CVE-2023-38408
OpenSSH SSH-Agent Remote Code Execution via Insufficient Trust in Search Path
Description
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
INFO
Published Date :
July 20, 2023, 3:15 a.m.
Last Modified :
Nov. 21, 2024, 8:13 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSH to version 9.3p2 or later.
- Update the affected packages based on vendor guidance.
Public PoC/Exploit Available at Github
CVE-2023-38408 has a 198 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2023-38408.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2023-38408 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2023-38408
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Python
None
SOC Analyst portfolio — incident response, vulnerability assessment, GRC | Harness Projects | TryHackMe
blue-team cybersecurity incident-response soc-analyst vulnerability-assessment
None
Ymap (Yung Mapper) is a self-contained Python network scanner designed for pentesters, security researchers, students, and network administrators. It provides powerful network scanning capabilities through a small, easy-to-memorise set of flags, deliberately modelled to feel familiar to Nmap users while being much simpler to operate.
Python
Free Room of Try Hack Me
SSHield
HTML Rust TypeScript CSS
None
A simple Python script that scans a network for open ports and checks discovered services against the NVD database for known CVEs.
Python
None
Python HTML
Detects IOC type automatically (IPv4 vs MD5/SHA1/SHA256 hash) Queries all three APIs concurrently (async, like your Python script) Renders a live risk score (0–100), visual detection bar, abuse meter, and port list Generates a ticket-ready block you can copy directly into Jira/ServiceNow
Python
None
Python HTML
It's a .NET 8 WinForms penetration-testing toolkit that groups network scanning, SSH auditing, and web security auditing into a single desktop app. It supports CIDR host discovery, port enumeration with banner grabbing, SSH algorithm and version analysis, TLS inspection, HTTP header audits, and basic report viewing/export (CSV/TXT).
C# TSQL PowerShell
None
Python
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2023-38408 vulnerability anywhere in the article.
-
Daily CyberSecurity
OpenSSH 10.3 Patches Command Execution and “scp” Privilege Escalation
In the critical infrastructure of the internet, OpenSSH stands as one of the most vital gatekeepers for secure remote access. However, even the most trusted tools require constant refinement. A series ... Read more
-
Daily CyberSecurity
A Single Line of Code: Pre-Auth OpenSSH Flaw Exposes Ubuntu and Debian Servers
A flaw has been found in the machinery of OpenSSH. Security researcher Jeremy Brown recently uncovered a critical vulnerability lurking within the GSSAPI Key Exchange patch, a popular modification man ... Read more
-
Daily CyberSecurity
Industrial Alert: Critical Auth Bypass (CVSS 9.2) Hits Moxa Switches
Industrial networking giant Moxa has issued a high-severity security advisory urging customers to patch a wide range of Ethernet switches against a critical authentication bypass vulnerability. The fl ... Read more
-
CybersecurityNews
Critical OpenSSH Vulnerability Exposes Moxa Ethernet Switches to Remote Code Execution
Moxa has issued a critical security advisory regarding CVE-2023-38408, a severe vulnerability in OpenSSH affecting multiple Ethernet switch models. The flaw, with a CVSS 3.1 score of 9.8, allows unaut ... Read more
-
Daily CyberSecurity
Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)
A critical security vulnerability has been identified in Moxa’s industrial ethernet switches, threatening the integrity of operational technology (OT) networks. The vulnerability, tracked as CVE-2023- ... Read more
-
Help Net Security
Energy companies are blind to thousands of exposed services
Many of America’s largest energy providers are exposed to known and exploitable vulnerabilities, and most security teams may not even see them, according to a new report from SixMap. Researchers asses ... Read more
-
TheCyberThrone
CVE-2025-32433 impacts Erlang/OTP
The CVE-2025-32433 vulnerability, identified in the Erlang/OTP SSH library, is a severe remote code execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary commands during SSH ... Read more
-
InfoSec Write-ups
HTB — Busqueda
HTB — BusquedaPhoto by Duncan Meyer on UnsplashAbout the machineBusqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a Python module. By l ... Read more
-
Cyber Security News
Technical Analysis Published for OpenSSH’s Agent Forwarding RCE Vulnerability
Security researchers have published a detailed technical analysis of a critical remote code execution (RCE) vulnerability (CVE-2023-38408) in OpenSSH’s agent forwarding feature that was disclosed in J ... Read more
-
Dark Reading
Targeted by Ransomware, Middle East Banks Shore Up Security
Source: VideoFlow via ShutterstockBanks and financial services firms across the Middle East weathered simulated attacks at the fourth annual Cyber Wargaming exercise in the United Arab Emirates last w ... Read more
-
The Register
QNAP and Veritas dump 30-plus vulns over the weekend
Taiwanese NAS maker QNAP addressed 24 vulnerabilities across various products over the weekend. The flaws include two critical and nine "high" severity vulnerabilities, potentially resulting in code e ... Read more
The following table lists the changes that have been made to the
