Cyber Resilience

CVE-2023-38408

Severity: Critical · Public PoC

Published: 20 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: OpenSSH 9.3p2
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6435 (98.5th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38408 is a critical-severity vulnerability in OpenBSD OpenSSH, catalogued as CWE-428 (Unquoted Search Path or Element). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, EPSS ranks it in the top 1.5% of all CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is an insufficiently trustworthy search path in the PKCS#11 feature of ssh-agent in OpenSSH releases before 9.3p2. It exists because the fix for CVE-2016-10009 was incomplete: that fix confined PKCS#11 providers to system library directories such as /usr/lib, but code in those directories is not necessarily safe to load into ssh-agent, since merely loading and unloading a shared object runs its constructors and destructors inside the agent process whether or not it is a genuine PKCS#11 module. The issue is tracked as CWE-428 and carries a CVSS 3.1 base score of 9.8.

An attacker who controls a host to which the victim forwards their ssh-agent (ssh -A, or ForwardAgent yes) can send the agent, over the forwarded socket, a request to add a PKCS#11 key from an attacker-chosen provider path. The agent on the victim's machine loads that library, giving the attacker code execution on the victim's host with the privileges of the agent process, i.e. the victim's own account. The CVSS vector scores this as requiring no privileges or user interaction (PR:N/UI:N), but two preconditions must hold in practice: the victim must have forwarded the agent to a host the attacker controls, and the victim system must contain libraries whose load-time side effects can be chained into code execution.

Upstream advisories and the OpenSSH 9.3p2 release notes direct users to upgrade immediately. Beyond removing the exploitable condition, 9.3p2 makes ssh-agent refuse requests from remote (forwarded) clients to load PKCS#11 modules by default; the old behaviour can be restored with -Oallow-remote-pkcs11. Where an upgrade is not immediately possible, upstream's documented mitigation is to start the agent with an empty provider allowlist (ssh-agent -P '') or with an allowlist naming only the specific provider libraries actually needed. Public exploit code has been posted, and the EPSS score peaked at 0.6999 and currently stands at 0.6435. EPSS estimates the probability of exploitation activity over the coming 30 days rather than recording observed attacks, so together with the absence of a KEV entry this indicates sustained, high predicted exploitability rather than confirmed in-the-wild exploitation.
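To make the attack path and the mitigation concrete, here is an added example of a filtering proxy for the agent socket; it is not OpenSSH code and not the published proof of concept. It shows the exact request a hostile forwarded host sends (SSH_AGENTC_ADD_SMARTCARD_KEY, carrying the provider path the agent would dlopen) and blocks that request on the victim side, which is the same policy a 9.3p2 agent applies to remote clients by default. Message numbers and framing follow draft-miller-ssh-agent; the socket path, script name and library path in the comments are hypothetical.

```python
"""Filtering proxy for a forwarded SSH agent socket (added example, not OpenSSH code).

Run on the machine whose agent is forwarded, and point SSH_AUTH_SOCK at the
proxy before starting ssh -A. Every request from the remote side passes
through here; the two PKCS#11 provider-load messages are logged and answered
with SSH_AGENT_FAILURE instead of reaching the real agent.
"""
import os
import socket
import struct
import sys
import threading

# Agent protocol message numbers (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
PKCS11_LOAD_TYPES = {SSH_AGENTC_ADD_SMARTCARD_KEY,
                     SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED}

# A complete SSH_AGENT_FAILURE reply: uint32 length (1) followed by the type byte.
FAILURE_FRAME = struct.pack(">IB", 1, SSH_AGENT_FAILURE)


def read_frame(buf):
    """Split one length-prefixed agent message off the front of buf.
    Returns (msg_type, payload, remaining) or None if no whole frame is present."""
    if len(buf) < 5:
        return None
    (length,) = struct.unpack(">I", buf[:4])
    if length < 1 or len(buf) < 4 + length:
        return None
    return buf[4], buf[5:4 + length], buf[4 + length:]


def read_string(payload, offset=0):
    """Decode an SSH 'string' (uint32 length, then bytes) at offset."""
    (n,) = struct.unpack(">I", payload[offset:offset + 4])
    start = offset + 4
    return payload[start:start + n], start + n


def encode_add_smartcard_key(provider, pin=""):
    """Build the request that asks the agent to dlopen() `provider` as a PKCS#11
    module: type byte, string provider-id, string pin. This is the message a
    hostile remote host sends; used here only to construct test input."""
    body = bytes([SSH_AGENTC_ADD_SMARTCARD_KEY])
    for s in (provider.encode(), pin.encode()):
        body += struct.pack(">I", len(s)) + s
    return struct.pack(">I", len(body)) + body


def pkcs11_provider_path(msg_type, payload):
    """Return the provider path if this request would load a module into the agent."""
    if msg_type not in PKCS11_LOAD_TYPES:
        return None
    provider, _ = read_string(payload)
    return provider.decode(errors="replace")


def filter_request(msg_type, payload):
    """Policy for one request: returns (forward_to_agent, local_reply)."""
    path = pkcs11_provider_path(msg_type, payload)
    if path is None:
        return True, b""
    print(f"blocked PKCS#11 provider load of {path!r} from forwarded client",
          file=sys.stderr)
    return False, FAILURE_FRAME


def recv_exact(sock, n):
    out = b""
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        out += chunk
    return out


def relay(client, agent):
    """Serve one client connection. The protocol is strictly one request, one
    reply, so each forwarded frame is followed by reading exactly one reply."""
    buf = b""
    try:
        while data := client.recv(65536):
            buf += data
            while (frame := read_frame(buf)) is not None:
                msg_type, payload, buf = frame
                forward, reply = filter_request(msg_type, payload)
                if forward:
                    agent.sendall(struct.pack(">I", 1 + len(payload))
                                  + bytes([msg_type]) + payload)
                    header = recv_exact(agent, 4)
                    reply = header + recv_exact(agent, struct.unpack(">I", header)[0])
                client.sendall(reply)
    finally:
        client.close()
        agent.close()


def serve(proxy_path, real_path):
    """Listen on proxy_path and relay each connection to the real agent socket."""
    if os.path.exists(proxy_path):
        os.unlink(proxy_path)
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(proxy_path)
    os.chmod(proxy_path, 0o600)  # owner-only, as ssh-agent does for its socket
    listener.listen()
    while True:
        client, _ = listener.accept()
        agent = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        agent.connect(real_path)
        threading.Thread(target=relay, args=(client, agent), daemon=True).start()


if __name__ == "__main__":
    # Hypothetical usage: python3 agent_filter.py /tmp/agent-filter.sock
    # then: SSH_AUTH_SOCK=/tmp/agent-filter.sock ssh -A remotehost
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"])
```

This is a stopgap for agents that cannot be upgraded yet; a 9.3p2 or later agent already refuses remote PKCS#11 loads, and `ssh-agent -P ''` is the upstream-documented switch for older ones. Note the proxy blocks every provider-load request, so local `ssh-add -s` must talk to the real socket rather than the filtered one, and the logged path is worth forwarding to your SIEM, since a forwarded host asking for a PKCS#11 load is an attack indicator in almost every environment.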


Vulnerability details

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

CWE(s)

CWE-428: Unquoted Search Path or Element

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openbsd / openssh: ≤ 9.3 (all releases before 9.3p2)
fedoraproject / fedora: 37, 38

Mitigating Controls

No mitigating controls have been mapped to this CVE by the per-CVE control annotator yet. The controls documented upstream are: upgrade to OpenSSH 9.3p2 or later; start ssh-agent with an empty PKCS#11/FIDO provider allowlist (ssh-agent -P '') or one that names only the provider libraries you actually need; and do not forward the agent (ForwardAgent no, no ssh -A) to hosts you do not fully control.
