The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. Source Definition: CVE-2023-38408 at MITRE
One should be cautious when using SSH agent forwarding. If possible, refrain from forwarding the SSH agent (configured in the SSH client) to untrusted servers. Considering the potential risks associated with CVE-2023-38408, evaluate the security risk and enable SSH agent forwarding only if the target environment, such as GitHub or your remote servers, is trustworthy.
Most Linux distribution vendors have not released patches yet to address this vulnerability, hence the workaround I found for mitigating it is to disable SSH agent forwarding on SSH client Linux machines. This applies to all Linux distributions, such as Ubuntu, Red Hat, SUSE, CentOS and Oracle Linux, as OpenSSH is a POSIX service on all of them.
By default, SSH agent forwarding is disabled in most Linux OSs, but to check whether it is disabled or not, run the command below:
root@charanjit-ubuntu:~# ssh -G localhost | grep forwardagent
forwardagent no
root@charanjit-ubuntu:~#
Alternatively, you can also run echo "$SSH_AUTH_SOCK" to check whether SSH agent forwarding is enabled; if it is enabled on your Linux server you will see output similar to the following:
$ echo "$SSH_AUTH_SOCK"
# Print out the SSH_AUTH_SOCK variable
> /tmp/…
If you find it is enabled, change the ForwardAgent value from yes to no in the file /etc/ssh/ssh_config:
root@charanjit-ubuntu:~# egrep "ForwardAgent" /etc/ssh/ssh_config
ForwardAgent no
root@charanjit-ubuntu:~#
Note: This setting takes effect immediately, so you do not need to restart any services. Also, it applies to the ssh client, not to the ssh server daemon (sshd). Second, make sure you edit only the /etc/ssh/ssh_config file and not /etc/ssh/sshd_config, as the two files serve different purposes: the first is the ssh client configuration and the latter is the ssh server configuration.
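To complement the grep above, here is an added shell helper (not from the original post) that reads an ssh_config-style file the way the ssh client does (case-insensitive keywords, Host blocks, first matching value wins) and lists every Host block that turns ForwardAgent on, which a check against localhost alone would not reveal. The sample config, function names and temp-file handling are constructed for illustration; on a real machine point the functions at ~/.ssh/config and /etc/ssh/ssh_config.

```shell
# Print "host-patterns<TAB>value" for every ForwardAgent line in the given file(s).
# Only exact hostnames and the "*" catch-all are resolved below; glob patterns
# and Match blocks are listed but not evaluated (use `ssh -G <host>` for that).
audit_forwardagent() {
    awk '
        function rest(  i, s) { s = ""; for (i = 2; i <= NF; i++) s = s (i > 2 ? " " : "") $i; return s }
        FNR == 1 { host = "*" }                  # settings before any Host line apply globally
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == "host"         { host = rest(); next }
        tolower($1) == "match"        { host = "match " rest(); next }
        tolower($1) == "forwardagent" { print host "\t" tolower($2) }
    ' "$@"
}

# Effective ForwardAgent value for hostname $1 across config files $2.. in the
# order ssh reads them (user file first, then system file). The first Host
# block whose pattern list contains the name or "*" wins; unset means "no",
# which is the OpenSSH default.
effective_forwardagent() {
    h=$1; shift
    val=$(audit_forwardagent "$@" | awk -F'\t' -v h="$h" '
        { n = split($1, pats, " ")
          for (i = 1; i <= n; i++) if (pats[i] == h || pats[i] == "*") { print $2; exit } }
    ')
    printf '%s\n' "${val:-no}"
}

# Constructed sample config: the global default is "no", but one Host block
# re-enables forwarding for a single destination. Returns the temp file path.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Host github.com
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519

Host bastion jump
    forwardagent no

Host *
    ForwardAgent no
EOF
    printf '%s\n' "$f"
}

cfg=$(sample_config)
audit_forwardagent "$cfg"                   # lists all three blocks with their values
effective_forwardagent github.com "$cfg"    # prints: yes
rm -f "$cfg"
```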