1. Ubuntu Security Notices
  2. USN-6242-2

USN-6242-2: OpenSSH vulnerability

Publication date

31 July 2023

Overview

OpenSSH could be made to run programs as your login when using ssh-agent forwarding.

Releases

Packages

  • openssh - secure shell (SSH) for secure access to remote machines

Details

USN-6242-1 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that OpenSSH incorrectly handled loading certain PKCS#11
providers. If a user forwarded their ssh-agent to an untrusted system, a
remote attacker could possibly use this issue to load arbitrary libraries
from the user’s system and execute arbitrary code.

USN-6242-1 fixed a vulnerability in OpenSSH. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that OpenSSH incorrectly handled loading certain PKCS#11
providers. If a user forwarded their ssh-agent to an untrusted system, a
remote attacker could possibly use this issue to load arbitrary libraries
from the user’s system and execute arbitrary code.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
18.04 bionic openssh-client –  1:7.6p1-4ubuntu0.7+esm1  
16.04 xenial openssh-client –  1:7.2p2-4ubuntu2.10+esm3  
14.04 trusty openssh-client –  1:6.6p1-2ubuntu2.13+esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›