CVE-2021-41617
Published: 26 September 2021
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
Notes
| Author | Note |
|---|---|
Priority reason: Cannot be reproduced on Ubuntu since sshd drops groups early |
|
| seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
| mdeslaur | Only applies to non-default configurations where AuthorizedKeysCommand or AuthorizedPrincipalsCommand are used. |
| sespiros | Cannot reproduce since sshd for all releases drops supplementary groups early when it starts with setgroups(0, NULL). |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openssh Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(1:8.2p1-4ubuntu0.11)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(1:8.9p1-3)
|
|
| kinetic |
Not vulnerable
(1:9.0p1-1ubuntu7)
|
|
| lunar |
Not vulnerable
(1:9.0p1-1ubuntu7)
|
|
| mantic |
Not vulnerable
(1:9.0p1-1ubuntu7)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(8.8)
|
|
| xenial |
Released
(1:7.2p2-4ubuntu2.10+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455 upstream: https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde |
||
|
openssh-ssh1 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(frozen on openssh 7.5p)
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.0 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://www.openwall.com/lists/oss-security/2021/09/26/1
- https://www.openssh.com/txt/release-8.8
- https://www.openssh.com/security.html
- https://ubuntu.com/security/notices/USN-5666-1
- https://ubuntu.com/security/notices/USN-6565-1
- https://www.cve.org/CVERecord?id=CVE-2021-41617
- NVD
- Launchpad
- Debian