Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f4a0fa7f299ca02b5cf46a805d9c989c@ucc.asn.au>
Date: Tue, 13 May 2025 08:47:58 +0800
From: Matt Johnston <matt@....asn.au>
To: oss-security@...ts.openwall.com
Cc: Albert Veli <albert.veli@...il.com>
Subject: Re: Dropbear SSH 2025.88 fixes CVE-2025-47203

Hi Albert,

2024.86 is affected.

On 2025-05-13 2:47 am, Albert Veli wrote:

> I'm currently triaging CVE-2025-47203 to determine whether an embedded
> system we maintain is actually affected. It runs 2024.86, and is built
> with DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_MULTIHOP enabled.
> 
> However, despite attempting various multihop hostname inputs
> containing shell metacharacters (e.g. semicolons, backticks, pipes,
> $(cmd)), I’ve been unable to trigger any shell execution or command
> injection. All such inputs are interpreted literally as hostnames.
> 
> I have two main questions:
> 
> 1. Is there a reliable way to confirm from the command line whether
> I'm vulnerable?

dbclient 'localhost,|touch 123 '

stdout is captured, stderr isn't.

> 2. Both dbclient and ssh are symlinks to the same dropbear binary.
> Does this CVE apply equally to both, or is it specific to dbclient?

It applies to both.

Cheers,
Matt

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.