Advisory

Critical vulnerability in OpenSSH could expose Remote Code Execution

Take action: Inventory every system that runs an SSH client, not just those that expose sshd: developer workstations, build and CI agents, and anything that invokes ssh indirectly (git over SSH, rsync, scp, configuration-management tools). Upgrade the OpenSSH client to 9.6 (9.6p1 for the portable release) or to a vendor package that backports the fix; clients built on libssh should move to 0.10.6 or 0.9.8, which close a similar, separately tracked ProxyCommand flaw in that library. Placing sshd behind a VPN does not address this issue: the injection runs on the client and is triggered by a hostname the client is asked to connect to, so it reaches users who never expose SSH to the internet.


Learn More

A command-injection flaw, tracked as CVE-2023-51385, has been found in the OpenSSH client. It lets an attacker who controls a hostname the client is asked to connect to run arbitrary shell commands on the connecting machine, with the privileges of the user running ssh. Severity ratings assigned to it vary by source (the CVSS 9.8 figure that circulated with it is higher than NVD's own rating); what matters operationally is that the trigger is a hostname, which can arrive through channels such as git submodule URLs, rather than a packet sent to sshd.

The issue sits in the ProxyCommand and ProxyJump features of ssh(1). ProxyCommand is a user-supplied shell command template in which tokens such as %h (the hostname), %r (the remote username), %u (the local username) and %p (the port) are expanded before the result is handed to /bin/sh -c. Before OpenSSH 9.6 the client did not check the hostname or username for shell metacharacters before expansion, so a hostname such as $(cmd), or one containing a semicolon or backticks, became part of the command line the shell executed. All OpenSSH releases before 9.6 are affected; the fix shipped in 9.6 (9.6p1 for the portable build).

An attacker who can make a victim's ssh client connect to such a hostname therefore gets arbitrary command execution on the victim's machine, as the user running ssh. The attacker needs no network access to the victim and no SSH server of their own.

ProxyCommand and ProxyJump are OpenSSH client features for routing a connection through an intermediate host. ProxyCommand lets the user supply an arbitrary command to set up that connection; ProxyJump is a convenience option that the client implements internally by generating a ProxyCommand of the form ssh -W '[%h]:%p' <jump host>, so a hostname injection reaches the shell through either one. The flexibility that makes ProxyCommand useful is exactly what makes it dangerous when the hostname comes from an untrusted source: the analysis published by the researcher vin01 showed that a hostname carrying shell metacharacters is expanded straight into the command line and executed.
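To make the mechanism concrete, here is an added Python model of the vulnerable expansion beside a hardened version. It is illustrative code written for this advisory, not OpenSSH source: the ProxyCommand template, the payload and the exact character allowlist are assumptions, and the template uses echo so the run is harmless and works offline. It shows that the expanded string really is executed by sh -c, so the command substitution hidden in the hostname runs, and that validating the hostname and remote user before expansion (the approach OpenSSH 9.6 took, with its own exact rule) stops it.

```python
import re
import subprocess

# Constructed stand-in for a user's ProxyCommand template. A real config would
# use something like "ssh -W '[%h]:%p' bastion" or "nc -X connect ... %h %p";
# echo is used so the example runs offline and the injected text shows up in stdout.
PROXY_TEMPLATE = "echo connecting to %h port %p as %r"

# Assumption: an allowlist of characters a hostname or remote username may contain.
# Shell metacharacters ($ ` ; | & ( ) < > ' " \ and whitespace) are excluded.
# Square brackets and ':' are kept so IPv6 literals such as [2001:db8::1] still pass.
_HOST_OK = re.compile(r"^[A-Za-z0-9.\-_\[\]:]+$")
_USER_OK = re.compile(r"^[A-Za-z0-9.\-_@]+$")


def expand_proxy_command(template: str, host: str, port: int, user: str) -> str:
    """Percent-expand a ProxyCommand template the way ssh(1) does.

    Simplified to the tokens that matter here: %h host, %p port, %r remote user,
    %% literal percent. Nothing is quoted or escaped: the substituted values
    become part of a string that is later handed to the shell verbatim.
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok == "h":
                out.append(host)
            elif tok == "p":
                out.append(str(port))
            elif tok == "r":
                out.append(user)
            elif tok == "%":
                out.append("%")
            else:
                out.append(ch + tok)  # unknown token: leave it untouched
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def run_proxy_vulnerable(host: str, port: int = 22, user: str = "git") -> str:
    """Pre-9.6 behaviour: expand, then execute via 'sh -c' with no validation."""
    cmd = expand_proxy_command(PROXY_TEMPLATE, host, port, user)
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=False)
    return proc.stdout.strip()


def valid_hostname(host: str) -> bool:
    """Reject shell metacharacters and a leading '-' (which could become an option)."""
    return not host.startswith("-") and _HOST_OK.fullmatch(host) is not None


def valid_ruser(user: str) -> bool:
    """Same idea for the remote username substituted through %r."""
    return not user.startswith("-") and _USER_OK.fullmatch(user) is not None


def run_proxy_hardened(host: str, port: int = 22, user: str = "git") -> str:
    """Fixed behaviour: refuse to expand anything that could alter the command line."""
    if not valid_hostname(host):
        raise ValueError(f"hostname contains invalid characters: {host!r}")
    if not valid_ruser(user):
        raise ValueError(f"remote username contains invalid characters: {user!r}")
    return run_proxy_vulnerable(host, port, user)


if __name__ == "__main__":
    benign = "bastion.example.com"
    # Constructed payload. A real attack would run something other than echo,
    # e.g. copy ~/.ssh keys elsewhere; the "$(...)" shape is what matters.
    malicious = "$(echo INJECTED)"
    print(run_proxy_vulnerable(benign))     # connecting to bastion.example.com port 22 as git
    print(run_proxy_vulnerable(malicious))  # connecting to INJECTED port 22 as git
    try:
        run_proxy_hardened(malicious)
    except ValueError as err:
        print("hardened client refused:", err)
```

The second printed line is the whole bug: the shell ran the attacker's command substitution before echo ever saw the hostname. The hardened path never reaches sh -c for that input. An allowlist was chosen here over a denylist of metacharacters because it also fails closed on characters nobody thought to list.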

A working proof of concept was demonstrated on macOS: cloning a repository prepared by the researcher with

git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules

is enough to launch the Calculator application. The repository's submodule URL points at a crafted hostname; git hands that hostname to ssh, and on a client whose configuration applies a ProxyCommand or ProxyJump to that target (a wildcard Host block, for instance) the injected command runs. No connection to any real SSH server takes place.

Exposure is client-side: any OpenSSH client before 9.6, on Linux, macOS, BSD or elsewhere, that is or can be configured with ProxyCommand or ProxyJump and that can be induced to connect to an attacker-chosen hostname. sshd is not affected. Successful exploitation gives the attacker command execution as the victim user, which can then be used to read that user's keys and credentials, pivot to systems the user can reach, or attempt local privilege escalation.

To address the issue, upgrade OpenSSH to 9.6 (9.6p1 for the portable release), where the client rejects hostnames and usernames containing shell metacharacters before they reach ProxyCommand, or to a vendor package that backports that change. Clients built on libssh should move to 0.10.6 or 0.9.8, which fix a similar, separately tracked flaw in that library's ProxyCommand handling. Until updated, treat hostnames from untrusted sources (git submodules, repository URLs in CI job definitions, user-supplied inventory) as hostile, and confine ProxyCommand and ProxyJump to narrow Host blocks rather than wildcards.
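The following added helper, written for this advisory rather than taken from OpenSSH or any vendor tool, performs the two checks the upgrade advice implies: it reads the client version out of the banner that ssh -V prints and flags anything before 9.6, and it scans an ssh_config for entries that feed the hostname into a shell, meaning ProxyCommand lines that expand %h, %r or %u and every ProxyJump line. The config text and the banners in the demo are constructed samples; the optional call to the local ssh binary is skipped when none is installed, so the block runs offline.

```python
import re
import subprocess

FIXED_IN = (9, 6)                   # ssh(1) began rejecting metacharacter hostnames in 9.6
_BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)")
_TOKENS = re.compile(r"%[hru]")     # hostname, remote user, local user expansions

# Constructed sample ~/.ssh/config for the demonstration.
SAMPLE_CONFIG = """\
# jump through the bastion for everything internal
Host bastion
    HostName bastion.example.com

Host *.internal.example.com
    ProxyJump bastion

Host github.com
    ProxyCommand nc -X connect -x proxy.example.com:8080 %h %p

Host static
    ProxyCommand=ssh -W fixed.example.com:22 bastion
"""


def openssh_version(banner: str):
    """Parse (major, minor) from an 'ssh -V' banner such as
    'OpenSSH_9.3p1 Ubuntu-1ubuntu3.2, OpenSSL 3.0.10 1 Aug 2023'. None if unrecognised."""
    m = _BANNER.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def predates_fix(banner: str) -> bool:
    """True when the banner's version is older than 9.6. Distributions may backport
    the fix into an older version string, so treat True as 'check the package
    changelog', not as proof of vulnerability."""
    v = openssh_version(banner)
    return v is not None and v < FIXED_IN


def risky_proxy_entries(config_text: str):
    """Return (host_pattern, directive, value) for every ProxyJump line and every
    ProxyCommand that expands %h, %r or %u. Accepts 'Key value' and 'Key=value',
    skips comment lines, and tracks the Host/Match block each directive belongs to.
    Does not follow Include directives; scan included files separately."""
    findings = []
    block = "*"                      # directives before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            block = value
        elif key == "proxyjump":
            findings.append((block, "ProxyJump", value))
        elif key == "proxycommand" and _TOKENS.search(value):
            findings.append((block, "ProxyCommand", value))
    return findings


def local_ssh_banner():
    """Run 'ssh -V' on this machine (it prints its banner to stderr); None if absent."""
    try:
        proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return (proc.stderr or proc.stdout).strip()


if __name__ == "__main__":
    # Constructed banners: one pre-fix, one post-fix.
    for banner in ("OpenSSH_9.3p1 Ubuntu-1ubuntu3.2, OpenSSL 3.0.10 1 Aug 2023",
                   "OpenSSH_9.6p1, LibreSSL 3.3.6"):
        print(f"{banner!r}: predates 9.6 fix -> {predates_fix(banner)}")
    for block, directive, value in risky_proxy_entries(SAMPLE_CONFIG):
        print(f"Host {block}: {directive} {value}")
    banner = local_ssh_banner()
    if banner:
        print("this machine:", banner, "-> predates fix:", predates_fix(banner))
```

Run it against both ~/.ssh/config and /etc/ssh/ssh_config, since a system-wide wildcard ProxyCommand affects every user. To see what a given hostname will actually trigger after all blocks and includes are merged, ssh -G <host> prints the effective configuration, including proxycommand and proxyjump.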
