David Leadbeater

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 10.1 **Description** OpenSSH contains a flaw where the '0' character within an ssh:// URI can be processed, potentially leading to code execution when a `ProxyCommand` is utilized. This occurs because the presence of a null byte allows for manipulation of the command execution process. **Recommendations** Update to OpenSSH version 10.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 10.1 Alma Linux (affected versions not specified) SUSE (affected versions not specified) IBM AIX (affected versions not specified) Fortinet FortiWeb (affected versions not specified) **Description** OpenSSH before version 10.1 contains a command injection flaw within the `ProxyCommand` functionality. This issue arises from the improper handling of control characters within usernames, potentially allowing an attacker to execute arbitrary code. The vulnerability is triggered when a `ProxyCommand` is used and the username contains control characters originating from untrusted sources, such as the command line or through %-sequence expansion in a configuration file. Successful exploitation could lead to remote code execution. The vulnerability is actively being exploited, and proof-of-concept exploits are publicly available. The `ProxyCommand` feature is used in various environments, including bastions, CI/CD pipelines, and helper scripts, increasing the potential attack surface. **Recommendations** Upgrade OpenSSH to version 10.1 or later. Disable or limit the use of the `ProxyCommand` functionality if it is not essential. If `ProxyCommand` must be used, avoid building SSH commands from untrusted input. Set a literal `User` in the ssh config to avoid unsafe % expansions. Hunt for unusual `ProxyCommand` invocations in auth.log. Rotate SSH keys and tighten ingress access control lists. Treat potentially compromised hosts as such until proven otherwise.

**Name of the Vulnerable Software and Affected Versions** iTerm2 versions 3.5.x through 3.5.1 **Description** An issue was discovered in iTerm2 that allows an attacker to inject arbitrary code into the terminal by abusing title reporting and tmux integration. This is possible due to the unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature, which is enabled by default. **Recommendations** For iTerm2 versions 3.5.x through 3.5.1, update to version 3.5.2 or later to resolve the issue. As a temporary workaround, consider disabling the tmux integration feature until a patch is available. Restrict access to the terminal to minimize the risk of exploitation. Avoid using the title reporting feature in the affected versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iTerm2 versions prior to 3.5.2 **Description** The issue arises because the "Terminal may report window title" setting is not honored, potentially leading to remote code execution, although it is noted that exploitation is not trivial. **Recommendations** For versions prior to 3.5.2, update to version 3.5.2 or later to resolve the issue. As a temporary workaround, consider disabling the "Terminal may report window title" setting until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.21.5 Go versions prior to 1.20.12 **Description** The issue is related to the use of the "go get" command to fetch modules with the ".git" suffix. If the module is unavailable via secure protocols, it may fallback to the insecure "git://" protocol, even if GOINSECURE is not set for the module. This affects users who are not using the module proxy and are fetching modules directly. The vulnerability is related to the transmission of data in open form, which can allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For Go versions prior to 1.21.5, update to Go 1.21.5 to fix the issue. For Go versions prior to 1.20.12, update to Go 1.20.12 to fix the issue. As a temporary workaround, consider setting GOPROXY to a secure proxy or enabling GOINSECURE for the affected modules to minimize the risk of exploitation. Restrict direct fetching of modules using "go get" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mintty versions 3.6.4 and earlier **Description** An issue in Mintty allows a remote attacker to execute arbitrary code via crafted commands to the terminal. **Recommendations** For Mintty versions 3.6.4 and earlier, update to a version later than 3.6.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mintty versions prior to 3.6.3 **Description** The issue allows code execution via unescaped output to the terminal. This is due to terminal character injection in Mintty. **Recommendations** For versions prior to 3.6.3, update to version 3.6.3 or later to resolve the issue. As a temporary workaround, consider restricting the output to the terminal to minimize the risk of code execution.

