OSG-SEC-2023-07-28 HIGH OpenSSH remote code execution
Dear OSG Security Contacts,
A remote code execution vulnerability has been discovered in OpenSSH's forwarded ssh-agent. This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent.  
OpenSSH 5.5 - 9.3p1 (inclusive) 
WHAT ARE THE VULNERABILITIES:
Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on vulnerable OpenSSH forwarded ssh-agent. It occurs where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: 
Exploitation requires the presence of specific libraries on the victim system.
Remote exploitation requires that the agent was forwarded to an attacker-controlled system.
WHAT YOU SHOULD DO:
Upgrade to OpenSSH when updates are available for your Linux distributions. Presently there are no patched packages available for RHEL 6, 7, 8, or 9 based distributions .
A patched version of the OpenSSH project source, 9.3p2, is available from the OpenSSH project if you want to build your own binaries from source. 
The vulnerability can be mitigated by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P "") or by configuring an allowlist that contains only specific provider libraries. 
Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team