Lucene search

DebianDEBIAN:DLA-3694-1:FAAE2

HistoryDec 26, 2023 - 2:22 a.m.

[SECURITY] [DLA 3694-1] openssh security update

2023-12-2602:22:30

lists.debian.org

prefix truncation attack

cve-2021-41617

cve-2023-48795

ssh protocol

openssh

debian 10 buster

command injection

security update

cve-2023-51385

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.963 High

EPSS

Percentile

99.5%

JSON

Debian LTS Advisory DLA-3694-1 [email protected]
https://www.debian.org/lts/security/ Santiago Ruano Rincón
December 25, 2023 https://wiki.debian.org/LTS

Package : openssh
Version : 1:7.9p1-10+deb10u4
CVE ID : CVE-2021-41617 CVE-2023-48795 CVE-2023-51385
Debian Bug : 995130

Several vulnerabilities have been discovered in OpenSSH, an implementation of
the SSH protocol suite.

CVE-2021-41617

It was discovered that sshd failed to correctly initialise supplemental
groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the command
as a different user. Instead these commands would inherit the groups that
sshd was started with.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH
protocol is prone to a prefix truncation attack, known as the &quot;Terrapin
attack&quot;. This attack allows a MITM attacker to effect a limited break of the
integrity of the early encrypted SSH transport protocol by sending extra
messages prior to the commencement of encryption, and deleting an equal
number of consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

CVE-2023-51385

It was discovered that if an invalid user or hostname that contained shell
metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
directive or &quot;match exec&quot; predicate referenced the user or hostname via
expansion tokens, then an attacker who could supply arbitrary
user/hostnames to ssh could potentially perform command injection. The
situation could arise in case of git repositories with submodules, where the
repository could contain a submodule with shell characters in its user or
hostname.

For Debian 10 buster, these problems have been fixed in version
1:7.9p1-10+deb10u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11arm64openssh-tests< 1:8.4p1-5+deb11u3openssh-tests_1:8.4p1-5+deb11u3_arm64.deb
Debian10allssh< 1:7.9p1-10+deb10u4ssh_1:7.9p1-10+deb10u4_all.deb
Debian12mips64elopenssh-client-dbgsym< 1:9.2p1-2+deb12u2openssh-client-dbgsym_1:9.2p1-2+deb12u2_mips64el.deb
Debian12i386openssh-sftp-server-dbgsym< 1:9.2p1-2+deb12u2openssh-sftp-server-dbgsym_1:9.2p1-2+deb12u2_i386.deb
Debian10arm64ssh-askpass-gnome-dbgsym< 1:7.9p1-10+deb10u4ssh-askpass-gnome-dbgsym_1:7.9p1-10+deb10u4_arm64.deb
Debian12amd64openssh-client< 1:9.2p1-2+deb12u2openssh-client_1:9.2p1-2+deb12u2_amd64.deb
Debian11ppc64elopenssh-client< 1:8.4p1-5+deb11u3openssh-client_1:8.4p1-5+deb11u3_ppc64el.deb
Debian10armhfopenssh-tests< 1:7.9p1-10+deb10u4openssh-tests_1:7.9p1-10+deb10u4_armhf.deb
Debian11armelopenssh-server-udeb< 1:8.4p1-5+deb11u3openssh-server-udeb_1:8.4p1-5+deb11u3_armel.deb
Debian12arm64openssh-client-udeb< 1:9.2p1-2+deb12u2openssh-client-udeb_1:9.2p1-2+deb12u2_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	arm64	openssh-tests	< 1:8.4p1-5+deb11u3	openssh-tests_1:8.4p1-5+deb11u3_arm64.deb
Debian	10	all	ssh	< 1:7.9p1-10+deb10u4	ssh_1:7.9p1-10+deb10u4_all.deb
Debian	12	mips64el	openssh-client-dbgsym	< 1:9.2p1-2+deb12u2	openssh-client-dbgsym_1:9.2p1-2+deb12u2_mips64el.deb
Debian	12	i386	openssh-sftp-server-dbgsym	< 1:9.2p1-2+deb12u2	openssh-sftp-server-dbgsym_1:9.2p1-2+deb12u2_i386.deb
Debian	10	arm64	ssh-askpass-gnome-dbgsym	< 1:7.9p1-10+deb10u4	ssh-askpass-gnome-dbgsym_1:7.9p1-10+deb10u4_arm64.deb
Debian	12	amd64	openssh-client	< 1:9.2p1-2+deb12u2	openssh-client_1:9.2p1-2+deb12u2_amd64.deb
Debian	11	ppc64el	openssh-client	< 1:8.4p1-5+deb11u3	openssh-client_1:8.4p1-5+deb11u3_ppc64el.deb
Debian	10	armhf	openssh-tests	< 1:7.9p1-10+deb10u4	openssh-tests_1:7.9p1-10+deb10u4_armhf.deb
Debian	11	armel	openssh-server-udeb	< 1:8.4p1-5+deb11u3	openssh-server-udeb_1:8.4p1-5+deb11u3_armel.deb
Debian	12	arm64	openssh-client-udeb	< 1:9.2p1-2+deb12u2	openssh-client-udeb_1:9.2p1-2+deb12u2_arm64.deb