In July 2023, a critical remote code execution (RCE) vulnerability in OpenSSH's ssh-agent, tracked as CVE-2023-38408, was disclosed. The flaw sits in ssh-agent's support for PKCS#11 providers: a remote host to which the agent has been forwarded can ask the agent to load and unload PKCS#11 provider shared libraries, and under specific conditions (including the presence of certain shared libraries on the victim's system) this could be chained into arbitrary code execution. The important detail is where that code runs: on the client workstation that owns the agent, at the request of a malicious or compromised SSH server the user forwarded the agent to, not on the server itself.
Affected Versions: OpenSSH from 5.5 (where PKCS#11 support was introduced) up to, but not including, 9.3p2. Distribution packages may carry a backported fix under an older version number, so check your vendor's advisory rather than relying on the version string alone.
Mitigation Steps:
- Update OpenSSH: Upgrade to OpenSSH 9.3p2 or later (or your distribution's patched package), where this vulnerability has been addressed.
- Restrict Agent Forwarding: Disable SSH agent forwarding where it is not essential (ForwardAgent no in ssh_config, and avoid ssh -A), and forward the agent only to hosts you fully trust, since any host the agent is forwarded to can send requests to it.
- Configure PKCS#11 Allow-Lists: Start the SSH agent with an empty PKCS#11/FIDO allow-list using the command ssh-agent -P '', or specify a pattern-list naming only trusted provider libraries; this limits what a forwarded agent can be asked to load.
Implementing these measures on the client workstations that run and forward ssh-agent is what protects them from exploitation of this vulnerability, because that is where the exploit would execute.
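As an added example (not code from the cited advisories or from OpenSSH), the shell script below turns the three steps into a quick client-side audit: it classifies an ssh -V banner against the affected range, flags ssh_config text that enables agent forwarding, and prints the hardened settings. The function names (openssh_version_key, cve_2023_38408_affected, forward_agent_enabled, print_hardening, audit_local_openssh) and the SAMPLE_CONFIG text are this example's own assumptions; the banner format is the one ssh -V prints, and a version check cannot see distribution backports.

```shell
#!/bin/sh
# Added audit helper for the mitigation steps above. It is not code from
# OpenSSH or from any cited advisory. It (1) classifies an `ssh -V` banner
# against the CVE-2023-38408 affected range (5.5 <= version < 9.3p2),
# (2) flags ssh_config-style text that enables agent forwarding, and
# (3) prints the hardened settings.
# Assumptions: banners look like "OpenSSH_X.Y[pN] ..." as printed by
# `ssh -V`; config text follows ssh_config(5) syntax. Distributions backport
# fixes without bumping the version, so "affected range" means "check the
# vendor changelog", not proof of exposure.

# Turn "OpenSSH_9.3p2 Debian-2, OpenSSL 3.0.9" or "9.3p2" into one
# comparable integer: major*10000 + minor*100 + patchlevel (0 if no "pN").
# Prints the key; returns 1 if the string is not a version.
openssh_version_key() {
    ver=${1#OpenSSH_}                  # drop the banner prefix if present
    ver=${ver%%[!0-9.p]*}              # keep only the leading "X.Y[pN]" token
    case $ver in *.*) ;; *) return 1 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 1 ;; esac
    done
    echo $(( major * 10000 + minor * 100 + patch ))
}

# Exit status: 0 = inside the affected range, 1 = outside it, 2 = unparseable.
cve_2023_38408_affected() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -ge 50500 ] && [ "$key" -lt 90302 ]
}

# Reads ssh_config text on stdin; exit 0 if any uncommented line sets
# ForwardAgent to something other than "no" (a socket path or $ENV value
# also forwards). Host-block scoping is ignored on purpose: any enabling
# line deserves a look. Does not see "ssh -A" given on the command line.
forward_agent_enabled() {
    grep -Ei '^[[:space:]]*ForwardAgent([[:space:]]*=[[:space:]]*|[[:space:]]+)[^[:space:]#]' \
        | grep -Eivq '^[[:space:]]*ForwardAgent([[:space:]]*=[[:space:]]*|[[:space:]]+)no([[:space:]]|$)'
}

# Hardened client settings from the mitigation list above.
print_hardening() {
    cat <<'EOF'
# ~/.ssh/config: never forward the agent by default; opt in per trusted host
Host *
    ForwardAgent no

# Start the agent with an empty PKCS#11/FIDO provider allow-list, or
# replace '' with a pattern-list naming only the provider libraries you use
eval "$(ssh-agent -P '')"
EOF
}

# Constructed sample config for the demo below (not a real file).
SAMPLE_CONFIG='Host *
    ForwardAgent no
Host bastion.example
    # ForwardAgent yes
    ForwardAgent=yes'

# Live check of this machine; only runs when an ssh client is installed.
audit_local_openssh() {
    banner=$(ssh -V 2>&1) || return 2
    if cve_2023_38408_affected "$banner"; then
        echo "AFFECTED RANGE: $banner (verify vendor backport status)"
        rc=0
    else
        echo "outside affected range: $banner"
        rc=1
    fi
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        [ -r "$f" ] && forward_agent_enabled < "$f" && echo "agent forwarding enabled in $f"
    done
    return $rc
}

printf '%s\n' "$SAMPLE_CONFIG" | forward_agent_enabled \
    && echo "sample config enables agent forwarding for at least one host"
command -v ssh >/dev/null 2>&1 && audit_local_openssh
print_hardening
```

The version key is a first-pass filter only: a vendor package such as a patched 8.9p1 or 9.2p1 will still land inside the range, which is why the output says to verify backport status. The forwarding check deliberately reports any enabling line, including ones scoped to a single Host block, because those are exactly the hosts whose compromise would reach the agent.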
👇Sources👇
https://cert.europa.eu/publications/security-advisories/2023-051/pdf
https://vulcan.io/blog/how-to-fix-cve-2023-38408-in-openssh/
https://phoenix.security/openssh-agent-38408/
https://cybersecuritynews.com/opensshs-agent-forwarding-rce-vulnerability/
https://cyberhoot.com/blog/critical-advisory-openssh-remote-code-execution-vulnerability/
