CVE-2023-38408
OpenSSH SSH-Agent Remote Code Execution via Insufficient Trust in Search Path
Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
INFO
Published Date :
July 20, 2023, 3:15 a.m.
Last Modified :
Nov. 21, 2024, 8:13 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSH to version 9.3p2 or later.
- Update the affected packages based on vendor guidance.
Public PoC/Exploit Available at Github
CVE-2023-38408 has a 172 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-38408.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-38408 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-38408
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Kill ports, scan services, fix vulns — AI-powered via Ollama
cli devops hardening ollama pentesting port security
PowerShell Batchfile
Kill ports, scan services, fix vulns — AI-powered via Ollama
cli devops hardening ollama pentesting port security
Shell
Kill ports, scan services, fix vulns — AI-powered via Ollama
cli devops hardening ollama pentesting port security
Ruby Shell
None
None
Python
Tryhackme free rooms with links
Knowledge Mapper
Makefile C++ C M4 Shell CMake Assembly Roff HTML Lex
Found 200+ vulnerabilities on scanme.nmap.org including CVE-2023-38408 (9.8 critical)
Nmap vulnerability scanning lab using Kali Linux and Debian to identify open ports, services, and potiential vulnerabilities.
Python network scanner with host discovery, service detection, multi-threading, and CVE lookup via NIST NVD API
Python
A production-grade, async network vulnerability scanner built in Python. Designed for security professionals, network administrators, and penetration testers.
Dockerfile Python
AI-powered CLI tool that scans external-facing systems for vulnerabilities, analyzes findings via Claude AI, and automates remediation
Python
Audits OpenSSH sshd_config for CVE-related issues, insecure settings, and hardening weaknesses, with optional auto-fix support.
Python
None
Dockerfile Python Batchfile Shell
My penetration testing dashboard - runs nmap scans, msf exploitation, and loot the information in an easily digestible browser-based workflow.
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-38408 vulnerability anywhere in the article.
-
Daily CyberSecurity
OpenSSH 10.3 Patches Command Execution and “scp” Privilege Escalation
In the critical infrastructure of the internet, OpenSSH stands as one of the most vital gatekeepers for secure remote access. However, even the most trusted tools require constant refinement. A series ... Read more
-
Daily CyberSecurity
A Single Line of Code: Pre-Auth OpenSSH Flaw Exposes Ubuntu and Debian Servers
A flaw has been found in the machinery of OpenSSH. Security researcher Jeremy Brown recently uncovered a critical vulnerability lurking within the GSSAPI Key Exchange patch, a popular modification man ... Read more
-
Daily CyberSecurity
Industrial Alert: Critical Auth Bypass (CVSS 9.2) Hits Moxa Switches
Industrial networking giant Moxa has issued a high-severity security advisory urging customers to patch a wide range of Ethernet switches against a critical authentication bypass vulnerability. The fl ... Read more
-
CybersecurityNews
Critical OpenSSH Vulnerability Exposes Moxa Ethernet Switches to Remote Code Execution
Moxa has issued a critical security advisory regarding CVE-2023-38408, a severe vulnerability in OpenSSH affecting multiple Ethernet switch models. The flaw, with a CVSS 3.1 score of 9.8, allows unaut ... Read more
-
Daily CyberSecurity
Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)
A critical security vulnerability has been identified in Moxa’s industrial ethernet switches, threatening the integrity of operational technology (OT) networks. The vulnerability, tracked as CVE-2023- ... Read more
-
Help Net Security
Energy companies are blind to thousands of exposed services
Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap. Researchers asses ... Read more
-
TheCyberThrone
CVE-2025-32433 impacts Erlang/OTP
The CVE-2025-32433 vulnerability, identified in the Erlang/OTP SSH library, is a severe remote code execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary commands during SSH ... Read more
-
InfoSec Write-ups
HTB — Busqueda
HTB — BusquedaPhoto by Duncan Meyer on UnsplashAbout the machineBusqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a Python module. By l ... Read more
-
Cyber Security News
Technical Analysis Published for OpenSSH’s Agent Forwarding RCE Vulnerability
Security researchers have published a detailed technical analysis of a critical remote code execution (RCE) vulnerability (CVE-2023-38408) in OpenSSH’s agent forwarding feature that was disclosed in J ... Read more
-
Dark Reading
Targeted by Ransomware, Middle East Banks Shore Up Security
Source: VideoFlow via ShutterstockBanks and financial services firms across the Middle East weathered simulated attacks at the fourth annual Cyber Wargaming exercise in the United Arab Emirates last w ... Read more
-
The Register
QNAP and Veritas dump 30-plus vulns over the weekend
Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend. The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code e ... Read more
The following table lists the changes that have been made to the
