Headline
CVE-2023-42818: SSH public key login without private key challenge if mfa is enabled.
JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker who has obtained a user's public key could use it, without the matching private key, to attempt brute-force authentication against the SSH service. This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.
Affected versions
< 3.6.4
Patched versions
3.6.5, 3.5.6
Impact
When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker who has obtained a user's public key could use it, without the matching private key, to attempt brute-force authentication against the SSH service.
Details
The user ‘foo’ generated an SSH public key named ‘test_id_rsa.pub’ and registered it in their account settings. An attacker who obtains that public key could use it to attempt brute-force authentication against the SSH service: the server accepts the key and proceeds to the MFA prompt without ever requiring proof of possession of the private key.
ssh foo@<koko_ip> -p2222 -i test_id_rsa.pub
foo
Please Enter MFA Code.
(foo@<koko_ip>) [OTP Code]:
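The following is an added example, not code from JumpServer or Koko, that models the server-side check the Impact and Details sections describe as missing. It uses only the Go standard library: the client's SSH_MSG_USERAUTH_REQUEST for the "publickey" method is rebuilt as a struct, the signed data is assembled exactly as RFC 4252 section 7 specifies, and two server policies are compared. `vulnerablePubkeyStep` passes the public-key step as soon as the offered key matches a registered one (the defect class in the advisory), while `securePubkeyStep` also requires a signature that verifies under that key over the session data. The function names, the ed25519 key pair, the session id and the user `foo`'s key list are all constructed for this example; the advisory does not say which Koko code path skipped the check, so this shows the general verification rather than the actual patch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SSH_MSG_USERAUTH_REQUEST message number (RFC 4252 section 6).
const msgUserauthRequest = 50

// sshString encodes b as an SSH "string": uint32 big-endian length + bytes (RFC 4251 section 5).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// AuthRequest models the fields of a "publickey" SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 7).
// Signature is nil for the unsigned "is this key acceptable?" query a client may send first.
type AuthRequest struct {
	User, Service, Algo string
	PubKey, Signature   []byte
}

// signedData builds the exact byte string the client must sign (RFC 4252 section 7):
// session id, message type, user, service, "publickey", TRUE, algorithm, public key.
func signedData(sessionID []byte, r AuthRequest) []byte {
	var b bytes.Buffer
	b.Write(sshString(sessionID))
	b.WriteByte(msgUserauthRequest)
	b.Write(sshString([]byte(r.User)))
	b.Write(sshString([]byte(r.Service)))
	b.Write(sshString([]byte("publickey")))
	b.WriteByte(1) // boolean TRUE: a signature follows
	b.Write(sshString([]byte(r.Algo)))
	b.Write(sshString(r.PubKey))
	return b.Bytes()
}

// authorizedKeys models the public keys each user has registered (constructed for the example).
type authorizedKeys map[string][][]byte

func (a authorizedKeys) contains(user string, key []byte) bool {
	for _, k := range a[user] {
		if bytes.Equal(k, key) {
			return true
		}
	}
	return false
}

// vulnerablePubkeyStep models the defect class: the key is looked up, but possession
// of the private key is never proved, so the public key alone passes this step.
func vulnerablePubkeyStep(keys authorizedKeys, _ []byte, r AuthRequest) bool {
	return keys.contains(r.User, r.PubKey)
}

// securePubkeyStep passes only when the registered key verifies a signature over the
// RFC 4252 data for this session; an unsigned query or a forged signature is rejected.
func securePubkeyStep(keys authorizedKeys, sessionID []byte, r AuthRequest) bool {
	if !keys.contains(r.User, r.PubKey) || r.Signature == nil {
		return false
	}
	if r.Algo != "ssh-ed25519" || len(r.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(r.PubKey), signedData(sessionID, r), r.Signature)
}

// mfaPromptAllowed: the server may only move on to the OTP prompt once the
// public-key step has genuinely passed.
func mfaPromptAllowed(pubkeyPassed, mfaEnabled bool) bool {
	return pubkeyPassed && mfaEnabled
}

// Outcome records how each policy judged one request.
type Outcome struct{ Vulnerable, Secure bool }

// RunScenario evaluates three requests for user "foo": an unsigned query and a forged
// signature (attacker holding only the public key), and a properly signed request.
func RunScenario() (unsigned, forged, legit Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	keys := authorizedKeys{"foo": {[]byte(pub)}} // the key 'foo' uploaded
	sessionID := make([]byte, 32)
	if _, err = rand.Read(sessionID); err != nil {
		return
	}
	base := AuthRequest{User: "foo", Service: "ssh-connection", Algo: "ssh-ed25519", PubKey: []byte(pub)}
	judge := func(r AuthRequest) Outcome {
		return Outcome{vulnerablePubkeyStep(keys, sessionID, r), securePubkeyStep(keys, sessionID, r)}
	}
	unsigned = judge(base)
	forgedReq := base
	forgedReq.Signature = make([]byte, ed25519.SignatureSize) // attacker cannot sign; garbage
	forged = judge(forgedReq)
	legitReq := base
	legitReq.Signature = ed25519.Sign(priv, signedData(sessionID, legitReq))
	legit = judge(legitReq)
	return
}

func main() {
	unsigned, forged, legit, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsigned query: vulnerable=%v secure=%v\n", unsigned.Vulnerable, unsigned.Secure)
	fmt.Printf("forged sig:     vulnerable=%v secure=%v\n", forged.Vulnerable, forged.Secure)
	fmt.Printf("signed:         vulnerable=%v secure=%v\n", legit.Vulnerable, legit.Secure)
	fmt.Printf("MFA prompt for unsigned query on secure server: %v\n", mfaPromptAllowed(unsigned.Secure, true))
}
```

Run with `go run .`: the vulnerable policy reports true for all three requests, which is why a disclosed public key is enough to reach the MFA prompt, whereas the secure policy reports true only for the signed request. The detection angle for operators is the same: an SSH session that reaches the OTP prompt without a verified signature should be impossible on a patched server.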
Patches
Safe versions: v3.6.5, v3.5.6
Workarounds
It is recommended to upgrade to one of the safe versions.
After upgrading, use the following command to check whether the vulnerability is fixed:
ssh foo@<koko_ip> -p2222 -i test_id_rsa.pub
Load key "test_id_rsa.pub": invalid format
The "invalid format" line is emitted by the OpenSSH client because the file given to -i is a public key rather than a private key; the difference from the vulnerable behaviour shown above is that the server no longer proceeds to the MFA prompt.
References
Thanks to Ethan Yang, Hui Song and pokerstarxy for finding and reporting this vulnerability.