Westwp logo web security

A Critical OpenSSH Vulnerability: How to Protect Yourself

Table of Contents

The recent discovery of the critical OpenSSH vulnerability can expose systems to hackers. This could potentially lead to data breaches and other harmful consequences. One such vulnerability that demands immediate attention is CVE-2023-38408. It affects OpenSSH, a widely used open-source software for secure remote logins.

Critical OpenSSH Vulnerability - How to Protect Yourself

Understanding CVE-2023-38408: The OpenSSH vulnerability

2.1 What is CVE-2023-38408?

CVE-2023-38408 is a vulnerability in the PKCS#11 feature of OpenSSH. PKCS#11 facilitates access to cryptographic hardware devices, such as smart cards and USB tokens. The vulnerability arises from OpenSSH’s inadequate validation of the shared library path loaded to the SSH agent. This flaw enables attackers to load malicious shared libraries into the SSH agent. Later, it can be executed when the victim connects to a remote server.

2.2 How does it work?

Exploiting this vulnerability requires access to the victim’s SSH agent. Attackers may achieve this by tricking the victim into connecting to a malicious SSH server. Or compromising the victim’s system through other means. Once the attacker gains access to the SSH agent, they can load a malicious shared library into it. The shared library will then be executed when the victim connects to a remote server. By this granting the attacker unauthorized access.

2.3 Impacts of the Vulnerability

The consequences of CVE-2023-38408 can be devastating. It enables attackers to execute arbitrary code on the victim’s system. That may leads to potential data theft, malware installation, or even control of the entire system.

What is PKCS#11 and Its Significance in the Context of OpenSSH

PKCS#11, which stands for Public-Key Cryptography Standards #11. It is a widely adopted cryptographic interface standard. It plays a crucial role in facilitating access to cryptographic hardware devices. Such as smart cards, hardware security modules (HSMs), and USB tokens. The primary purpose of PKCS#11 is to provide a unified and standardized API (Application Programming Interface). Which allows software applications to interact with cryptographic devices securely.

In the context of OpenSSH, PKCS#11 is utilized to enhance the security and usability of SSH (Secure Shell) connections. SSH is a popular protocol used for secure remote logins, file transfers, and various other network services. OpenSSH is an open-source implementation of SSH used across different operating systems & platforms.

The Role of PKCS#11 in OpenSSH:

Secure Key Management: One of the core functionalities of PKCS#11 in OpenSSH is to securely manage cryptographic keys. Cryptographic keys are essential for secure communication in SSH. Where both the client and server must have the appropriate key pairs. PKCS#11 provides a standardized way for OpenSSH to access private keys stored in hardware devices. Keeping them protected from unauthorized access and potential theft.

Enhanced Security: By utilizing hardware devices like smart cards and HSMs, PKCS#11 helps mitigate the risks. Associated with storing private keys on the local system. Hardware devices provide physical security features and tamper resistance. Making it more challenging for attackers to extract or misuse cryptographic keys.

Strong Authentication: PKCS#11 enables strong authentication mechanisms in OpenSSH. So users can use smart cards or USB tokens for authentication. This adds an extra layer of security. As it requires possession of the physical hardware token along with user’s PIN or passphrase.

Reduced Key Exposure: When using PKCS#11 with OpenSSH, the private keys never leave the hardware device. They are used on the device itself. And only the necessary cryptographic operations are performed. That to without exposing the sensitive keys externally. This reduces the risk of key exposure due to software vulnerabilities or malicious code.

Ease of Use: PKCS#11 provides a standardized interface for cryptographic devices. Making it easier for OpenSSH to work with different hardware devices. This standardization streamlines the integration process and improves the overall user experience

Note, PKCS#11 is a critical standard for facilitating access to cryptographic hardware devices in a secure and standardized manner. In the context of OpenSSH, PKCS#11 enhances security by securely managing cryptographic keys, providing strong authentication mechanisms, and reducing the risk of key exposure. By leveraging PKCS#11, OpenSSH can offer a more robust and reliable platform for secure remote logins and data transfers.

Real-life examples of the CVE-2023-38408 vulnerability:

Example 1: Malicious SSH Server Attack:

In this scenario, an attacker sets up a malicious SSH server, disguised to look like a legitimate one. The attacker sends phishing emails or messages to potential victims, enticing them to connect to the server for various reasons, such as accessing sensitive files or receiving special offers. Unaware of the threat, some users fall for the trap and connect to the malicious server using their SSH client.

Once the victim connects, the attacker exploits the CVE-2023-38408 vulnerability to inject a malicious shared library into the victim’s SSH agent. The next time the victim connects to any remote server using SSH, the compromised SSH agent executes the malicious code, allowing the attacker to gain unauthorized access to the victim’s system and potentially steal sensitive information or install malware.

Example 2: Compromised System with PKCS#11 Enabled:

In this scenario, the victim’s system has PKCS#11 enabled in their SSH agent. The attacker gains unauthorized access to the victim’s computer through a separate security flaw, such as a software vulnerability or a successful phishing attack. Once inside the victim’s system, the attacker identifies the presence of PKCS#11 in the SSH agent.

