SentinelOne
CVE Vulnerability Database

CVE-2023-51384: OpenSSH Privilege Escalation Vulnerability

CVE-2023-51384 is a privilege escalation vulnerability in the OpenSSH ssh-agent in which destination constraints are incompletely applied to PKCS#11-hosted keys. This article covers technical details, affected versions, security implications, and mitigation strategies.


CVE-2023-51384 Overview

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during the addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

Critical Impact

Incomplete application of PKCS#11 constraints can lead to exposure of sensitive private keys.

Affected Products

  • openbsd openssh
  • debian debian_linux

Discovery Timeline

  • Vulnerability discovery: date and discoverer not available
  • Responsible disclosure to openbsd: date not available
  • CVE CVE-2023-51384 assigned: date not available
  • openbsd releases security patch: date not available
  • 2023-12-18 - CVE CVE-2023-51384 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-51384

Vulnerability Analysis

The vulnerability arises in the ssh-agent component of OpenSSH due to incorrect application of PKCS#11 destination constraints. As a result, keys beyond the first one returned by a token can be used without the destination restrictions that were intended to apply to all of them.

Root Cause

The root cause is an implementation flaw where destination constraints are only applied to a single key retrieved from a PKCS#11 token, neglecting any additional keys that might be returned.

Attack Vector

The attack vector is local, requiring the attacker to have access to the machine where ssh-agent is running.

```c
// Simplified illustration of the flaw (not exploit code and not OpenSSH's code):
// a PKCS#11 token returns two keys, but constraints are applied to the first only

#include <stdio.h>

int main(void) {
    const char *pkcs11_keys[] = {"key1", "key2"};
    printf("Applying constraints to %s...\n", pkcs11_keys[0]);
    // Error: constraints are never applied to pkcs11_keys[1]
    return 0;
}
```

Detection Methods for CVE-2023-51384

Indicators of Compromise

  • Unexpected use of PKCS#11 keys
  • Unusual ssh-agent behavior
  • Logs indicating multiple key usages

Detection Strategies

Monitor logs for any anomalies in ssh-agent key usages. Cross-reference with expected behavior when keys are retrieved via PKCS#11.

Monitoring Recommendations

Continuous monitoring of ssh-agent processes, with emphasis on PKCS#11 key retrieval actions, can reveal unexpected key usage.
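A screening script for the two conditions that together expose an agent to this issue, as an added example that is not part of this advisory or of OpenSSH: an OpenSSH version below 9.6 (parsed from the `ssh -V` banner) and more than one key loaded from the same PKCS#11 provider (parsed from `ssh-add -l`, where ssh-agent uses the provider path as the comment of PKCS#11-hosted keys). The version banner, key listing and provider path /usr/lib/opensc-pkcs11.so are constructed sample values. Distributions backport fixes without bumping the version string, so a version match is a prompt to check the vendor advisory, not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the advisory or from OpenSSH): screening checks for
# CVE-2023-51384. Inputs are passed as text so the functions run offline against
# constructed samples; live use is shown at the bottom.

# Return 0 when an `ssh -V` banner is below OpenSSH 9.6, 1 when it is 9.6 or
# later, and 2 when the banner cannot be parsed.
openssh_version_below_9_6() {
    ver=$(printf '%s\n' "$1" | sed -nE 's/^OpenSSH_([0-9]+)\.([0-9]+).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 6 ]; then return 0; fi
    return 1
}

# Count the keys in an `ssh-add -l` listing whose comment equals the given
# PKCS#11 provider path. Listing lines look like:
#   <bits> <fingerprint> <comment> (<type>)
pkcs11_key_count() {
    provider=$1
    printf '%s\n' "$2" | awk -v p="$provider" '
        NF >= 3 {
            $1 = ""; $2 = "";            # drop bit length and fingerprint
            sub(/^ +/, "");
            sub(/ \([^)]*\)$/, "");      # drop trailing key type such as "(RSA)"
            if ($0 == p) n++
        }
        END { print n + 0 }'
}

# Combine both checks. Returns 0 (exposed) only when the version is below 9.6
# AND more than one key comes from the same token, since the flaw leaves every
# key after the first without destination constraints.
assess() {
    version_string=$1
    provider=$2
    listing=$3
    n=$(pkcs11_key_count "$provider" "$listing")
    rc=0
    openssh_version_below_9_6 "$version_string" || rc=$?
    case $rc in
        0)
            if [ "$n" -gt 1 ]; then
                echo "EXPOSED: $version_string; $n keys from $provider, only the first gets destination constraints"
                return 0
            fi
            echo "version is below 9.6 but only $n key(s) from $provider are loaded"
            return 1 ;;
        1)
            echo "not exposed by this check: version 9.6 or later ($n key(s) from $provider)"
            return 1 ;;
        *)
            echo "could not parse version banner: $version_string"
            return 1 ;;
    esac
}

# Constructed sample data (not captured from a real system).
SAMPLE_VERSION='OpenSSH_9.3p1 Ubuntu-1ubuntu3.6, OpenSSL 3.0.10 1 Aug 2023'
SAMPLE_LISTING='3072 SHA256:CONSTRUCTEDFINGERPRINT000000000000000000000001 /usr/lib/opensc-pkcs11.so (RSA)
256 SHA256:CONSTRUCTEDFINGERPRINT000000000000000000000002 /usr/lib/opensc-pkcs11.so (ECDSA)
256 SHA256:CONSTRUCTEDFINGERPRINT000000000000000000000003 user@laptop (ED25519)'

# Offline demonstration against the constructed sample:
assess "$SAMPLE_VERSION" /usr/lib/opensc-pkcs11.so "$SAMPLE_LISTING"

# Against the running system (ssh -V prints its banner on stderr):
#   assess "$(ssh -V 2>&1)" /usr/lib/opensc-pkcs11.so "$(ssh-add -l)"
```

The provider path is matched exactly against the comment field because ssh-agent stores the canonical provider path as the comment of every key it loads from that token; keys added from files keep their own comments and are ignored by the count.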

How to Mitigate CVE-2023-51384

Immediate Actions Required

  • Limit ssh-agent usage to trusted users only
  • Regularly review access and usage logs
  • Apply the latest patches from openbsd

Patch Information

Patches correcting this issue have been released and are included in OpenSSH 9.6 and later, available from the OpenSSH repository. Refer to the following link for patch details: OpenSSH Patch

Workarounds

The immediate workaround is to specify destination constraints explicitly when adding PKCS#11-hosted keys and to verify that every key the token returns is covered. Because an unpatched agent applies the constraints only to the first key a token returns, this is a stopgap until OpenSSH 9.6 or later is installed.

```bash
# Add PKCS#11-hosted keys with a destination constraint (ssh-add -h, OpenSSH 8.9 and later).
# "bastion.example.com" and the provider path are placeholders.
# On an agent older than 9.6 only the first key the token returns is constrained.
ssh-add -h "bastion.example.com" -s /path/to/pkcs11.so
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