CVE-2023-38408 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/1 Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/2 Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/11 Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/9 Added Reference https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent Added Reference https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 Added Reference https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d Added Reference https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html Added Reference https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ Added Reference https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Added Reference https://news.ycombinator.com/item?id=36790196 Added Reference https://security.gentoo.org/glsa/202307-01 Added Reference https://security.netapp.com/advisory/ntap-20230803-0010/ Added Reference https://support.apple.com/kb/HT213940 Added Reference https://www.openssh.com/security.html Added Reference https://www.openssh.com/txt/release-9.3p2 Added Reference https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt Added Reference https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 15, 2024
Action Type Old Value New Value Added CWE CISA-ADP CWE-428 Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Apr. 04, 2024
Action Type Old Value New Value Added Reference MITRE https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 [No types assigned] -
CVE Modified by [email protected]
Dec. 22, 2023
Action Type Old Value New Value Added Reference MITRE https://support.apple.com/kb/HT213940 [No types assigned] -
CVE Modified by [email protected]
Nov. 07, 2023
Action Type Old Value New Value Added Reference MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No types assigned] Added Reference MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No types assigned] Removed Reference MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Removed Reference MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ -
CVE Modified by [email protected]
Sep. 23, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/11 [No Types Assigned] -
CVE Modified by [email protected]
Sep. 22, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/9 [No Types Assigned] -
CVE Modified by [email protected]
Aug. 17, 2023
Action Type Old Value New Value Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html [No Types Assigned] -
CVE Modified by [email protected]
Aug. 03, 2023
Action Type Old Value New Value Added Reference https://security.netapp.com/advisory/ntap-20230803-0010/ [No Types Assigned] -
Initial Analysis by [email protected]
Jul. 31, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Changed Reference Type http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html No Types Assigned http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/20/1 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/20/1 Exploit, Mailing List, Third Party Advisory Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/20/2 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/20/2 Mailing List, Third Party Advisory Changed Reference Type https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent No Types Assigned https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent Third Party Advisory Changed Reference Type https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 No Types Assigned https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 Patch Changed Reference Type https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d No Types Assigned https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d Patch Changed Reference Type https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca No Types Assigned https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca Patch Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ Mailing List Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Mailing List Changed Reference Type https://news.ycombinator.com/item?id=36790196 No Types Assigned https://news.ycombinator.com/item?id=36790196 Issue Tracking, Patch Changed Reference Type https://security.gentoo.org/glsa/202307-01 No Types Assigned https://security.gentoo.org/glsa/202307-01 Third Party Advisory Changed Reference Type https://www.openssh.com/security.html No Types Assigned https://www.openssh.com/security.html Vendor Advisory Changed Reference Type https://www.openssh.com/txt/release-9.3p2 No Types Assigned https://www.openssh.com/txt/release-9.3p2 Release Notes Changed Reference Type https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt No Types Assigned https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt Exploit, Third Party Advisory Added CWE NIST CWE-428 Added CPE Configuration OR *cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* versions up to (excluding) 9.3 *cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:* *cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* -
CVE Modified by [email protected]
Jul. 28, 2023
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No Types Assigned] -
CVE Modified by [email protected]
Jul. 23, 2023
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/2 [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/1 [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference https://security.gentoo.org/glsa/202307-01 [No Types Assigned]