Bug 2224173 (CVE-2023-38408) - CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support
Summary: CVE-2023-38408 openssh: Remote code execution in ssh-agent PKCS#11 support
Status: CLOSED ERRATA
Alias: CVE-2023-38408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
Depends On: 2224179 2224180 2224181 2224182 2224183 2224184 2224186 2224187 2224188 2224189 2224190 2224191
Blocks: 2224174
Reported: 2023-07-20 06:12 UTC by Avinash Hanwate
Modified: 2023-09-05 13:41 UTC

Doc Text:
A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the privileges of the user running the ssh-agent.
Last Closed: 2023-08-02 12:10:08 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:4422 0 None None None 2023-08-01 15:19:21 UTC
Red Hat Product Errata RHBA-2023:4433 0 None None None 2023-08-02 13:34:02 UTC
Red Hat Product Errata RHBA-2023:4434 0 None None None 2023-08-02 14:18:15 UTC
Red Hat Product Errata RHBA-2023:4435 0 None None None 2023-08-02 14:18:12 UTC
Red Hat Product Errata RHBA-2023:4436 0 None None None 2023-08-02 15:05:11 UTC
Red Hat Product Errata RHBA-2023:4450 0 None None None 2023-08-03 08:46:10 UTC
Red Hat Product Errata RHBA-2023:4451 0 None None None 2023-08-03 08:41:40 UTC
Red Hat Product Errata RHBA-2023:4452 0 None None None 2023-08-03 08:41:33 UTC
Red Hat Product Errata RHBA-2023:4453 0 None None None 2023-08-03 09:07:39 UTC
Red Hat Product Errata RHBA-2023:4454 0 None None None 2023-08-03 09:06:12 UTC
Red Hat Product Errata RHBA-2023:4467 0 None None None 2023-08-03 13:41:42 UTC
Red Hat Product Errata RHBA-2023:4477 0 None None None 2023-08-03 22:47:27 UTC
Red Hat Product Errata RHBA-2023:4478 0 None None None 2023-08-03 22:51:52 UTC
Red Hat Product Errata RHBA-2023:4479 0 None None None 2023-08-03 22:52:57 UTC
Red Hat Product Errata RHBA-2023:4480 0 None None None 2023-08-03 22:53:13 UTC
Red Hat Product Errata RHBA-2023:4481 0 None None None 2023-08-03 22:53:58 UTC
Red Hat Product Errata RHBA-2023:4482 0 None None None 2023-08-03 22:54:51 UTC
Red Hat Product Errata RHBA-2023:4483 0 None None None 2023-08-03 22:55:02 UTC
Red Hat Product Errata RHBA-2023:4484 0 None None None 2023-08-03 22:56:03 UTC
Red Hat Product Errata RHBA-2023:4502 0 None None None 2023-08-07 11:42:25 UTC
Red Hat Product Errata RHBA-2023:4503 0 None None None 2023-08-07 13:39:39 UTC
Red Hat Product Errata RHBA-2023:4504 0 None None None 2023-08-07 13:39:44 UTC
Red Hat Product Errata RHBA-2023:4510 0 None None None 2023-08-07 15:10:28 UTC
Red Hat Product Errata RHBA-2023:4542 0 None None None 2023-08-08 08:10:27 UTC
Red Hat Product Errata RHBA-2023:4589 0 None None None 2023-08-09 09:09:19 UTC
Red Hat Product Errata RHBA-2023:4593 0 None None None 2023-08-09 15:09:53 UTC
Red Hat Product Errata RHBA-2023:4695 0 None None None 2023-08-22 05:59:15 UTC
Red Hat Product Errata RHBA-2023:4709 0 None None None 2023-08-22 18:58:04 UTC
Red Hat Product Errata RHBA-2023:4975 0 None None None 2023-09-05 13:41:31 UTC
Red Hat Product Errata RHBA-2023:4976 0 None None None 2023-09-05 13:41:36 UTC
Red Hat Product Errata RHSA-2023:4329 0 None None None 2023-07-31 09:23:13 UTC
Red Hat Product Errata RHSA-2023:4381 0 None None None 2023-08-01 09:16:27 UTC
Red Hat Product Errata RHSA-2023:4382 0 None None None 2023-08-01 09:33:26 UTC
Red Hat Product Errata RHSA-2023:4383 0 None None None 2023-08-01 09:26:10 UTC
Red Hat Product Errata RHSA-2023:4384 0 None None None 2023-08-01 09:31:36 UTC
Red Hat Product Errata RHSA-2023:4412 0 None None None 2023-08-01 14:02:01 UTC
Red Hat Product Errata RHSA-2023:4413 0 None None None 2023-08-01 14:11:15 UTC
Red Hat Product Errata RHSA-2023:4419 0 None None None 2023-08-01 14:29:59 UTC
Red Hat Product Errata RHSA-2023:4428 0 None None None 2023-08-02 07:56:24 UTC
Red Hat Product Errata RHSA-2023:4889 0 None None None 2023-08-30 21:20:48 UTC

Description Avinash Hanwate 2023-07-20 06:12:13 UTC
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
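
The description above makes a forwarded agent the precondition for this flaw. As an added example (not part of the bug report and not OpenSSH code), the Python below lists the blocks of an ssh_config file that enable ForwardAgent and marks the ones that apply to wildcard or all hosts. The sample config, host names and the function name agent_forwarding_blocks are constructed for illustration.

```python
import re

# Constructed sample client config (not taken from the bug report).
SAMPLE_CONFIG = """\
# jump host needs the agent
Host bastion
    HostName bastion.example.org
    ForwardAgent yes

Host build-*
    forwardagent=no

Host *
    ForwardAgent yes
"""

# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
OPTION = re.compile(r"([A-Za-z]+)\s*(?:=\s*|\s)\s*(.*)")

def agent_forwarding_blocks(config_text):
    """Return (block, value, broad) for every block that enables ForwardAgent.

    broad is True when the block is global or a Host line with a wildcard
    pattern, i.e. the agent would be forwarded to servers not named explicitly.
    """
    findings = []
    block, broad = "(global)", True   # options before the first Host apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            block = f"{key.capitalize()} {arg}"
            broad = key == "host" and any(
                ("*" in p or "?" in p) and not p.startswith("!") for p in arg.split())
        elif key == "forwardagent" and arg:
            value = arg.split()[0].strip('"')
            # Anything other than "no" (yes, a socket path, a $VARIABLE) forwards the agent.
            if value.lower() != "no":
                findings.append((block, value, broad))
    return findings

if __name__ == "__main__":
    for block, value, broad in agent_forwarding_blocks(SAMPLE_CONFIG):
        print(f"{block}: ForwardAgent {value}" + ("  [applies broadly]" if broad else ""))
```

The function reports where forwarding is switched on, not which value ssh would finally use for a given host, since ssh_config takes the first value obtained for each option.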

Comment 1 Sandipan Roy 2023-07-20 07:03:28 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2224179]

Comment 10 errata-xmlrpc 2023-07-31 09:23:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4329 https://access.redhat.com/errata/RHSA-2023:4329

Comment 11 errata-xmlrpc 2023-08-01 09:16:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4381 https://access.redhat.com/errata/RHSA-2023:4381

Comment 12 errata-xmlrpc 2023-08-01 09:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4383 https://access.redhat.com/errata/RHSA-2023:4383

Comment 13 errata-xmlrpc 2023-08-01 09:31:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4384 https://access.redhat.com/errata/RHSA-2023:4384

Comment 14 errata-xmlrpc 2023-08-01 09:33:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4382 https://access.redhat.com/errata/RHSA-2023:4382

Comment 15 errata-xmlrpc 2023-08-01 14:01:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4412 https://access.redhat.com/errata/RHSA-2023:4412

Comment 16 errata-xmlrpc 2023-08-01 14:11:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4413 https://access.redhat.com/errata/RHSA-2023:4413

Comment 17 errata-xmlrpc 2023-08-01 14:29:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4419 https://access.redhat.com/errata/RHSA-2023:4419

Comment 18 errata-xmlrpc 2023-08-02 07:56:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2023:4428 https://access.redhat.com/errata/RHSA-2023:4428

Comment 19 Product Security DevOps Team 2023-08-02 12:10:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38408

Comment 20 errata-xmlrpc 2023-08-30 21:20:46 UTC
This issue has been addressed in the following products:

  DEVWORKSPACE-1.0-RHEL-8

Via RHSA-2023:4889 https://access.redhat.com/errata/RHSA-2023:4889

