CVE-2023-51385 and CVE-2023-6004 – A Dual OpenSSH Threat

OpenSSH, a critical component in secure networking, has recently faced a formidable challenge. A now-patched security vulnerability, with a CVSS score of 9.8, threatened the very core of its secure channel operations. Identified as CVE-2023-51385, this vulnerability affected all OpenSSH versions before 9.6p1.


A Dual Threat: CVE-2023-51385 and CVE-2023-6004

The same flaw also reaches beyond OpenSSH to libssh, specifically versions before 0.10.6 or 0.9.8, where it is tracked as CVE-2023-6004 (CVSS score 3.9). The root cause lies in the ProxyCommand or ProxyJump features of SSH, which expand the hostname into a command without checking its syntax.

“SSH’s ProxyCommand is a feature quite widely used to proxy ssh connections by allowing to specify custom commands to be used to connect to the server. Arguments to this directive may contain tokens like %h, %u which refer to hostname and username respectively,” Vin01 research wrote in an analysis.

When coming from untrusted sources, a hostname can be malicious and look something like `malicious-command` (backticks would allow a command to be executed in shell).

The ProxyCommand Peril

The ProxyCommand feature, widely used in SSH connections, became the unwitting enabler of this exploit. By injecting malicious code through the hostname parameter, attackers could run arbitrary commands remotely. This manipulation of the hostname, as simple as enclosing a malicious command in backticks, turned a standard feature into a potential gateway for cybercriminals.

The Proof is in the PoC

A proof-of-concept (PoC) demonstrated the vulnerability’s potency, where a seemingly innocuous command, like cloning a GitHub repository, could lead to unexpected outcomes, such as popping a calculator on OS X.

git clone https://github.com/vin01/poc-proxycommand-vulnerable --recurse-submodules

A Call to Action: Update Now

Users of OpenSSH are strongly advised to upgrade to the latest versions — OpenSSH 9.6p1 and libssh 0.10.6 or 0.9.8 — to fortify their digital defenses against such ingenious exploits.
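Alongside upgrading, submodule URLs can be checked before a recursive clone. The following is an added example, not code from the original article or from OpenSSH: it assumes the untrusted hostname arrives through an ssh URL in a repository's .gitmodules file, and the allowlist, function names and sample data are this example's own.

```python
import re

# Conservative allowlist chosen for this example (not OpenSSH's own check):
# letters, digits, dot, underscore, hyphen, plus [ ] : for IPv6 literals and ports.
SAFE_NAME = re.compile(r"(?!-)[A-Za-z0-9._\[\]:-]+")
URL_LINE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$")
SSH_URL = re.compile(r"^(?:ssh|git\+ssh)://(?:([^@/]*)@)?([^/]*)")
SCP_STYLE = re.compile(r"^(?:([^@/:]*)@)?([^/:]+):")

def ssh_target(url):
    """Return (user, host) for ssh:// or scp-style URLs, None for anything else."""
    m = SSH_URL.match(url)
    if m:
        return m.group(1), m.group(2)
    if "://" in url:
        return None  # https://, git://, file:// never reach ssh
    m = SCP_STYLE.match(url)
    return (m.group(1), m.group(2)) if m else None

def scan_gitmodules(text):
    """Return (line number, field, value) for each ssh user/host outside the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_LINE.match(line)
        target = ssh_target(m.group(1)) if m else None
        if target is None:
            continue
        for field, value in zip(("user", "host"), target):
            if value is not None and not SAFE_NAME.fullmatch(value):
                findings.append((lineno, field, value))
    return findings

# Constructed sample; the backtick hostname reuses the placeholder from the text above.
SAMPLE = """\
[submodule "docs"]
    path = docs
    url = https://github.com/example/docs.git
[submodule "lib"]
    path = lib
    url = git@github.com:example/lib.git
[submodule "vendor"]
    path = vendor
    url = ssh://`malicious-command`foo.example.com/repo
"""

if __name__ == "__main__":
    for lineno, field, value in scan_gitmodules(SAMPLE):
        print(f"line {lineno}: suspicious {field} {value!r}")
```

Running it against a .gitmodules file fetched without submodules (a plain clone, then inspection) shows which entries would hand a non-hostname string to ssh.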