CVE-2023-28531

Vulnerability

ssh-add in OpenSSH versions 8.9 through 9.2 does not apply the intended per-hop destination constraints when adding smartcard keys to ssh-agent [2]. This means that keys added via ssh-add are not restricted to specific hosts or destinations as designed. The earliest affected version is 8.9 [2]. Siemens SIMATIC S7-1500 CPU family (including related ET 200 CPUs and SIPLUS variants) is also affected [1].

Exploitation

An attacker with network access to the ssh-agent socket or the ability to use the added keys (e.g., through a compromised host) can leverage the unrestricted keys to authenticate to any host that accepts them. No special authentication is required beyond access to the agent socket. The attacker can use the keys without the intended destination restrictions, potentially authenticating to unintended systems.

Impact

Successful exploitation allows an attacker to use the smartcard keys to authenticate to unintended destinations, potentially gaining unauthorized access to systems. This can lead to information disclosure, privilege escalation, or lateral movement within a network. The CVSS v3 score of 9.8 (Critical) reflects the high potential for widespread compromise.

Mitigation

The fix is included in OpenSSH 9.3, released on 2023-03-15 [2]. Users should upgrade to OpenSSH 9.3 or later. For affected Siemens products, refer to the vendor advisory [1] for specific remediation steps. No workaround is mentioned in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.