FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSH -- OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand

Affected packages
6.2.p1,1 <= openssh-portable < 8.7.p1_2,1
6.2.p1,1 <= openssh-portable-gssapi < 8.7.p1_2,1
6.2.p1,1 <= openssh-portable-hpn < 8.7.p1_2,1

Details

VuXML ID 2a1b931f-2b86-11ec-8acd-c80aa9043978
Discovery 2021-09-26
Entry 2021-10-12

OpenBSD Project reports:

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled by default in sshd_config(5).
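The following wrapper is an added example and is not part of the OpenBSD report, OpenSSH or the FreeBSD port. It is meant to be installed in front of an existing helper (hypothetical config line: AuthorizedKeysCommand /usr/local/libexec/akc-wrapper /path/to/real-helper %u) and compares the supplemental groups the helper process actually has (id -G) with the groups the group database assigns to the AuthorizedKeysCommandUser (id -G user); if sshd handed the helper the groups it was itself started with, the wrapper logs the extra group ids via logger(1) and refuses to run the helper.

```shell
#!/bin/sh
# akc-wrapper: run an AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper
# only if our supplemental groups match what the group database says the
# command user should have. Extra groups indicate the CVE-2021-41617 behaviour
# (groups inherited from the sshd(8) parent instead of initialised for the user).

# Print, space-separated, every group id in $1 that does not appear in $2.
# $1: groups the process has (e.g. "$(id -G)"), $2: groups the database
# assigns to the user (e.g. "$(id -G "$(id -un)")").
extra_groups() {
    out=""
    for g in $1; do
        found=0
        for h in $2; do
            if [ "$g" = "$h" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then out="$out$g "; fi
    done
    printf '%s\n' "${out% }"
    return 0
}

# Return 0 when the process carries no group the database does not grant.
groups_consistent() {
    [ -z "$(extra_groups "$1" "$2")" ]
}

# Check the live process, then exec the real helper with its arguments.
run_checked() {
    proc_groups=$(id -G)
    db_groups=$(id -G "$(id -un)")
    if ! groups_consistent "$proc_groups" "$db_groups"; then
        logger -p auth.warning -t akc-wrapper \
            "refusing to run helper: unexpected supplemental groups $(extra_groups "$proc_groups" "$db_groups")"
        exit 1
    fi
    exec "$@"
}

# Only act when sshd invoked us with a helper to run (no args when sourced for tests).
if [ $# -gt 0 ]; then
    run_checked "$@"
fi
```

With the vulnerable sshd, a helper user with only its primary group would typically show gid 0 (wheel) among the extra groups on FreeBSD, since sshd is started by root; after updating to 8.7.p1_2,1 or later the wrapper should log nothing.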

References

CVE Name CVE-2021-41617
URL https://www.openssh.com/txt/release-8.8