CVE-2023-28531
Published: 17 March 2023
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
Notes
| Author | Note |
|---|---|
| | Priority reason: Only affects configurations using agent forwarding, smartcard keys, and per-hop destination constraints. Policy bypass only. |
| seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
| sbeattie | introduced in openssh 8.9 |
Priority
Status
Package | Release | Status |
---|---|---|
openssh (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (only affects 8.9 and newer) |
openssh | focal | Not vulnerable (only affects 8.9 and newer) |
openssh | jammy | Released (1:8.9p1-3ubuntu0.5) |
openssh | kinetic | Ignored (end of life) |
openssh | lunar | Released (1:9.0p1-1ubuntu8.6) |
openssh | mantic | Not vulnerable (1:9.3p1-1ubuntu1) |
openssh | trusty | Not vulnerable (only affects 8.9 and newer) |
openssh | upstream | Released (9.3) |
openssh | xenial | Not vulnerable (only affects 8.9 and newer) |

Patches (openssh): upstream: https://github.com/openssh/openssh-portable/commit/54ac4ab2b53ce9fcb66b8250dee91c070e4167ed

Package | Release | Status |
---|---|---|
openssh-ssh1 (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | focal | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | jammy | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | kinetic | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | lunar | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | mantic | Not vulnerable (only affects 8.9 and newer) |
openssh-ssh1 | trusty | Does not exist |
openssh-ssh1 | upstream | Ignored (frozen on openssh 7.5p) |
openssh-ssh1 | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |