{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-38408", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-15T18:33:21.591Z", "dateReserved": "2023-07-17T00:00:00.000Z", "datePublished": "2023-07-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-04T05:50:59.479Z"}, "descriptions": [{"lang": "en", "value": "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://news.ycombinator.com/item?id=36790196"}, {"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"}, {"url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"}, {"url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"}, {"url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"}, {"url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"}, {"url": "https://www.openssh.com/txt/release-9.3p2"}, {"url": "https://www.openssh.com/security.html"}, {"name": "GLSA-202307-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202307-01"}, {"name": "[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"name": "[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/2"}, {"url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}, {"name": "FEDORA-2023-878e04f4ae", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"}, {"name": "FEDORA-2023-79a18e1725", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0010/"}, {"name": "[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"}, {"name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9"}, {"name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11"}, {"url": "https://support.apple.com/kb/HT213940"}, {"url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:39:13.525Z"}, "title": "CVE Program Container", "references": [{"url": "https://news.ycombinator.com/item?id=36790196", "tags": ["x_transferred"]}, {"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d", "tags": ["x_transferred"]}, {"url": "https://www.openssh.com/txt/release-9.3p2", "tags": ["x_transferred"]}, {"url": "https://www.openssh.com/security.html", "tags": ["x_transferred"]}, {"name": "GLSA-202307-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202307-01"}, {"name": "[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"name": "[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/2"}, {"url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-878e04f4ae", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"}, {"name": "FEDORA-2023-79a18e1725", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0010/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"}, {"name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9"}, {"name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11"}, {"url": "https://support.apple.com/kb/HT213940", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-428", "lang": "en", "description": "CWE-428 Unquoted Search Path or Element"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:36:21.400489Z", "id": "CVE-2023-38408", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:33:21.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://news.ycombinator.com/item?id=36790196", "tags": ["x_transferred"]}, {"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8", "tags": ["x_transferred"]}, {"url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d", "tags": ["x_transferred"]}, {"url": "https://www.openssh.com/txt/release-9.3p2", "tags": ["x_transferred"]}, {"url": "https://www.openssh.com/security.html", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202307-01", "name": "GLSA-202307-01", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/20/1", "name": "[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/20/2", "name": "[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/", "name": "FEDORA-2023-878e04f4ae", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/", "name": "FEDORA-2023-79a18e1725", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0010/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html", "name": "[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/22/9", "name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/22/11", "name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://support.apple.com/kb/HT213940", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:39:13.525Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-38408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-15T17:36:21.400489Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:02:42.738Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://news.ycombinator.com/item?id=36790196"}, {"url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"}, {"url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"}, {"url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"}, {"url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"}, {"url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"}, {"url": "https://www.openssh.com/txt/release-9.3p2"}, {"url": "https://www.openssh.com/security.html"}, {"url": "https://security.gentoo.org/glsa/202307-01", "name": "GLSA-202307-01", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/20/1", "name": "[oss-security] 20230719 Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/20/2", "name": "[oss-security] 20230720 Re: Announce: OpenSSH 9.3p2 released", "tags": ["mailing-list"]}, {"url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/", "name": "FEDORA-2023-878e04f4ae", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/", "name": "FEDORA-2023-79a18e1725", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20230803-0010/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html", "name": "[debian-lts-announce] 20230817 [SECURITY] [DLA 3532-1] openssh security update", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/22/9", "name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/22/11", "name": "[oss-security] 20230922 Re: illumos (or at least danmcd) membership in the distros list", "tags": ["mailing-list"]}, {"url": "https://support.apple.com/kb/HT213940"}, {"url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408"}], "descriptions": [{"lang": "en", "value": "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-04T05:50:59.479Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38408", "state": "PUBLISHED", "dateUpdated": "2024-10-15T18:33:21.591Z", "dateReserved": "2023-07-17T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-07-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF546253-FE80-4416-A138-D79D7288229F", "versionEndExcluding": "9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:*", "matchCriteriaId": "031E80CD-A7CF-447A-AEEF-EB97EB99A762", "vulnerable": true}, {"criteria": "cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:*", "matchCriteriaId": "97FEC052-52ED-464F-AF19-3621775292D6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009."