CVE-2023-38408 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/1 Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/2 Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/11 Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/9 Added Reference https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent Added Reference https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 Added Reference https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d Added Reference https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html Added Reference https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ Added Reference https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Added Reference https://news.ycombinator.com/item?id=36790196 Added Reference https://security.gentoo.org/glsa/202307-01 Added Reference https://security.netapp.com/advisory/ntap-20230803-0010/ Added Reference https://support.apple.com/kb/HT213940 Added Reference https://www.openssh.com/security.html Added Reference https://www.openssh.com/txt/release-9.3p2 Added Reference https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt Added Reference https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 15, 2024
Action Type Old Value New Value Added CWE CISA-ADP CWE-428 Added CVSS V3.1 CISA-ADP AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by [email protected]
May. 14, 2024
Action Type Old Value New Value -
CVE Modified by [email protected]
Apr. 04, 2024
Action Type Old Value New Value Added Reference MITRE https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408 [No types assigned] -
CVE Modified by [email protected]
Dec. 22, 2023
Action Type Old Value New Value Added Reference MITRE https://support.apple.com/kb/HT213940 [No types assigned] -
CVE Modified by [email protected]
Nov. 07, 2023
Action Type Old Value New Value Added Reference MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No types assigned] Added Reference MITRE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No types assigned] Removed Reference MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Removed Reference MITRE https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ -
CVE Modified by [email protected]
Sep. 23, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/11 [No Types Assigned] -
CVE Modified by [email protected]
Sep. 22, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/09/22/9 [No Types Assigned] -
CVE Modified by [email protected]
Aug. 17, 2023
Action Type Old Value New Value Added Reference https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html [No Types Assigned] -
CVE Modified by [email protected]
Aug. 03, 2023
Action Type Old Value New Value Added Reference https://security.netapp.com/advisory/ntap-20230803-0010/ [No Types Assigned] -
Initial Analysis by [email protected]
Jul. 31, 2023
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Changed Reference Type http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html No Types Assigned http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/20/1 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/20/1 Exploit, Mailing List, Third Party Advisory Changed Reference Type http://www.openwall.com/lists/oss-security/2023/07/20/2 No Types Assigned http://www.openwall.com/lists/oss-security/2023/07/20/2 Mailing List, Third Party Advisory Changed Reference Type https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent No Types Assigned https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent Third Party Advisory Changed Reference Type https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 No Types Assigned https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8 Patch Changed Reference Type https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d No Types Assigned https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d Patch Changed Reference Type https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca No Types Assigned https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca Patch Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ Mailing List Changed Reference Type https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ No Types Assigned https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ Mailing List Changed Reference Type https://news.ycombinator.com/item?id=36790196 No Types Assigned https://news.ycombinator.com/item?id=36790196 Issue Tracking, Patch Changed Reference Type https://security.gentoo.org/glsa/202307-01 No Types Assigned https://security.gentoo.org/glsa/202307-01 Third Party Advisory Changed Reference Type https://www.openssh.com/security.html No Types Assigned https://www.openssh.com/security.html Vendor Advisory Changed Reference Type https://www.openssh.com/txt/release-9.3p2 No Types Assigned https://www.openssh.com/txt/release-9.3p2 Release Notes Changed Reference Type https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt No Types Assigned https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt Exploit, Third Party Advisory Added CWE NIST CWE-428 Added CPE Configuration OR *cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:* versions up to (excluding) 9.3 *cpe:2.3:a:openbsd:openssh:9.3:-:*:*:*:*:*:* *cpe:2.3:a:openbsd:openssh:9.3:p1:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* -
CVE Modified by [email protected]
Jul. 28, 2023
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/ [No Types Assigned] -
CVE Modified by [email protected]
Jul. 23, 2023
Action Type Old Value New Value Added Reference https://lists.fedoraproject.org/archives/list/[email protected]/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/ [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/2 [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2023/07/20/1 [No Types Assigned] -
CVE Modified by [email protected]
Jul. 20, 2023
Action Type Old Value New Value Added Reference https://security.gentoo.org/glsa/202307-01 [No Types Assigned]