CVE-2023-28531: 
NixOS vulnerability analysis and mitigation

OpenSSH versions before 9.3 contain a vulnerability (CVE-2023-28531) where ssh-add adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The vulnerability affects versions from 8.9 to versions prior to 9.3, and was discovered in March 2023 (OpenWall List).

The vulnerability stems from a logic error that prevented constraints from being communicated to the ssh-agent when adding smartcard keys with per-hop destination constraints. This issue specifically affects the ssh-add functionality when used with smartcard keys and per-hop destination constraints. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The common cases of non-smartcard keys and keys without destination constraints are unaffected (NetApp Advisory).

The vulnerability has been fixed in OpenSSH version 9.3. Users are advised to upgrade to this version or later to address the security issue. Multiple vendors have released patches for their respective products, including Debian (version 1:8.4p1-5+deb11u3 for bullseye and 1:9.2p1-2+deb12u2 for bookworm) (Debian Security) and other affected distributions.