OpenSSH Versions Prior to 9.3p2 are Susceptible to a Vulnerability Which When Successfully Exploited Could Lead to Disclosure of Sensitive Information, Addition or Modification of Data, or Denial of Service (DoS)
Content

Priority:  ● Critical

Status: In Progress - Undergoing Analysis

 

First Published:  08 December 2023

Advisory Version: 1.0

References:  CVE-2023-38408

 

Summary

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) 
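
Added example (not part of the Hitachi Vantara advisory or of OpenSSH): a Python triage check for the two conditions named in the summary, an OpenSSH version before 9.3p2 and agent forwarding being enabled. It assumes version strings in the form printed by ssh -V and client settings in ssh_config syntax; the sample banner and configuration are constructed, and the function names are hypothetical.

```python
import re

FIXED_IN = (9, 3, 2)  # 9.3p2, the first fixed release named in the advisory

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022"
SAMPLE_CONFIG = """\
# per-user client config
Host bastion.example.test
    ForwardAgent yes
Host *.internal.example.test
    ForwardAgent=no
Host build
    forwardagent "yes"
"""

def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from `ssh -V` style output."""
    m = re.search(r"OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSH version in {banner!r}")
    # Assumption: a missing pN suffix is treated as p0.
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def blocks_forwarding_agent(config_text):
    """Return Host/Match blocks whose ForwardAgent value is anything but 'no'."""
    block, hits = "(global)", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            block = value
        elif key == "forwardagent" and value.lower() != "no":
            hits.append(block)
    return hits

def assess(banner, config_text):
    """Combine both checks into one triage record."""
    version = parse_openssh_version(banner)
    return {
        "version": version,
        "prior_to_fix": version < FIXED_IN,  # indicator only, see note below
        "forwarding_blocks": blocks_forwarding_agent(config_text),
    }
```

A version match is only an indicator, since distribution packages may carry backported fixes under an older version number.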

Affected Products

Vulnerable Products

 

The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by this vulnerability. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix and will update this advisory as additional information becomes available.

Product | Fixed Release Version
Content Products
Content Platform Anywhere Enterprise | This is fixed in portal image 8.0.1315.7.1 or later

 

Products Confirmed Not Vulnerable

At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.

Product | Notes
Content Products
Content Platform S Series | Not vulnerable
Content Intelligence | Not vulnerable
Content Software for File | Not vulnerable
Content Platform Anywhere | Not vulnerable
Hitachi Data Ingestor | Not vulnerable
Content Platform Gateway | Not vulnerable
HCP for Cloud Scale | Not vulnerable. The HCPCS 2.x.x container OS does NOT include OpenSSL. Regarding the Red Hat OS, it does bundle a vulnerable version, but it's NOT used directly by HCPCS software. Two paths are being worked: 1) Short-term workaround: develop instructions to manually uninstall OpenSSH from our appliances. 2) Long-term workaround: work with RHEL to develop a security OS upgrade/patch that can be delivered as a regular OS update tool.
Content Platform | Not vulnerable. HCP ships a vulnerable version of the SSH-AGENT third-party package, but the way SSH-AGENT is utilized on an HCP system negates the risk of exploitation. An HCP system never opens an SSH connection to any other system, or any IP address that is not that HCP system's back-end IP address, outside of the realm of that HCP system. Thus, the condition described in the CVE does not occur in an HCP system. In order to ensure that HCP customers' security scans no longer flag this CVE, a future release of HCP will ship a version of SSH-AGENT that includes a resolution for this CVE.

Recommended Actions

 

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
