CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Saeed Abbasi

Last updated on: July 24, 2023

The Qualys Threat Research Unit (TRU) has discovered a remote code execution vulnerability in OpenSSH’s forwarded ssh-agent. This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. Given the widespread use of OpenSSH’s forwarded ssh-agent Qualys Research Unit recommends that security teams apply patches for this vulnerability on priority.

About OpenSSH’s Agent Forwarding 

The ssh-agent is a background program that caches private keys for SSH public key authentication, reducing the need for regular passphrase input. Initiated at the start of an X or login session, it operates by storing keys in memory and unloading only when the process ends. 

It’s instrumental in automation scripts or tasks requiring frequent server connections, as it prevents the need for insecure password storage or constant passphrase input. The connections to ssh-agent may be forwarded from further remote to avoid the need for authentication data to be stored on other machines. Nonetheless, it’s still crucial to secure the keys with robust passphrases.  

Potential Impact of OpenSSH’s Agent Forwarding 

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on vulnerable OpenSSH forwarded ssh-agent.  Qualys security researchers have been able to independently verify the vulnerability, develop a PoC exploit on installations of Ubuntu Desktop 22.04 and 21.10. Other Linux distributions are likely vulnerable and probably exploitable. 

As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with the vendor, OpenSSH, on this occasion to announce the vulnerability. 

Disclosure Timeline 

2023-07-06: Draft advisory and initial patch sent to OpenSSH. 

2023-07-07: OpenSSH sent refined patches. 

2023-07-09: Feedback on patches sent to OpenSSH. 

2023-07-11: Received final patches from OpenSSH; feedback sent. 

2023-07-14: OpenSSH plans for security-only release on July 19th. 

2023-07-19: Coordinated release. 

Technical Details

You can find the technical details of these vulnerabilities at:

Qualys QID Coverage  

Qualys has recently released a single QID 38904, which is available starting from the vulnsigs version VULNSIGS-2.5.820-3.

QID Title Qualys Release Versions 
38904 OpenSSH Remote Code Execution (RCE) Vulnerability in its forwarded ssh-agent VULNSIGS-2.5.820-3 


This newly uncovered ssh-agent vulnerability underlines the continuous need for rigorous security measures and immediate response. Even robust systems can harbor hidden vulnerabilities, as demonstrated by the shortcomings of the ssh-agent. Proactively rectifying such vulnerabilities through actions such as implementing patches is critical to maintaining the integrity of digital assets.  

Share your Comments


Your email address will not be published. Required fields are marked *