Vulnerability Details : CVE-2023-38408
Potential exploit
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Vulnerability category: Execute code
Products affected by CVE-2023-38408
- cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:*
- cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Threat overview for CVE-2023-38408
Top countries where our scanners detected CVE-2023-38408
Top open port discovered on systems with this issue
22
IPs affected by CVE-2023-38408 24,945,034
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2023-38408!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2023-38408
45.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-38408
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-15 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
|
9.8
|
CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2023-38408
-
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-38408
-
http://www.openwall.com/lists/oss-security/2023/09/22/9
oss-security - Re: illumos (or at least danmcd) membership in the distros list
-
https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
terminate process if requested to load a PKCS#11 provider that · openbsd/src@f03a4fa · GitHubPatch
-
https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
Ensure FIDO/PKCS11 libraries contain expected symbols · openbsd/src@f8f5a6b · GitHubPatch
-
https://support.apple.com/kb/HT213940
About the security content of macOS Sonoma 14 - Apple Support
-
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
Exploit;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2023/07/20/2
oss-security - Re: Announce: OpenSSH 9.3p2 releasedMailing List;Third Party Advisory
-
https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
Disallow remote addition of FIDO/PKCS11 provider libraries to · openbsd/src@7bc29a9 · GitHubPatch
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
[SECURITY] Fedora 38 Update: openssh-9.0p1-16.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html
[SECURITY] [DLA 3532-1] openssh security update
-
http://www.openwall.com/lists/oss-security/2023/09/22/11
oss-security - Re: illumos (or at least danmcd) membership in the distros list
-
https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408
Exploring OpenSSH's Agent Forwarding RCE (CVE-2023-38408) - vsociety
-
http://www.openwall.com/lists/oss-security/2023/07/20/1
oss-security - Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agentExploit;Mailing List;Third Party Advisory
-
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
OpenSSH Forwarded SSH-Agent Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
[SECURITY] Fedora 37 Update: openssh-8.8p1-11.fc37 - package-announce - Fedora Mailing-Lists
-
https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent | Qualys Security BlogThird Party Advisory
-
https://www.openssh.com/security.html
OpenSSH: SecurityVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
[SECURITY] Fedora 38 Update: openssh-9.0p1-16.fc38 - package-announce - Fedora Mailing-Lists
-
https://security.netapp.com/advisory/ntap-20230803-0010/
CVE-2023-38408 OpenSSH Vulnerability in NetApp Products | NetApp Product Security
-
https://security.gentoo.org/glsa/202307-01
OpenSSH: Remote Code Execution (GLSA 202307-01) — Gentoo securityThird Party Advisory
-
https://www.openssh.com/txt/release-9.3p2
Release Notes
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
[SECURITY] Fedora 37 Update: openssh-8.8p1-11.fc37 - package-announce - Fedora Mailing-ListsMailing List
-
https://news.ycombinator.com/item?id=36790196
Remote code execution in OpenSSH’s forwarded SSH-agent | Hacker NewsIssue Tracking;Patch
Jump to