CVE-2023-38408
Published: 19 July 2023
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Notes
Author | Note |
---|---|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
Priority
Status
Package | Release | Status |
---|---|---|
openssh (Launchpad, Ubuntu, Debian) | bionic | Released (1:7.6p1-4ubuntu0.7+esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
openssh | focal | Released (1:8.2p1-4ubuntu0.8) |
openssh | jammy | Released (1:8.9p1-3ubuntu0.3) |
openssh | kinetic | Ignored (end of life) |
openssh | lunar | Released (1:9.0p1-1ubuntu8.4) |
openssh | mantic | Released (1:9.3p1-1ubuntu2) |
openssh | noble | Released (1:9.3p1-1ubuntu2) |
openssh | trusty | Released (1:6.6p1-2ubuntu2.13+esm1). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
openssh | upstream | Released (9.3p2) |
openssh | xenial | Released (1:7.2p2-4ubuntu2.10+esm3). Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |

Patches (openssh):
upstream: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc
upstream: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a
upstream: https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77
upstream: https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755

Package | Release | Status |
---|---|---|
openssh-ssh1 (Launchpad, Ubuntu, Debian) | bionic | Needs triage |
openssh-ssh1 | focal | Needs triage |
openssh-ssh1 | jammy | Needs triage |
openssh-ssh1 | kinetic | Ignored (end of life, was needs-triage) |
openssh-ssh1 | lunar | Ignored (end of life, was needs-triage) |
openssh-ssh1 | mantic | Needs triage |
openssh-ssh1 | noble | Needs triage |
openssh-ssh1 | trusty | Does not exist |
openssh-ssh1 | upstream | Ignored (frozen on openssh 7.5p) |
openssh-ssh1 | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |