{
  "threat_severity" : "Important",
  "public_date" : "2023-07-19T00:00:00Z",
  "bugzilla" : {
    "description" : "openssh: Remote code execution in ssh-agent PKCS#11 support",
    "id" : "2224173",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2224173"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.", "A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the privileges of the user running the ssh-agent." ],
  "statement" : "This issue is marked as Important because we identified that it can lead to remote code execution, at least under some circumstances, in Red Hat Enterprise Linux 6, 7, 8 and 9, and it can easily compromise the confidentiality, integrity or availability of resources.",
  "affected_release" : [ {
    "product_name" : "DEVWORKSPACE-1.0-RHEL-8",
    "release_date" : "2023-08-30T00:00:00Z",
    "advisory" : "RHSA-2023:4889",
    "cpe" : "cpe:/a:redhat:devworkspace:1.0::el8",
    "package" : "devworkspace/devworkspace-operator-bundle:0.22-2"
  }, {
    "product_name" : "DEVWORKSPACE-1.0-RHEL-8",
    "release_date" : "2023-08-30T00:00:00Z",
    "advisory" : "RHSA-2023:4889",
    "cpe" : "cpe:/a:redhat:devworkspace:1.0::el8",
    "package" : "devworkspace/devworkspace-project-clone-rhel8:0.22-2"
  }, {
    "product_name" : "DEVWORKSPACE-1.0-RHEL-8",
    "release_date" : "2023-08-30T00:00:00Z",
    "advisory" : "RHSA-2023:4889",
    "cpe" : "cpe:/a:redhat:devworkspace:1.0::el8",
    "package" : "devworkspace/devworkspace-rhel8-operator:0.22-2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6 Extended Lifecycle Support",
    "release_date" : "2023-08-02T00:00:00Z",
    "advisory" : "RHSA-2023:4428",
    "cpe" : "cpe:/o:redhat:rhel_els:6",
    "package" : "openssh-0:5.3p1-125.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4382",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssh-0:7.4p1-23.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4419",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-19.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4419",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssh-0:8.0p1-19.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4383",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "openssh-0:8.0p1-5.el8_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4384",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "openssh-0:8.0p1-5.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4384",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
    "package" : "openssh-0:8.0p1-5.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4384",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.2",
    "package" : "openssh-0:8.0p1-5.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4381",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "openssh-0:8.0p1-7.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4381",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "openssh-0:8.0p1-7.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4381",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "openssh-0:8.0p1-7.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4413",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "openssh-0:8.0p1-15.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4412",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-30.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-08-01T00:00:00Z",
    "advisory" : "RHSA-2023:4412",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssh-0:8.7p1-30.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2023-07-31T00:00:00Z",
    "advisory" : "RHSA-2023:4329",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "openssh-0:8.7p1-11.el9_0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-38408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38408\nhttps://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt" ],
  "name" : "CVE-2023-38408",
  "mitigation" : {
    "value" : "Remote exploitation requires that a user establish an SSH connection to a compromised or malicious SSH server with agent forwarding enabled. Agent forwarding is disabled by default. Review your ssh client configuration files for the ForwardAgent configuration directive, and your ssh client invocations for the -A command-line argument, to see whether agent forwarding is enabled for specific connections.\nExploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries.",
    "lang" : "en:us"
  },
  "csaw" : false
}