CVSS 9.8 CVE-2023-38408
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
A critical vulnerability in OpenSSH versions prior to 9.3p2 allowed remote code execution on a user's workstation when that user's SSH agent was forwarded to a host under the attacker's control.
SSH-agent is a program used to hold private keys for public key authentication. Through the use of environment variables, the agent can be located and automatically used for authentication when logging into other machines using SSH. Connections to SSH-agent may be forwarded from further remote hosts using the -A option to SSH, avoiding the need for authentication data to be stored on other machines.
Typically, a system administrator runs SSH-agent on their local workstation, connects to a remote server with SSH, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making their SSH-agent (which is running on their local workstation) reachable from the remote server.
An attacker with access to the remote server where the SSH agent is forwarded can load and immediately unload any shared library in /usr/lib* on the user's workstation, if the SSH agent is compiled with ENABLE_PKCS11, which is the default.
Many shared libraries have constructor and destructor functions that are automatically executed by dlopen() and dlclose(), respectively.
The vulnerability has been patched in OpenSSH 9.3p2, and updating to that version or later is strongly recommended. As described in the release notes, the patch makes ssh-agent refuse requests from remote (forwarded) clients to load PKCS#11 modules by default, which removes the main precondition for remote code execution through this vulnerability.
Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
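A defender-side check for the two mitigations above, added here as an example (it is not the advisory's or OpenSSH's own code): it classifies an OpenSSH version string against the 9.3p2 fix release and reports whether an ssh-agent command line carries an empty or wildcard-free -P allowlist. It assumes ssh -V prints the usual OpenSSH_X.YpZ banner; provider paths used in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: classify an OpenSSH version against the
# CVE-2023-38408 fix release (9.3p2) and check an ssh-agent argv for the -P allowlist mitigation.

# openssh_fixed VERSION -> 0 if 9.3p2 or later, 1 if earlier, 2 if unparsable. Accepts
# "9.3p2", "OpenSSH_9.3p2" or a full "ssh -V" banner ("OpenSSH_9.3p2, OpenSSL 3.0.9 30 May 2023").
openssh_fixed() {
    ver=${1#*OpenSSH_}                # drop the banner prefix when present
    ver=${ver%%[!0-9.p]*}             # keep only the leading "9.3p2" token
    major=${ver%%.*}
    case $ver in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac   # not numeric: refuse to guess
    done
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -lt 9 ]; then return 1; fi
    if [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$minor" -lt 3 ]; then return 1; fi
    if [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# agent_allowlist_restricted ARGV... -> 0 when the argv carries a -P allowlist that is
# empty (-P '') or names specific libraries without glob wildcards; 1 when -P is absent
# (the default /usr/lib* allowlist applies) or the pattern still contains a wildcard.
agent_allowlist_restricted() {
    while [ $# -gt 0 ]; do
        case $1 in
            -P)  shift; list=${1-} ;;     # "-P value" form
            -P*) list=${1#-P} ;;          # "-Pvalue" form
            *)   shift; continue ;;
        esac
        case $list in
            '')          return 0 ;;      # empty allowlist: no module can be loaded
            *'*'*|*'?'*) return 1 ;;      # wildcard still admits whole directories
            *)           return 0 ;;      # explicit provider paths only
        esac
    done
    return 1
}
# Live check of this workstation: run the script with the single argument "audit".
audit_local_ssh() {
    banner=$(ssh -V 2>&1)
    if openssh_fixed "$banner"; then echo "ok: $banner carries the 9.3p2 fix"
    else echo "WARN: $banner predates 9.3p2 or did not parse; start ssh-agent with -P '' until updated"; fi
}
if [ "${1-}" = audit ]; then audit_local_ssh; fi
```

The allowlist check operates on the agent's argv as separate words; on Linux those can be read NUL-separated from /proc/PID/cmdline so that an empty -P '' argument is not lost.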
Release Notes 9.3p2
Fix CVE-2023-38408 - a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:
* Exploitation requires the presence of specific libraries on the victim system.
* Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
--------------------------------
* ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction.