Cockpit Unauthenticated Remote Code Execution Vulnerability via SSH Command Injection

Vulnerability

A vulnerability in Cockpit's remote login feature allows for unauthenticated remote code execution. This issue arises because user-supplied hostnames and usernames are sent to the SSH client without proper validation or sanitization. An attacker with network access to the Cockpit web service can inject malicious SSH options or commands, executing code on the Cockpit host without needing valid credentials. The vulnerability exists in Cockpit versions 327 and later, when used with OpenSSH versions prior to 9.6, and requires remote host login to be enabled, which is the default setting.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the Cockpit host.

Reproduction

To reproduce this vulnerability, send an HTTP request to the Cockpit login endpoint with a crafted 'Authorization: Basic' header containing any credentials. The injected username or hostname can include malicious SSH options or commands. If the OpenSSH version is prior to 9.6, the injection will succeed, leading to code execution on the host.

Remediation

Update Cockpit to version 327 or later and ensure OpenSSH is at version 9.6 or later. Systems already running OpenSSH 9.6 or later need no further action.
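The root cause described above is a user-controlled hostname and username reaching the ssh client where they can be read as options. The following is an added example of the input validation and argument construction a remote-login feature should apply before invoking ssh; it is not Cockpit's code or its actual fix, and the function names, the allow-list patterns and the use of `--` as the option terminator are assumptions about reasonable hardening.

```python
import re
from typing import List

# Constructed example, not Cockpit's code: validate the user@host pair
# a remote-login feature forwards to ssh, then build argv (never a shell
# string) so the destination can only ever be read as a destination.

# RFC 1123-style hostname; also matches dotted IPv4. IPv6 literals are
# deliberately out of scope for this example and are rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Conservative login name: no '@', ':', whitespace or leading '-'.
USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}$")


class UnsafeTarget(ValueError):
    """Raised when a field could be parsed by ssh as something other than a name."""


def validate_target(user: str, host: str) -> None:
    # A leading '-' is what lets a "hostname" be consumed as an ssh option;
    # whitespace and control characters could smuggle extra words past a shell.
    for label, value in (("username", user), ("hostname", host)):
        if not value or value.startswith("-"):
            raise UnsafeTarget(f"{label} may not be empty or start with '-'")
        if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
            raise UnsafeTarget(f"{label} contains whitespace or control characters")
    if not USERNAME_RE.fullmatch(user):
        raise UnsafeTarget("username has characters outside the allowed set")
    if not HOSTNAME_RE.fullmatch(host):
        raise UnsafeTarget("hostname is not a valid DNS name or IPv4 address")


def build_ssh_argv(user: str, host: str, port: int = 22) -> List[str]:
    """Return an argv list with the destination placed after '--'.

    '--' ends ssh option parsing, so even a value that slipped past the
    allow-list is treated as a destination, never as an option.
    """
    validate_target(user, host)
    if not 1 <= port <= 65535:
        raise UnsafeTarget("port out of range")
    return ["ssh", "-p", str(port), "--", f"{user}@{host}"]
```

Pass the returned list straight to `subprocess.run` (or an equivalent exec call) rather than joining it into a shell command line, otherwise the whitespace check above becomes the only thing standing between the input and the shell.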

Added: Apr 7, 2026, 7:23 PM
Updated: Apr 7, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.3
  remediation     0.0
  relevance       5.4
  threat          7.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.