}, {"lang": "es", "value": "La caracter\u00edstica PKCS#11 en ssh-agent en OpenSSH anterior a 9.3p2 tiene una ruta de b\u00fasqueda insuficientemente confiable, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo si un agente se reenv\u00eda a un sistema controlado por un atacante. (El c\u00f3digo en /usr/lib no es necesariamente seguro para cargar en ssh-agent). NOTA: este problema existe debido a una soluci\u00f3n incompleta para CVE-2016-10009."}], "id": "CVE-2023-38408", "lastModified": "2024-11-21T08:13:30.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-07-20T03:15:10.170", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://news.ycombinator.com/item?id=36790196"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202307-01"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230803-0010/"}, {"source": "cve@mitre.org", "url": "https://support.apple.com/kb/HT213940"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.openssh.com/security.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.openssh.com/txt/release-9.3p2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"}, {"source": "cve@mitre.org", "url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/20/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/09/22/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/09/22/9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://news.ycombinator.com/item?id=36790196"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202307-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230803-0010/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT213940"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.openssh.com/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.openssh.com/txt/release-9.3p2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-428"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4889", "cpe": "cpe:/a:redhat:devworkspace:1.0::el8", "package": "devworkspace/devworkspace-operator-bundle:0.22-2", "product_name": "DEVWORKSPACE-1.0-RHEL-8", "release_date": "2023-08-30T00:00:00Z"}, {"advisory": "RHSA-2023:4889", "cpe": "cpe:/a:redhat:devworkspace:1.0::el8", "package": "devworkspace/devworkspace-project-clone-rhel8:0.22-2", "product_name": "DEVWORKSPACE-1.0-RHEL-8", "release_date": "2023-08-30T00:00:00Z"}, {"advisory": "RHSA-2023:4889", "cpe": "cpe:/a:redhat:devworkspace:1.0::el8", "package": "devworkspace/devworkspace-rhel8-operator:0.22-2", "product_name": "DEVWORKSPACE-1.0-RHEL-8", "release_date": "2023-08-30T00:00:00Z"}, {"advisory": "RHSA-2023:4428", "cpe": "cpe:/o:redhat:rhel_els:6", "package": "openssh-0:5.3p1-125.el6_10", "product_name": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "release_date": "2023-08-02T00:00:00Z"}, {"advisory": "RHSA-2023:4382", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssh-0:7.4p1-23.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4419", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-19.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4419", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "openssh-0:8.0p1-19.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4383", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "openssh-0:8.0p1-5.el8_1.1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4384", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "openssh-0:8.0p1-5.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4384", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "openssh-0:8.0p1-5.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4384", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "openssh-0:8.0p1-5.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4381", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "openssh-0:8.0p1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4381", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "openssh-0:8.0p1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4381", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "openssh-0:8.0p1-7.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4413", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "openssh-0:8.0p1-15.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4412", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "openssh-0:8.7p1-30.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4412", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "openssh-0:8.7p1-30.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-08-01T00:00:00Z"}, {"advisory": "RHSA-2023:4329", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "openssh-0:8.7p1-11.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-07-31T00:00:00Z"}], "bugzilla": {"description": "openssh: Remote code execution in ssh-agent PKCS#11 support", "id": "2224173", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224173"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.", "A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the privileges of the user running the ssh-agent."], "mitigation": {"lang": "en:us", "value": "Remote exploitation required that a user establishes an SSH connection to a compromised or malicious SSH server with agent forwarding enabled. The agent forwarding is disabled by default. Review your ssh client configuration files for the use of ForwardAgent configuration directive and invocations of ssh client for the use of -A command line argument to see if agent forwarding is enabled for specific connections.\nExploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries."}, "name": "CVE-2023-38408", "public_date": "2023-07-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38408\nhttps://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"], "statement": "This issue is marked as Important as we successfully identified that it can do a Remote Code Execution atleast at some circumstances in Red Hat Enterprise Linux 6, 7, 8 and 9 and It can easily compromise the confidentiality, integrity or availability of resources.", "threat_severity": "Important"}

{}