OpenSSH versions prior to 9.3p2 are susceptible to a vulnerability (CVE-2023-38408) in the way ssh-agent loads PKCS#11 provider libraries. When successfully exploited it allows remote code execution on the system running the agent, which could lead to disclosure of sensitive information and the addition or modification of data.
CVE-2023-38408 affects Asustor products running ADM 4.2 and ADM 4.0. Updates carrying OpenSSH 9.5p1 will be released as soon as possible.
- Update: OpenSSH has been upgraded to 9.5p1 in ADM 4.2.5.RN33, which resolves the issue.
Fixed release availability
- ADM 4.2 and 4.1: upgrade to ADM 4.2.5.RN33 or above
- Severity: Critical
- The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. In practice the exposure is any session that forwards the agent (ForwardAgent yes in ssh_config, or ssh -A) to a host the attacker controls or has compromised; until the update is applied, not forwarding the agent removes the precondition the attack needs.
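As an added example (not part of the ASUSTOR advisory or of OpenSSH's own tooling), the POSIX shell functions below do the two checks a practitioner would run around this update: compare an `ssh -V` banner against the 9.3p2 threshold the advisory cites, and list the Host stanzas of an ssh_config that forward the agent, which is the precondition the exploit needs. The function names, the exit-code convention and the sample config are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ASUSTOR advisory or of OpenSSH itself.
# Function names and the sample config are this example's own.

# Exit 0 if the "ssh -V" banner passed as $1 is OpenSSH 9.3p2 or later,
# 1 if it is earlier, 2 if the banner is not recognised.
# Banners look like "OpenSSH_9.5p1, OpenSSL 3.0.10 1 Aug 2023".
# Caveat: distributions sometimes backport the fix without bumping the
# version, so a result of 1 on a distro package is a prompt to read the
# package changelog; ADM ships upstream OpenSSH, so the number is decisive there.
openssh_fixed_for_cve_2023_38408() {
    printf '%s\n' "$1" | awk '
        BEGIN { status = 2 }
        /^OpenSSH_[0-9]+\.[0-9]+/ {
            v = $1
            sub(/^OpenSSH_/, "", v)
            sub(/,$/, "", v)                  # "9.5p1," -> "9.5p1"
            n = split(v, f, "[.p]")           # "9.5p1" -> 9, 5, 1
            major = f[1] + 0
            minor = f[2] + 0
            patch = (n >= 3) ? f[3] + 0 : 0   # "OpenSSH_9.3" without pN counts as p0
            if (major > 9 || (major == 9 && minor > 3) ||
                (major == 9 && minor == 3 && patch >= 2))
                status = 0
            else
                status = 1
        }
        END { exit status }'
}

# Same check against the build installed on this host; ssh -V prints to stderr.
check_local_openssh() {
    openssh_fixed_for_cve_2023_38408 "$(ssh -V 2>&1)"
}

# Print, one per line, the Host patterns in an ssh_config read on stdin whose
# ForwardAgent setting is anything other than "no" (ssh accepts yes, a socket
# path or an environment-variable name, and all of them forward the agent).
# Settings before the first Host stanza apply to every host and print as "*".
# Match blocks and Include directives are not followed.
hosts_with_agent_forwarding() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        { sub(/=/, " ") }                              # accept "Keyword=value" spelling
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) != "no" {
            print (host == "" ? "*" : host)
        }'
}

# Constructed sample client config (not a real file) exercising both keyword
# spellings and the case-insensitive keyword/value handling.
SAMPLE_SSH_CONFIG='# constructed sample
ForwardAgent no
Host bastion
    ForwardAgent yes
Host *.corp.example
    ForwardAgent=no
Host untrusted-ci
    User deploy
    forwardagent YES
'

# Running the sample through the check lists the two stanzas that forward.
printf '%s' "$SAMPLE_SSH_CONFIG" | hosts_with_agent_forwarding
```

On a NAS or client you would call `check_local_openssh` and feed `hosts_with_agent_forwarding` with `~/.ssh/config` and `/etc/ssh/ssh_config`; a host that appears in that list and points at a machine you do not fully trust is where the advisory's precondition is met.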
Revision history
- Initial public release
- ADM 4.2.5.RN33 released, updating the OpenSSH version to fix the issue