Description
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Google Security Research · textremotelinux
https://www.exploit-db.com/exploits/40963
References (20)
Core 20
Core References
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/40963/
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/94968
Mailing List, Release Notes mailing-list
http://www.openwall.com/lists/oss-security/2016/12/19/2
Third Party Advisory, VDB Entry vdb-entry
http://www.securitytracker.com/id/1037490
Various Sources vendor-advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:01.openssh.asc
Vendor Advisory vendor-advisory
https://usn.ubuntu.com/3538-1/
Vendor Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2017:2029
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
Mailing List mailing-list
http://www.openwall.com/lists/oss-security/2023/07/19/9
Mailing List mailing-list
http://seclists.org/fulldisclosure/2023/Jul/31
Mailing List mailing-list
http://www.openwall.com/lists/oss-security/2023/07/20/1
Vendor Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03818en_us
Vendor Advisory
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637
Various Sources
https://www.openssh.com/txt/release-7.4
Vendor Advisory
https://security.netapp.com/advisory/ntap-20171130-0002/
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
Scores
CVSS v3
7.3
EPSS
0.0158
EPSS Percentile
81.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-426
Status
published
Products (1)
openbsd/openssh
< 7.3
Published
Jan 05, 2017
Tracked Since
Feb 18, 2026