CI Operators:
The OpenSSH project has released v9.3p2 [1] to address a vulnerability in ssh-agent [2] that could be abused to achieve remote code execution via a forwarded agent socket. This issue is tracked as CVE-2023-38408 [3] and has a CVSSv3 score of 7.3.
Impact:
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. Note that the remote host does not need to be root-compromised, only account-compromised, i.e., it is sufficient for the attacker to control the account the victim is logging in to.
Affected Software:
OpenSSH < 9.3p2 (all distributions)
Recommendation:
Update to a patched version of OpenSSH when one becomes available for your distribution. Until then, the vulnerability can be worked around by not connecting to untrusted servers with agent forwarding enabled. Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
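As an added example (not part of the advisory and not OpenSSH project code), the following POSIX shell helpers read the local OpenSSH version from `ssh -V`, compare it against the fixed release 9.3p2, and start ssh-agent with the empty allowlist described above. The sample banner strings in the comments and the comparison logic are assumptions of this example, not text from the advisory.

```shell
# Added example, not from the Trusted CI advisory or the OpenSSH project:
# version check against 9.3p2 plus the empty-allowlist ssh-agent mitigation.

# openssh_version_from_banner BANNER
# Extracts the version token from `ssh -V` output, e.g. "9.3p1" from
# "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023" (distro suffixes are dropped too).
openssh_version_from_banner() {
    b=${1#OpenSSH_}
    b=${b%%,*}      # drop ", OpenSSL ..."
    b=${b%% *}      # drop a distribution suffix such as " Ubuntu-3ubuntu0.3"
    printf '%s\n' "$b"
}

# is_vulnerable_openssh VERSION
# True (exit 0) when VERSION is older than 9.3p2, the first release with the fix.
is_vulnerable_openssh() {
    major=${1%%.*}            # "9"
    rest=${1#*.}              # "3p1"
    minor=${rest%%p*}         # "3"
    case "$rest" in
        *p*) patch=${rest#*p} ;;   # portable patch level, "1"
        *)   patch=0 ;;            # no "p" suffix: treat as patch level 0
    esac
    if [ "$major" -ne 9 ]; then
        [ "$major" -lt 9 ] && return 0 || return 1
    fi
    if [ "$minor" -ne 3 ]; then
        [ "$minor" -lt 3 ] && return 0 || return 1
    fi
    [ "$patch" -lt 2 ]
}

# Mitigation from the advisory: an empty provider allowlist, so ssh-agent refuses
# to load any PKCS#11/FIDO library. Use eval "$(start_hardened_agent)" in place
# of eval "$(ssh-agent)".
start_hardened_agent() {
    ssh-agent -P ''
}

# Self-check on this host, skipped when ssh is not installed. Caveat: distributions
# backport fixes without changing the version, so confirm against your distro advisory.
if command -v ssh >/dev/null 2>&1; then
    v=$(openssh_version_from_banner "$(ssh -V 2>&1)")
    if is_vulnerable_openssh "$v"; then
        echo "OpenSSH $v predates 9.3p2: patch, or run ssh-agent -P '' meanwhile"
    else
        echo "OpenSSH $v is 9.3p2 or newer"
    fi
fi
```

To allow exactly one provider library instead of none, replace the empty string after -P with that library's path.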
References:
[1] https://www.openssh.com/txt/release-9.3p2
[2] https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.