CVE-2023-38408

Source
https://cve.org/CVERecord?id=CVE-2023-38408
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38408.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38408
Published
2023-07-20T03:15:10.170Z
Modified
2026-02-14T07:57:09.648665Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

References

Affected packages

Git / github.com/openbsd/src

Affected ranges

Type
GIT
Repo
https://github.com/openbsd/src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38408.json"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-0e1bd16c",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-1b7fe2ad",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "file": "usr.bin/ssh/misc.h"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-38072bcc",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "file": "usr.bin/ssh/ssh-sk.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-477a87a4",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "file": "usr.bin/ssh/misc.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-4c8fc60e",
        "source": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d",
        "target": {
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1790.0,
            "function_hash": "176282625954728589418260577592136122934"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-548fc75b",
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "target": {
            "function": "process_add_smartcard_key",
            "file": "usr.bin/ssh/ssh-agent.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2023-38408-63a621a6",
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "target": {
            "file": "usr.bin/ssh/ssh-agent.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 5787.0,
            "function_hash": "69408485039866777726565847449831891868"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-65d1ca36",
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "target": {
            "function": "main",
            "file": "usr.bin/ssh/ssh-agent.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 4408.0,
            "function_hash": "20785282191647117378483749664361515635"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-93d5cc3a",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "function": "pkcs11_register_provider",
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1945.0,
            "function_hash": "86622299653523171526230085861346440775"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-b20aa0ae",
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "target": {
            "function": "sshsk_open",
            "file": "usr.bin/ssh/ssh-sk.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 2430.0,
            "function_hash": "263025605123250630080940306656039656526"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-d35307ad",
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "target": {
            "function": "process_add_identity",
            "file": "usr.bin/ssh/ssh-agent.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 4424.0,
            "function_hash": "157551009127729258625712862157649782138"
        },
        "signature_type": "Function",
        "id": "CVE-2023-38408-e2f7b684",
        "source": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d",
        "target": {
            "function": "pkcs11_register_provider",
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        }
    }
]