CVE-2023-38408

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

References

Affected packages

Git / github.com/openbsd/src

Affected ranges

Type: GIT
Repo: https://github.com/openbsd/src
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7bc29a9d5cd697290aa056e94ecee6253d3425f8

Fixed

f03a4faa55c4ce0818324701dadbf91988d7351d

Fixed

f8f5a6b003981bb824329dc987d101977beda7ca

Type

GIT

Repo

https://github.com/openssh/openssh-portable

Events

Introduced

Last affected

cb30fbdbee869f1ce11f06aa97e1cb8717a0b645

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.3-p1"
        }
    ]
}

Affected versions

Other

ABOUT_TO_ADD_INET_ATON

AFTER_FREEBSD_PAM_MERGE

AFTER_KRB5_GSSAPI_MERGE

BEFORE_FREEBSD_PAM_MERGE

BEFORE_KRB5_GSSAPI_MERGE

POST_KRB4_REMOVAL

PRE-REORDER

PRE_CYGWIN_MERGE

PRE_DAN_PATCH_MERGE

PRE_FIXPATHS_INTEGRATION

PRE_HPUX_INTEGRATION

PRE_IPV6

PRE_KRB4_REMOVAL

PRE_NEW_LOGIN_CODE

PRE_SW_KRBV

V_1_2PRE17

V_1_2_1_PRE18

V_1_2_1_PRE19

V_1_2_1_PRE20

V_1_2_1_PRE21

V_1_2_1_PRE22

V_1_2_1_PRE23

V_1_2_1_PRE24

V_1_2_1_PRE25

V_1_2_1_PRE26

V_1_2_1_PRE27

V_1_2_2

V_1_2_2_P1

V_1_2_2_PRE28

V_1_2_2_PRE29

V_1_2_3

V_1_2_3_PRE1

V_1_2_3_PRE2

V_1_2_3_PRE3

V_1_2_3_PRE4

V_1_2_3_PRE5

V_1_2_3_TEST1

V_1_2_3_TEST2

V_1_2_3_TEST3

V_1_2_PRE10

V_1_2_PRE11

V_1_2_PRE12

V_1_2_PRE13

V_1_2_PRE14

V_1_2_PRE15

V_1_2_PRE16

V_1_2_PRE4

V_1_2_PRE5

V_1_2_PRE6

V_1_2_PRE7

V_1_2_PRE8

V_1_2_PRE9

V_2_0_0_BETA1

V_2_0_0_BETA2

V_2_0_0_TEST1

V_2_1_0

V_2_1_0_P1

V_2_1_0_P2

V_2_1_0_P3

V_2_1_1_P1

V_2_1_1_P2

V_2_1_1_P3

V_2_1_1_P4

V_2_2_0_P1

V_2_3_0_P1

V_2_5_0_P1

V_2_5_1_P1

V_2_5_1_P2

V_2_5_2_P1

V_3_0_1_P1

V_3_0_P1

V_3_1_P1

V_3_2_2_P1

V_3_4_P1

V_3_6_1_P1

V_3_8_P1

V_3_9_P1

V_4_2_P1

V_5_0_P1

V_5_1_P1

V_5_2_P1

V_5_5_P1

V_5_7_P1

V_6_0_P1

V_6_1_P1

V_6_2_P1

V_6_5_P1

V_6_6_P1

V_6_8_P1

V_6_9_P1

V_7_0_P1

V_7_1_P1

V_7_2_P1

V_7_3_P1

V_7_4_P1

V_7_5_P1

V_7_6_P1

V_7_7_P1

V_7_8_P1

V_7_9_P1

V_8_0_P1

V_8_1_P1

V_8_2_P1

V_8_4_P1

V_8_5_P1

V_8_6_P1

V_8_7_P1

V_8_8_P1

V_8_9_P1

V_9_0_P1

V_9_1_P1

V_9_2_P1

V_9_3_P1

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "9.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.3-NA"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "37"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "38"
            }
        ]
    }
]

