Even the stalwarts of secure networking are not immune to the ingenuity of malicious actors. OpenSSH, a cornerstone of secure channel operations, recently faced a now-patched security vulnerability, tracked as CVE-2023-51385 and rated with a CVSS score of 9.8. This critical flaw affects all OpenSSH versions before 9.6p1.
The vulnerability did not stop at OpenSSH: libssh is affected as well, in versions before 0.10.6 or 0.9.8, under the identifier CVE-2023-6004 with a CVSS score of 3.9. As an analysis by Vin01 research revealed, the culprit lies in SSH’s ProxyCommand and ProxyJump features, where the hostname syntax is expanded without being checked, turning a crafted hostname into a gateway for command injection.
Vin01 research explains: “SSH’s ProxyCommand is a feature quite widely used to proxy SSH connections by allowing to specify custom commands to be used to connect to the server. Arguments to this directive may contain tokens like %h, %u which refer to hostname and username respectively.” The crux of the flaw is that when the hostname comes from an untrusted source, it is substituted into the ProxyCommand line unchanged, so a maliciously crafted hostname lets an attacker inject arbitrary commands that are executed on the connecting client.
The manipulation is as simple as embedding a command in the hostname parameter, enclosed in backticks: because the expanded ProxyCommand is run through the shell, the backticked command executes. A standard feature thereby becomes a potential gateway for cybercriminals. Vin01’s proof-of-concept (PoC) demonstrated the consequences: a seemingly benign command, such as cloning a GitHub repository together with its submodules, could lead to unexpected outcomes like popping a calculator on OS X:
git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules
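As an added example (not code from the original post or from Vin01’s research): the check a tool should apply before substituting an untrusted hostname into a ProxyCommand line, next to a token expander that shows, without invoking any shell, how a backticked hostname survives expansion unchanged. The template, the hostnames and the allowlist itself are assumptions constructed for this example.

```python
import re

# Conservative allowlist for a hostname that will be substituted into a
# ProxyCommand/ProxyJump line: letters, digits, '.', '-' and '_', with no
# leading '-' so it can never be mistaken for an option. Deliberately stricter
# than DNS: IPv6 literals and percent escapes are rejected. This is an added
# example check, not OpenSSH's own validation routine.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,252}")


def is_safe_ssh_hostname(host: str) -> bool:
    """True only if every character of `host` is in the allowlist above."""
    return _HOSTNAME_RE.fullmatch(host) is not None


def expand_proxycommand(template: str, host: str, user: str, port: int) -> str:
    """Expand %h, %u, %p (and %% -> %) the way ssh does before the result is
    handed to /bin/sh -c. No shell is invoked here; the string is returned so
    the effect of an injected hostname can be inspected safely."""
    out = template.replace("%%", "\x00")  # protect literal percent signs
    out = out.replace("%h", host).replace("%u", user).replace("%p", str(port))
    return out.replace("\x00", "%")


def build_proxycommand(template: str, host: str, user: str, port: int) -> str:
    """Hardened path: refuse to expand a hostname that fails the allowlist,
    raising instead of producing a shell-injectable command line."""
    if not is_safe_ssh_hostname(host):
        raise ValueError(f"refusing unsafe hostname: {host!r}")
    return expand_proxycommand(template, host, user, port)


if __name__ == "__main__":
    # Constructed sample input: a jump-host template and a hostname carrying
    # a backticked command, the pattern the PoC relies on (harmless here).
    template = "ssh -W %h:%p jump.example.com"
    benign = "db01.example.com"
    hostile = "`echo injected`.example.com"
    print(expand_proxycommand(template, benign, "deploy", 22))
    # The unchecked expansion keeps the backticks intact, so /bin/sh would run them:
    print(expand_proxycommand(template, hostile, "deploy", 22))
    try:
        build_proxycommand(template, hostile, "deploy", 22)
    except ValueError as err:
        print("blocked:", err)
```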
This finding is a stark reminder of the importance of continuous vigilance and timely software updates. Users of OpenSSH and libssh are strongly advised to fortify their defenses by upgrading to the fixed versions, namely OpenSSH 9.6p1 and libssh 0.10.6 or 0.9.8.
As the cybersecurity landscape continues to evolve, the discovery of vulnerabilities like CVE-2023-51385 and CVE-2023-6004 underscores the role that proactive measures play in securing our digital infrastructure. Cybersecurity professionals, system administrators, and organizations alike must remain vigilant, implementing best practices and staying abreast of the latest security updates to protect against exploits that threaten the very fabric of secure networking.