OpenSSH Security Update: Mitigating CVE-2023-38408

OpenSSH, a widely used implementation of the Secure Shell protocol (SSH), has released its latest version, OpenSSH 9.3p2. This update addresses a significant security bug, CVE-2023-38408, which could potentially be exploited for remote code execution under specific conditions. This article provides an in-depth analysis of the issue, its implications, and best practices for securing SSH.

(Updated: 26 July 2023)

Understanding CVE-2023-38408

CVE-2023-38408 is a security vulnerability in the PKCS#11 support of OpenSSH’s ssh-agent(1). Under certain conditions, specific shared libraries that the agent can be made to load through this support can be abused to achieve remote code execution via a forwarded agent socket. Exploitation requires the presence of specific libraries on the victim system and the forwarding of the agent to an attacker-controlled system.

This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. The OpenSSH 9.3p2 update removes the main precondition for exploitation and, by default, removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules.

The entry for CVE-2023-38408 can be found on the National Vulnerability Database (NVD) and in the SUSE security advisory.

A Closer Look at the Vulnerability

The vulnerability lies in ssh-agent’s source code: a remote attacker with access to the remote server to which a user’s ssh-agent is forwarded can cause the agent to load and unload shared libraries from /usr/lib* on the user’s workstation. This vulnerability exists when ssh-agent is compiled with ENABLE_PKCS11, which is the default configuration.

By chaining together four common side effects of shared libraries shipped in official distribution packages, an attacker can turn this limited primitive (dlopen() and dlclose() of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution in ssh-agent.

MITRE ATT&CK TTPs

The exploitation of this vulnerability maps to the Remote Services: SSH (T1021.004) technique in the MITRE ATT&CK framework. This technique involves an adversary using Secure Shell (SSH) for remote access to systems.

Best Practices for Securing SSH

To mitigate the risk of such vulnerabilities and secure your SSH, consider the following best practices:

  1. Upgrade to OpenSSH 9.3p2 or later: This version includes the patches that mitigate the vulnerability.
  2. Restrict PKCS#11 providers: Configure ssh-agent to allow only specific, trusted PKCS#11 provider libraries.
  3. Exercise caution when forwarding the SSH agent: Avoid forwarding your agent to untrusted servers or environments.
  4. Conduct system scans: Regularly scan your systems using reputable antivirus and malware detection tools such as ClamAV, Malwarebytes, or Avast.

For more detailed information on these practices, refer to Teleport’s guide on SSH best practices.
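Two quick checks for items 1 and 3 of the list above, as an added shell example that is neither this article's nor the OpenSSH project's own code: it parses an `ssh -V` banner against the 9.3p2 fix level and scans ssh_config text for agent forwarding enabled for every host. The sample config embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the OpenSSH project or this article.
# (1) Is the local OpenSSH at or past the 9.3p2 fix level for CVE-2023-38408?
# (2) Does ssh_config turn on ForwardAgent for all hosts?

# Parse an `ssh -V` banner such as "OpenSSH_9.3p2, OpenSSL 3.0.9 30 May 2023".
# Returns 0 when the version is >= 9.3p2, 1 when older, 2 when unparseable.
# Caveat: distributions backport fixes into older version numbers, so treat an
# "older" result as a prompt to check the package changelog, not as proof.
openssh_fixed_for_cve_2023_38408() {
    v=${1#OpenSSH_}                  # "9.3p2, OpenSSL ..."
    v=${v%%[!0-9.p]*}                # cut at first char that is not a digit, '.' or 'p'
    case $v in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}                   # "9"
    rest=${v#*.}                     # "3p2"
    minor=${rest%%p*}                # "3"
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac   # no pN suffix -> 0
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# Read ssh_config text on stdin and print each scope that enables ForwardAgent
# for every host: "(global)" for a top-level setting, "*" for a "Host *" block.
# Per-host blocks and Match blocks are not reported (they are deliberate choices).
risky_forward_agent_scopes() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "host"  { scope = $2; next }
        tolower($1) == "match" { scope = "match"; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            if (scope == "")  print "(global)"
            if (scope == "*") print "*"
        }'
}

# Constructed sample config (not from any real host) to exercise the check.
SAMPLE_SSH_CONFIG='# ~/.ssh/config
ForwardAgent yes
Host bastion.example
    ForwardAgent yes
Host *
    ForwardAgent yes
'

if [ "${1:-}" = "--demo" ]; then   # run as: sh check.sh --demo
    openssh_fixed_for_cve_2023_38408 "$(ssh -V 2>&1)" && echo "OpenSSH >= 9.3p2" || echo "OpenSSH older than 9.3p2 (check package changelog)"
    printf '%s' "$SAMPLE_SSH_CONFIG" | risky_forward_agent_scopes
fi
```

On a real workstation, pipe `~/.ssh/config` or `/etc/ssh/ssh_config` into `risky_forward_agent_scopes` instead of the sample.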

Conclusion

The OpenSSH 9.3p2 update addresses a critical security vulnerability, reinforcing the importance of regular updates and robust security practices. By understanding the nature of such vulnerabilities and implementing best practices for securing SSH, users can significantly enhance their cybersecurity posture.

Further Reading