CVE-2023-38408
NixOS vulnerability analysis and mitigation

Overview

CVE-2023-38408 is a critical vulnerability in OpenSSH's PKCS#11 feature in ssh-agent before version 9.3p2, discovered by the Qualys Security Advisory team. The vulnerability allows remote code execution if an agent is forwarded to an attacker-controlled system. The issue exists due to an insufficiently trustworthy search path, which is an incomplete fix for CVE-2016-10009. The vulnerability was disclosed on July 19, 2023, and affects OpenSSH installations where agent forwarding is enabled (OpenSSH Security, OpenSSH Release Notes).

Technical details

The vulnerability stems from ssh-agent's ability to load and unload shared libraries from /usr/lib* via PKCS#11 support. When an SSH agent is forwarded, an attacker can exploit the dlopen() and dlclose() operations on shared libraries to achieve remote code execution. The attack chains multiple side effects of shared library loading, including executable stack requirements, NODELETE library flags, and signal handler registration, to bypass ASLR, PIE, and NX protections (Qualys Advisory). The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user who forwarded their SSH agent. This can lead to complete compromise of the user's workstation, potentially giving access to their email, other SSH hosts, Git repositories, and allowing persistent access without the victim's knowledge (Qualys Advisory).

Mitigation and workarounds

The vulnerability has been fixed in OpenSSH 9.3p2. The patch removes the ability for remote ssh-agent clients to load PKCS#11 modules by default. Users can mitigate the vulnerability by upgrading to OpenSSH 9.3p2 or later, by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P ''), or by configuring an allowlist that contains only specific provider libraries. Additionally, users can avoid using agent forwarding and instead use ProxyJump (-J) as a safer alternative (OpenSSH Release Notes).
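As an added example (not part of this report or of OpenSSH), the following POSIX shell script turns the mitigation guidance above into a host check: it compares the installed OpenSSH version against the fixed release 9.3p2 and flags client configs that still enable agent forwarding. It assumes the portable-release banner format OpenSSH_<major>.<minor>p<patch>; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the report: flag hosts still exposed to CVE-2023-38408.
# Assumes the portable-release banner format "OpenSSH_<major>.<minor>p<patch> ...".

# Exit 0 if the banner is older than the fixed release 9.3p2, 1 if fixed or newer,
# 2 if the banner is not in the expected format.
openssh_is_vulnerable() {
    ver=$(printf '%s' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver                                   # now $1=major $2=minor $3=patch
    if [ "$1" -lt 9 ]; then return 0; fi
    if [ "$1" -gt 9 ]; then return 1; fi
    if [ "$2" -lt 3 ]; then return 0; fi
    if [ "$2" -gt 3 ]; then return 1; fi
    if [ "$3" -lt 2 ]; then return 0; fi
    return 1
}

# Exit 0 if the ssh_config text on stdin enables agent forwarding, which is the
# condition the attack needs; "ForwardAgent yes" and "ForwardAgent=yes" both count.
config_forwards_agent() {
    grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]=]+yes([[:space:]]|$)'
}

# Run the checks against this host: the installed ssh, the user's config and
# the system-wide config.
check_local_host() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed"; return 2; }
    banner=$(ssh -V 2>&1)                          # ssh -V prints to stderr
    openssh_is_vulnerable "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE: $banner is older than 9.3p2;" \
                "upgrade, or start the agent with: ssh-agent -P ''" ;;
        1) echo "OK: $banner includes the 9.3p2 fix" ;;
        *) echo "UNKNOWN: could not parse version from: $banner" ;;
    esac
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        [ -r "$f" ] || continue
        if config_forwards_agent < "$f"; then
            echo "WARNING: $f enables ForwardAgent; prefer ProxyJump (-J)"
        fi
    done
}

if [ "${1:-}" = "--check" ]; then check_local_host; fi
```

Run it as `sh check.sh --check` on the host being assessed; the functions can also be sourced and pointed at collected banners and config files.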

Community reactions

The security community has recognized this as a significant vulnerability, with security researchers describing it as 'the bug of the year.' The discovery highlighted the risks associated with SSH agent forwarding, leading to increased advocacy for using alternative approaches like jump hosts (Hacker News).
