SSH ProxyCommand is vulnerable to a code execution flaw, CVE-2023-51385, that may allow an attacker to perform shell injection on vulnerable servers.
SSH ProxyCommand allows users to proxy an SSH connection to a target: the directive specifies the command ssh runs to connect to the server. Arguments to this directive may contain expansion tokens such as %h and %u, which refer to the hostname and username, respectively. The SSH Proxy feature also provides visibility into SSH traffic and control over the commands users execute in the SSH channel.
Vulnerability Details
The vulnerability arises when an invalid username or hostname containing shell metacharacters is passed to SSH, and a ProxyCommand, LocalCommand directive, or "Match exec" predicate references the user or hostname via expansion tokens. An attacker who can supply arbitrary usernames or hostnames to SSH may perform a command injection. Exploitation is possible through an untrusted Git repository containing a submodule whose username or hostname includes shell metacharacters.
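As an added defender-side example (not code from this advisory or from OpenSSH), the check below scans a .gitmodules file and reports submodules whose SSH username or hostname could not be expanded into a ProxyCommand safely. The rejected character set is modelled on the rules OpenSSH 9.6 adopted for this CVE and is an assumption here, as is the constructed sample file.

```python
"""Pre-flight check for SSH-style user/host values in .gitmodules."""
import re

# Assumed to approximate the OpenSSH 9.6 hostname/username rules: reject
# characters /bin/sh -c treats specially, whitespace, control characters,
# and a leading '-' (which would be read as an option by the proxy command).
SHELL_META = set("'`\"$\\;&<>|(){}")

def is_safe_token(value: str) -> bool:
    """True if value can be substituted into a shell command line as-is."""
    if not value or value.startswith("-"):
        return False
    return not any(c in SHELL_META or c.isspace() or ord(c) < 0x20
                   for c in value)

_SSH_URL = re.compile(r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^/:]+)")
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@]+)@)?(?P<host>[^:]+):")

def ssh_parts(url: str):
    """Return (user, host) for ssh:// or scp-like URLs, else None."""
    m = _SSH_URL.match(url) if "://" in url else _SCP_LIKE.match(url)
    if not m:
        return None
    return m.group("user"), m.group("host")

def parse_gitmodules(text: str) -> dict:
    """Minimal parser: {submodule name: {key: value}}."""
    mods, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if m:
            name = m.group(1)
            mods[name] = {}
        elif name and "=" in line and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            mods[name][key.strip()] = val.strip()
    return mods

def unsafe_submodules(text: str) -> list:
    """Names of submodules whose URL carries an unsafe user or host."""
    bad = []
    for name, keys in parse_gitmodules(text).items():
        parts = ssh_parts(keys.get("url", ""))
        if parts is None:
            continue
        user, host = parts
        if not is_safe_token(host) or (user and not is_safe_token(user)):
            bad.append(name)
    return bad

# Constructed sample: one benign submodule, one with a '$' in its hostname.
SAMPLE_GITMODULES = """[submodule "lib"]
\tpath = lib
\turl = git@example.com:org/lib.git
[submodule "evil"]
\tpath = vendor/evil
\turl = git@exa$mple.com:org/evil.git
"""
```

Run `unsafe_submodules(SAMPLE_GITMODULES)` on a checkout before `git submodule update` to flag entries that a patched OpenSSH would refuse and an unpatched one would expand.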
Mitigation
Vendors and maintainers of affected implementations and distributions, such as LibSSH, OpenSSH, Debian, and others, have been pushing out fixes. Customers may refer to the individual vendor advisory for their operating system and install the patches.
Qualys Detection
Qualys customers can scan their devices with QID 6000398 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://lists.debian.org/debian-security-announce/2023/msg00283.html
https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html