CVSS 9.8 CVE-2023-38408

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Description

A critical vulnerability in OpenSSH versions prior to 9.3p2 allowed remote code execution on the workstation of a user whose SSH agent was forwarded to an attacker-controlled system.

SSH-agent is a program used to hold private keys for public key authentication. Through the use of environment variables, the agent can be located and automatically used for authentication when logging into other machines using SSH. Connections to SSH-agent may be forwarded from further remote hosts using the -A option to SSH, avoiding the need for authentication data to be stored on other machines.

Typically, a system administrator runs SSH-agent on their local workstation, connects to a remote server with SSH, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making their SSH-agent (which is running on their local workstation) reachable from the remote server.

An attacker with access to the remote server where the SSH agent is forwarded can load and immediately unload any shared library in /usr/lib* on the user’s workstation, if the SSH agent is compiled with ENABLE_PKCS11, which is the default.

Many shared libraries have constructor and destructor functions that are automatically executed by dlopen() and dlclose(), respectively.

Mitigation

The vulnerability has been patched in OpenSSH 9.3p2. It is highly recommended to update to this version or later to mitigate the risk. The patch prevents the forwarding of the SSH agent, thus eliminating the possibility of remote code execution through this vulnerability.

Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.
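Two defender-side checks that follow from the above, added here as an example and not taken from the advisory or from OpenSSH itself: one classifies an ssh -V banner against the 9.3p2 fix, the other lists which ssh_config stanzas enable agent forwarding (the precondition for remote exploitation). The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenSSH project).
# Two defender-side checks for CVE-2023-38408 exposure:
#   openssh_fixed         - is an `ssh -V` banner at or past the 9.3p2 fix?
#   list_forwarding_hosts - which ssh_config stanzas enable agent forwarding?

# openssh_fixed "<ssh -V banner>": exit 0 if version >= 9.3p2, 1 if older,
# 2 if the banner cannot be parsed (e.g. non-portable "OpenSSH_9.3" with no
# pN suffix). Version-only: a distribution that backports the fix under an
# older version string is still reported as unfixed here.
openssh_fixed() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # $1=major $2=minor $3=portable patch
    [ "$1" -gt 9 ] && return 0
    [ "$1" -lt 9 ] && return 1
    [ "$2" -gt 3 ] && return 0
    [ "$2" -lt 3 ] && return 1
    [ "$3" -ge 2 ]
}

# list_forwarding_hosts "<ssh_config text>": print one line per Host stanza
# (or "(global)" for options above the first Host line) that sets
# ForwardAgent yes, in either "ForwardAgent yes" or "ForwardAgent=yes" form.
list_forwarding_hosts() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "host" { host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
        tolower($1) == "forwardagent=yes"                      { print host }
    ' host="(global)"
}

# Stand-alone run: inspect the local client and user config (no agent is touched).
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)             # ssh prints its version on stderr
    openssh_fixed "$banner"; case $? in
        0) echo "client $banner: 9.3p2 or later" ;;
        1) echo "client $banner: predates the 9.3p2 fix" ;;
        *) echo "client banner not recognised: $banner" ;;
    esac
fi
if [ -r "$HOME/.ssh/config" ]; then
    list_forwarding_hosts "$(cat "$HOME/.ssh/config")" | sed 's/^/ForwardAgent yes: /'
fi
```

A stanza reported here is one where a vulnerable client would hand the agent socket to the remote host; pair the result with the -P '' allowlist or an upgrade rather than relying on the version string alone.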

Release Notes 9.3p2

Fix CVE-2023-38408 - a condition where specific libraries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:

* Exploitation requires the presence of specific libraries on
  the victim system.
* Remote exploitation requires that the agent was forwarded
  to an attacker-controlled system.

Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.

This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.

In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).

Potentially-incompatible changes
--------------------------------

* ssh-agent(8): the agent will now refuse requests to load PKCS#11
  modules issued by remote clients by default. A flag has been added
  to restore the previous behaviour "-Oallow-remote-pkcs11".

Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
