CVE Vulnerabilities

CVE-2023-38408

Unquoted Search Path or Element

Published: Jul 20, 2023 | Modified: Apr 04, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
9.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Weakness

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

Affected Software

Name Vendor Start Version End Version
Openssh Openbsd * 9.3 (excluding)
Openssh Openbsd 9.3 (including) 9.3 (including)
Openssh Openbsd 9.3-p1 (including) 9.3-p1 (including)
DEVWORKSPACE-1.0-RHEL-8 RedHat devworkspace/devworkspace-operator-bundle:0.22-2 *
DEVWORKSPACE-1.0-RHEL-8 RedHat devworkspace/devworkspace-project-clone-rhel8:0.22-2 *
DEVWORKSPACE-1.0-RHEL-8 RedHat devworkspace/devworkspace-rhel8-operator:0.22-2 *
Red Hat Enterprise Linux 6 Extended Lifecycle Support RedHat openssh-0:5.3p1-125.el6_10 *
Red Hat Enterprise Linux 7 RedHat openssh-0:7.4p1-23.el7_9 *
Red Hat Enterprise Linux 8 RedHat openssh-0:8.0p1-19.el8_8 *
Red Hat Enterprise Linux 8 RedHat openssh-0:8.0p1-19.el8_8 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat openssh-0:8.0p1-5.el8_1.1 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat openssh-0:8.0p1-5.el8_2 *
Red Hat Enterprise Linux 8.2 Telecommunications Update Service RedHat openssh-0:8.0p1-5.el8_2 *
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions RedHat openssh-0:8.0p1-5.el8_2 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat openssh-0:8.0p1-7.el8_4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat openssh-0:8.0p1-7.el8_4 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat openssh-0:8.0p1-7.el8_4 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat openssh-0:8.0p1-15.el8_6 *
Red Hat Enterprise Linux 9 RedHat openssh-0:8.7p1-30.el9_2 *
Red Hat Enterprise Linux 9 RedHat openssh-0:8.7p1-30.el9_2 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat openssh-0:8.7p1-11.el9_0 *
Openssh Ubuntu bionic *
Openssh Ubuntu devel *
Openssh Ubuntu esm-infra/bionic *
Openssh Ubuntu esm-infra/xenial *
Openssh Ubuntu fips-preview/jammy *
Openssh Ubuntu fips-updates/bionic *
Openssh Ubuntu fips-updates/focal *
Openssh Ubuntu fips-updates/jammy *
Openssh Ubuntu fips-updates/xenial *
Openssh Ubuntu fips/bionic *
Openssh Ubuntu fips/focal *
Openssh Ubuntu fips/xenial *
Openssh Ubuntu focal *
Openssh Ubuntu jammy *
Openssh Ubuntu kinetic *
Openssh Ubuntu lunar *
Openssh Ubuntu mantic *
Openssh Ubuntu noble *
Openssh Ubuntu oracular *
Openssh Ubuntu trusty *
Openssh Ubuntu trusty/esm *
Openssh Ubuntu upstream *
Openssh Ubuntu xenial *
Openssh-ssh1 Ubuntu bionic *
Openssh-ssh1 Ubuntu kinetic *
Openssh-ssh1 Ubuntu lunar *
Openssh-ssh1 Ubuntu mantic *
Openssh-ssh1 Ubuntu upstream *

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

References