CVE-2023-28531 Vulnerability

Published: 01/20/2026

Written by: Nadine Rozell


What is CVE-2023-28531 vulnerability?

CVE-2023-28531 is a logic error vulnerability in the OpenSSH suite, specifically affecting the ssh-add utility.

When was it discovered?

CVE-2023-28531 was publicly disclosed around March 16, 2023. It was identified as a regression introduced in OpenSSH version 8.9 and was addressed in the release of OpenSSH 9.3.

Affected products & versions

The vulnerability affects specific versions of OpenSSH that support the per-hop destination constraint feature for smartcards.

Product         Versions Affected                 Fixed Versions / Patch Links
OpenSSH         8.9 through 9.2                   Upgrade to 9.3 or later
Ubuntu Linux    22.04 LTS, 22.10                  Update openssh-client packages
Debian Linux    Bookworm (12), Sid (Unstable)     Update openssh packages
Fedora Linux    Fedora 37, 38                     Update openssh packages

CVE-2023-28531 technical description

The vulnerability lies within the ssh-add tool, which is used to load private keys into the ssh-agent authentication agent.

In OpenSSH 8.9, a feature was added to support "per-hop destination constraints" for keys stored on smartcards. This feature allows a user to load a key but restrict its usage to specific hosts (e.g., "allow this key only for ssh jump-host").

However, due to a logic flaw in the implementation, when a user executes the command to add a smartcard key with these constraints (e.g., ssh-add -h "constraint" ...), the constraints are never actually sent to the ssh-agent. The agent simply receives the key and stores it as an unrestricted key. This means the key can be used to authenticate to any server that accepts it, rather than just the intended targets.

Tactics, Techniques & Procedures (TTPs)

Attackers exploit CVE-2023-28531 primarily for Lateral Movement and Defense Evasion.

  • Lateral Movement: If an attacker compromises a machine where a user has forwarded their SSH agent (believing it was restricted), the attacker can hijack that agent to authenticate to other servers on the network that the user has access to, bypassing the intended destination limits.

  • Policy Bypass: The vulnerability inherently defeats security policies designed to compartmentalize access. Attackers leverage this to pivot through networks more freely than the administrator intended.

Indicators of compromise

Detecting active exploitation is difficult because the traffic appears as legitimate SSH authentication traffic. However, auditors can look for:

  • Configuration Audits: Scanning for ssh-add commands in shell history that utilize the -h flag in conjunction with smartcard libraries.

  • Agent Inspection: Users can run ssh-add -L to list keys currently in their agent. If a key was added with constraints but appears in the list without them, the vulnerability has triggered.
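As an added example (it is not from the original article), the script below implements the configuration audit described above: it scans bash-format and zsh-format shell history for ssh-add invocations that combine -h (a per-hop destination constraint) with -s (a PKCS#11 provider library), which is exactly the usage that OpenSSH 8.9 through 9.2 silently loads without constraints. The history content and the provider library paths are constructed placeholders. One practical note on the listing check: ssh-add -l and ssh-add -L print key type, fingerprint, public key and comment, and the agent's identity listing carries no constraint data, so a listing by itself cannot show whether constraints were applied; the audit of how keys were loaded together with the installed version is the dependable signal.

```shell
#!/bin/sh
# Added example (not from the original article): audit shell history for
# ssh-add invocations that combine a per-hop destination constraint (-h)
# with a PKCS#11 provider (-s). On OpenSSH 8.9 through 9.2 this is the
# usage pattern that CVE-2023-28531 downgrades to an unconstrained key.
set -eu

# Constructed sample history mixing bash (HISTTIMEFORMAT "#<epoch>" stamps)
# and zsh extended-history lines. A real run would point at
# ~/.bash_history or ~/.zsh_history for each user of interest.
SAMPLE_HISTORY="$(mktemp)"
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat >"$SAMPLE_HISTORY" <<'EOF'
#1678900000
ssh-add ~/.ssh/id_ed25519
#1678900010
ssh-add -h "jump.example.com" -h "jump.example.com>db.example.com" -s /usr/lib/opensc-pkcs11.so
: 1678900020:0;ssh-add -s /usr/lib/opensc-pkcs11.so
: 1678900030:0;ssh-add -h "bastion.example.com" -s /usr/lib/libykcs11.so
#1678900040
ssh-add -h "bastion.example.com" ~/.ssh/id_rsa
EOF

# Print every ssh-add command line that uses both -h and -s.
# Bash "#<epoch>" stamp lines are dropped and the zsh ": <epoch>:<dur>;"
# prefix is stripped so the same matching applies to both formats.
find_constrained_smartcard_adds() {
    grep -v '^#' "$1" \
    | sed -E 's/^: [0-9]+:[0-9]+;//' \
    | grep -E '(^|[[:space:];&|])ssh-add([[:space:]]|$)' \
    | grep -E '(^|[[:space:]])-h([[:space:]]|$)' \
    | grep -E '(^|[[:space:]])-s([[:space:]]|$)' || true
}

# Number of matching invocations (0 when there are none).
count_constrained_smartcard_adds() {
    find_constrained_smartcard_adds "$1" | grep -c . || true
}

echo "constrained smartcard ssh-add invocations: $(count_constrained_smartcard_adds "$SAMPLE_HISTORY")"
find_constrained_smartcard_adds "$SAMPLE_HISTORY"
```

Keys loaded from a file with -h (the last sample line) are handled correctly on every version and are deliberately not reported; the smartcard-only line without -h is not reported either, because no constraint was ever requested for it. A hit is only an exposure when the OpenSSH that ran the command was 8.9 through 9.2.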

Known proof-of-concepts & exploits

There are no complex exploit scripts required for this vulnerability. The "exploit" is simply the standard usage of the tool in a vulnerable configuration.

Security researchers and vendors have confirmed that simply running the standard ssh-add command with constraints on a vulnerable version results in the failure, verifying the issue is widespread across unpatched Linux distributions.

How to detect CVE-2023-28531 vulnerability?

  • Version Scanning: The primary detection method is to check the installed version of OpenSSH. Run ssh -V on the endpoint. If the version reports between 8.9 and 9.2, the system is vulnerable.

  • Vulnerability Scanners: Tools like Tenable Nessus, Qualys, and Wiz have plugins to identify systems running vulnerable OpenSSH versions.
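The version check above, written out as a script; this is an added example and not code from the article. It parses the string that ssh -V prints (to stderr) and reports whether the upstream version falls within 8.9 through 9.2. Because Ubuntu 22.04 ships 8.9p1 and Debian 12 ships 9.2p1 with the fix backported under the same version string, the upstream number alone over-reports, so two package-changelog helpers give the second check; they assume the distribution's security update names the CVE in its changelog entry, which is the usual Debian, Ubuntu and Fedora practice. The version strings fed to the demonstration loop are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): classify an OpenSSH
# version string against the CVE-2023-28531 affected range 8.9 <= v < 9.3
# and, where available, confirm a distribution backport of the fix.
set -eu

# Extract "major minor" from strings such as
#   "OpenSSH_9.0p1, OpenSSL 3.0.5 5 Jul 2022"   (what `ssh -V` prints)
# or a bare "8.9p1". Prints nothing for unrecognised input.
openssh_major_minor() {
    printf '%s\n' "$1" | sed -nE 's/^(OpenSSH_)?([0-9]+)\.([0-9]+).*/\2 \3/p'
}

# Returns 0 when the upstream version is in 8.9..9.2, 1 when outside it,
# 2 when the string could not be parsed. Upstream-only: a hit means
# "verify the package", not "vulnerable", because distributions backport
# fixes without changing the version string.
is_affected_upstream_version() {
    set -- $(openssh_major_minor "$1")
    [ "$#" -eq 2 ] || return 2
    major=$1; minor=$2
    if [ "$major" -eq 8 ] && [ "$minor" -ge 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -le 2 ]; then return 0; fi
    return 1
}

# Debian/Ubuntu: the backported fix is recorded in the package changelog
# (assumption: the security update's changelog entry names the CVE).
debian_changelog_has_fix() {
    zcat /usr/share/doc/openssh-client/changelog.Debian.gz 2>/dev/null \
        | grep -q 'CVE-2023-28531'
}

# Fedora/RHEL equivalent through the RPM changelog (same assumption).
rpm_changelog_has_fix() {
    rpm -q --changelog openssh 2>/dev/null | grep -q 'CVE-2023-28531'
}

# Live check on this host: version range first, then the backport check.
check_local_ssh() {
    v="$(ssh -V 2>&1 || true)"
    if is_affected_upstream_version "$v"; then
        if debian_changelog_has_fix || rpm_changelog_has_fix; then
            echo "upstream range hit but distro changelog records the fix: $v"
        else
            echo "upstream range hit, no backport evidence found: $v"
        fi
    else
        echo "outside affected range: $v"
    fi
}

# Constructed sample strings for demonstration.
for sample in "OpenSSH_9.0p1, OpenSSL 3.0.5 5 Jul 2022" \
              "OpenSSH_8.9p1" \
              "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023"; do
    if is_affected_upstream_version "$sample"; then
        echo "IN RANGE : $sample"
    else
        echo "clear    : $sample"
    fi
done

if command -v ssh >/dev/null 2>&1; then check_local_ssh; fi
```

The range test compares the major and minor numbers only; the portable-release suffix (p1) and any distribution tag are ignored on purpose, since neither changes whether the upstream code carries the bug.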

Impact & risk of CVE-2023-28531 vulnerability

The risk is categorized as Critical (CVSS 9.8) by the NVD, though strictly speaking, it impacts a specific subset of users (those using smartcards and constraints).

For organizations relying on these constraints for Zero Trust segmentation, the impact is severe. It allows for unauthorized access to sensitive systems and enables attackers to bypass network segmentation controls enacted at the application layer.

Mitigation & remediation strategies

Patching is the only effective solution for this software defect.

  • Update OpenSSH: Upgrade client and server packages to OpenSSH 9.3 or later immediately via your OS package manager (e.g., apt upgrade openssh-client, dnf update openssh).

  • Limit Agent Forwarding: As a general best practice, avoid using SSH agent forwarding (ssh -A) on untrusted hosts. If agent forwarding is not used, the risk of agent hijacking is significantly reduced.

CVE-2023-28531 Vulnerability FAQs

CVE-2023-28531 is a vulnerability in OpenSSH that ignores security restrictions when adding smartcard keys. When a user tries to limit where a key can be used, the software fails to apply those limits, allowing the key to be used anywhere.

It is not a virus that infects systems. It is a bug in the installed OpenSSH software. If a user has a vulnerable version installed, the software will simply fail to apply security settings correctly when they try to use them.

Yes, for systems that have not been updated. While the patch was released in 2023, legacy servers or neglected endpoints running OpenSSH 8.9–9.2 remain vulnerable to this policy bypass.

Organizations should ensure all Linux endpoints and servers are updated to OpenSSH version 9.3 or later. Security teams can also audit SSH usage to ensure agent forwarding is only used when necessary.
