ERROR) {
    goto error;
  }

  /* ... (omitted for brevity) ... */

  rc = pki_signature_verify(sig, pubkey, hash, hlen);
  if (rc != SSH_OK) {
    goto error;
  }

  return SSH_OK;

error:
  return SSH_OK;
}

Exploit Details

An attacker can exploit this vulnerability to bypass the authentication check while connecting to a vulnerable libSSH server. This allows unauthorized access to the system or network and can lead to further exploitation.

For example, a threat actor may be able to perform actions like executing arbitrary commands, reading sensitive data, or even pivoting into other parts of the network.

Original References

1. LibSSH's Official Security Advisory: https://www.libssh.org/security/advisories/CVE-2023-2283.txt
2. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-2283

Mitigation

Users of libSSH should immediately update to the latest version (libssh-.9.8 or later), which includes fixes for this critical vulnerability. Moreover, they should monitor their systems for signs of unauthorized access or any unusual behavior.

Administrators are also advised to follow best practices for securing their servers and networks, which include strong, unique passwords, proper access control, and regular security patching. Additionally, they should consider segmenting their networks to limit the potential damage in case of an exploit.

Timeline

Published on: 05/26/2023 18:15:00 UTC
Last modified on: 06/06/2023 14:54:00 UTC