New OpenSSH Vulnerability

Product & Affected Versions:
OpenSSH, All versions before 9.3p2
CVE Identifier:
CVE-2023-38408
Vulnerability:
The vulnerability potentially allows a remote attacker to execute arbitrary commands on a system where a user's ssh-agent has been forwarded. The ssh-agent is a background program that holds users' private keys in memory so that they can log in to remote servers without re-entering the passphrase. The flaw specifically affects forwarded ssh-agents built with ENABLE_PKCS11, which is the default build option.
Attack Method:
The attack involves a remote attacker who controls the server to which a user's ssh-agent is forwarded. The attacker can exploit the vulnerability by loading (dlopen()) and immediately unloading (dlclose()) a shared library located under /usr/lib* on the victim's workstation via the forwarded ssh-agent.
Impact:
Successful exploitation can allow the attacker to run arbitrary commands on the affected host under specific conditions, potentially leading to further compromise of the system or unauthorized access to it.
Remediation:
Users of OpenSSH are strongly advised to update to version 9.3p2 or later, which addresses this vulnerability.
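A quick triage check a defender can run on workstations, added here as an example and not part of the original advisory: it classifies an "ssh -V" banner as affected (before 9.3p2) or fixed, and flags ssh_config text that enables agent forwarding, the precondition for the attack described above. The banner format "OpenSSH_<major>.<minor>p<patch> ..." and the sample banners are assumptions; distributions that backport the fix without bumping the version string will still show as affected.

```shell
#!/bin/sh
# Example triage helpers for CVE-2023-38408 (added example, not from the
# advisory). The banner format "OpenSSH_M.Np<patch> ..." is assumed.

# Print "vulnerable" for versions before 9.3p2 and "fixed" otherwise.
# Returns 1 if the banner cannot be parsed.
openssh_status() {
    banner="$1"
    ver=$(printf '%s\n' "$banner" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    # Fold major/minor/patch into one integer so a single comparison works.
    n=$(($1 * 10000 + $2 * 100 + $3))
    fixed=$((9 * 10000 + 3 * 100 + 2))   # 9.3p2, the first fixed release
    if [ "$n" -lt "$fixed" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Read ssh_config text from stdin and print "yes" if any line turns on
# agent forwarding ("ForwardAgent yes" or "ForwardAgent=yes"), else "no".
forward_agent_enabled() {
    if grep -iqE '^[[:space:]]*ForwardAgent[[:space:]=]+yes' ; then
        echo yes
    else
        echo no
    fi
}

# Usage on a live host (ssh -V writes its banner to stderr):
#   openssh_status "$(ssh -V 2>&1)"
#   forward_agent_enabled < ~/.ssh/config
```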
References:
Saeed Abbasi (Manager, Vulnerability Research, Qualys): analysis of the vulnerability
CVE-2023-38408