vanir_signatures

[
    {
        "target": {
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        },
        "id": "CVE-2023-38408-0e1bd16c",
        "digest": {
            "line_hashes": [
                "55725163042805392808609753741105633240",
                "128285159618758502962072805470695625192",
                "116587942781857791499400324026044176520",
                "116950959552597726222022209976458084177",
                "166390061282163298106044366523387592453"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "usr.bin/ssh/misc.h"
        },
        "id": "CVE-2023-38408-1b7fe2ad",
        "digest": {
            "line_hashes": [
                "245460714767665081683172703272227756490",
                "154898809948973226043331289679083724583",
                "77397090139273800238042145169749086301",
                "190441682610337999482858680156181833541",
                "61249771291454899113495469699607840047"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "usr.bin/ssh/ssh-sk.c"
        },
        "id": "CVE-2023-38408-38072bcc",
        "digest": {
            "line_hashes": [
                "212889176108583557153764785879829373553",
                "199957646585614272140038170333640429763",
                "104255286907295786427889062166350281187",
                "115009805797771706544464707642295063611",
                "129285339640906578826404216174930229758",
                "293458422494043100795111688876212186380",
                "158184544829091383528505314573683842298",
                "141142978561658504241622758231208165624",
                "261354179858232412412223785435861205101",
                "272211793939171938655602293807909585244",
                "26312110325341625339236976058409048896",
                "37222675372245245516667306127403666209",
                "231893991694577093191465781901120692399",
                "208944525142893471893429544502409167621"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "usr.bin/ssh/misc.c"
        },
        "id": "CVE-2023-38408-477a87a4",
        "digest": {
            "line_hashes": [
                "123728030011908799690508130257531630145",
                "309320613159800543722057427906030885293",
                "88551071913815231098859714061627564583",
                "255716208541812258235985042308243123018",
                "327713260949006026913669588332977405706",
                "195026673253470011006274772763615138419"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        },
        "id": "CVE-2023-38408-4c8fc60e",
        "digest": {
            "line_hashes": [
                "55725163042805392808609753741105633240",
                "132403242283107965528557055591865070823",
                "145711729613275442506525195537586480099",
                "81698505837951782601199886233863780510",
                "164975228933773000300492059888318553713",
                "203760564816490794400113698258768785600",
                "87744079937004542252727256443966031343",
                "233201331787054679358425020029285230149"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "process_add_smartcard_key",
            "file": "usr.bin/ssh/ssh-agent.c"
        },
        "id": "CVE-2023-38408-548fc75b",
        "digest": {
            "function_hash": "176282625954728589418260577592136122934",
            "length": 1790.0
        },
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "usr.bin/ssh/ssh-agent.c"
        },
        "id": "CVE-2023-38408-63a621a6",
        "digest": {
            "line_hashes": [
                "142483365029668147691457446802921276205",
                "338183608448739778899193325290408274327",
                "215742378688413246027441518061584069043",
                "34199311701557504296485376417782017829",
                "264814179936733595673977523540311910896",
                "48107387833747494942141378138305335526",
                "311430354134093433623203190391857462306",
                "322112388604258461414191286219043701982",
                "187077904320853389933675193085424106859",
                "119536953480021437428967222865166673018",
                "300272016207263626724188131418314932382",
                "185434096474314764300222071171674739821",
                "242914950751014010650316723974235697586",
                "111874031984715289587838461750616793356",
                "314524614974619895120979930351770212331",
                "207219957535858364281635286727481124690"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "main",
            "file": "usr.bin/ssh/ssh-agent.c"
        },
        "id": "CVE-2023-38408-65d1ca36",
        "digest": {
            "function_hash": "69408485039866777726565847449831891868",
            "length": 5787.0
        },
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "function": "pkcs11_register_provider",
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        },
        "id": "CVE-2023-38408-93d5cc3a",
        "digest": {
            "function_hash": "20785282191647117378483749664361515635",
            "length": 4408.0
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "function": "sshsk_open",
            "file": "usr.bin/ssh/ssh-sk.c"
        },
        "id": "CVE-2023-38408-b20aa0ae",
        "digest": {
            "function_hash": "86622299653523171526230085861346440775",
            "length": 1945.0
        },
        "source": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "function": "process_add_identity",
            "file": "usr.bin/ssh/ssh-agent.c"
        },
        "id": "CVE-2023-38408-d35307ad",
        "digest": {
            "function_hash": "263025605123250630080940306656039656526",
            "length": 2430.0
        },
        "source": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "function": "pkcs11_register_provider",
            "file": "usr.bin/ssh/ssh-pkcs11.c"
        },
        "id": "CVE-2023-38408-e2f7b684",
        "digest": {
            "function_hash": "157551009127729258625712862157649782138",
            "length": 4424.0
        },
        "source": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38408.json"