CVE-2023-51385 Overview
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
Critical Impact
This vulnerability allows for potential OS command injection via carefully crafted input.
Affected Products
- openbsd openssh
- debian debian_linux
Discovery Timeline
- 2023-12-18 - CVE-2023-51385 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-51385
Vulnerability Analysis
This vulnerability arises from improper sanitization of user-controlled input: shell metacharacters in user or host names are not filtered before the name is processed. Under certain conditions, when such a name is referenced by an expansion token, this can lead to command injection.
Root Cause
The root cause is the lack of input validation for shell metacharacters, which allows these characters to be interpreted by a shell in certain configurations.
Attack Vector
The attack vector is network-based, exploiting the vulnerability via SSH with crafted input that includes shell metacharacters.
# Example exploitation code (sanitized)
ssh user@'host;malicious_command'
Detection Methods for CVE-2023-51385
Indicators of Compromise
- Unusual command execution logs
- SSH logs with suspect metacharacter sequences
- Abnormal network traffic patterns
Detection Strategies
Network monitoring can reveal abnormal SSH session patterns, particularly those originating from unknown hosts or containing metacharacters in user or host fields. Utilize threat intelligence feeds to uncover known exploit payloads.
Monitoring Recommendations
Monitor SSH connection logs for suspicious attempts, and use tools capable of identifying command injection attempts in real time.
How to Mitigate CVE-2023-51385
Immediate Actions Required
- Update to OpenSSH version 9.6 or later.
- Regularly review and sanitize input strings.
- Disable any unused SSH features or configurations.
Patch Information
A security patch addressing this issue has been released. Refer to the OpenSSH commit patch for details.
Workarounds
Implementing strict input validation and escaping metacharacters in SSH configurations can mitigate potential exploits.
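# Configuration example
# Comment out every AcceptEnv directive in the server configuration (run as root)
sed -i 's/.*AcceptEnv.*/#&/' /etc/ssh/sshd_config
# Restart sshd so the change takes effect
systemctl restart sshd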
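The following Python script applies the input validation described above to the Git submodule case from the overview: it reads the text of a .gitmodules file and reports SSH URLs whose user or host name falls outside a strict allow-list. It is an added example, not code from this advisory or from OpenSSH; the allow-list patterns, function names and sample file are assumptions.

```python
import re

# Assumption: strict allow-lists chosen for this example; they are not OpenSSH's
# own rules and will also flag unusual but harmless names (e.g. IPv6 literals).
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")

def split_ssh_target(url):
    """Return (user, host) for ssh:// or scp-style URLs, None for anything else."""
    m = re.match(r"(?:git\+)?ssh://([^/]*)", url)
    if m:
        authority = re.sub(r":\d+$", "", m.group(1))  # drop optional :port
    elif "://" not in url and ":" in url and "/" not in url.split(":", 1)[0]:
        authority = url.split(":", 1)[0]              # user@host:path form
    else:
        return None                                   # local path, https, ...
    user, _, host = authority.rpartition("@")
    return user, host

def audit_gitmodules(text):
    """Return (submodule, field, value) for each user/host that fails the allow-list."""
    findings, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r'\[submodule\s+"(.*)"\]', line)
        if section:
            name = section.group(1)
            continue
        entry = re.fullmatch(r"url\s*=\s*(.*)", line)
        target = split_ssh_target(entry.group(1)) if entry else None
        if target is None:
            continue
        user, host = target
        if user and not SAFE_USER.fullmatch(user):
            findings.append((name, "user", user))
        if not SAFE_HOST.fullmatch(host):
            findings.append((name, "host", host))
    return findings

# Constructed sample; the flagged URL reuses the sanitized string shown earlier.
SAMPLE = """[submodule "libs/ok"]
    url = ssh://git@git.example.com:2222/team/ok.git
[submodule "libs/scp"]
    url = git@git.example.com:team/scp.git
[submodule "libs/bad"]
    url = ssh://user@host;malicious_command/repo.git
"""

if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE):
        print("suspicious submodule %s: %s=%r" % finding)
```

Run it against a repository's .gitmodules before fetching submodules recursively on a host whose ssh client is older than 9.6.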

