Description: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
[bookworm] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
[bullseye] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
Exploitation requires the presence of specific libraries on the victim system.
Remote exploitation requires that the agent was forwarded to an attacker-controlled
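The two things a practitioner wants from this entry are a quick way to tell whether an installed OpenSSH predates the upstream fix and the agent-side mitigation for hosts that cannot be upgraded. The script below is an added example, not code from the Debian tracker or from the OpenSSH project. It parses the banner that `ssh -V` prints and compares it against 9.3p2, and it shows starting ssh-agent with an empty PKCS#11/FIDO allowlist via `-P ''`, which is the workaround the upstream 9.3p2 release notes recommend (the default allowlist covers /usr/lib*/* and /usr/local/lib*/*, which is why the description says code under /usr/lib is not necessarily safe to load). Two assumptions are labelled in the code: that the agent in use understands `-P` (older agents, such as bullseye's 8.4p1, do not, to my knowledge), and that a Debian package may carry the fix without a version bump, so the version check is only a hint on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the Debian tracker or OpenSSH):
#  1. decide whether an upstream OpenSSH banner predates the 9.3p2 fix;
#  2. start an agent that cannot load any PKCS#11/FIDO provider library.

# Print "major minor patch" from an `ssh -V` banner such as
# "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023"; print nothing if unrecognised.
# The trailing "pN" is optional; a missing patch level yields an empty field.
openssh_version_fields() {
    printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*$/\1 \2 \4/p'
}

# Exit 0 if the banner names an upstream release before 9.3p2 (unpatched
# PKCS#11 provider search path), 1 if it is 9.3p2 or later, 2 if unparseable.
# Caveat (assumption about distro practice): Debian backports security fixes
# without bumping the upstream version, so on Debian/Ubuntu a "vulnerable"
# answer here is only a hint; the package changelog or the tracker entry
# above is the authority.
openssh_before_9_3p2() {
    fields=$(openssh_version_fields "$1")
    [ -n "$fields" ] || return 2          # unrecognised banner: refuse to guess
    set -- $fields                        # word-split into major, minor, [patch]
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" -lt 9 ]; then return 0; fi
    if [ "$major" -gt 9 ]; then return 1; fi
    if [ "$minor" -lt 3 ]; then return 0; fi
    if [ "$minor" -gt 3 ]; then return 1; fi
    [ "$patch" -lt 2 ]
}

# Start an agent that refuses to dlopen any PKCS#11 or FIDO provider.
# `-P` takes a pattern-list of acceptable provider paths; an empty list means
# "none", which removes the attack surface this CVE is about regardless of
# what is installed under /usr/lib. Assumption: the agent is new enough to
# accept -P (bullseye's 8.4p1 predates the option, to my knowledge); if
# `ssh-agent -P ''` is rejected, the remaining mitigation is to not forward
# the agent at all (ForwardAgent no, and no `ssh -A` to untrusted hosts).
start_hardened_agent() {
    eval "$(ssh-agent -s -P '')"
}

# Stand-alone demo against the local ssh, if one is present.
# (`ssh -V` writes its banner to stderr, hence the redirect.)
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if openssh_before_9_3p2 "$banner"; then
        echo "$banner: upstream version predates 9.3p2; confirm the distro patch state"
    else
        echo "$banner: not flagged by upstream version alone"
    fi
fi
```

Run the check on each host that might receive a forwarded agent, and remember that the "vulnerable" answer is about the upstream version string only: on bookworm (9.2p1) and bullseye (8.4p1) the tracker marks this no-dsa, so the version will keep reading as pre-9.3p2 there and the empty allowlist, or simply not forwarding the agent, is the practical control.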