CVE-2023-51385: OpenSSH OS command injection vulnerability

Details have emerged about a now-patched security vulnerability in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions.

The vulnerability is tracked under the CVE identifier CVE-2023-51385 (CVSS score: 9.8). It impacts all versions of OpenSSH before 9.6p1.

Under the same conditions, libssh versions before 0.10.6 (and 0.9.x versions before 0.9.8) are also vulnerable. This flaw is tracked as CVE-2023-6004 (CVSS 3.9). “Using the ProxyCommand or the ProxyJump feature enables users to exploit unchecked hostname syntax on the client, which makes it possible to inject malicious code into the command of the above-mentioned features through the hostname parameter,” reads the security advisory.

“SSH’s ProxyCommand is a feature quite widely used to proxy ssh connections by allowing users to specify custom commands to be used to connect to the server. Arguments to this directive may contain tokens like %h and %u, which refer to the hostname and username respectively,” security researcher Vin01 wrote in an analysis.

When it comes from an untrusted source, a hostname can be malicious and look something like `malicious-command` (the backticks cause the enclosed text to be executed as a command when the expanded string is passed to a shell).

OpenSSH is a suite of secure networking utilities based on the Secure Shell protocol, which provides a secure channel over an unsecured network in a client–server architecture.

Successful exploitation requires a user name or hostname that contains shell metacharacters, and that name being referenced by an expansion token such as %h or %u in a ProxyCommand or ProxyJump directive.
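The fix in the client is to refuse such names before they are ever expanded into a command line. The following is an added example (not OpenSSH's or libssh's own code) of an allowlist check in the spirit of the 9.6p1 fix, applied to both the %h and %u values before a ProxyCommand template is expanded; the exact character set, including the IPv6-literal allowance, is an assumption.

```c
#include <ctype.h>
#include <string.h>

/* Constructed example, not OpenSSH code. A user or host name may only contain
 * characters that belong in a login or DNS name, so backticks and other shell
 * metacharacters never reach the shell that runs ProxyCommand. allow_addr also
 * permits ':' '[' ']' for IPv6 literals (assumption). Returns 1 if acceptable. */
int valid_name(const char *s, int allow_addr)
{
    size_t len = strlen(s);
    if (len == 0 || len > 255)
        return 0;
    if (!isalnum((unsigned char)s[0]) && !(allow_addr && s[0] == '['))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '-' || c == '.' || c == '_')
            continue;
        if (allow_addr && (c == ':' || c == '[' || c == ']'))
            continue;
        return 0; /* '`', '$', ';', '|', spaces and quotes all end up here */
    }
    return 1;
}

/* Expand %h and %u in a ProxyCommand template into out[outlen], but only after
 * both values pass valid_name(). Returns 0 on success, -1 if a value is
 * rejected or the buffer is too small; a rejected value is never expanded. */
int expand_proxy_command(const char *tmpl, const char *host, const char *user,
                         char *out, size_t outlen)
{
    size_t o = 0;
    if (!valid_name(host, 1) || !valid_name(user, 0))
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *rep = p;   /* default: copy one literal character */
        size_t rl = 1;
        if (*p == '%' && (p[1] == 'h' || p[1] == 'u')) {
            rep = (p[1] == 'h') ? host : user;
            rl = strlen(rep);
            p++;               /* skip the token letter */
        }
        if (o + rl >= outlen)
            return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    out[o] = '\0';
    return 0;
}
```

With this check in place, a hostname like `` `malicious-command` `` is rejected outright and the ProxyCommand string is never built, which is the behaviour a patched client should exhibit.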

The security researcher was able to devise a successful proof-of-concept (PoC) with a simple command to pop a calculator on OS X:

git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules

Users of OpenSSH and libssh are strongly advised to update to the fixed versions (OpenSSH 9.6p1, and libssh 0.10.6 or 0.9.8) to safeguard against potential exploitation.