I. Vulnerability summary
Publication:
July 19, 2023
Description:
CVE-2023-38408: A vulnerability exists in the OpenSSH encryption suite and tool collection. The issue is based on an insufficient fix to the CVE-2016-10009 vulnerability, which OpenSSH 7.4 was supposed to patch in 2017. The PKCS#11 function in the ssh-agent in OpenSSH before 9.3p2 uses an untrusted search path, allowing attackers to inject and execute malicious code if an ssh-agent is forwarded to an attacker-controlled system. Version 9.3p2 closes the vulnerability.
July 19, 2023
Description:
CVE-2023-38408: A vulnerability exists in the OpenSSH encryption suite and tool collection. The issue is based on an insufficient fix to the CVE-2016-10009 vulnerability, which OpenSSH 7.4 was supposed to patch in 2017. The PKCS#11 function in the ssh-agent in OpenSSH before 9.3p2 uses an untrusted search path, allowing attackers to inject and execute malicious code if an ssh-agent is forwarded to an attacker-controlled system. Version 9.3p2 closes the vulnerability.
II. Impact on our products
TA Triumph-Adler products are not affected by this vulnerability.