ALAS-2023-1802 --- openssh
ID: oval:org.secpod.oval:def:1601778 | Date: (C)2023-09-01 (M)2024-04-11
Class: PATCH | Family: unix
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if the target user's ssh-agent is forwarded to an attacker-controlled system. With agent forwarding, the remote host can ask the agent to load a PKCS#11 provider from a path of its choosing on the victim's machine; the default allowlist ("/usr/lib*/*,/usr/local/lib*/*") accepts nearly any shared library under those trees, so an attacker-controlled host decides which libraries the agent's helper process dlopen()s. Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Platform: Amazon Linux AMI
Product: openssh, pam_ssh_agent_auth
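As an added example (not part of this advisory, the SecPod OVAL content, or OpenSSH itself), the POSIX shell script below checks the two things the description above turns on: whether the installed OpenSSH is an upstream release older than 9.3p2, and whether a given ssh-agent -P allowlist actually confines provider loading to named libraries. The banners fed to it are constructed sample input; the function names are mine; the default allowlist string is the one documented in ssh-agent(1).

```shell
#!/bin/sh
# Added example: local checks for the CVE-2023-38408 / ALAS-2023-1802 condition.
# Not taken from the advisory or from OpenSSH. Sample banners are constructed.

# Reduce an `ssh -V` banner such as "OpenSSH_9.2p1 Debian-2+deb12u1, OpenSSL 3.0.9 ..."
# to "MAJOR MINOR PATCHLEVEL" (here "9 2 1"). Prints nothing if the banner does not match.
openssh_version_triplet() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 when the upstream version in the banner is older than 9.3p2 (the fix
# release named in the advisory), 1 when it is 9.3p2 or newer, 2 if unparseable.
# Caveat: distributions backport fixes without bumping this string, so 0 means
# "go and check the package changelog", not "confirmed vulnerable".
openssh_upstream_vulnerable() {
    set -- $(openssh_version_triplet "$1")
    [ $# -eq 3 ] || return 2
    major=$1 minor=$2 patch=$3
    [ "$major" -lt 9 ] && return 0
    [ "$major" -gt 9 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    if [ "$patch" -lt 2 ]; then return 0; else return 1; fi
}

# Exit 0 when an ssh-agent -P pattern list confines provider loading: either empty
# (nothing may be loaded at all) or every entry an absolute path naming one library
# with no glob metacharacters. The default documented in ssh-agent(1),
# "/usr/lib*/*,/usr/local/lib*/*", admits any shared object under those trees.
pkcs11_allowlist_restrictive() {
    list=$1
    [ -z "$list" ] && return 0
    old_ifs=$IFS
    IFS=,
    set -f                  # do not let the shell expand the patterns we are inspecting
    set -- $list
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            /*) ;;                      # absolute path: acceptable so far
            *)  return 1 ;;             # not a specific library path: flag it
        esac
        case $entry in
            *\**|*\?*|*\[*) return 1 ;; # a wildcard turns the entry into a directory tree
        esac
    done
    return 0
}

# Run against the local host only when invoked as `sh thisfile.sh check`, so that
# sourcing the file merely defines the functions.
if [ "${1-}" = check ]; then
    banner=$(ssh -V 2>&1)
    if openssh_upstream_vulnerable "$banner"; then
        echo "ssh reports '$banner': upstream older than 9.3p2; verify the package changelog"
    else
        echo "ssh reports '$banner': at or past the 9.3p2 fix (or banner not parseable)"
    fi
    for l in '/usr/lib*/*,/usr/local/lib*/*' '' '/usr/lib64/opensc-pkcs11.so'; do
        if pkcs11_allowlist_restrictive "$l"; then
            echo "allowlist '$l': restricted to named libraries"
        else
            echo "allowlist '$l': admits whole directory trees"
        fi
    done
fi
```

Start the agent hardened with `ssh-agent -P ''` when no hardware token is in use, or with `ssh-agent -P /usr/lib64/opensc-pkcs11.so` (an assumed path; substitute the one provider you actually load) otherwise, and keep `ForwardAgent no` towards hosts you do not control, since forwarding to an attacker-controlled host is the precondition in the description. On Amazon Linux, `rpm -q --changelog openssh | grep -i CVE-2023-38408` tells you whether the backported fix is installed regardless of what the version banner says.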