Bug 2255271 (CVE-2023-51385)

Summary: CVE-2023-51385 openssh: potential command injection via shell metacharacters
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bdettelb, caswilli, dfreiber, drow, fjansen, hkataria, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, kshier, mvanderw, orabin, psegedy, rmetrich, sthirugn, tsasak, vkrizan, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssh 9.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSH. In certain circumstances, a remote attacker may be able to execute arbitrary OS commands by using expansion tokens, such as %u or %h, with user names or host names that contain shell metacharacters.
Bug Depends On: 2255272
Bug Blocks: 2255265

Description Robb Gatica 2023-12-19 19:18:17 UTC
Summary:
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.

Description:
If an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.

This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources.

Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands.

User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files.
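The description above points at git submodules as the realistic path by which an untrusted user or host name reaches ssh(1). As a defender-side illustration (added example, not code from OpenSSH, Red Hat or git), the script below parses a constructed .gitmodules file, extracts the user and host part of every ssh-style submodule URL (both ssh:// URLs and the scp-like user@host:path form) and flags names that contain shell metacharacters or start with "-". The metacharacter set and the parsing regexes are this example's own assumptions; they approximate the countermeasure the release notes describe rather than reproducing OpenSSH 9.6's exact check.

```python
import re
from typing import NamedTuple, Optional

# Assumed set of shell metacharacters to reject in a user or host name.
# This is the example's own list, not the exact set OpenSSH 9.6 bans.
SHELL_METACHARS = set("'\"`;&|<>(){}$\\*?[]!~#% \t\n")


class SshTarget(NamedTuple):
    user: Optional[str]
    host: str


# ssh://[user@]host[:port]/path
_URL_RE = re.compile(r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^/:]+)(?::\d+)?(?:/|$)")
# scp-like [user@]host:path (what git uses for git@github.com:org/repo.git)
_SCP_RE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):")


def parse_ssh_target(url: str) -> Optional[SshTarget]:
    """Return the user/host of an ssh-style git URL, or None for other schemes."""
    m = _URL_RE.match(url)
    if m is None:
        if "://" in url:
            return None  # https://, file://, ...: ssh is not involved
        m = _SCP_RE.match(url)
        if m is None:
            return None  # plain local path
    return SshTarget(m.group("user"), m.group("host"))


def risky_name_reasons(name: Optional[str]) -> list[str]:
    """Explain why a user or host name would be unsafe to pass to ssh(1)."""
    if name is None:
        return []
    reasons = []
    if name.startswith("-"):
        reasons.append("starts with '-' (would be parsed as an option)")
    bad = sorted(set(name) & SHELL_METACHARS)
    if bad:
        reasons.append("contains shell metacharacter(s): " + " ".join(repr(c) for c in bad))
    return reasons


def check_gitmodules(text: str) -> list[tuple[str, str, str]]:
    """Return (submodule name, url, reason) for every risky ssh URL in .gitmodules text."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'\[submodule\s+"(.*)"\]', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"url\s*=\s*(.+)", line)
        if m and current is not None:
            url = m.group(1).strip()
            target = parse_ssh_target(url)
            if target is None:
                continue
            for field, value in (("user", target.user), ("host", target.host)):
                for reason in risky_name_reasons(value):
                    findings.append((current, url, f"{field} {reason}"))
    return findings


# Constructed sample .gitmodules: two benign entries, one host with a
# metacharacter, one host starting with '-'. No real repositories.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
    path = vendor/libfoo
    url = git@github.com:example/libfoo.git
[submodule "docs"]
    path = docs
    url = https://git.example.org/docs.git
[submodule "odd"]
    path = vendor/odd
    url = ssh://git@bad;host.example/odd.git
[submodule "opt"]
    path = vendor/opt
    url = -leading.example:repo.git
"""

if __name__ == "__main__":
    for name, url, reason in check_gitmodules(SAMPLE_GITMODULES):
        print(f"{name}: {url}: {reason}")
```

Running this over a checkout before `git submodule update` gives a cheap pre-check on hosts where ssh(1) has not yet been updated to 9.6; it does not replace the upgrade, and, like ssh's own filter, it cannot know which characters a particular ProxyCommand or LocalCommand quoting scheme would treat as special.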

References:
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
https://www.openssh.com/txt/release-9.6
https://www.openwall.com/lists/oss-security/2023/12/18/2

Comment 1 Robb Gatica 2023-12-19 19:27:17 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2255272]

Comment 6 errata-xmlrpc 2024-01-24 16:40:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0455 https://access.redhat.com/errata/RHSA-2024:0455

Comment 7 errata-xmlrpc 2024-01-24 16:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0429 https://access.redhat.com/errata/RHSA-2024:0429

Comment 8 errata-xmlrpc 2024-01-30 14:07:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0594 https://access.redhat.com/errata/RHSA-2024:0594

Comment 9 errata-xmlrpc 2024-01-30 14:53:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0606 https://access.redhat.com/errata/RHSA-2024:0606

Comment 11 errata-xmlrpc 2024-03-05 18:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1130 https://access.redhat.com/errata/RHSA-2024:1130