PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-51384 Debian CVE debrief

CVE-2023-51384 is a medium-severity OpenSSH ssh-agent issue published on 2023-12-18. When destination constraints are added for PKCS#11-hosted private keys, ssh-agent may apply those constraints only to the first key returned by a token. That means later keys from the same token may not receive the intended destination restriction, reducing the protection those constraints are supposed to provide.

Vendor: Debian
Product: CVE-2023-51384
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-12-18
Original CVE updated: 2026-05-12
Advisory published: 2023-12-18
Advisory updated: 2026-05-12

Who should care

Administrators and users who rely on OpenSSH ssh-agent with PKCS#11 tokens or smartcard-backed keys should pay attention, especially where destination constraints are used to limit where keys can be used. Debian-listed OpenSSH packages, and other downstream builds that may or may not yet incorporate the OpenSSH 9.6 fix, should be reviewed.

Technical summary

The issue is in ssh-agent handling of destination constraints for PKCS#11-hosted private keys. According to the supplied NVD description, if a PKCS#11 token returns multiple keys during addition, ssh-agent only applies the destination constraint to the first key. The NVD vector indicates local access with low privileges and no user interaction, with confidentiality impact rated high and no integrity or availability impact (CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). NVD lists OpenSSH versions before 9.6 as vulnerable and includes Debian 11 and 12 CPEs in its affected set.

Defensive priority

Medium. The issue is not listed in CISA KEV and the supplied record does not indicate active exploitation, but it affects a credential-protection control and can weaken assumptions about constrained key use. Organizations using ssh-agent with PKCS#11 should validate patch level and configuration.

Recommended defensive actions

  • Upgrade OpenSSH to version 9.6 or later, or to a downstream package that includes the upstream fix.
  • Review any ssh-agent workflows that add PKCS#11-hosted private keys with destination constraints.
  • Confirm affected systems against the supplied NVD CPEs and vendor advisories, including Debian 11/12 and OpenSSH before 9.6.
  • Track downstream security advisories for your platform, such as Debian, Apple, NetApp, and other OpenSSH consumers listed in the references.
  • If destination constraints are part of your key-use policy, verify that operational guidance and monitoring reflect the possibility of multiple keys from a single token.
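As an added illustration of the first and third actions above (not part of the PatchSiren debrief or of OpenSSH itself), the POSIX shell script below parses the banner that `ssh -V` prints and classifies a host against the NVD "before 9.6" boundary. The banner strings used in the comments and in the live check are constructed samples. The script deliberately does not report "vulnerable" for an upstream version below 9.6: distributions such as Debian backport fixes without changing the upstream version, so that case is labelled "check distro backport" and must be resolved against the downstream advisory for your platform.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version banner against the
# CVE-2023-51384 upstream boundary (fixed in OpenSSH 9.6).
# Note: "ssh -V" writes its banner to stderr, hence the 2>&1 below.

# Print "major.minor" from a banner such as the constructed sample
# "OpenSSH_9.2p1 Debian-2+deb12u0, OpenSSL 3.0.0 1 Jan 2024" -> "9.2".
# Prints nothing if the banner does not start with OpenSSH_<digits>.<digits>.
openssh_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) when the upstream version is before 9.6,
# 1 when it is 9.6 or later. The caller guarantees a parsable banner.
openssh_before_9_6() {
    ver=$(openssh_version_from_banner "$1")
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 9 ]; then
        return 0
    fi
    if [ "$major" -eq 9 ] && [ "$minor" -lt 6 ]; then
        return 0
    fi
    return 1
}

# Print one of:
#   UPSTREAM_FIXED         upstream version is 9.6 or later
#   CHECK_DISTRO_BACKPORT  upstream version is older; consult the vendor
#                          advisory, since the fix may be backported
#   UNKNOWN                banner could not be parsed
# Written with if/elif so it behaves the same under "set -e".
classify_openssh_banner() {
    if [ -z "$(openssh_version_from_banner "$1")" ]; then
        echo UNKNOWN
    elif openssh_before_9_6 "$1"; then
        echo CHECK_DISTRO_BACKPORT
    else
        echo UPSTREAM_FIXED
    fi
}

# Live check on the current host, if an ssh client is installed.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    echo "$banner -> $(classify_openssh_banner "$banner")"
fi
```

For fleet use, run the live check over your inventory and treat every CHECK_DISTRO_BACKPORT result as an open item until the installed package version is matched against the Debian (or other vendor) advisory for CVE-2023-51384; only UPSTREAM_FIXED can be closed on the banner alone.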

Evidence notes

Primary evidence comes from the supplied NVD description and CVSS data for CVE-2023-51384. NVD lists OpenSSH versions before 9.6 as vulnerable and includes Debian 11/12 CPEs. The supplied references also include the OpenSSH 9.6 release notes, the upstream patch commit, and downstream advisories from Debian, Apple, and NetApp. This debrief does not assume details beyond what is present in the provided corpus and official links.

Official resources

Publicly disclosed on 2023-12-18, per the supplied CVE publication timestamp. The supplied record was later modified on 2026-05-12, but that does not change the original disclosure date.