OpenSSH Control Character Injection Vulnerability in Usernames Allowing Code Execution via ProxyCommand

Vulnerability

A vulnerability in OpenSSH prior to 10.1 allows control characters to be included in usernames from certain potentially untrusted sources, which could lead to code execution when a ProxyCommand is used. The untrusted sources include the command line and %-sequence expansions from configuration files. However, configuration files that provide a complete literal username are considered trusted.

Impact

Exploitation of this vulnerability could allow for arbitrary code execution on the host where OpenSSH is running, by injecting shell commands that are executed when the specified proxy command is initiated.

Reproduction

To reproduce this vulnerability, create an SSH command that includes a username or URI obtained from an untrusted source, such as the command line or a configuration file with %-sequence expansions. Ensure that a ProxyCommand is configured to use the %u expansion, which will trigger the execution of any injected shell expressions.

Remediation

Users can upgrade to OpenSSH 10.1 or later, where this vulnerability has been addressed. Instructions for downloading OpenSSH 10.1 are available on the OpenSSH website.
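
Until every client is upgraded, the two conditions described above can be checked locally. The following is an added example, not code from OpenSSH or from this advisory: it lists ProxyCommand lines that use the %u expansion and rejects usernames containing control characters before they reach an ssh command line. The function names, the sample configuration and the use of Unicode category Cc as the definition of "control character" are assumptions; the token list is a parameter so other user-derived expansions can be added.

```python
import re
import unicodedata

# Constructed sample ssh_config text (not from the advisory).
SAMPLE_CONFIG = """\
Host bastion-*
    ProxyCommand /usr/bin/nc -X connect -x proxy.example:3128 %h %p

Host legacy
    User deploy
    ProxyCommand ssh -l %u jump.example -W %h:%p

# ProxyCommand ignored -l %u
Host none
    proxycommand=none
"""

def has_control_chars(username: str) -> bool:
    """True if the username contains a control character (assumed: Unicode category Cc)."""
    return any(unicodedata.category(ch) == "Cc" for ch in username)

def find_risky_proxycommands(config_text, tokens=("%u",)):
    """Return (line_no, host_or_match_pattern, command) for each ProxyCommand using a token."""
    findings = []
    host = "*"  # options before the first Host line apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        m = re.match(r"(\w+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            host = value
        elif keyword == "proxycommand" and value.lower() != "none":
            # "%%" is a literal percent sign, so drop it before looking for tokens.
            expanded = value.replace("%%", "")
            if any(tok in expanded for tok in tokens):
                findings.append((line_no, host, value))
    return findings
```

A wrapper script that builds ssh invocations from external input can call has_control_chars() on the username and refuse to proceed when it returns True.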

Added: Oct 6, 2025, 7:18 PM
Updated: Oct 6, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 10.0
exploitability: 7.9
remediation: 7.7
relevance: 0.7
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.