Bug 1213504 (CVE-2023-38408)

Summary:	EMU: VUL-0: CVE-2023-38408: openssh: Remote Code Execution in OpenSSH's forwarded ssh-agent
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Thomas Leroy <thomas.leroy>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Critical
Priority:	P3 - Medium	CC:	aalzayed, cxiong, gianluca.gabrielli, joyeta.modak, logan.vance, mark.harvey, meissner, peter.simons, roger.whittaker, security-team, simonf.lees
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/372998/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-38408:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1216874

Description Thomas Leroy 2023-07-20 07:01:04 UTC

CVE-2023-38408

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently
trustworthy search path, leading to remote code execution if an agent is
forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily
safe for loading into ssh-agent.) NOTE: this issue exists because of an
incomplete fix for CVE-2016-10009.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38408
https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
https://bugs.chromium.org/p/project-zero/issues/detail?id=2266
https://www.cve.org/CVERecord?id=CVE-2023-38408
http://www.openwall.com/lists/oss-security/2023/07/19/9
https://seclists.org/oss-sec/2023/q3/49
https://www.openssh.com/security.html
https://www.qualys.com/research/security-advisories/
https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
https://news.ycombinator.com/item?id=36790196
https://security.gentoo.org/glsa/202307-01
https://www.openssh.com/txt/release-9.3p2
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

Comment 1 Thomas Leroy 2023-07-20 10:33:52 UTC

I fear all maintained codestreams are affected:

- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15:Update

Comment 5 Thomas Leroy 2023-07-20 14:24:45 UTC

Thanks Marcus. SUSE:SLE-11-SP4:Update is also affected.

Comment 9 OBSbugzilla Bot 2023-07-21 08:15:02 UTC

This is an autogenerated message for OBS integration:
This bug (1213504) was mentioned in
https://build.opensuse.org/request/show/1099856 Factory / openssh

Comment 10 Maintenance Automation 2023-07-24 15:48:40 UTC

SUSE-SU-2023:2950-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213504
CVE References: CVE-2023-38408
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssh-7.2p2-81.4.2, openssh-askpass-gnome-7.2p2-81.4.2
SUSE Linux Enterprise Server 12 SP5 (src): openssh-7.2p2-81.4.2, openssh-askpass-gnome-7.2p2-81.4.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssh-7.2p2-81.4.2, openssh-askpass-gnome-7.2p2-81.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Maintenance Automation 2023-07-24 15:48:52 UTC

SUSE-SU-2023:2947-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213504
CVE References: CVE-2023-38408
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssh-askpass-gnome-7.9p1-150100.6.31.1, openssh-7.9p1-150100.6.31.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssh-askpass-gnome-7.9p1-150100.6.31.1, openssh-7.9p1-150100.6.31.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssh-askpass-gnome-7.9p1-150100.6.31.1, openssh-7.9p1-150100.6.31.1
SUSE CaaS Platform 4.0 (src): openssh-askpass-gnome-7.9p1-150100.6.31.1, openssh-7.9p1-150100.6.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2023-07-24 15:49:03 UTC

SUSE-SU-2023:2946-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213504
CVE References: CVE-2023-38408
Sources used:
SUSE Enterprise Storage 7 (src): openssh-askpass-gnome-8.1p1-150200.5.37.1, openssh-8.1p1-150200.5.37.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssh-askpass-gnome-8.1p1-150200.5.37.1, openssh-8.1p1-150200.5.37.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssh-askpass-gnome-8.1p1-150200.5.37.1, openssh-8.1p1-150200.5.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssh-askpass-gnome-8.1p1-150200.5.37.1, openssh-8.1p1-150200.5.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2023-07-24 15:49:13 UTC

SUSE-SU-2023:2940-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213504
CVE References: CVE-2023-38408
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssh-7.2p2-74.63.1, openssh-askpass-gnome-7.2p2-74.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Maintenance Automation 2023-07-24 15:49:24 UTC

SUSE-SU-2023:2945-1: An update that solves one vulnerability and has four fixes can now be installed.

Category: security (important)
Bug References: 1186673, 1209536, 1213004, 1213008, 1213504
CVE References: CVE-2023-38408
Sources used:
openSUSE Leap Micro 5.3 (src): openssh-8.4p1-150300.3.22.1
openSUSE Leap 15.4 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
openSUSE Leap 15.5 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssh-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro 5.3 (src): openssh-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssh-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro 5.4 (src): openssh-8.4p1-150300.3.22.1
Basesystem Module 15-SP4 (src): openssh-8.4p1-150300.3.22.1
Basesystem Module 15-SP5 (src): openssh-8.4p1-150300.3.22.1
Desktop Applications Module 15-SP4 (src): openssh-askpass-gnome-8.4p1-150300.3.22.1
Desktop Applications Module 15-SP5 (src): openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Manager Proxy 4.2 (src): openssh-8.4p1-150300.3.22.1
SUSE Manager Retail Branch Server 4.2 (src): openssh-8.4p1-150300.3.22.1
SUSE Manager Server 4.2 (src): openssh-8.4p1-150300.3.22.1
SUSE Enterprise Storage 7.1 (src): openssh-8.4p1-150300.3.22.1, openssh-askpass-gnome-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro 5.1 (src): openssh-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro 5.2 (src): openssh-8.4p1-150300.3.22.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssh-8.4p1-150300.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Ali Abdallah 2023-08-02 06:21:12 UTC

*** Bug 1213536 has been marked as a duplicate of this bug. ***