{"id":"CVE-2023-38408","details":"The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.","modified":"2026-04-16T09:25:06.356489Z","published":"2023-07-20T03:15:10.170Z","related":["ALSA-2023:4412","ALSA-2023:4419","CGA-frmw-hj73-jq63","SUSE-SU-2023:2940-1","SUSE-SU-2023:2945-1","SUSE-SU-2023:2946-1","SUSE-SU-2023:2947-1","SUSE-SU-2023:2950-1","openSUSE-SU-2024:13063-1"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/22/11"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/22/9"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/"},{"type":"WEB","url":"https://support.apple.com/kb/HT213940"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/07/20/2"},{"type":"ADVISORY","url":"https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230803-0010/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202307-01"},{"type":"ADVISORY","url":"https://www.openssh.com/security.html"},{"type":"ADVISORY","url":"https://www.openssh.com/txt/release-9.3p2"},{"type":"FIX","url":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8"},{"type":"FIX","url":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca"},{"type":"FIX","url":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d"},{"type":"FIX","url":"https://news.ycombinator.com/item?id=36790196"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2023/07/20/1"},{"type":"EVIDENCE","url":"https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openbsd/src","events":[{"introduced":"0"},{"fixed":"7bc29a9d5cd697290aa056e94ecee6253d3425f8"},{"fixed":"f03a4faa55c4ce0818324701dadbf91988d7351d"},{"fixed":"f8f5a6b003981bb824329dc987d101977beda7ca"}]},{"type":"GIT","repo":"https://github.com/openssh/openssh-portable","events":[{"introduced":"0"},{"last_affected":"cb30fbdbee869f1ce11f06aa97e1cb8717a0b645"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.3-p1"}]}}],"versions":["ABOUT_TO_ADD_INET_ATON","AFTER_FREEBSD_PAM_MERGE","AFTER_KRB5_GSSAPI_MERGE","BEFORE_FREEBSD_PAM_MERGE","BEFORE_KRB5_GSSAPI_MERGE","POST_KRB4_REMOVAL","PRE-REORDER","PRE_CYGWIN_MERGE","PRE_DAN_PATCH_MERGE","PRE_FIXPATHS_INTEGRATION","PRE_HPUX_INTEGRATION","PRE_IPV6","PRE_KRB4_REMOVAL","PRE_NEW_LOGIN_CODE","PRE_SW_KRBV","V_1_2PRE17","V_1_2_1_PRE18","V_1_2_1_PRE19","V_1_2_1_PRE20","V_1_2_1_PRE21","V_1_2_1_PRE22","V_1_2_1_PRE23","V_1_2_1_PRE24","V_1_2_1_PRE25","V_1_2_1_PRE26","V_1_2_1_PRE27","V_1_2_2","V_1_2_2_P1","V_1_2_2_PRE28","V_1_2_2_PRE29","V_1_2_3","V_1_2_3_PRE1","V_1_2_3_PRE2","V_1_2_3_PRE3","V_1_2_3_PRE4","V_1_2_3_PRE5","V_1_2_3_TEST1","V_1_2_3_TEST2","V_1_2_3_TEST3","V_1_2_PRE10","V_1_2_PRE11","V_1_2_PRE12","V_1_2_PRE13","V_1_2_PRE14","V_1_2_PRE15","V_1_2_PRE16","V_1_2_PRE4","V_1_2_PRE5","V_1_2_PRE6","V_1_2_PRE7","V_1_2_PRE8","V_1_2_PRE9","V_2_0_0_BETA1","V_2_0_0_BETA2","V_2_0_0_TEST1","V_2_1_0","V_2_1_0_P1","V_2_1_0_P2","V_2_1_0_P3","V_2_1_1_P1","V_2_1_1_P2","V_2_1_1_P3","V_2_1_1_P4","V_2_2_0_P1","V_2_3_0_P1","V_2_5_0_P1","V_2_5_1_P1","V_2_5_1_P2","V_2_5_2_P1","V_3_0_1_P1","V_3_0_P1","V_3_1_P1","V_3_2_2_P1","V_3_4_P1","V_3_6_1_P1","V_3_8_P1","V_3_9_P1","V_4_2_P1","V_5_0_P1","V_5_1_P1","V_5_2_P1","V_5_5_P1","V_5_7_P1","V_6_0_P1","V_6_1_P1","V_6_2_P1","V_6_5_P1","V_6_6_P1","V_6_8_P1","V_6_9_P1","V_7_0_P1","V_7_1_P1","V_7_2_P1","V_7_3_P1","V_7_4_P1","V_7_5_P1","V_7_6_P1","V_7_7_P1","V_7_8_P1","V_7_9_P1","V_8_0_P1","V_8_1_P1","V_8_2_P1","V_8_4_P1","V_8_5_P1","V_8_6_P1","V_8_7_P1","V_8_8_P1","V_8_9_P1","V_9_0_P1","V_9_1_P1","V_9_2_P1","V_9_3_P1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38408.json","vanir_signatures_modified":"2026-04-16T09:25:06Z","vanir_signatures":[{"id":"CVE-2023-38408-0e1bd16c","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"line_hashes":["55725163042805392808609753741105633240","128285159618758502962072805470695625192","116587942781857791499400324026044176520","116950959552597726222022209976458084177","166390061282163298106044366523387592453"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/ssh-pkcs11.c"}},{"id":"CVE-2023-38408-1b7fe2ad","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"line_hashes":["245460714767665081683172703272227756490","154898809948973226043331289679083724583","77397090139273800238042145169749086301","190441682610337999482858680156181833541","61249771291454899113495469699607840047"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/misc.h"}},{"id":"CVE-2023-38408-38072bcc","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"line_hashes":["212889176108583557153764785879829373553","199957646585614272140038170