OpenSSH 9.3p2 Fixes High-Risk Security Vulnerability

OpenSSH 9.3p2 closes high-risk security hole

Version 9.3p2 of the OpenSSH encryption suite and tool collection fixes a security vulnerability that the German Federal Office for Information Security's warning service (WID-BSI) has rated as high-risk. The vulnerability, known as CVE-2016-10009, was supposed to have been fixed in OpenSSH 7.4 in 2017 but was never properly corrected. The issue is an untrusted search path in the PKCS#11 feature of ssh-agent: when a user forwards their ssh-agent to a system controlled by an attacker, the attacker can cause the agent to load a library of their choosing and thereby execute malicious code on the user's machine.

For the vulnerability to be exploited remotely, certain libraries must be present on the victim's system. As a countermeasure, the OpenSSH developers recommend starting ssh-agent with an empty PKCS#11/FIDO allowlist, or with an allowlist that names only specific provider libraries. Security researchers at Qualys have published a detailed analysis of the vulnerability, and the OpenSSH developers have disabled by default the loading of PKCS#11 modules at the request of remote clients. Administrators who need that behaviour can re-enable it with a specific flag when starting the program.
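The allowlist mitigation described above, as an added example that is not part of the original article or of the OpenSSH project: the `-P` option of ssh-agent (a real option) takes a comma-separated pattern list of shared-library paths that the agent may load as PKCS#11 or FIDO providers. The script shows the two recommended invocations and includes a small helper, `provider_allowed`, that applies the same glob-style matching to a candidate library path so an administrator can check a proposed allowlist offline before deploying it. The library paths are constructed for illustration; adjust them to the distribution in use.

```sh
#!/bin/sh
# Added example (not from the article or OpenSSH): restricting which PKCS#11/FIDO
# provider libraries ssh-agent may load, as OpenSSH recommends after 9.3p2.
#
# Two hardened ways to start the agent (ssh-agent -P is a real option):
#   ssh-agent -P ''                         # empty allowlist: no provider can ever be loaded
#   ssh-agent -P "$PROVIDER_ALLOWLIST"      # only the listed provider libraries may be loaded
#
# 9.3p2 also refuses PKCS#11 load requests from remote clients by default; the
# release notes add -O allow-remote-pkcs11 to restore the old behaviour, which
# reverses this protection and should stay off unless it is genuinely required.

# Constructed allowlist: only the distribution's own PKCS#11 provider directory
# plus one named OpenSC library. Paths are placeholders, not taken from the article.
PROVIDER_ALLOWLIST='/usr/lib/x86_64-linux-gnu/pkcs11/*,/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'

# provider_allowed PATH ALLOWLIST
# Returns 0 if PATH matches one of the comma-separated glob patterns in
# ALLOWLIST (the shape ssh-agent -P accepts), 1 otherwise.
provider_allowed() {
    path=$1
    list=$2
    # An empty allowlist (ssh-agent -P '') permits no provider at all.
    [ -n "$list" ] || return 1
    # Split on commas without letting the shell expand the * patterns against
    # the local filesystem: disable globbing while splitting.
    old_ifs=$IFS
    IFS=,
    set -f
    set -- $list
    set +f
    IFS=$old_ifs
    for pattern in "$@"; do
        # An unquoted $pattern in a case label is matched as a shell glob,
        # giving the same * and ? wildcard semantics as the agent's pattern list.
        case $path in
            $pattern) return 0 ;;
        esac
    done
    return 1
}

# When run directly with a library path, report whether the constructed
# allowlist would let ssh-agent load it.
if [ -n "$1" ]; then
    if provider_allowed "$1" "$PROVIDER_ALLOWLIST"; then
        echo "allowed:  $1"
    else
        echo "rejected: $1"
    fi
fi
```

A library dropped into a world-writable directory such as `/tmp` is rejected by the restricted list, while anything under the provider directory is accepted, which is why the directory itself must not be writable by unprivileged users. The empty list is the safest choice for machines that never use smart cards or FIDO tokens through the agent.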

IT managers are advised to download the updated software from the OpenSSH project's portable release page or to obtain it through their Linux distribution's package management. They should check whether updates are available for their systems and apply them promptly. The OpenSSH developers released version 9.3 at the end of March; it fixed two other security vulnerabilities as well as minor bugs.
