A critical vulnerability (CVE-2023-2283) was discovered in the libSSH library, which enables attackers to bypass the client authentication check. The issue lies in the pki_verify_data_signature function where there are memory allocation problems. This vulnerability can potentially be exploited if there is insufficient memory or if memory usage is limited.
Details
The problem begins with the return value rc, which is initialized to SSH_ERROR. Later in the code, the variable is overwritten to store the return value of the function call pki_key_check_hash_compatible. However, the value of the variable remains unaltered between this point and the cryptographic verification, meaning that any error occurring between these stages will cause execution to jump to the goto error label, ultimately returning SSH_OK, irrespective of the error.
The following code snipplet demonstrates the problematic function
int pki_verify_data_signature(const ssh_signature sig, const ssh_key pubkey,
const unsigned char *hash,
size_t hlen) {
int rc = SSH_ERROR;
if (pubkey == NULL || sig == NULL) {
return SSH_ERROR;
}
rc = pki_key_check_hash_compatible(pubkey, hlen);
if (rc == SSH_ERROR) {
goto error;
}
/* ... (omitted for brevity) ... */
rc = pki_signature_verify(sig, pubkey, hash, hlen);
if (rc != SSH_OK) {
goto error;
}
return SSH_OK;
error:
return SSH_OK;
}
Exploit Details
An attacker can exploit this vulnerability to bypass the authentication check while connecting to a vulnerable libSSH server. This allows unauthorized access to the system or network and can lead to further exploitation.
For example, a threat actor may be able to perform actions like executing arbitrary commands, reading sensitive data, or even pivoting into other parts of the network.
Original References
1. LibSSH's Official Security Advisory: https://www.libssh.org/security/advisories/CVE-2023-2283.txt
2. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-2283
Mitigation
Users of libSSH should immediately update to the latest version (libssh-.9.8 or later), which includes fixes for this critical vulnerability. Moreover, they should monitor their systems for signs of unauthorized access or any unusual behavior.
Administrators are also advised to follow best practices for securing their servers and networks, which include strong, unique passwords, proper access control, and regular security patching. Additionally, they should consider segmenting their networks to limit the potential damage in case of an exploit.
Timeline
Published on: 05/26/2023 18:15:00 UTC
Last modified on: 06/06/2023 14:54:00 UTC