
CVE-2023-38408: OpenBSD OpenSSH ssh-agent RCE Vulnerability

CVE-2023-38408 is a remote code execution vulnerability in OpenSSH ssh-agent due to an insecure PKCS#11 search path. Attackers can exploit forwarded agents to execute malicious code. This article covers technical details, versions before 9.3p2, and patches.


CVE-2023-38408 Overview

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Critical Impact

This vulnerability allows for remote code execution through agent forwarding, potentially giving attackers full control over affected systems.

Affected Products

  • OpenBSD OpenSSH
  • Fedora Project Fedora

Discovery Timeline

  • 2023-07-20 - CVE-2023-38408 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-38408

Vulnerability Analysis

This vulnerability in the PKCS#11 feature allows an attacker who controls a system to which an SSH agent has been forwarded to execute arbitrary code on the host running the vulnerable ssh-agent, because the agent did not adequately restrict the library paths it would load.

Root Cause

The set of paths from which ssh-agent was willing to load PKCS#11 provider libraries included untrusted locations, so the feature could be abused to load and execute code.

Attack Vector

The attack is carried out over the network via a forwarded SSH agent. A malicious actor who controls the host the agent is forwarded to can use the agent connection to cause a library to be loaded into ssh-agent and thereby inject code.

```bash
# Example exploitation code (sanitized)
function attacker_controlled_code() {
    echo "This is an attack!"
    malicious_operation   # placeholder for the action an attacker would take
}
attacker_controlled_code
```

Detection Methods for CVE-2023-38408

Indicators of Compromise

  • Unusual library loading via ssh-agent
  • Unexpected processes spawned by sshd
  • Suspicious SSH configurations or environment variables

Detection Strategies

Monitor the network for unexpected traffic patterns from SSH agents, and audit library load operations performed by ssh-agent.

Monitoring Recommendations

Utilize SentinelOne's behavioral AI to detect anomalous operations and unauthorized library loads leveraged by ssh-agent across networked environments.

How to Mitigate CVE-2023-38408

Immediate Actions Required

  • Disable SSH agent forwarding
  • Limit PKCS#11 use to trusted environments
  • Review and audit configurations on affected systems

Patch Information

Apply the patches provided by OpenBSD. Reference the following URL for patches: OpenBSD Patch.

Workarounds

Avoid agent forwarding, or route sensitive commands only through restricted, monitored environments.

```bash
# ssh_config example (~/.ssh/config or /etc/ssh/ssh_config) to disable agent forwarding for all hosts
Host *
    ForwardAgent no
```
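As an added client-side check, not code from this page or from OpenSSH itself, the following POSIX shell script tests an `ssh -V` banner against the fixed version 9.3p2 and scans ssh_config text for directives that leave agent forwarding enabled. The banner, the host name and the config text are constructed samples.

```shell
#!/bin/sh
# Added audit helper; not code from the SentinelOne page or from OpenSSH.
# It flags an OpenSSH client older than 9.3p2 and an ssh_config that turns
# agent forwarding on, the two client-side conditions CVE-2023-38408 needs.

# Return 0 when the "ssh -V" banner is older than 9.3p2, 1 when it is 9.3p2
# or newer, 2 when the text is not an OpenSSH banner. Distribution packages
# and OpenBSD errata backport the fix without bumping the version, so treat
# a hit as a prompt to check the vendor advisory, not as proof of exposure.
openssh_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)[^ ,p]*\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$ver" ] || return 2
    set -- $ver                        # major minor [patch]
    major=$1; minor=$2; patch=${3:-0}  # OpenBSD base has no "pN" suffix
    [ "$major" -lt 9 ] && return 0
    [ "$major" -eq 9 ] || return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -eq 3 ] || return 1
    [ "$patch" -lt 2 ]
}

# Return 0 when the ssh_config text in $1 has a ForwardAgent directive whose
# value is anything but "no" ("yes", or a socket path / $SSH_AUTH_SOCK in
# OpenSSH 8.9+, all enable forwarding). Keyword matching is case-insensitive,
# "Keyword=value" spelling is accepted and comment lines are skipped.
config_enables_forwarding() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == "forwardagent" && NF > 1 && tolower($2) != "no" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample inputs so the script runs stand-alone; a live audit
# would pass "$(ssh -V 2>&1)" and the contents of ~/.ssh/config instead.
SAMPLE_BANNER='OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023'
SAMPLE_CONFIG='Host *
    ForwardAgent no
# hypothetical jump host that re-enables forwarding
Host bastion.example.internal
    ForwardAgent yes'

if openssh_vulnerable "$SAMPLE_BANNER"; then
    echo "client predates 9.3p2, check vendor advisory: $SAMPLE_BANNER"
fi
if config_enables_forwarding "$SAMPLE_CONFIG"; then
    echo "ssh_config enables agent forwarding for at least one host"
fi
```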

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
