Remote-SSH Exploit Discovered

Dear valued customers,

We are writing to inform you about a security vulnerability that affects customers using SSH and SSH forwarding. The vulnerability has been assigned CVE-2023-38408 and is related to Remote Code Execution (RCE) in OpenSSH’s forwarded ssh-agent.

ssh-agent is a program that stores private keys used for public key authentication. SSH clients can locate it and use it automatically for authentication when logging in to other machines. Connections to ssh-agent can be forwarded from remote hosts using the -A option to ssh, which allows the remote host to access the local agent.

Despite warnings that ssh-agent forwarding should be enabled with caution, it is still widely used today. However, we have discovered a potential security risk related to the forwarding of ssh-agent. An attacker with access to the remote server to which ssh-agent is forwarded could load and immediately unload shared libraries from /usr/lib* on the local workstation. This may result in unexpected side effects, including remote code execution in ssh-agent.

Our research indicates that even though certain shared libraries are generally considered safe, chaining specific side effects could lead to a reliable one-shot remote code execution in ssh-agent. We are actively working on a set of patches to address this vulnerability in OpenSSH, and we are working to upgrade the version of OpenSSH on your systems as soon as possible. We will coordinate with you when this upgrade is ready to ensure a seamless transition.

Please note that this CVE affects versions older than OpenSSH 9.3p2. You can identify your current server version by running ‘ssh -V’ in your terminal.
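
The script below is an added example, not part of the original advisory and not code from Dynamic Concepts or the OpenSSH project. It compares an 'ssh -V' banner against the 9.3p2 threshold stated above and lists ForwardAgent settings that enable agent forwarding; the function names and the configuration files scanned are assumptions of this example.

```shell
#!/bin/sh
# Added example. The 9.3p2 threshold and the agent-forwarding condition come
# from the advisory; function names and scanned paths are assumptions.

# Print "major minor patch" from an `ssh -V` banner (patch empty if absent).
parse_version() {
    printf '%s\n' "$1" | sed -nE \
        's/^OpenSSH_(for_Windows_)?([0-9]+)\.([0-9]+)(p([0-9]+))?.*/\2 \3 \5/p'
}

# 0 = older than 9.3p2, 1 = 9.3p2 or newer, 2 = banner not recognised.
# Distributions may backport the fix without changing the version string,
# so treat 0 as "confirm against the vendor's package advisory".
is_affected() {
    set -- $(parse_version "$1")
    [ $# -ge 2 ] || return 2
    major=$1; minor=$2; patch=${3:-0}
    [ "$major" -lt 9 ] && return 0
    [ "$major" -gt 9 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$patch" -lt 2 ]
}

# Print "line:text" for every ForwardAgent directive not set to "no".
# Keywords in ssh_config are case-insensitive and may use "=" as separator.
forwarding_lines() {
    grep -inE '^[[:space:]]*ForwardAgent[[:space:]=]+' "$1" 2>/dev/null |
        grep -ivE 'ForwardAgent[[:space:]=]+"?no"?[[:space:]]*$'
}

# Report on the machine the script runs on (the workstation holding the agent).
check_local() {
    banner=$(ssh -V 2>&1) || { echo "ssh client not found"; return 2; }
    echo "Installed OpenSSH: $banner"
    rc=0; is_affected "$banner" || rc=$?
    case $rc in
        0) echo "Older than 9.3p2: upgrade, or confirm a vendor backport" ;;
        1) echo "9.3p2 or newer" ;;
        *) echo "Version string not recognised; check manually" ;;
    esac
    for f in "$HOME/.ssh/config" /etc/ssh/ssh_config; do
        forwarding_lines "$f" | sed "s|^|$f:|"
    done
    [ -n "${SSH_AUTH_SOCK:-}" ] && echo "Agent socket in use: $SSH_AUTH_SOCK"
    return 0
}

if [ "${1:-}" = "--check" ]; then check_local; fi
```

Run it with --check on the workstation where ssh-agent runs. Command-line use of -A is not visible in configuration files, so shell aliases and scripts need a separate review.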

Your security and privacy are of utmost importance to us, and we are committed to providing you with the best possible protection. If you have any questions or concerns, please open a ticket at tickets.dynamic.com.

Thank you for your attention to this matter.

Sincerely,
Engineering Team
Dynamic Concepts Inc.