SB2023031706 - Multiple vulnerabilities in OpenSSH

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the getrrsetbyname(3) function within the VerifyHostKeyDNS feature. A remote attacker can send a specifically crafted DNS response to the ssh client, trigger an out-of-bounds read of adjacent stack data of the ssh client and perform a denial of service (DoS) attack.

2) Credentials management (CVE-ID: CVE-2023-28531)

The vulnerability allows a remote user to bypass implemented security restrictions.

the vulnerability exists due to a logic error in ssh-add when adding smartcard keys to ssh-agent with the per-hop destination constraints. As a result, the keys are added without constraints.

Remediation

Install update from vendor's website.

References

• http://www.openssh.com/txt/release-9.3
• https://www.openwall.com/lists/oss-security/2023/03/15/8