The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
References
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
http://www.openwall.com/lists/oss-security/2023/07/20/1
http://www.openwall.com/lists/oss-security/2023/07/20/2
http://www.openwall.com/lists/oss-security/2023/09/22/11
http://www.openwall.com/lists/oss-security/2023/09/22/9
https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
https://news.ycombinator.com/item?id=36790196
https://nvd.nist.gov/vuln/detail/CVE-2023-38408
https://security.gentoo.org/glsa/202307-01
https://security.netapp.com/advisory/ntap-20230803-0010/
https://support.apple.com/kb/HT213940
https://www.cve.org/CVERecord?id=CVE-2023-38408
https://www.openssh.com/security.html
https://www.openssh.com/txt/release-9.3p2
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408
History

Tue, 15 Oct 2024 19:15:00 +0000

Type: Metrics

Values Removed: (none)

Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-07-20T00:00:00

Updated: 2024-10-15T18:33:21.591Z

Reserved: 2023-07-17T00:00:00

Link: CVE-2023-38408

Vulnrichment

Updated: 2024-08-02T17:39:13.525Z

NVD

Status: Modified

Published: 2023-07-20T03:15:10.170

Modified: 2024-11-21T08:13:30.520

Link: CVE-2023-38408

Redhat

Severity: Important

Public Date: 2023-07-19T00:00:00Z

Links: CVE-2023-38408 - Bugzilla