PT-2021-7870 · Openssh+10
Published: 2021-09-26 · Updated: 2026-04-27 · CVE-2021-41617
CVSS v3.1: 7.0 (High)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenSSH versions 6.2 through 8.x before 8.8
Description
The vulnerability stems from improper privilege management in OpenSSH and allows privilege escalation when certain non-default configurations are used. Because supplemental groups are not initialized as expected, helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with the group memberships of the sshd process when the configuration specifies that the command run as a different user. Successful exploitation could grant access to confidential data, disrupt data integrity, or cause denial of service.
Recommendations
For OpenSSH versions 6.2 through 8.x before 8.8, update to version 8.8 or later to resolve the issue. As a temporary workaround, consider disabling AuthorizedKeysCommand and AuthorizedPrincipalsCommand until a patch is available, restrict access to the helper programs these commands invoke to reduce the risk of exploitation, and avoid configurations that run these commands as a non-root user until the issue is resolved.
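A configuration audit for this issue, added here as an example and not part of the original advisory: the POSIX shell script below flags a host whose OpenSSH version falls in the affected range and whose sshd configuration runs AuthorizedKeysCommand or AuthorizedPrincipalsCommand as a non-root user (through the AuthorizedKeysCommandUser / AuthorizedPrincipalsCommandUser directives, which the advisory describes but does not name). The version strings, helper paths and configuration samples are constructed.

```shell
#!/bin/sh
# Audit helper for CVE-2021-41617 (constructed example, not vendor code):
# a host is at risk when it runs an affected OpenSSH (6.2 <= v < 8.8) AND
# sshd is configured to run AuthorizedKeysCommand/AuthorizedPrincipalsCommand
# as a non-root user. Feed it the version string from `ssh -V` and the
# effective configuration (e.g. the output of `sshd -T`).

# Return 0 if the OpenSSH version string (e.g. "OpenSSH_8.4p1") is affected.
version_affected() {
    mm=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$mm" ] || return 2   # unparseable version string
    major=${mm%% *}; minor=${mm##* }
    v=$((major * 100 + minor))  # 8.4 -> 804
    [ "$v" -ge 602 ] && [ "$v" -lt 808 ]
}

# Return 0 if the sshd config on stdin runs either helper as a non-root user.
# Keywords are matched case-insensitively (as sshd does); "none" means unset,
# which is how `sshd -T` prints an absent directive. Match blocks are not
# resolved here, which is why `sshd -T` output is the preferred input.
config_exposed() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        { key = tolower($1); val = $2 }
        key == "authorizedkeyscommand"           { kc = (val != "none") }
        key == "authorizedkeyscommanduser"       { ku = (val != "none" && val != "root") }
        key == "authorizedprincipalscommand"     { pc = (val != "none") }
        key == "authorizedprincipalscommanduser" { pu = (val != "none" && val != "root") }
        END { exit !((kc && ku) || (pc && pu)) }
    '
}

# Combine both checks. $1 = version string, $2 = sshd configuration text.
host_at_risk() {
    version_affected "$1" || return 1
    printf '%s\n' "$2" | config_exposed
}

# Constructed sample configurations for demonstration.
WEAK_CFG='AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
AuthorizedKeysCommandUser sshkeys'
SAFE_CFG='AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
AuthorizedKeysCommandUser root'

if host_at_risk "OpenSSH_8.4p1" "$WEAK_CFG"; then
    echo "at risk: affected version with non-root AuthorizedKeysCommandUser"
fi
```

On a live host, `host_at_risk "$(ssh -V 2>&1)" "$(sshd -T)"` applies the same checks to the running daemon's effective configuration.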
Weakness Enumeration
Improper Privilege Management
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Openssh
Red Hat
Rocky Linux
Suse
Ubuntu