---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'RCE Vulnerability in ssh-agent of OpenSSH'
version: '1.0'
number: '2023-051'
original_date: 'July 19, 2023'
date: 'July 20, 2023'
---

_History:_

* _20/07/2023 --- v1.0 -- Initial publication_

# Summary

On July 19, 2023, OpenSSH released an update addressing a vulnerability identified as `CVE-2023-38408`. The vulnerability was discovered by the Qualys Security Advisory team and allows a remote attacker to potentially execute arbitrary commands on a system whose vulnerable OpenSSH ssh-agent has been forwarded [1].

ssh-agent is a program that holds private keys used for public key authentication. Through the use of environment variables, the agent can be located and automatically used for authentication when logging in to other machines using SSH [2].

# Technical Details

The PKCS#11 support in ssh-agent could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:

- Exploitation requires the presence of specific libraries on the victim system.
- Remote exploitation requires that the agent was forwarded to an attacker-controlled system [3].

# Affected Products

ssh-agent in OpenSSH versions 5.5 through 9.3p1 (inclusive) [3].

# Recommendations

CERT-EU recommends installing the latest updated OpenSSH version, 9.3p2 [3].

# Workarounds

Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (`ssh-agent -P ''`) or by configuring an allowlist that contains only specific provider libraries [3].

# References

[1]

[2]

[3]
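As an added example (not part of the CERT-EU advisory or of OpenSSH itself), the following POSIX shell snippet classifies an OpenSSH version string against the affected range stated above (5.5 through 9.3p1 inclusive) and prints the empty-allowlist workaround from the Workarounds section when the local client is in range. The version strings in the comments are constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the CERT-EU advisory): classify an OpenSSH version
# against the advisory's affected range 5.5 .. 9.3p1 inclusive, then show the
# ssh-agent allowlist workaround. Version strings here are constructed samples.

# Turn "OpenSSH_9.3p1, OpenSSL 3.0.2 ..." (the `ssh -V` banner format) or a
# bare "9.3p1" into a sortable integer: major*10000 + minor*100 + portable patch.
openssh_version_key() {
    v=${1#*OpenSSH_}            # drop anything up to and including "OpenSSH_"
    v=${v%%[ ,]*}               # keep only the token before a space or comma
    major=${v%%.*}              # "9"
    rest=${v#*.}                # "3p1"
    minor=${rest%%p*}           # "3"
    patch=${rest#*p}            # "1", or unchanged when there is no "pN" suffix
    [ "$patch" = "$rest" ] && patch=0
    echo $((major * 10000 + minor * 100 + patch))
}

# Exit status 0 when the version lies in the affected range, 1 otherwise.
openssh_affected() {
    key=$(openssh_version_key "$1")
    [ "$key" -ge 50500 ] && [ "$key" -le 90301 ]
}

# Inspect the locally installed client (ssh -V prints its banner to stderr).
check_local_openssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found; nothing to check"
        return 0
    fi
    banner=$(ssh -V 2>&1)
    if openssh_affected "$banner"; then
        echo "AFFECTED: $banner"
        echo "update to OpenSSH 9.3p2, or start the agent with an empty allowlist:"
        echo "  eval \"\$(ssh-agent -P '')\""
    else
        echo "not affected: $banner"
    fi
}

check_local_openssh
```

The check only tells you whether the local client build is in the affected range; the advisory's remote condition (the agent being forwarded to another host) still has to be assessed separately.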