Bug 2250329 (CVE-2023-46446) - CVE-2023-46446 python-asyncssh: Rogue Session Attack
Summary: CVE-2023-46446 python-asyncssh: Rogue Session Attack
Keywords:
Status: NEW
Alias: CVE-2023-46446
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255432 2265141 2250330 2250331
Blocks: 2250320
Reported: 2023-11-17 18:22 UTC by Borja Tarraso
Modified: 2024-02-20 16:23 UTC

Fixed In Version: python-asyncssh 2.14.1
Doc Type: ---
Doc Text:
A flaw was found in python-asyncssh before version 2.14.1, where the client can be logged in to the attacker's account without the client being able to detect this. This flaw allows an attacker to completely control the remote end of the SSH session, resulting in a complete break of the confidentiality and integrity of the secure channel, which could cause further issues depending on the application logic implemented by the AsyncSSH server.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Borja Tarraso 2023-11-17 18:22:46 UTC
An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.

The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.
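Added example (not from the report and not AsyncSSH's own code): a toy Python model of the server-side message state machine that contrasts the flawed behaviour described above, where an authentication request received before the client's NewKeys is accepted and deferred, with a hardened variant that treats any SSH_MSG_USERAUTH_REQUEST arriving before NEWKEYS or before the client has requested the ssh-userauth service as a protocol error that closes the session. Message numbers are the RFC 4253/4252 values; the message stream, user names, and the ServerAuthState/run_session names are constructed for the demonstration.

```python
SSH_MSG_SERVICE_REQUEST = 5    # RFC 4253
SSH_MSG_NEWKEYS = 21           # RFC 4253
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252

class ServerAuthState:
    """Toy model of the server's transport/userauth state (not AsyncSSH code)."""

    def __init__(self, strict):
        self.strict = strict            # True: hardened; False: flawed deferral
        self.newkeys_seen = False
        self.userauth_requested = False
        self.deferred = []              # flawed model parks early auth requests here
        self.accepted = []              # auth requests the server actually processed

    def handle(self, msg_type, payload):
        if msg_type == SSH_MSG_NEWKEYS:
            self.newkeys_seen = True
        elif msg_type == SSH_MSG_SERVICE_REQUEST:
            if not self.newkeys_seen:
                return "SERVICE_REQUEST before NEWKEYS"
            if payload.get("service") == "ssh-userauth":
                self.userauth_requested = True
                self.accepted.extend(self.deferred)  # flaw: replay parked requests
                self.deferred.clear()
        elif msg_type == SSH_MSG_USERAUTH_REQUEST:
            if self.newkeys_seen and self.userauth_requested:
                self.accepted.append(payload)
            elif self.strict:
                return "USERAUTH_REQUEST before NEWKEYS/ssh-userauth"
            else:
                self.deferred.append(payload)  # the state-machine flaw
        return None

def run_session(strict, messages):
    """Feed messages in order; a returned error string disconnects the session."""
    state = ServerAuthState(strict)
    for msg_type, payload in messages:
        error = state.handle(msg_type, payload)
        if error:
            return {"closed": True, "reason": error, "accepted": state.accepted}
    return {"closed": False, "reason": None, "accepted": state.accepted}

# Constructed stream: an injected, still-unencrypted auth request arrives before
# the client's NEWKEYS, followed by the client's own messages.
ROGUE_STREAM = [
    (SSH_MSG_USERAUTH_REQUEST, {"user": "attacker", "method": "password"}),
    (SSH_MSG_NEWKEYS, {}),
    (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-userauth"}),
    (SSH_MSG_USERAUTH_REQUEST, {"user": "victim", "method": "publickey"}),
]
```

In the flawed model the first request the server processes after the client enables userauth is the injected one, which is why the session ends up bound to the attacker's account; the hardened model never reaches that point.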

Comment 1 Borja Tarraso 2023-11-17 18:23:04 UTC
Created python-asyncssh tracking bugs for this issue:

Affects: epel-8 [bug 2250330]
Affects: fedora-all [bug 2250331]
