Debian and Ubuntu Fix More OpenSSH Vulnerabilities


In the wake of the widely reported "Terrapin" vulnerability, which lets a man-in-the-middle (MITM) attacker silently delete messages at the start of an encrypted SSH session and so downgrade the connection's security, Debian and Ubuntu have released security updates addressing five OpenSSH flaws. This article looks at what each of these vulnerabilities is, how it works, and what you should do to secure your OpenSSH installations.

What Are These New OpenSSH Vulnerabilities?

CVE-2021-41617

Cvss 3 Severity Score: 7.0 High

This issue is a flaw in how sshd initializes supplemental groups when it executes an AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper. When AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directs sshd to run the helper as a different user, sshd switches the user ID and primary group but does not reset the supplemental group list, so the helper inherits whatever groups sshd itself was started with (typically root's). The bug affects sshd from OpenSSH 6.2 through 8.7.

Depending on the system's group configuration, the helper program therefore runs with group privileges it was never meant to have, such as read or write access to group-protected files and sockets. An attacker who can influence what the helper does, or who has compromised the account it is supposed to run as, can use those inherited groups to escalate beyond that account.
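The pattern behind this bug is generic: a daemon that switches to another user must reset the supplemental group list before it gives up root, otherwise the child keeps the parent's groups. The following is an added example, not sshd's code, showing the mistaken sequence beside the correct one, plus a check that compares the groups a process actually holds with the groups the target user should have. The helper name, the group lookup logic and the leaked-group check are this example's own constructions; switching users requires running as root.

```python
"""Dropping privileges correctly before running a helper as another user.
Added example illustrating the CVE-2021-41617 pattern; not sshd's code."""
import grp
import os
import pwd


def expected_groups(username):
    """Primary gid plus every group in the group database that lists the user."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def leaked_groups(actual, expected):
    """Groups the process still holds that the target user should not have."""
    return set(actual) - set(expected)


def drop_privileges_buggy(username):
    """Shape of the mistake: uid and primary gid are switched, but the
    supplemental groups stay as inherited from the parent (e.g. root's)."""
    pw = pwd.getpwnam(username)
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def drop_privileges(username):
    """Correct order: initgroups (which needs root) before setgid and setuid,
    then verify nothing unexpected survived the switch."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    leaked = leaked_groups(os.getgroups(), expected_groups(username))
    if leaked:
        raise RuntimeError(f"supplemental groups leaked: {sorted(leaked)}")


def run_helper_as(username, argv):
    """Fork, drop privileges in the child, exec the helper; return its exit code.
    Only meaningful when the caller is root (hypothetical helper launcher)."""
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(username)
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # reached only if the switch or exec failed
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    # Compare what this process holds with what its user should hold.
    me = pwd.getpwuid(os.getuid()).pw_name
    print("leaked:", sorted(leaked_groups(os.getgroups(), expected_groups(me))))
```

Run as root with a target such as run_helper_as("nobody", ["id"]) to see the difference: the buggy variant leaves the child's id output listing root's supplemental groups, the corrected one lists only the groups nobody belongs to.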

CVE-2023-28531

Cvss 3 Severity Score: 9.8 Critical

This vulnerability is in ssh-add rather than in the agent itself. When smartcard (PKCS#11) keys were added to ssh-agent together with per-hop destination constraints (the -h option), a logic error meant the constraints were never communicated to the agent, so the keys were loaded without any restriction and could be used from any host, not just the intended hops. The fix shipped in OpenSSH 9.3.

CVE-2023-48795

Cvss 3 Severity Score: 5.9 Medium

Known as the Terrapin attack, this flaw exploits a prefix truncation weakness in the SSH transport protocol, allowing a Man-in-the-Middle (MITM) attacker to compromise the integrity of the start of the encrypted session. By injecting extra messages before encryption starts and deleting an equal number of consecutive messages immediately after encryption begins, the attacker shifts the sequence numbers so that neither side notices the deletion. The attack works against connections that negotiate chacha20-poly1305@openssh.com, or a CBC cipher combined with an Encrypt-then-MAC (-etm) MAC. OpenSSH 9.6 counters it with a "strict kex" extension, advertised as kex-strict-c-v00@openssh.com by clients and kex-strict-s-v00@openssh.com by servers, which both ends of a connection must support for the protection to take effect.

This is not a privilege escalation. What the attacker gains is the ability to drop the first encrypted messages of the session, such as the SSH2_MSG_EXT_INFO message, and thereby switch off security features that are negotiated there, for example the keystroke timing obfuscation introduced in OpenSSH 9.5. The practical impact is a downgrade of the connection's security rather than disclosure of its contents.
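Whether a given peer is exposed can be read off its SSH_MSG_KEXINIT: the cipher and MAC lists say whether a vulnerable combination is on offer, and the key-exchange list says whether the strict-kex marker is advertised. The following is an added example, not code from OpenSSH or from the Terrapin authors, that parses a KEXINIT payload (RFC 4253 section 7.1), applies that rule, and includes a small network routine to fetch a live server's KEXINIT. The two server samples at the bottom are constructed for illustration, not captured from real hosts; note that the check covers only the side you inspect, since strict kex only engages when both client and server advertise it.

```python
"""Parse an SSH peer's KEXINIT and assess Terrapin (CVE-2023-48795) exposure."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Strict-kex markers introduced in OpenSSH 9.6; a peer that advertises its
# marker is not exposed (both peers must advertise for the fix to engage).
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com",
              "client": "kex-strict-c-v00@openssh.com"}
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_namelist(buf, off):
    """Decode one RFC 4251 name-list: uint32 length, then comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message-type byte, then the 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_namelist(payload, off)
    return fields


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; used here to construct offline samples."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        names = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def assess_terrapin(fields, role="server"):
    """Return (exposed, reasons). The prefix-truncation attack needs
    chacha20-poly1305@openssh.com or a CBC cipher paired with an
    Encrypt-then-MAC (-etm) MAC, and no strict-kex support on this peer."""
    if STRICT_KEX[role] in fields["kex"]:
        return False, ["strict kex advertised"]
    enc = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    mac = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    reasons = []
    if "chacha20-poly1305@openssh.com" in enc:
        reasons.append("chacha20-poly1305@openssh.com offered")
    if any(c.endswith("-cbc") for c in enc) and any(m.endswith("-etm@openssh.com") for m in mac):
        reasons.append("CBC cipher with Encrypt-then-MAC offered")
    return bool(reasons), reasons or ["no vulnerable cipher/MAC combination offered"]


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange version banners and return the server's KEXINIT payload (network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin-check\r\n")
        f = sock.makefile("rb")
        while True:  # servers may send free-text lines before the SSH- banner
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)  # padding_length byte + payload + padding
        padding_len = body[0]
        return body[1:packet_len - padding_len]


# Constructed samples, not captured from real hosts.
UNPATCHED_SERVER = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
PATCHED_SERVER = dict(UNPATCHED_SERVER,
                      kex=UNPATCHED_SERVER["kex"] + [STRICT_KEX["server"]])

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER)):
        exposed, why = assess_terrapin(parse_kexinit(build_kexinit(sample)))
        print(f"{label}: exposed={exposed} ({'; '.join(why)})")
```

To check a real server, call assess_terrapin(parse_kexinit(fetch_server_kexinit("host"))). Removing chacha20-poly1305@openssh.com and the *-cbc ciphers from the offered list is the workaround for peers that cannot be updated; the sample shows that a server offering only AES-GCM is not exposed even without strict kex.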

CVE-2023-51384

Cvss 3 Severity Score: 5.5 Medium

This bug concerns private keys hosted on a PKCS#11 token. When such keys are added to the agent with destination constraints and the token returns more than one key, only the first key has the constraints applied; the remaining keys are added unconstrained and can be used from any host. The fix shipped in OpenSSH 9.6.

CVE-2023-51385

Cvss 3 Severity Score: 9.8 Critical

This flaw is a command injection: if a user name or host name containing shell metacharacters is passed to ssh, and a ProxyCommand or LocalCommand directive or a Match exec predicate references it through an expansion token such as %h or %r, the expanded string is handed to the shell with the metacharacters intact. An attacker who can supply arbitrary user or host names to ssh can therefore run commands on the client. This arises, for example, when git repositories contain submodules whose URLs carry shell characters in the user or host part. OpenSSH 9.6 fixes it by refusing to expand user and host names that contain shell metacharacters into such commands.
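The following added example (not OpenSSH's code, and not git's) makes the mechanism concrete: it reads submodule URLs out of a constructed .gitmodules file, performs the same percent-token expansion ssh does on a hypothetical ProxyCommand template, shows the command substitution that would reach /bin/sh, and then applies a conservative hostname filter in the spirit of the 9.6 fix. The ProxyCommand template, the jump host, the .gitmodules content and the metacharacter set are this example's own assumptions, not the exact OpenSSH implementation.

```python
"""Why CVE-2023-51385 bites: ssh expands %h/%r/%p into a ProxyCommand string
and hands the result to /bin/sh -c. Added example, not OpenSSH or git code."""
import re

# Hypothetical user ssh_config entry (assumption for this example).
PROXY_COMMAND = "ssh -W %h:%p jumphost"

# Constructed .gitmodules snippet carrying a hostile host name.
GITMODULES = """[submodule "lib"]
\tpath = lib
\turl = ssh://git@`touch pwned`.example.com/repo.git
"""

URL_RE = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/|$)")
SHELL_META = set("'`\"$\\;&<>|(){}")


def parse_gitmodules_urls(text):
    """Return every 'url = ...' value in a .gitmodules file."""
    return re.findall(r"^\s*url\s*=\s*(.+?)\s*$", text, re.M)


def expand_proxycommand(template, host, user, port):
    """Mimic the percent-token expansion applied to ProxyCommand."""
    return (template.replace("%h", host).replace("%r", user)
            .replace("%p", str(port)))


def command_substitutions(cmd):
    """Backtick substitutions /bin/sh would execute when given this string."""
    return re.findall(r"`([^`]*)`", cmd)


def valid_hostname(host):
    """Conservative filter in the spirit of the OpenSSH 9.6 fix: reject an
    empty name, a leading '-', shell metacharacters, whitespace and control
    characters. Approximation for illustration, not the exact OpenSSH code."""
    if not host or host.startswith("-"):
        return False
    return not any(c in SHELL_META or c.isspace() or ord(c) < 32 for c in host)


def plan_ssh_invocation(url, template=PROXY_COMMAND):
    """Hardened path: validate the host before it is expanded into a shell
    command. Returns the expanded ProxyCommand or raises ValueError."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"unsupported URL: {url!r}")
    user, host, port = m["user"] or "git", m["host"], int(m["port"] or 22)
    if not valid_hostname(host):
        raise ValueError(f"refusing host name with shell metacharacters: {host!r}")
    return expand_proxycommand(template, host, user, port)


if __name__ == "__main__":
    for url in parse_gitmodules_urls(GITMODULES):
        m = URL_RE.match(url)
        unsafe = expand_proxycommand(PROXY_COMMAND, m["host"], m["user"], 22)
        print("pre-9.6 behaviour would run:", unsafe)
        print("  shell substitutions:", command_substitutions(unsafe))
        try:
            print("hardened:", plan_ssh_invocation(url))
        except ValueError as e:
            print("hardened:", e)
```

The unsafe expansion shows that `touch pwned` runs before ssh is even invoked, which is exactly what happens on a client with such a ProxyCommand when git clones the submodule. Beyond updating, the practical lesson is to treat host and user names taken from repositories or automation as untrusted input.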

What Can I Do to Secure My Systems Against These OpenSSH Bugs?

The first and most important step is to install the Debian or Ubuntu security updates for openssh-server and openssh-client (apt update, then apt upgrade) and confirm that the running sshd has been restarted afterwards. Processes that were already running keep the old code, so also restart any long-lived ssh-agent and re-add keys that were loaded with -h destination constraints (ssh-add -D, then add them again): constraints the old ssh-add silently dropped are not applied retroactively. Terrapin is only closed when both ends of a connection support strict kex, so update clients as well as servers, including non-OpenSSH implementations and network appliances; where a peer cannot be updated, removing chacha20-poly1305@openssh.com and the *-cbc ciphers from the Ciphers list in sshd_config or ssh_config takes the vulnerable modes off the table. In ssh -vv output, the peer's KEX algorithm proposal lists kex-strict-s-v00@openssh.com once the server is patched.

Beyond patching: check the effective server configuration (sshd -T) for AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser set to a privileged account, and run such helpers as a dedicated unprivileged user with no extra group memberships; treat user and host names that come from repositories, CI configuration or other untrusted sources as untrusted input, and avoid ProxyCommand, LocalCommand or Match exec templates that expand %h or %r into a shell where you can; and keep the usual defence in depth of multi-factor authentication, network segmentation and monitoring for signs of compromise.

Be sure to subscribe to our weekly newsletters to stay up-to-date on the latest advisories, information, and insights impacting the security of your Linux systems. 

Stay safe out there, OpenSSH users!