CVE-2023-38408

openssh: Remote code execution in ssh-agent PKCS#11 support

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

La característica PKCS#11 en ssh-agent en OpenSSH anterior a 9.3p2 tiene una ruta de búsqueda insuficientemente confiable, lo que lleva a la ejecución remota de código si un agente se reenvía a un sistema controlado por un atacante. (El código en /usr/lib no es necesariamente seguro para cargar en ssh-agent). NOTA: este problema existe debido a una solución incompleta para CVE-2016-10009.

A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the privileges of the user running the ssh-agent.

The PKCS#11 feature in ssh-agent in OpenSSH versions prior to 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-07-17 CVE Reserved
2023-07-20 CVE Published
2023-07-25 First Exploit
2024-10-15 CVE Updated
2024-11-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-428: Unquoted Search Path or Element

CAPEC

References (27)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2023/07/20/2	Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/11	Mailing List
http://www.openwall.com/lists/oss-security/2023/09/22/9	Mailing List
https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html	Mailing List
https://security.netapp.com/advisory/ntap-20230803-0010
https://support.apple.com/kb/HT213940
https://www.openssh.com/txt/release-9.3p2	Release Notes
https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408

URL	Date	SRC
https://github.com/kali-mx/CVE-2023-38408	2023-08-10
https://github.com/LucasPDiniz/CVE-2023-38408	2024-06-30
https://github.com/classic130/CVE-2023-38408	2023-07-25
https://github.com/mrtacojr/CVE-2023-38408	2024-07-17
https://github.com/wxrdnx/CVE-2023-38408	2024-02-16
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html	2024-10-15
http://www.openwall.com/lists/oss-security/2023/07/20/1	2024-10-15
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt	2024-10-15

URL	Date	SRC
https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8	2024-04-04
https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d	2024-04-04
https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca	2024-04-04
https://news.ycombinator.com/item?id=36790196	2024-04-04

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ	2024-04-04
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU	2024-04-04
https://security.gentoo.org/glsa/202307-01	2024-04-04
https://www.openssh.com/security.html	2024-04-04
https://access.redhat.com/security/cve/CVE-2023-38408	2023-08-30
https://bugzilla.redhat.com/show_bug.cgi?id=2224173	2023-08-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				< 9.3 Search vendor "Openbsd" for product "Openssh" and version " < 9.3"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				9.3 Search vendor "Openbsd" for product "Openssh" and version "9.3"		-		Affected
Openbsd Search vendor "Openbsd"		Openssh Search vendor "Openbsd" for product "Openssh"				9.3 Search vendor "Openbsd" for product "Openssh" and version "9.3"		p1		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				37 Search vendor "Fedoraproject" for product "Fedora" and version "37"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				38 Search vendor "Fedoraproject" for product "Fedora" and version "38"		-		Affected