Amazon Linux AMI update for openssh

1) Improper input validation

EUVDB-ID: #VU2015

Risk: Low

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-10009

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on vulnerable ssh client.

The vulnerability exists due to incorrect handling of data passed to PKCS#11 module within ssh-agent. A remote attacker with control over sshd service can execute arbitrary code on vulnerable client.

Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on vulnerable client system but requires that client is connected to malicious SSH server.

Mitigation

Update the affected packages:

i686:
    openssh-ldap-7.4p1-22.80.amzn1.i686
    openssh-cavs-7.4p1-22.80.amzn1.i686
    openssh-server-7.4p1-22.80.amzn1.i686
    openssh-clients-7.4p1-22.80.amzn1.i686
    pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.i686
    openssh-7.4p1-22.80.amzn1.i686
    openssh-keycat-7.4p1-22.80.amzn1.i686
    openssh-debuginfo-7.4p1-22.80.amzn1.i686

src:
    openssh-7.4p1-22.80.amzn1.src

x86_64:
    pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.x86_64
    openssh-7.4p1-22.80.amzn1.x86_64
    openssh-debuginfo-7.4p1-22.80.amzn1.x86_64
    openssh-clients-7.4p1-22.80.amzn1.x86_64
    openssh-keycat-7.4p1-22.80.amzn1.x86_64
    openssh-cavs-7.4p1-22.80.amzn1.x86_64
    openssh-ldap-7.4p1-22.80.amzn1.x86_64
    openssh-server-7.4p1-22.80.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2023-1802.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Untrusted search path

EUVDB-ID: #VU78454

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-38408

CWE-ID: CWE-426 - Untrusted Search Path

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to usage of an insecure search path within the PKCS#11 feature in ssh-agent. A remote attacker can trick the victim into connecting to a malicious SSH server and execute arbitrary code on the system, if an agent is forwarded to an attacker-controlled system.

Note, this vulnerability exists due to incomplete fix for #VU2015 (CVE-2016-10009).

Mitigation

Update the affected packages:

i686:
    openssh-ldap-7.4p1-22.80.amzn1.i686
    openssh-cavs-7.4p1-22.80.amzn1.i686
    openssh-server-7.4p1-22.80.amzn1.i686
    openssh-clients-7.4p1-22.80.amzn1.i686
    pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.i686
    openssh-7.4p1-22.80.amzn1.i686
    openssh-keycat-7.4p1-22.80.amzn1.i686
    openssh-debuginfo-7.4p1-22.80.amzn1.i686

src:
    openssh-7.4p1-22.80.amzn1.src

x86_64:
    pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.x86_64
    openssh-7.4p1-22.80.amzn1.x86_64
    openssh-debuginfo-7.4p1-22.80.amzn1.x86_64
    openssh-clients-7.4p1-22.80.amzn1.x86_64
    openssh-keycat-7.4p1-22.80.amzn1.x86_64
    openssh-cavs-7.4p1-22.80.amzn1.x86_64
    openssh-ldap-7.4p1-22.80.amzn1.x86_64
    openssh-server-7.4p1-22.80.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2023-1802.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.