A high-severity vulnerability has been discovered in OpenSSH that could potentially be exploited by an attacker to execute arbitrary commands on a targeted system.
The vulnerability, tracked as CVE-2023-51385, stems from insufficient validation of user-supplied input in certain situations when the ProxyCommand or ProxyJump features of OpenSSH are used.
The vulnerability, which carries a severity score of 9.8 out of 10 on the CVSS scale, impacts all versions of OpenSSH before 9.6p1. The flaw arises when a hostname with shell metacharacters is provided as user input and is then expanded using a token like %h or %u in ProxyCommand or ProxyJump.
This could allow an attacker to inject malicious code into the expanded parameter and achieve remote code execution on the targeted host. The same vulnerable pattern also affects libssh versions before 0.10.6 or 0.9.8 (tracked as CVE-2023-6004, CVSS 3.9).
ProxyCommand and ProxyJump are useful features in OpenSSH that enable connections to be proxied through intermediate hosts. However, insufficient sanitization of user-supplied hostnames provided to these features can be leveraged to achieve malicious command execution.
According to an analysis by Vin01 Research, the vulnerability arises because SSH's ProxyCommand feature allows custom commands to be specified to connect through proxies. The directives for this feature can contain tokens like %h for hostname and %u for username.
When originating from untrusted sources, a crafted hostname with embedded shell metacharacters could lead to arbitrary command execution. The researcher was able to develop a simple proof-of-concept on OSX to pop a calculator using the vulnerable feature:
git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules
This demonstrates that the vulnerability is real and exploitable in the right circumstances by a remote attacker.
Impact on Users
This vulnerability affects all users of OpenSSH client and server implementations on Linux, macOS, BSD, and other operating systems. The impact is broad because OpenSSH is one of the most widely used SSH implementations.
If successfully exploited, the flaw could be leveraged to bypass authentication and gain unauthorized remote access to systems running the vulnerable OpenSSH versions. Attackers could launch further attacks, escalate privileges, steal data, and more.
Recommended Mitigations
To mitigate this vulnerability, all affected users should urgently update to the latest OpenSSH version, 9.6p1, which contains the fix for this flaw. For libssh, version 0.10.6 or 0.9.8 resolves the issue.
Organizations are advised to deploy the patched releases across their infrastructure to eliminate any exposure to attacks leveraging this vulnerability. Users should also be cautious about trusting hostnames from untrusted sources.
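To make the %h/%u token-expansion issue and the "be cautious about untrusted hostnames" advice concrete, here is an added Python example (not OpenSSH's, libssh's or the researcher's code). It expands a ProxyCommand-style template the way the text describes and, as a defensive pre-check for any wrapper that feeds hostnames into ssh, rejects values that fall outside a conservative allowlist. The allowlist (letters, digits, '-' and '.', no leading '-') is my assumption modelled on the character restrictions the OpenSSH fix introduced, and every sample hostname is constructed.

```python
import re

# Assumed allowlist modelled on the OpenSSH 9.6 hostname rules: letters,
# digits, '-' and '.', and the name may not start with '-' (which would
# otherwise be read as an option by the proxy command or by ssh itself).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")

# Characters that carry meaning for /bin/sh, which is what ssh uses to run
# the expanded ProxyCommand string.
SHELL_METACHARS = set("`$|&;<>()'\"\\ \t\n*?[]{}!#~")


def shell_metacharacters(value: str) -> set:
    """Return the set of shell metacharacters present in value (empty if clean)."""
    return {c for c in value if c in SHELL_METACHARS}


def is_safe_hostname(hostname: str) -> bool:
    """True only if hostname matches the conservative allowlist above."""
    return len(hostname) <= 253 and _HOSTNAME_RE.fullmatch(hostname) is not None


def expand_tokens(template: str, hostname: str, user: str, port: int = 22) -> str:
    """Expand %h, %u, %p and %% in a ProxyCommand-style template with NO
    validation. This mirrors the vulnerable pattern: whatever is in hostname
    lands verbatim in a string that will later be handed to a shell."""
    tokens = {"h": hostname, "u": user, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            tok = template[i + 1]
            out.append(tokens.get(tok, "%" + tok))  # unknown tokens are kept as-is
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def safe_expand(template: str, hostname: str, user: str, port: int = 22) -> str:
    """Hardened form: refuse untrusted values before they reach the template."""
    if not is_safe_hostname(hostname):
        raise ValueError(f"refusing hostname outside allowlist: {hostname!r}")
    if shell_metacharacters(user):
        raise ValueError(f"refusing user with shell metacharacters: {user!r}")
    return expand_tokens(template, hostname, user, port)
```

The same pre-check belongs in any tool (deployment scripts, repository-driven automation such as the git submodule case above) that turns externally supplied names into ssh invocations.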
The maintainers have credited security researcher Vin01 for responsibly reporting this flaw so it could be addressed promptly before any exploits surfaced in the wild. This incident highlights the importance of prompt patching to ensure vulnerabilities do not lead to damaging incidents.
This critical vulnerability in widely used OpenSSH software could have enabled remote code execution in certain scenarios. Thanks to responsible disclosure and patching by the OpenSSH team, the risk has now been mitigated for users who update to the latest secure versions.