**Name of the Vulnerable Software and Affected Versions** OpenBSD versions 7.3 before errata 014 **Description** The issue is related to a missing argument-count bounds check in console terminal emulation, which could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences. **Recommendations** For OpenBSD version 7.3 before errata 014, apply errata 014 to resolve the issue. As a temporary workaround, consider restricting the use of console terminal emulation until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** ConEmu versions prior to 220807 Cmder versions prior to 1.3.21 **Description** The issue allows an attacker to change the title of the terminal, including control characters, which can then be executed as commands. This is related to the handling of ASCII escape sequences, which can alter terminal states, including executing commands in affected terminals. **Recommendations** For ConEmu versions prior to 220807, update to version 220807 or later to resolve the issue. For Cmder versions prior to 1.3.21, update to version 1.3.21 or later to resolve the issue. As a temporary workaround, consider restricting the use of control characters in terminal titles to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Less versions prior to 609 **Description** The issue is related to incorrect filtering of ANSI escape sequences when processing the -R element. This can be exploited by an attacker to elevate privileges using a specially crafted hyperlink with OSC 8 support. Crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal. **Recommendations** For versions prior to 609, update to version 609 or later to resolve the issue. As a temporary workaround, consider disabling the use of the -R option until a patch is available. Restrict access to potentially malicious hyperlinks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Windows Terminal (affected versions not specified) **Description** The issue is related to insufficient input validation in the Windows Terminal emulator, which can be exploited to execute arbitrary code using a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SwiftTerm versions prior to a94e6b24d24ce9680ad79884992e1dff8e150a31 **Description** The issue allows an attacker to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal. This could happen when the user views a file containing the malicious sequence, potentially allowing the attacker to execute arbitrary commands. **Recommendations** For versions prior to a94e6b24d24ce9680ad79884992e1dff8e150a31, update to version a94e6b24d24ce9680ad79884992e1dff8e150a31 or later, which contains a patch for this issue. As a temporary workaround, consider avoiding viewing files that may contain malicious character escape sequences until the update is applied.

**Name of the Vulnerable Software and Affected Versions** xterm versions prior to 375 **Description** The issue is related to the lack of input validation in the xterm terminal emulator, which can be exploited by a remote attacker to gain access to confidential data, compromise its integrity, and cause a denial of service. The vulnerability can be exploited via font operations, for example, because an OSC 50 response may contain Ctrl-g, leading to command execution within the vi line-editing mode of Zsh. It is noted that font operations are not allowed in the xterm default configurations of some Linux distributions. **Recommendations** For xterm versions prior to 375, update to version 375 or later to resolve the issue. As a temporary workaround, consider disabling font operations until a patch is available. Restrict access to the `vi` line-editing mode of Zsh to minimize the risk of exploitation. Avoid using the `Ctrl-g` character in OSC 50 responses until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** rxvt-unicode versions 9.25 through 9.26 **Description** The issue allows for remote code execution in the Perl background extension of the rxvt-unicode package. This occurs when an attacker can control the data written to the user's terminal and certain options are set. **Recommendations** For rxvt-unicode versions 9.25 and 9.26, consider disabling the Perl background extension as a temporary workaround until a patch is available. Restrict access to the terminal to minimize the risk of exploitation. Avoid using options that allow an attacker to control the data written to the user's terminal in the affected versions.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** An issue in the Linux kernel's nf conntrack irc module can cause message handling confusion, leading to incorrect message matching. This can potentially allow a firewall to be bypassed when users are using unencrypted IRC with nf conntrack irc configured. The vulnerability is related to improper message processing and matching, which may enable an attacker to circumvent firewall restrictions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IRCD-hybrid versions 7.2.2 through 7.2.3 ircd-ratbox versions prior to 2.2.9 oftc-hybrid versions prior to 1.6.8 **Description** The issue allows remote attackers to execute arbitrary code or cause a denial of service via a LINKS command, due to an integer underflow in the clean string function when flatten links is disabled. **Recommendations** For IRCD-hybrid versions 7.2.2 through 7.2.3, update to a version later than 7.2.3. For ircd-ratbox versions prior to 2.2.9, update to version 2.2.9 or later. For oftc-hybrid versions prior to 1.6.8, update to version 1.6.8 or later.