Taking advantage of CVE-2023-38408, the attacker loads a malicious shared library into the SSH agent, exploiting the lack of proper validation in OpenSSH’s PKCS#11 implementation. Now, whenever the victim initiates an SSH session to connect to a remote server, the malicious code is automatically executed by the SSH agent. This grants the attacker persistent access to the victim’s system, allowing them to carry out further malicious activities without detection.

In both of these examples, the vulnerability in OpenSSH’s PKCS#11 feature (CVE-2023-38408) is exploited by attackers to compromise the security of SSH connections and gain unauthorized access to systems, leading to potential data theft, unauthorized control, and other harmful consequences. It underscores the importance of promptly updating OpenSSH and taking necessary precautions to protect against such vulnerabilities.

How to Protect Yourself from CVE-2023-38408

3.1 Update OpenSSH to the Latest Version

The first line of defense against this vulnerability is to ensure you are using the latest version of OpenSSH. At the time of writing, the most recent version is 9.3p2. You can download it from the official OpenSSH website.

3.2 Mitigate Risk by Disabling PKCS#11 Feature

If you cannot immediately update to the latest OpenSSH version, you can reduce the risk of exploitation by disabling the PKCS#11 feature. This can be achieved by editing the sshd_config file and setting the UsePKCS11 option to no.

Latest Updates on CVE-2023-38408

As of July 19, 2023, the vulnerability was disclosed, prompting OpenSSH to release a patch. Most Linux distributions have already issued updated packages. However, to ensure you are protected, make sure that you are running the latest version of OpenSSH.

Steps for Updating OpenSSH to Latest Version

Updating OpenSSH to the latest version and disabling the PKCS#11 feature will help protect your system from the CVE-2023-38408 vulnerability. Below are step-by-step instructions to achieve this:

Step 1: Check Current OpenSSH Version

Open a terminal or command prompt on your system. For Linux or macOS, run the following command:

ssh -V

For Windows, use this command:

ssh -V

This command will display the current version of OpenSSH installed on your system.

Step 2: Download the Latest Version of OpenSSH

Visit the official OpenSSH website to download the latest version of OpenSSH. Ensure that you download the appropriate version for your operating system.

Website: https://www.openssh.com/

Step 3: Install the Latest Version

For Linux:

If you are using a package manager, check if the latest version of OpenSSH is available for your distribution. For example, on Debian/Ubuntu-based systems, you can use the following command:

sudo apt-get update

sudo apt-get install openssh-server

This will update your OpenSSH to the latest version available in the repository.

For macOS: On macOS, OpenSSH is usually pre-installed. However, you can use package managers like Homebrew to update it to the latest version:

brew update

brew upgrade openssh

For Windows: Download the latest version of OpenSSH from the official website and follow the provided installation instructions.

Disabling the PKCS#11 Feature

Step 4: Disable the PKCS#11 Feature

For Linux and macOS:

Open the sshd_config file using a text editor with administrative privileges. For example: bash

sudo nano /etc/ssh/sshd_config

Look for the line that contains the UsePKCS11 option. If it is set to yes, change it to no. If the line is not present, you can add it at the end of the file:

UsePKCS11 no

Save the changes and exit the text editor.

Restart the OpenSSH service to apply the changes:

sudo service ssh restart

For Windows:

  1. Locate the sshd_config file in the OpenSSH installation directory (usually C:\ProgramData\ssh).
  2. Open the file with a text editor with administrative privileges.
  3. Find the line that contains the UsePKCS11 option. If it is set to yes, change it to no. If the line is not present, add it at the end of the file:

UsePKCS11 no

Save the changes and close the text editor.

Restart the OpenSSH service to apply the changes. You can do this from the “Services” application or by using the following command in Command Prompt with administrative privileges:

net stop sshd

net start sshd

Step 5: Verify the Changes

To ensure that the latest version of OpenSSH is installed and the PKCS#11 feature is disabled, run the following commands:

ssh -V

This should display the version number of the updated OpenSSH. Additionally, you can check if PKCS#11 is disabled in the sshd_config file:

cat /etc/ssh/sshd_config | grep UsePKCS11

The output should show UsePKCS11 no indicating that the feature is disabled.

Congratulations! You have successfully updated OpenSSH to the latest version. Also disabled the PKCS#11 feature. This makes your system more secure against the CVE-2023-38408 vulnerability.

Taking cybersecurity seriously is paramount in today’s digital landscape. CVE-2023-38408 poses a significant threat to OpenSSH users. And prompt action is necessary to safeguard against potential attacks. By updating OpenSSH to the latest version and disabling the PKCS#11 feature, users can strengthen their defenses. Also, protect their systems from this critical vulnerability.


Q: What is the severity of this vulnerability?

A: This vulnerability is considered critical. As it allows attackers to execute arbitrary code on the victim’s system. Which may lead to severe consequences.

Q: How can I tell if I am vulnerable to this vulnerability?

 A: Check the version of OpenSSH you are using by running the following command:

ssh -V

If your version is older than 9.3p2, you are vulnerable.

 Q: What should I do if I am vulnerable to this vulnerability?

A: If you are vulnerable, update OpenSSH to the latest version as soon as possible. Additionally, consider disabling the PKCS#11 feature to mitigate risk.

 Q: What are the next steps for this vulnerability

A: OpenSSH is actively investigating the vulnerability. And will release further updates as necessary.