333640429763","104255286907295786427889062166350281187","115009805797771706544464707642295063611","129285339640906578826404216174930229758","293458422494043100795111688876212186380","158184544829091383528505314573683842298","141142978561658504241622758231208165624","261354179858232412412223785435861205101","272211793939171938655602293807909585244","26312110325341625339236976058409048896","37222675372245245516667306127403666209","231893991694577093191465781901120692399","208944525142893471893429544502409167621"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/ssh-sk.c"}},{"id":"CVE-2023-38408-477a87a4","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"line_hashes":["123728030011908799690508130257531630145","309320613159800543722057427906030885293","88551071913815231098859714061627564583","255716208541812258235985042308243123018","327713260949006026913669588332977405706","195026673253470011006274772763615138419"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/misc.c"}},{"id":"CVE-2023-38408-4c8fc60e","source":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d","signature_version":"v1","digest":{"line_hashes":["55725163042805392808609753741105633240","132403242283107965528557055591865070823","145711729613275442506525195537586480099","81698505837951782601199886233863780510","164975228933773000300492059888318553713","203760564816490794400113698258768785600","87744079937004542252727256443966031343","233201331787054679358425020029285230149"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/ssh-pkcs11.c"}},{"id":"CVE-2023-38408-548fc75b","source":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","signature_version":"v1","digest":{"function_hash":"176282625954728589418260577592136122934","length":1790},"signature_type":"Function","deprecated":false,"target":{"function":"process_add_smartcard_key","file":"usr.bin/ssh/ssh-agent.c"}},{"id":"CVE-2023-38408-63a621a6","source":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","signature_version":"v1","digest":{"line_hashes":["142483365029668147691457446802921276205","338183608448739778899193325290408274327","215742378688413246027441518061584069043","34199311701557504296485376417782017829","264814179936733595673977523540311910896","48107387833747494942141378138305335526","311430354134093433623203190391857462306","322112388604258461414191286219043701982","187077904320853389933675193085424106859","119536953480021437428967222865166673018","300272016207263626724188131418314932382","185434096474314764300222071171674739821","242914950751014010650316723974235697586","111874031984715289587838461750616793356","314524614974619895120979930351770212331","207219957535858364281635286727481124690"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"usr.bin/ssh/ssh-agent.c"}},{"id":"CVE-2023-38408-65d1ca36","source":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","signature_version":"v1","digest":{"function_hash":"69408485039866777726565847449831891868","length":5787},"signature_type":"Function","deprecated":false,"target":{"function":"main","file":"usr.bin/ssh/ssh-agent.c"}},{"id":"CVE-2023-38408-93d5cc3a","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"function_hash":"20785282191647117378483749664361515635","length":4408},"signature_type":"Function","deprecated":false,"target":{"function":"pkcs11_register_provider","file":"usr.bin/ssh/ssh-pkcs11.c"}},{"id":"CVE-2023-38408-b20aa0ae","source":"https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca","signature_version":"v1","digest":{"function_hash":"86622299653523171526230085861346440775","length":1945},"signature_type":"Function","deprecated":false,"target":{"function":"sshsk_open","file":"usr.bin/ssh/ssh-sk.c"}},{"id":"CVE-2023-38408-d35307ad","source":"https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8","signature_version":"v1","digest":{"function_hash":"263025605123250630080940306656039656526","length":2430},"signature_type":"Function","deprecated":false,"target":{"function":"process_add_identity","file":"usr.bin/ssh/ssh-agent.c"}},{"id":"CVE-2023-38408-e2f7b684","source":"https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d","signature_version":"v1","digest":{"function_hash":"157551009127729258625712862157649782138","length":4424},"signature_type":"Function","deprecated":false,"target":{"function":"pkcs11_register_provider","file":"usr.bin/ssh/ssh-pkcs11.c"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"9.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}