CVE-2023-38408
published 2023-07-20
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.77% (99.5th percentile)
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sonoma | — | — |
| debian | openssh | < openssh 1:9.2p1-2+deb12u1 (bookworm) | openssh 1:9.2p1-2+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_openssh_8.9p1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_openssh_8.9p1-3_on_cbl_mariner_1.0 | — | — |
| openbsd | openssh | < 9.3 | 9.3 |
| openbsd | openssh | — | — |
| openbsd | openssh | >= 0 < 1:8.4p1-5+deb11u2 | 1:8.4p1-5+deb11u2 |
| openbsd | openssh | >= 0 < 1:9.2p1-2+deb12u1 | 1:9.2p1-2+deb12u1 |
| openbsd | openssh | >= 0 < 1:9.3p2-1 | 1:9.3p2-1 |
| openbsd | openssh | >= 0 < 1:9.3p2-1 | 1:9.3p2-1 |
| paloalto | pan-os | — | — |
| paloalto | prisma_sd | — | — |
Detection & IOCs (extracted from sources)
- Target systems confirmed vulnerable for PoC exploit development: Ubuntu Desktop 22.04 and 21.10; other Linux distributions are likely vulnerable and probably exploitable.
- Exploitation requires ssh-agent forwarding to be active and the agent forwarded to an attacker-controlled system; detect/alert on ssh-agent forwarding sessions (ForwardAgent) to untrusted hosts.
- The vulnerability is in the PKCS#11 feature of ssh-agent; monitor for unexpected dlopen/library loads from /usr/lib into the ssh-agent process as an indicator of exploitation.
- Qualys QID 38904 (available from VULNSIGS-2.5.820-3) can be used to detect vulnerable OpenSSH instances.
- Vulnerability only exploitable when ssh-agent forwarding is in use; instances not using agent forwarding are not exposed to remote exploitation.
- This is an incomplete fix for CVE-2016-10009; environments that previously patched CVE-2016-10009 may still be vulnerable.
- Fixed versions per Debian: bookworm fixed in 1:9.2p1-2+deb12u1, bullseye fixed in 1:8.4p1-5+deb11u2, forky/sid/trixie fixed in 1:9.3p2-1; upstream fix is OpenSSH 9.3p2.
CVSS provenance
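| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 7.3 | HIGH | — |
| vulncheck | 7.3 | HIGH | — |
| vendor_msrc | 9.8 | CRITICAL | — |
| vendor_oracle | 9.8 | CRITICAL | — |
| vendor_debian | 7.3 | HIGH | — |
| vendor_redhat | 7.3 | HIGH | — |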
CISA ICS
ABB M2M Gateway
cisa_ics·2025-04-15
ICS Advisory
Release Date: April 15, 2025
Alert Code: ICSA-25-105-08
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: M2M Gateway
- Vulnerabilities: Integer Overflow or Wraparound, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Unquoted Search Path or Element, Untrusted Search Path, Use After Free, Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Release of Memory after Effective Lifetime, Allocation of Resources Without Limits or Throttling, Improper Privilege Management, Improper Limitati
Palo Alto
PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2025-02-12·CVSS 7.1
CVE-2015-5312 [HIGH] PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2015-5312, CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, CVE-2016-4738, CVE-2018-1111, CVE-2018-14634, CVE-2018-18653, CVE-2019-0145, CVE-2019-8331, CVE-2020-0599, CVE-2020-14343, CVE-2020-14779, CVE-2020-27844, CVE-2020-29569, CVE-2021-21315, CVE-2021-27853, CVE-2021-27854, CVE-2021-27861, CVE-2021-27862, CVE-2021-3618, CVE-2021-3711, CVE-2022-2097, CVE-2022-22816, CVE-2022-40303, CVE-2022-41723, CVE-2022-41741, CVE-2022-41742, CVE-2023-3247, CVE-2023-38408, CVE-2023-44466, CVE-2023-50781, CVE-2023-50782, CVE-2024-12084, CV
Oracle
Oracle Oracle Communications Risk Matrix: System (OpenSSH) — CVE-2023-38408
vendor_oracle·2024-10-15·CVSS 9.8
CVE-2023-38408 [CRITICAL] Oracle Oracle Communications Risk Matrix: System (OpenSSH) — CVE-2023-38408
Oracle Oracle Communications Risk Matrix: System (OpenSSH) vulnerability
CVE: CVE-2023-38408
CVSS: 9.8
Protocol: TLS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2024 (OCT 2024)
Palo Alto
PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
vendor_paloalto·2024-04-05·CVSS 4.3
CVE-2007-2768 [MEDIUM] PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the
CVEs: CVE-2007-2768, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-20012, CVE-2016-8858, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2020-12062, CVE-2021-41617, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-28531, CVE-2023-38408, CVE-2023-51384, CVE-2023-51385, CVE-2023-51767
Affected products: Prisma SD
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
CISA ICS
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
cisa_ics·2023-12-14
ICS Advisory
Release Date: December 14, 2023
Alert Code: ICSA-23-348-10
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
- Vulnerabilities: Improper Restriction of XML External Entity Reference, Time-of-check Time-of-use (TOCTOU) Race Condition, Command Injection, Miss
Oracle
Oracle Oracle Communications Risk Matrix: Install/Upgrade (OpenSSH) — CVE-2023-38408
vendor_oracle·2023-10-15·CVSS 9.8
CVE-2023-38408 [CRITICAL] Oracle Oracle Communications Risk Matrix: Install/Upgrade (OpenSSH) — CVE-2023-38408
Oracle Oracle Communications Risk Matrix: Install/Upgrade (OpenSSH) vulnerability
CVE: CVE-2023-38408
CVSS: 9.8
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Apple
CVE-2023-38408: macOS Sonoma 14
vendor_apple·2023-09-26·CVSS 9.8
CVE-2023-38408 [CRITICAL] CVE-2023-38408: macOS Sonoma 14
Apple Security Update: About the security content of macOS Sonoma 14
Product: macOS Sonoma
Version: 14
CVE: CVE-2023-38408
Component: OpenSSH
Impact: A vulnerability was discovered in OpenSSH's remote forwarding
Description: This issue was addressed by updating OpenSSH to 9.3p2
BSD
FreeBSD-SA-23:08.ssh: Potential remote code execution via ssh-agent forwarding
bsd_advisories·2023-08-01·CVSS 9.8
CVE-2023-38408 [CRITICAL] FreeBSD-SA-23:08.ssh: Potential remote code execution via ssh-agent forwarding
FreeBSD-SA-23:08.ssh Security Advisory
The FreeBSD Project
Topic: Potential remote code execution via ssh-agent forwarding
Category: contrib
Module: OpenSSH
Announced: 2023-08-01
Credits: Qualys
Affects: All supported versions of FreeBSD.
Corrected: 2023-07-21 14:41:41 UTC (stable/13, 13.2-STABLE)
2023-08-01 19:50:47 UTC (releng/13.2, 13.2-RELEASE-p2)
2023-08-01 19:48:26 UTC (releng/13.1, 13.1-RELEASE-p9)
2023-07-21 16:25:51 UTC (stable/12, 12.4-STABLE)
2023-08-01 19:47:00 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name: CVE-2023-38408
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
ssh-agent is a program to hold private keys used for OpenSSH public key
au
Ubuntu
OpenSSH vulnerability
vendor_ubuntu·2023-07-31
CVE-2023-38408 OpenSSH vulnerability
Title: OpenSSH vulnerability
Summary: OpenSSH could be made to run programs as your login when using ssh-agent
forwarding.
USN-6242-1 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that OpenSSH incorrectly handled loading certain PKCS#11
providers. If a user forwarded their ssh-agent to an untrusted system, a
remote attacker could possibly use this issue to load arbitrary libraries
from the user's system and execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
OpenSSH vulnerability
vendor_ubuntu·2023-07-24
CVE-2023-38408 OpenSSH vulnerability
Title: OpenSSH vulnerability
Summary: OpenSSH could be made to run programs as your login when using ssh-agent
forwarding.
It was discovered that OpenSSH incorrectly handled loading certain PKCS#11
providers. If a user forwarded their ssh-agent to an untrusted system, a
remote attacker could possibly use this issue to load arbitrary libraries
from the user's system and execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openssh: Remote code execution in ssh-agent PKCS#11 support
vendor_redhat·2023-07-19·CVSS 7.3
CVE-2023-38408 [HIGH] CWE-94 openssh: Remote code execution in ssh-agent PKCS#11 support
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). This flaw allows an attacker with control of the forwarded agent-socket on the server and the abili
Microsoft
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code
vendor_msrc·2023-07-11·CVSS 9.8
CVE-2023-38408 [HIGH] CWE-428 The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publis
Debian
CVE-2023-38408: openssh - The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently t...
vendor_debian·2023·CVSS 7.3
CVE-2023-38408 [HIGH] CVE-2023-38408: openssh - The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently t...
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Scope: local
bookworm: resolved (fixed in 1:9.2p1-2+deb12u1)
bullseye: resolved (fixed in 1:8.4p1-5+deb11u2)
forky: resolved (fixed in 1:9.3p2-1)
sid: resolved (fixed in 1:9.3p2-1)
trixie: resolved (fixed in 1:9.3p2-1)
OSV
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9
osv·2023-07-20·CVSS 7.3
CVE-2023-38408 [HIGH] CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
GHSA
GHSA-px36-p9hv-7h2v: The PKCS#11 feature in ssh-agent in OpenSSH before 9
ghsa_unreviewed·2023-07-20·CVSS 7.3
CVE-2023-38408 [HIGH] CWE-428 GHSA-px36-p9hv-7h2v: The PKCS#11 feature in ssh-agent in OpenSSH before 9
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
VulnCheck
OpenBSD openssh Unquoted Search Path or Element
vulncheck·2023·CVSS 7.3
CVE-2023-38408 [HIGH] OpenBSD openssh Unquoted Search Path or Element
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Affected: OpenBSD openssh
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://sosintel.co.uk/flash-alert-cves-of-note-being-exploited-in-the-wild/; https://thorcert.notion.site/TTPs-11-Operation-An-Octopus-d875862055ca4b7b815b5e496b219671; https://content.kaspersky-labs.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, October 2024 Security Update Review
blogs_qualys·2024-10-16
Oracle released the last quarterly edition of this year’s Critical Patch Update. The update contains patches for 334 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 100 constituting about 30% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 45 and 32 security patches, respectively.
Wiz
Eight questions to measure vulnerability remediation "pain" | Wiz Blog
blogs_wiz·2023-11-03
A few weeks ago I saw this tweet from Dr. Anton Chuvakin, where he asked which vulnerabilities in recent memory have inflicted the most pain to security teams. This was a good question, and it got me thinking: what actually makes a vulnerability “painful”?
Certainly the most obvious factor is a vulnerability’s severity, often determined by its CVSS score (which isn’t always a reliable metric but is arguably still very useful). If a severe vulnerability is exploited in an organization’s environment, the impact could be significant, and the harm caused to both the organization itself and its customers could be very bad. Beyond severity, there are also other various factors to consider that can help us determine whether a vulnerability is worth our time and effort.
However, putting aside
Qualys
Oracle Patch Tuesday, October 2023 Security Update Review | Qualys
blogs_qualys·2023-10-18
Oracle has released its fourth quarterly edition of Critical Patch Update, which contains a group of patches for 387 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During the Q4 2023 Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of 103 patches, constituting 26% of the total patches released. Oracle Communications and Oracle Fusion Middleware fo
Wiz
Crying Out Cloud - July Newsletter | Wiz
blogs_wiz·2023-08-01·CVSS 4.3
CVE-2023-2640 [MEDIUM] Crying Out Cloud - July Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights for July!
## ✨ Highlights
## GameOver(lay): local privilege escalation vulnerabilities in Ubuntu Linux
Wiz Research discovered CVE-2023-2640 and CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in Ubuntu affecting 40% of Ubuntu cloud workloads.
CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. Successful
Qualys
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
blogs_qualys·2023-07-19·CVSS 9.8
[CRITICAL] CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
The Qualys Threat Research Unit (TRU) has discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent. This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. Given the widespread use of OpenSSH’s forwarded ssh-agent Qualys Research Unit recommends that security teams apply patches for this vulnerability on priority.
## About OpenSSH’s Agent Forwarding
The ssh-agent is a background program that caches private keys for SSH public key authentication, reducing the need for regular passphrase input. Initiated at the start of
References
- http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2023/07/20/1
- http://www.openwall.com/lists/oss-security/2023/07/20/2
- http://www.openwall.com/lists/oss-security/2023/09/22/11
- http://www.openwall.com/lists/oss-security/2023/09/22/9
- https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
- https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
- https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
- https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
- https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
- https://news.ycombinator.com/item?id=36790196
- https://security.gentoo.org/glsa/202307-01
- https://security.netapp.com/advisory/ntap-20230803-0010/
- https://support.apple.com/kb/HT213940
- https://www.openssh.com/security.html
- https://www.openssh.com/txt/release-9.3p2
- https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
- https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408