{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-051.pdf"
    },
    "title": "RCE Vulnerability in \"ssh-agent\" of OpenSSH",
    "serial_number": "2023-051",
    "publish_date": "20-07-2023 12:36:21",
    "description": "On July 19, 2023, OpenSSH released an update regarding a vulnerability, identified as \"CVE-2023-38408\". This vulnerability was discovered by the Qualys Security Advisory team and allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH\u2019s forwarded \"ssh-agent\". <br>\n\"ssh-agent\" is a program to hold private keys used for public key authentication. Through the use of environment variables, the agent can be located and automatically used for authentication when logging in to other machines using SSH.<br>\n",
    "url_title": "2023-051",
    "content_markdown": "---\ntitle: 'RCE Vulnerability in ssh-agent of OpenSSH'\nversion: '1.0'\nnumber: '2023-051'\noriginal_date: 'July 19, 2023'\ndate: 'July 20, 2023'\n---\n\n_History:_\n\n* _20/07/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn July 19, 2023, OpenSSH released an update regarding a vulnerability, identified as `CVE-2023-38408`. This vulnerability was discovered by the Qualys Security Advisory team and allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH\u2019s forwarded ssh-agent [1]. \n\nSsh-agent is a program to hold private keys used for public key authentication. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using SSH [2].\n\n# Technical Details\n\nThe PKCS#11 support ssh-agent could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met:\n- Exploitation requires the presence of specific libraries on the victim system.\n- Remote exploitation requires that the agent was forwarded to an attacker-controlled system [3].\n\n# Affected Products\n\nSsh-agent in OpenSSH between 5.5 and 9.3p1 (inclusive) [3].\n\n# Recommendations\n\nCERT-EU recommends to install the latest updated OpenSSH 9.3p2 version [3].\n\n# Workarounds\n\nExploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries [3]. \n\n# References\n\n[1] <https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent>\n\n[2] <https://man.openbsd.org/ssh-agent.1>\n\n[3] <https://www.openssh.com/security.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>20/07/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On July 19, 2023, OpenSSH released an update regarding a vulnerability, identified as <code>CVE-2023-38408</code>. This vulnerability was discovered by the Qualys Security Advisory team and allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH\u2019s forwarded ssh-agent [1]. </p><p>Ssh-agent is a program to hold private keys used for public key authentication. Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using SSH [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The PKCS#11 support ssh-agent could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: - Exploitation requires the presence of specific libraries on the victim system. - Remote exploitation requires that the agent was forwarded to an attacker-controlled system [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>Ssh-agent in OpenSSH between 5.5 and 9.3p1 (inclusive) [3].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends to install the latest updated OpenSSH 9.3p2 version [3].</p><h2 id=\"workarounds\">Workarounds</h2><p>Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries [3]. </p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent\">https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://man.openbsd.org/ssh-agent.1\">https://man.openbsd.org/ssh-agent.1</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.openssh.com/security.html\">https://www.openssh.com/security.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}