CVE-2023-38408
published 2023-07-20


Priority: P188 · Severity: critical · Score: 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.77% (99.5th percentile)
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Affected

14 ranges

Vendor        | Product                                  | Version range                            | Fixed in
apple         | macos_sonoma                             |                                          |
debian        | openssh                                  | < openssh 1:9.2p1-2+deb12u1 (bookworm)   | openssh 1:9.2p1-2+deb12u1 (bookworm)
fedoraproject | fedora                                   |                                          |
fedoraproject | fedora                                   |                                          |
msrc          | cbl2_openssh_8.9p1-1_on_cbl_mariner_2.0  |                                          |
msrc          | cm1_openssh_8.9p1-3_on_cbl_mariner_1.0   |                                          |
openbsd       | openssh                                  | < 9.3                                    | 9.3
openbsd       | openssh                                  |                                          |
openbsd       | openssh                                  | >= 0, < 1:8.4p1-5+deb11u2                | 1:8.4p1-5+deb11u2
openbsd       | openssh                                  | >= 0, < 1:9.2p1-2+deb12u1                | 1:9.2p1-2+deb12u1
openbsd       | openssh                                  | >= 0, < 1:9.3p2-1                        | 1:9.3p2-1
openbsd       | openssh                                  | >= 0, < 1:9.3p2-1                        | 1:9.3p2-1
paloalto      | pan-os                                   |                                          |
paloalto      | prisma_sd                                |                                          |

Detection & IOCs (extracted from sources)

path: /usr/lib
  • Target systems confirmed vulnerable for PoC exploit development: Ubuntu Desktop 22.04 and 21.10; other Linux distributions are likely vulnerable and probably exploitable.
  • Exploitation requires ssh-agent forwarding to be active and the agent forwarded to an attacker-controlled system; detect/alert on ssh-agent forwarding sessions (ForwardAgent) to untrusted hosts.
  • The vulnerability is in the PKCS#11 feature of ssh-agent; monitor for unexpected dlopen/library loads from /usr/lib into the ssh-agent process as an indicator of exploitation.
  • Qualys QID 38904 (available from VULNSIGS-2.5.820-3) can be used to detect vulnerable OpenSSH instances.
  • Vulnerability only exploitable when ssh-agent forwarding is in use; instances not using agent forwarding are not exposed to remote exploitation.
  • This is an incomplete fix for CVE-2016-10009; environments that previously patched CVE-2016-10009 may still be vulnerable.
  • Fixed versions per Debian: bookworm fixed in 1:9.2p1-2+deb12u1, bullseye fixed in 1:8.4p1-5+deb11u2, forky/sid/trixie fixed in 1:9.3p2-1; upstream fix is OpenSSH 9.3p2.
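Two of the checks above (is the upstream OpenSSH version below 9.3p2, and which client config entries turn on agent forwarding) are easy to automate. The script below is an added example written for this record; it is not code from OpenSSH, Qualys, Debian or any of the listed sources. It parses the `OpenSSH_X.YpN` token that `ssh -V` and SSH server banners carry, compares it with the upstream fix version 9.3p2 stated above, and walks an OpenSSH client config to list the `Host` patterns under which `ForwardAgent yes` applies. The sample banners and config are constructed inputs, and `local_ssh_banner` assumes an `ssh` binary on `PATH` (OpenSSH prints its `-V` banner on stderr). A version below 9.3p2 is only a lead: as the Debian entries show, distribution packages backport the fix under an older upstream number, so confirm against the package changelog or the vendor advisory before calling a host vulnerable.

```python
import re
import subprocess

# Upstream fix version stated in the record: OpenSSH 9.3p2.
FIXED_UPSTREAM = (9, 3, 2)

# Matches "OpenSSH_9.3p1", "OpenSSH_9.4" (non-portable builds omit the pN suffix),
# and the same token inside an SSH server identification string.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from an `ssh -V` banner or a server
    banner, or None when no OpenSSH version token is present."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def upstream_vulnerable(banner):
    """True when the upstream version is below 9.3p2, False when it is 9.3p2 or
    later, None when the banner is not OpenSSH. Distribution backports (the
    record lists Debian 1:9.2p1-2+deb12u1 as fixed) keep an older upstream
    number, so True means "check the package changelog", not "exploitable"."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_UPSTREAM


def forwarding_hosts(config_text):
    """Return the Host patterns in an OpenSSH client config under which
    ForwardAgent is enabled (directives before any Host line count as '*')."""
    current_host = "*"
    enabled = []
    for raw_line in config_text.splitlines():
        line = raw_line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current_host = value
        elif key == "forwardagent" and value.lower() == "yes":
            enabled.append(current_host)
    return enabled


# Constructed sample inputs (not taken from any real system).
SAMPLE_BANNER_OLD = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022"
SAMPLE_BANNER_NEW = "OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023"
SAMPLE_CONFIG = """\
# constructed ~/.ssh/config
ForwardAgent no

Host bastion.example
    ForwardAgent yes

Host *.untrusted.example
    ForwardAgent=yes
"""


def local_ssh_banner():
    """Run `ssh -V` on this machine; OpenSSH prints the banner on stderr.
    Returns None when no ssh binary is available."""
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return (proc.stderr or proc.stdout).strip()


if __name__ == "__main__":
    for banner in (SAMPLE_BANNER_OLD, SAMPLE_BANNER_NEW, local_ssh_banner() or ""):
        print(f"{banner!r}: upstream below 9.3p2 = {upstream_vulnerable(banner)}")
    print("Host patterns with ForwardAgent yes:", forwarding_hosts(SAMPLE_CONFIG))
```

Run it as-is to see the two constructed banners classified and the local `ssh -V` result; point `forwarding_hosts` at the contents of a real `~/.ssh/config` or `/etc/ssh/ssh_config` to enumerate where forwarding is switched on, which is the precondition every source above names for remote exploitation.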

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |              | 7.3   | HIGH     |
vulncheck     |              | 7.3   | HIGH     |
vendor_msrc   |              | 9.8   | CRITICAL |
vendor_oracle |              | 9.8   | CRITICAL |
vendor_debian |              | 7.3   | HIGH     |
vendor_redhat |              | 7.3   | HIGH     |