Vulnerability CVE-2023-38408: Information

Description

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: July 20, 2023
Modified: April 4, 2024
Weakness type (CWE): CWE-428

Fixed packages

References to Advisories, Solutions, and Tools

Hyperlink / Resource type

https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
  • Patch
https://www.openssh.com/txt/release-9.3p2
  • Release Notes
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
  • Exploit
  • Third Party Advisory
https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
  • Third Party Advisory
https://news.ycombinator.com/item?id=36790196
  • Issue Tracking
  • Patch
https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
  • Patch
https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
  • Patch
https://www.openssh.com/security.html
  • Vendor Advisory
GLSA-202307-01
  • Third Party Advisory
[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent
  • Exploit
  • Mailing List
  • Third Party Advisory
[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
  • Exploit
  • Third Party Advisory
  • VDB Entry
https://security.netapp.com/advisory/ntap-20230803-0010/
[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update
[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list
FEDORA-2023-878e04f4ae
FEDORA-2023-79a18e1725
https://support.apple.com/kb/HT213940
https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408
Affected configurations

Configuration 1

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
  • Version range end (excluding): 9.3

cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:*

cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*