Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

OpenSSH ssh-agent RCE Vulnerability

A tricky vulnerability for systems administrators to contemplate: a newly-discovered vulnerability in the ssh-agent component of OpenSSH can allow an attacker who has access to a remote server to then execute code on the administrator's workstation. The vulnerability, CVE-2023-38408, was discovered  by Qualys researchers while 'browsing through ssh-agent's source code'.

OpenSSH is widely used for command-line administration of remote hosts; the ssh-agent is particularly useful, as it caches the admins' private keys, eliminating the need for constant retyping of passwords, especially when remote commands are invoked from within scripts (remember, scripting and automation is the holy grail for admins).

And in complex environments, especially cloud, it can be useful to enable agent forwarding; this allows an admin - say, Alice - to log into a remote host (Bob) and then connect from it to yet another host behind Bob (Carol) without having to load a private key on Bob. Instead, the authentication challenge from Carol to Bob is automatically forwarded to Alice, for the ssh-agent to handle. This eliminates the need for private keys to live on Internet-facing hosts, and also eliminates the need for yet more password typing. The result is the ability for scripts on Alice to invoke scripts on Bob which can, in turn, invoke commands on Carol, Dave, etc. Bliss! I have used this in the past to achieve automated remote backups through an intermediate firewall, for example.

However, the Qualys researchers' interest was piqued by a comment in the ssh man page:

Based on their reading of the ssh-agent source code, they found that a remote attacker, who has access to the remote server to which Alice's ssh-agent is forwarded, can load (via dlopen()) and unload (via dlclose()) any shared library in /usr/lib* on the Alice workstation, via the forwarded ssh-agent (if it is compiled with ENABLE_PKCS11, which is the default).

From there, they were able to develop a proof-of-concept which achieves remote code execution by exploiting the side-effects of loading and unloading the shared libraries of some standard Linux distribution packages - and while they started with only one approach in mind, they came up with six other cominations of shared libraries that may well work. This work was done using Ubuntu Desktop 22.04 and 21.10, but other distributions and OS's are quite probably vulnerable.

The Qualys blog post provides basic information, but their full security advisory digs deeper and makes a fascinating read for Linux sysadmins and developers. The researchers submitted their findings, along with an initial patch, to the OpenSSH project, who refined the patch and released a fix on 19 July. This should be rolling out to the various Linux distributions in the coming days.

Abbasi, Saeed, CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent, blog post, 19-24 July 2023. Available online at https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent.

Uncredited, CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent, security advisory, 19 July 2023. Available online at https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt.

Detailed Rundown on Cl0p

A longish blog post from Fortiguard Labs Threat Research provides a comprehensive high-level analysis of the operations of the Cl0p ransomware gang. Cl0p is significant as it is the most successful of the current ransomware gangs, in part due to its focus on large enterprises which could pay large extortion demands - resulting in a median ransom payment of close to $US2 million.

According to the Fortiguard researchers, Cl0p has been more active this year than in 2021/22, in part due to the arrest of some members in June 2021 perhaps causing a hiatus. As of 15 July, the Cl0p ransomware data leak site lists 419 victims, primarily in the US. The group also appears to have shifted from holding encrypted files ransom to exfiltrating data which they threaten to make public if an extortion demand is not met. In the case of their recent exploitation of the MOVEit Transfer SQL injection vulnerability, the Cl0p ransomware was not deployed at all - this was purely an information exfiltration attack.

However, the group claims "We have never attacked hospitals, orphanages, nursing gomes, charitable foundations, and we will not . . . If an attack mistakenly occurs on one of the foregoing organizations, we will provide the decryptor for free, apologise and help fix the vulnerabilities". Their goodwill does not extend to pharmaceutical firms, though.

Imano, Shunichi and James Slaughter, Ransomware Roundup - Cl0p, blog post, 21 July 2023. Available online at https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p.

Apple Threatens to Pull FaceTime, iMessage from UK

As the UK government seeks to update the Investigatory Powers Act (IPA) 2016, Apple has fought back, threatening to withdraw services such as FaceTime and iMessage from the UK rather than weaken their security.

The IPA allows the Home Office to demand that security features, such as end-to-end encryption and authentication, are disabled without any notification to the public, in order to permit surveillance by police and intelligence agencies. This has long been a goal of governments - the UK, in particular, targeted Facebook for its decision to enable encryption in Facebook Messenger, relying heavily on the argument that improved encryption would hamper efforts to tackle child exploitation online (the same argument used by the US government against PGP in the 1980's).

The fact is that this legislation is only going to weaken the security of legitimate users while not achieving the intended goal - the cryptologic cat is well and truly out of the bag, with many third-party secure messaging services available. For this and other reasons, proposals by governments to weaken device security have long been opposed by the academic and industrial cryptologic community (Abelson et. al., 2015).

The most recent UK government is also opposed by WhatsApp and Signal, and comes as Google - and undoubtedly others- move to adopt the IETF's Message Layer Security Protocol (RFC 9420), which will provide end-to-end encryption across multiple platforms (Hogben, 2023). Google will implement MLS into Google Messages (its Android SMS app) and open-source its implementation in the Android codebase.

Abelson, Harold, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, et al., Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications. Technical Report, CSAIL Technical Reports, Cambridge, MA: MIT, July 6, 2015. Available online at http://dspace.mit.edu/handle/1721.1/97690.

Hogben, Giles, An important step towards secure and interoperable messaging, Google Security blog, 19 July 2023. Available online at https://security.googleblog.com/2023/07/an-important-step-towards-secure-and.html.

Kleinman, Zoe, Apple slams UK surveillance-bill proposals, BBC News, 21 July 2023. Available online at https://www.bbc.com/news/technology-66256081.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.