Bug 2255271 (CVE-2023-51385) - CVE-2023-51385 openssh: potential command injection via shell metacharacters
Summary: CVE-2023-51385 openssh: potential command injection via shell metacharacters
Keywords:
Status: NEW
Alias: CVE-2023-51385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255272
Blocks: 2255265
Reported: 2023-12-19 19:18 UTC by Robb Gatica
Modified: 2024-06-20 08:28 UTC

Fixed In Version: openssh 9.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSH. In certain circumstances, a remote attacker may be able to execute arbitrary OS commands by using expansion tokens, such as %u or %h, with user names or host names that contain shell metacharacters.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
Red Hat Product Errata RHSA-2024:0429 (last updated 2024-01-24 16:49:23 UTC)
Red Hat Product Errata RHSA-2024:0455 (last updated 2024-01-24 16:40:24 UTC)
Red Hat Product Errata RHSA-2024:0594 (last updated 2024-01-30 14:07:58 UTC)
Red Hat Product Errata RHSA-2024:0606 (last updated 2024-01-30 14:53:35 UTC)
Red Hat Product Errata RHSA-2024:1130 (last updated 2024-03-05 18:12:19 UTC)

Description Robb Gatica 2023-12-19 19:18:17 UTC
Summary:
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.

Description:
If an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.

This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources.

Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands.

User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files.

References:
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
https://www.openssh.com/txt/release-9.6
https://www.openwall.com/lists/oss-security/2023/12/18/2
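The description above explains the mitigation shipped in OpenSSH 9.6 (refusing most shell metacharacters in command-line user and host names) and the git-submodule path by which untrusted names reach ssh(1). The following is an added example, not code from the OpenSSH project or from this bug's reporter: a small Python validator in the same spirit, plus a scanner that applies it to the ssh targets found in a repository's .gitmodules file before any checkout runs ssh. The exact allowed/forbidden character sets, the function names and the sample .gitmodules content are this example's own assumptions, not OpenSSH's actual code.

```python
import re
from typing import List, Optional, Tuple

# Policy for this example (an assumption, not the set OpenSSH uses verbatim):
# characters that a POSIX shell would treat specially once substituted for %u/%r.
USER_FORBIDDEN = set("'`\";&<>|(){}$")
# Host names: DNS label characters only. IPv6 literals (with ':') are outside
# this allow-list and would need separate handling.
HOST_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def valid_hostname(host: str) -> bool:
    """True if the host name contains nothing that could reach a shell via %h."""
    return bool(host) and HOST_ALLOWED.match(host) is not None


def valid_username(user: str) -> bool:
    """True if the user name is safe to substitute for %u / %r."""
    if not user or user.startswith("-"):
        return False                      # looks like an option to the program run
    if any(c in USER_FORBIDDEN for c in user):
        return False                      # shell metacharacter
    if user.endswith("\\"):
        return False                      # trailing backslash escapes the next char
    if re.search(r"\s-", user):
        return False                      # whitespace then '-' reads as a new option
    return True


def check_ssh_target(target: str) -> Tuple[bool, str]:
    """Validate an ssh-style destination of the form [user@]host."""
    user, sep, host = target.rpartition("@")
    if sep and not valid_username(user):
        return False, f"user name {user!r} contains disallowed characters"
    if not valid_hostname(host):
        return False, f"host name {host!r} contains disallowed characters"
    return True, "ok"


# Git URL forms that are handed to ssh: ssh:// URLs and scp-like "host:path".
_SSH_URL = re.compile(r"^ssh://(?:(?P<user>[^@/]*)@)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@]*)@)?(?P<host>[^:/]+):(?P<path>.*)$")


def ssh_target_from_git_url(url: str) -> Optional[str]:
    """Extract [user@]host from a git URL, or None if git would not use ssh for it."""
    if "://" in url and not url.startswith("ssh://"):
        return None                       # https://, file://, etc.
    m = _SSH_URL.match(url) or _SCP_LIKE.match(url)
    if not m:
        return None
    user, host = m.group("user"), m.group("host")
    return f"{user}@{host}" if user is not None else host


def audit_gitmodules(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, reason) for every submodule whose ssh target is rejected."""
    findings: List[Tuple[str, str]] = []
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[submodule "(.*)"\]$', line)
        if m:
            name = m.group(1)
            continue
        if name is not None and line.startswith("url") and "=" in line:
            url = line.split("=", 1)[1].strip()
            target = ssh_target_from_git_url(url)
            if target is None:
                continue
            ok, reason = check_ssh_target(target)
            if not ok:
                findings.append((name, reason))
    return findings


# Constructed sample .gitmodules content (not from any real repository).
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = git@git.example.org:vendor/libfoo.git
[submodule "vendor/libbar"]
\tpath = vendor/libbar
\turl = https://git.example.org/vendor/libbar.git
[submodule "vendor/odd"]
\tpath = vendor/odd
\turl = ssh://git@bad;x.example.org/vendor/odd.git
"""

if __name__ == "__main__":
    for sub, why in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"REJECT {sub}: {why}")
```

The scanner deliberately rejects rather than quotes: as the description notes, quoting inside a ProxyCommand or LocalCommand cannot be relied on to neutralise every metacharacter, so names that fail the allow-list are refused before ssh(1) is ever invoked. Running the block on the constructed sample reports only the third submodule, whose host name contains a semicolon.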

Comment 1 Robb Gatica 2023-12-19 19:27:17 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2255272]

Comment 6 errata-xmlrpc 2024-01-24 16:40:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0455 https://access.redhat.com/errata/RHSA-2024:0455

Comment 7 errata-xmlrpc 2024-01-24 16:49:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0429 https://access.redhat.com/errata/RHSA-2024:0429

Comment 8 errata-xmlrpc 2024-01-30 14:07:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0594 https://access.redhat.com/errata/RHSA-2024:0594

Comment 9 errata-xmlrpc 2024-01-30 14:53:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0606 https://access.redhat.com/errata/RHSA-2024:0606

Comment 11 errata-xmlrpc 2024-03-05 18:12:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1130 https://access.redhat.com/errata/RHSA-2024:1130
