Debian and Ubuntu have released security updates for the openssh package that address five vulnerabilities. This article summarizes each flaw, the configuration under which it is exploitable, and how to verify that your OpenSSH installation has been patched.
CVE-2021-41617 (CVSS 3 severity score: 7.0 High)
CVE-2021-41617 affects sshd in OpenSSH 6.2 through 8.7 and concerns the initialization of supplemental groups when sshd executes AuthorizedKeysCommand or AuthorizedPrincipalsCommand. When AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directs sshd to run the command as a different (non-root) user, sshd switches to that user but does not initialize that user's supplemental groups. The command therefore inherits the supplemental groups sshd was started with, typically root's, and may be able to read or modify resources the command user was never meant to reach. Neither directive is set by default, so only hosts that use them are exposed.
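As an added example that is not part of the TuxCare post or the OpenSSH project, the script below shows the sshd_config pattern that makes a host subject to CVE-2021-41617 and a small helper for auditing it in practice: the real AuthorizedKeysCommand is wrapped so that it records the GIDs it runs with, and `extra_groups` compares that record against the GIDs the command user should have. The sshd_config fragment, the `sshkeys` account, the `/usr/local/bin/fetch-keys` command and the GID lists are all constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the post or from OpenSSH.
# Audits the sshd_config pattern affected by CVE-2021-41617 and compares the
# supplemental groups an AuthorizedKeysCommand actually ran with against the
# groups its configured user is supposed to have.

# Constructed sshd_config fragment: the command runs as the hypothetical
# 'sshkeys' account instead of root, which is the affected configuration.
SSHD_CONFIG_SAMPLE='AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser sshkeys'

# Print the *CommandUser directives present in sshd_config text read from
# stdin (try: sshd -T | affected_directives on a real host).
affected_directives() {
    awk 'tolower($1) == "authorizedkeyscommanduser" ||
         tolower($1) == "authorizedprincipalscommanduser" { print $1, $2 }'
}

# Hypothetical wrapper to install as the AuthorizedKeysCommand while testing.
# It records the GIDs it runs with, then execs the real command:
#   #!/bin/sh
#   id -G >> /var/log/fetch-keys-groups.log
#   exec /usr/local/bin/fetch-keys "$@"

# extra_groups OBSERVED EXPECTED
#   OBSERVED: GID list recorded by the wrapper (output of `id -G`)
#   EXPECTED: GID list of the command user (output of `id -G sshkeys`)
# Prints GIDs present in OBSERVED but not in EXPECTED; returns 1 if any.
extra_groups() {
    observed=$1 expected=$2 extras=""
    for g in $observed; do
        found=0
        for e in $expected; do [ "$g" = "$e" ] && found=1; done
        [ $found -eq 0 ] && extras="$extras $g"
    done
    extras=${extras# }
    if [ -n "$extras" ]; then
        echo "$extras"
        return 1
    fi
    return 0
}

# Demo on the constructed data: the command user only has GID 1000, but the
# wrapper saw GIDs 4 (adm) and 27 (sudo) inherited from sshd.
printf '%s\n' "$SSHD_CONFIG_SAMPLE" | affected_directives
extra_groups "1000 4 27" "1000" || echo "inherited supplemental groups found"
```

A patched sshd (8.8 or later, or a distribution build carrying the backported fix) yields an empty result from `extra_groups`; a non-empty result on a host that sets one of these directives means the fix is missing.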
CVE-2023-28531 (CVSS 3 severity score: 9.8 Critical)
Luci Stanescu identified an OpenSSH vulnerability, CVE-2023-28531, in which ssh-add (before OpenSSH 9.3) fails to communicate destination constraints to ssh-agent when adding smartcard keys. When per-hop destination constraints are requested with ssh-add -h while loading keys from a PKCS#11 provider (ssh-add -s), the keys are added to the agent without the intended constraints. A host to which the agent is forwarded can then use those keys for destinations the constraints were meant to exclude.
CVE-2023-48795 (CVSS 3 severity score: 5.9 Medium)
Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk uncovered the vulnerability known as the Terrapin attack (CVE-2023-48795). It exploits a prefix truncation weakness in the SSH transport protocol: a Man-in-the-Middle (MITM) attacker injects extra messages before encryption starts and then deletes an equal number of consecutive messages immediately after encryption begins, without either side noticing. This yields a limited break of the integrity of the early encrypted transport. In OpenSSH the attack applies to the chacha20-poly1305@openssh.com cipher and to any CBC cipher used together with an Encrypt-then-MAC (*-etm@openssh.com) MAC. OpenSSH 9.6 introduced a "strict kex" protocol extension as the fix; it only protects a connection when both the client and the server support it, so until both ends are patched the practical mitigation is to disable the affected cipher modes.
For more detailed information about the Terrapin attack, refer to https://terrapin-attack.com/.
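As an added example, not from the post and not the Terrapin authors' own scanner, the following script classifies a peer's advertised algorithm lists according to the rules above: a peer that sends the strict-kex marker for its role (kex-strict-s-c-v00@openssh.com for servers, kex-strict-c-s-v00@openssh.com for clients) is protected provided the other side is patched too; otherwise it is exposed if it offers chacha20-poly1305 or a CBC cipher alongside an Encrypt-then-MAC MAC. The lists are constructed stand-ins for what `nmap --script ssh2-enum-algos` or `ssh -vvv` reports.

```shell
#!/bin/bash
# Added example, not code from the post or from the Terrapin project.
# Decides whether an SSH peer's KEXINIT proposal leaves it exposed to
# Terrapin (CVE-2023-48795). Lists are space-separated algorithm names.

# Constructed samples standing in for real KEXINIT proposals.
OLD_SERVER_KEX="curve25519-sha256 diffie-hellman-group14-sha256"
OLD_SERVER_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes256-ctr"
OLD_SERVER_MACS="umac-64-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-256"
NEW_SERVER_KEX="curve25519-sha256 kex-strict-s-c-v00@openssh.com"

# Mitigation for an sshd that cannot be upgraded yet: drop chacha20-poly1305
# and all CBC ciphers, keeping AEAD and CTR modes.
HARDENED_SSHD_CONFIG='Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

has_word() { # has_word LIST WORD
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

has_glob() { # has_glob LIST PATTERN  (PATTERN is a shell glob)
    for w in $1; do
        case "$w" in $2) return 0 ;; esac
    done
    return 1
}

# terrapin_exposure ROLE KEX CIPHERS MACS   (ROLE: server or client)
# Prints SAFE-STRICT-KEX, SAFE-NO-VULNERABLE-ALGOS or EXPOSED:<reason>;
# returns 1 when exposed.
terrapin_exposure() {
    role=$1 kex=$2 ciphers=$3 macs=$4
    if [ "$role" = server ]; then
        marker=kex-strict-s-c-v00@openssh.com
    else
        marker=kex-strict-c-s-v00@openssh.com
    fi
    # Strict kex protects the session only if BOTH peers send their marker;
    # this function inspects one side, so SAFE-STRICT-KEX assumes the other
    # side is patched as well.
    if has_word "$kex" "$marker"; then
        echo SAFE-STRICT-KEX
        return 0
    fi
    reason=""
    has_word "$ciphers" chacha20-poly1305@openssh.com && reason="chacha20-poly1305"
    if has_glob "$ciphers" '*-cbc' && has_glob "$macs" '*-etm@openssh.com'; then
        reason="${reason:+$reason,}cbc-etm"
    fi
    if [ -n "$reason" ]; then
        echo "EXPOSED:$reason"
        return 1
    fi
    echo SAFE-NO-VULNERABLE-ALGOS
    return 0
}

# Demo: an unpatched server offering chacha20 versus a 9.6-style server.
terrapin_exposure server "$OLD_SERVER_KEX" "$OLD_SERVER_CIPHERS" "$OLD_SERVER_MACS" || true
terrapin_exposure server "$NEW_SERVER_KEX" "$OLD_SERVER_CIPHERS" "$OLD_SERVER_MACS"
```

Run it against both the client and the server of every hop you care about; a client that still negotiates chacha20-poly1305 with an unpatched server is exposed even when the client itself is patched.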
CVE-2023-51384 (CVSS 3 severity score: 5.5 Medium)
CVE-2023-51384, fixed in OpenSSH 9.6, is a related issue with PKCS#11-hosted private keys. When ssh-add loads keys from a PKCS#11 token with destination constraints specified and the token returns more than one key, only the first key has the constraints applied; the remaining keys are added to the agent unconstrained and can be used for any destination once the agent is forwarded.
CVE-2023-51385 (CVSS 3 severity score: 9.8 Critical)
CVE-2023-51385 exposes a command injection risk in ssh before 9.6 when an untrusted user name or hostname containing shell metacharacters is passed to it. If a ProxyCommand or LocalCommand directive, or a Match exec predicate, references the hostname or remote user through expansion tokens such as %h and %r, ssh expands the tokens and hands the resulting string to the shell, so an attacker who controls the user name or hostname can run arbitrary commands on the client. A realistic vector is a git repository whose submodule URL carries a crafted hostname; cloning it with submodules invokes ssh with the attacker-chosen name. OpenSSH 9.6 makes ssh refuse user names and hostnames that contain shell metacharacters; callers that build ssh targets from untrusted input should still validate them before invoking ssh.
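As an added example that is not part of the post and not code from the OpenSSH or Git projects, the script below pairs a constructed ssh_config fragment that expands %h and %r into a ProxyCommand with a constructed malicious hostname of the kind described, and then shows the defensive check a deployment script or repository-fetch wrapper should apply before a user name or hostname reaches ssh. The `safe_ssh` wrapper and the accepted character set are the example's own choices, not OpenSSH's rules.

```shell
#!/bin/bash
# Added example, not code from the post, OpenSSH or Git.
# Demonstrates the CVE-2023-51385 injection pattern and a validator that
# refuses hostnames/usernames which could reach a shell via ProxyCommand,
# LocalCommand or Match exec token expansion.

# Constructed ~/.ssh/config fragment: ssh expands %h, %r and %p here and
# the result is executed by /bin/sh.
SSH_CONFIG_SAMPLE='Host *.internal.example
    ProxyCommand ssh -W %h:%p jump.example.com
    LocalCommand logger "ssh to %r@%h"'

# Constructed hostname an attacker could plant in a submodule URL. After
# expansion into the ProxyCommand the backticks execute locally. The
# payload only creates a marker file; it is here to make the shape visible.
MALICIOUS_HOST='`touch /tmp/pwned`.internal.example'

# is_safe_ssh_name NAME
# Accepts only names built from letters, digits, '.', '_', '-' and '@'
# (for user@host), and rejects empty names and names starting with '-',
# which ssh would otherwise parse as an option. Returns 1 on rejection.
is_safe_ssh_name() {
    case "$1" in
        '') return 1 ;;
        -*) return 1 ;;
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# safe_ssh USER HOST [SSH_ARGS...]
# Wrapper that validates both names and uses '--' so that nothing after it
# can be interpreted as an ssh option.
safe_ssh() {
    user=$1 host=$2
    shift 2
    if ! is_safe_ssh_name "$user" || ! is_safe_ssh_name "$host"; then
        echo "refusing to pass unsafe user/host to ssh: $user@$host" >&2
        return 2
    fi
    ssh -- "$user@$host" "$@"
}

# Demo on the constructed data.
if is_safe_ssh_name "$MALICIOUS_HOST"; then
    echo "accepted (unexpected)"
else
    echo "rejected: $MALICIOUS_HOST"
fi
is_safe_ssh_name build01.internal.example && echo "accepted: build01.internal.example"
```

The whitelist is deliberately stricter than what DNS or ssh permit; a hostname that legitimately needs other characters should be handled by an explicit exception rather than by loosening the pattern.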
In light of these flaws, update the openssh-client and openssh-server packages from your distribution's security repository. These are userland packages, so no reboot is needed: the package upgrade restarts the sshd service, existing sessions stay up, and new connections are served by the patched daemon. Because Debian and Ubuntu backport fixes without changing the upstream version number, confirm the fix through the package changelog rather than by the version string alone.
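As an added example (not from the post, TuxCare or the OpenSSH project), the script below performs the verification step for all five issues in this article, including the two ssh-add constraint bugs (CVE-2023-28531, fixed in 9.3, and CVE-2023-51384, fixed in 9.6): it parses the `ssh -V` banner into an upstream version, compares it with the release that first shipped each fix, and then, to account for backports, also checks whether the package changelog names each CVE. A CVE is reported only when both checks fail. The changelog text and banners are constructed samples; the upgrade commands at the end are the ones you would run on a real host.

```shell
#!/bin/bash
# Added example, not code from the post or from OpenSSH/Debian/Ubuntu.
# Verifies that an OpenSSH installation carries the fixes for the five
# CVEs discussed, by upstream version and by Debian/Ubuntu changelog.

# Upstream release that first contained each fix.
FIXES='CVE-2021-41617 8.8
CVE-2023-28531 9.3
CVE-2023-48795 9.6
CVE-2023-51384 9.6
CVE-2023-51385 9.6'

# version_from_banner "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL ..." -> 9.6
# (ssh -V prints its banner on stderr, so capture it with 2>&1.)
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1.\2/p'
}

# version_ge A B: true when major.minor version A >= B
version_ge() {
    a_major=${1%%.*} a_minor=${1#*.} b_major=${2%%.*} b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# unfixed_by_version BANNER: CVEs whose fix postdates the upstream version.
unfixed_by_version() {
    v=$(version_from_banner "$1")
    [ -n "$v" ] || v=0.0          # unparseable banner: assume nothing is fixed
    printf '%s\n' "$FIXES" | while read -r cve fixed; do
        version_ge "$v" "$fixed" || echo "$cve"
    done
}

# unfixed_by_changelog CHANGELOG_TEXT: CVEs not mentioned in the changelog.
unfixed_by_changelog() {
    printf '%s\n' "$FIXES" | while read -r cve fixed; do
        printf '%s\n' "$1" | grep -q "$cve" || echo "$cve"
    done
}

# unfixed BANNER CHANGELOG_TEXT: CVEs that neither check accounts for.
unfixed() {
    by_version=$(unfixed_by_version "$1")
    by_changelog=$(unfixed_by_changelog "$2")
    for cve in $by_version; do
        for c in $by_changelog; do [ "$c" = "$cve" ] && echo "$cve"; done
    done
    return 0
}

# Constructed stand-in for the real changelog, obtained on a host with:
#   zcat /usr/share/doc/openssh-client/changelog.Debian.gz   (or: apt changelog openssh-client)
SAMPLE_CHANGELOG='openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=high
  * Backport fixes for CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385.
openssh (1:9.2p1-2) unstable; urgency=medium
  * New upstream release.'

# Demo: a 9.2-based build with the constructed changelog still lacks
# CVE-2023-28531 (version 9.2 < 9.3 and the changelog does not mention it).
unfixed "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023" "$SAMPLE_CHANGELOG"

# Upgrade and verification procedure on a real Debian/Ubuntu host (as root):
#   apt-get update && apt-get install --only-upgrade openssh-server openssh-client
#   systemctl restart ssh          # the package postinst normally does this already
#   unfixed "$(ssh -V 2>&1)" "$(zcat /usr/share/doc/openssh-client/changelog.Debian.gz)"
```

An empty result from `unfixed` means every CVE is covered either by the upstream version or by a named backport; anything it prints is worth chasing in the distribution's security tracker before considering the host patched.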
For rebootless patching of the kernel itself, where a fix normally does require a reboot, you can use the KernelCare Enterprise live patching solution. It applies kernel security patches automatically, so you do not have to schedule downtime for them. KernelCare supports all popular enterprise distributions, including Ubuntu, Debian, RHEL, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, and more.
The post Debian and Ubuntu Fixed OpenSSH Vulnerabilities appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/debian-and-ubuntu-fixed-openssh-vulnerabilities/