A significant security flaw has been identified in OpenSSH, designated as CVE-2025-61984, which permits attackers to execute arbitrary code on a victim’s machine remotely. This vulnerability arises from the interaction between OpenSSH’s `ProxyCommand` feature and the system shell when processing specially crafted usernames.
Understanding the Vulnerability
The root cause of this issue is OpenSSH's inadequate sanitization of control characters, such as newline characters, within usernames. An attacker can craft a username that includes a newline character followed by a malicious command. When a `ProxyCommand` expands that username (through the `%r` token) into the command line it hands to the shell, the newline passes through unfiltered. While OpenSSH does filter many dangerous shell metacharacters, it fails to account for characters that merely induce syntax errors in certain shells.
In shells like Bash, Fish, or csh, encountering a syntax error on the first line causes the command to fail, but the shell does not terminate. Instead, it proceeds to execute the subsequent line, which contains the attacker’s payload. This behavior effectively circumvents security measures designed to prevent unauthorized command execution, thereby enabling remote code execution (RCE).
Exploitation via Git Submodules
A practical exploitation scenario involves malicious Git repositories. An attacker can configure a submodule within their repository to use a URL containing the crafted, multi-line username. If a victim clones this repository recursively using the `git clone --recursive` command, Git attempts to connect via SSH to fetch the submodule. This action triggers the vulnerability in `ProxyCommand`, provided the user's SSH configuration includes a `ProxyCommand` directive that utilizes the `%r` token to incorporate the remote username.
For the exploit to succeed, two conditions must be met on the victim’s machine:
1. The presence of a shell that continues execution after a syntax error (e.g., Bash).
2. An SSH configuration file (`~/.ssh/config`) containing a `ProxyCommand` directive that uses the `%r` token.
Notably, shells like Zsh are not vulnerable to this technique, as they terminate upon encountering such errors. However, tools like Teleport have been found to generate SSH configurations that use this vulnerable pattern, potentially increasing the attack surface.
Mitigation Strategies
The OpenSSH project has addressed this vulnerability in version 10.1 by disallowing control characters in usernames. Users are strongly encouraged to upgrade to this version or newer to mitigate the risk.
For systems that cannot be immediately updated, several mitigations can be implemented:
– Modify SSH Configurations: Users can edit their SSH configurations to enclose the `%r` token in single quotes (`'%r'`) within any `ProxyCommand` directive. This prevents the shell from interpreting special characters in the expanded username.
– Restrict Git’s Use of SSH for Submodules: Configuring Git to limit the automatic use of SSH for submodules can serve as an additional defense-in-depth measure.
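As an added example (not part of the original advisory and not OpenSSH's or Git's own tooling), the POSIX shell script below audits an ssh_config-style file for `ProxyCommand` lines that expand `%r` outside single quotes, which is the pattern the first mitigation above is meant to eliminate. The host names and the sample configuration it writes are constructed for illustration; the `audit_proxycommand` and `write_sample_config` function names are the example's own.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): audit an ssh_config-style file for
# ProxyCommand directives that expand the remote username (%r) outside single
# quotes, the pattern that CVE-2025-61984 abuses.
# Exit status: 0 when no unquoted %r is found, 1 when at least one directive is
# flagged, 2 when the file cannot be read. Flagged lines are printed with numbers.
audit_proxycommand() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    flagged=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Trim leading whitespace (POSIX parameter-expansion idiom).
        trimmed="${line#"${line%%[![:space:]]*}"}"
        # Skip blank lines and comments.
        case "$trimmed" in ''|'#'*) continue ;; esac
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive, so compare a lowercased copy of the keyword only.
        key=$(printf '%s' "${trimmed%%[[:space:]=]*}" | tr '[:upper:]' '[:lower:]')
        [ "$key" = "proxycommand" ] || continue
        # Drop every single-quoted segment; any %r left over reaches the shell
        # unquoted, so a newline in the username would start a new command.
        unquoted=$(printf '%s' "$trimmed" | sed "s/'[^']*'//g")
        case "$unquoted" in
            *%r*)
                printf 'line %d: unquoted %%r in ProxyCommand: %s\n' "$lineno" "$trimmed"
                flagged=1
                ;;
        esac
    done < "$cfg"
    return "$flagged"
}

# Constructed sample config: one weak directive, one corrected one, one comment.
write_sample_config() {
    cat > "$1" <<'EOF'
Host bastion-weak
    ProxyCommand ssh -W %h:%p jump-%r@bastion.example
Host bastion-fixed
    ProxyCommand ssh -W %h:%p '%r'@bastion.example
Host other
    # ProxyCommand nc %h %p   (commented out, must be ignored)
    User deploy
EOF
}

# Stand-alone run: "sh audit.sh --demo" audits the constructed sample above.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    audit_proxycommand "$tmp"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see it flag the constructed weak directive while accepting the single-quoted one, or call `audit_proxycommand ~/.ssh/config` against a real file; a non-zero exit status means at least one directive needs the quoting fix from the first mitigation. For the second mitigation, Git's `protocol.ssh.allow` setting, when set to `user`, makes Git refuse SSH URLs in operations it did not receive directly from the user, which covers recursive submodule initialization.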
This vulnerability underscores the complex security risks that can emerge from the interactions between trusted developer tools. It is imperative for users and organizations to stay vigilant and apply necessary updates and configurations to safeguard their systems.