Presidents’ Day
Our office will be closed on Monday, February 19th for Presidents’ day.
If you should have an emergency, there will be an engineer to assist you in the ticketing system.
We will return to our regular hours on Tuesday, February 20th at 7:30am PT.
All Services Operational
Merry Christmas and Happy New Year !
Dynamic wishes you a wonderful Holiday Season. We had a great year working with all of you and are excited to get the next year started. Our offices will be closed on Monday the 25th of December and the following Monday the 1st of January. In case of any emergencies, we will have an engineer on duty; otherwise, we will take care of you as always during usual business hours, 7:30 am to 4 pm PT.
Happy Thanksgiving!
Wishing you a safe and festive Holiday Season from Dynamic Concepts!
Our offices will be closed from Wednesday the 22nd at 5pm PDT until Monday the 27th at 7:30am PDT.
If you should have an emergency and need assistance with a ticket please check the emergency box. An
Engineer will be paged and will help you asap. Other non emergency tickets will be addressed the following
Monday morning of the 27th.
Important: Action May Be Required – Vulnerability in SSH Agent Forwarding
Dear Valued Customer,
We are writing to bring your attention to a critical security matter regarding SSH Agent Forwarding, you may have received an email last week on this matter.
Who is affected?
Customers who use SSH connections from terminal emulator programs like dL4Term, PowerTerm, or Putty to log in to their systems with a user login and password are not vulnerable to the recent SSH vulnerability. However, if you utilize SSH Agent Forwarding, which is represented by the ‘-A’ flag in the following command: ‘ssh -A <user>@<servername>’, we strongly advise you to immediately discontinue using SSH Agent Forwarding and switch to an alternative solution.
What servers are affected?
The vulnerability affects:
- CentOS (Version 8.x and older)
- RHEL (Version 7.x or older)
- Amazon Linux servers
What is the root cause?
The root cause is a vulnerability in OpenSSH before version ‘9.3p2’. Additionally, because these OS’s have reached their “End-of-Life” (EOL) status, there are no official security patches available.
What to do if you’re affected?
To ensure the utmost security of your systems, we recommend taking the following actions:
- If you are currently using SSH Agent Forwarding, please refrain from using this feature immediately, as even non-privileged users may gain unauthorized access using forwarded keys on an affected OS.
- We also encourage customers on Linux operating systems that have reached “End-of-Life” to reach out to us to schedule an upgrade to RHEL 8 or Rocky8, which are currently supported Operating Systems offering improved security and regular updates for issues like these.
We understand that this may raise questions or concerns, and we are here to assist. If you have any inquiries or require further information, please do not hesitate to open a ticket at tickets.dynamic.com. Our support team will promptly address your concerns and provide guidance.
Your trust and security are of paramount importance to us, and we sincerely appreciate your prompt attention to this matter. By working together, we can ensure the continued protection of your valuable data and systems.
Thank you for your cooperation and ongoing partnership with us.
Best regards,
Engineering Team
Dynamic Concepts Inc.
Remote – SSH Exploit Discovered (Dynamic Customers please read this)
We are writing to inform you about a security vulnerability that affects customers using SSH and SSH forwarding. The vulnerability has been assigned CVE-2023-38408 and is related to Remote Code Execution (RCE) in OpenSSH’s forwarded ssh-agent. Systems with SSH servers open to unprotected networks are the most vulnerable.
SSH-agent is a program designed to store private keys used for public key authentication. It can be located and automatically used for authentication when logging in to other machines using SSH. Connections to ssh-agent can be forwarded from remote hosts using the -A option to SSH, which allows the remote host to access the local agent.
Despite warnings about enabling SSH-agent forwarding with caution, it is still widely used today. However, we have discovered a potential security risk related to the forwarding of ssh-agent. An attacker with access to the remote server where ssh-agent is forwarded to could load and immediately unload shared libraries from /usr/lib* on the local workstation. This may result in unexpected side effects, including remote code execution in ssh-agent.
Our research indicates that even though certain shared libraries are generally considered safe, chaining specific side effects could lead to a reliable one-shot remote code execution in ssh-agent. We are actively working to address this vulnerability in OpenSSH and will update you with more information as it becomes available.
Please note that this CVE affects versions older than OpenSSH 9.3p2. You can identify your current server version by running ‘ssh -V’ in your terminal.
Your security and privacy are of utmost importance to us, and we are committed to providing you with the best possible protection. If you have any questions or concerns, please open a ticket at tickets.dynamic.com.
Thank you for your attention to this matter.
Sincerely,
Engineering Team
Dynamic Concepts Inc.
Remote – SSH Exploit Discovered (please read)
| Dear Dynamic Concepts Customers,We are writing to inform you about a security vulnerability that affects customers using SSH and SSH forwarding. The vulnerability has been assigned CVE-2023-38408 and is related to Remote Code Execution (RCE) in OpenSSH’s forwarded ssh-agent. Systems with SSH servers open to unprotected networks are the most vulnerable. SSH-agent is a program designed to store private keys used for public key authentication. It can be located and automatically used for authentication when logging in to other machines using SSH. Connections to ssh-agent can be forwarded from remote hosts using the -A option to SSH, which allows the remote host to access the local agent. Despite warnings about enabling SSH-agent forwarding with caution, it is still widely used today. However, we have discovered a potential security risk related to the forwarding of ssh-agent. An attacker with access to the remote server where ssh-agent is forwarded to could load and immediately unload shared libraries from /usr/lib* on the local workstation. This may result in unexpected side effects, including remote code execution in ssh-agent. Our research indicates that even though certain shared libraries are generally considered safe, chaining specific side effects could lead to a reliable one-shot remote code execution in ssh-agent. We are actively working to address this vulnerability in OpenSSH and will update you with more information as it becomes available. Please note that this CVE affects versions older than OpenSSH 9.3p2. You can identify your current server version by running ‘ssh -V’ in your terminal. Your security and privacy are of utmost importance to us, and we are committed to providing you with the best possible protection. If you have any questions or concerns, please open a ticket at tickets.dynamic.com. Thank you for your attention to this matter. Sincerely, Engineering Team Dynamic Concepts Inc. |
Remo – SSH Exploit Discovered
| We are writing to inform you about a security vulnerability that affects customers using SSH and SSH forwarding. The vulnerability has been assigned CVE-2023-38408 and is related to Remote Code Execution (RCE) in OpenSSH’s forwarded ssh-agent. Systems with SSH servers open to unprotected networks are the most vulnerable. SSH-agent is a program designed to store private keys used for public key authentication. It can be located and automatically used for authentication when logging in to other machines using SSH. Connections to ssh-agent can be forwarded from remote hosts using the -A option to SSH, which allows the remote host to access the local agent. Despite warnings about enabling SSH-agent forwarding with caution, it is still widely used today. However, we have discovered a potential security risk related to the forwarding of ssh-agent. An attacker with access to the remote server where ssh-agent is forwarded to could load and immediately unload shared libraries from /usr/lib* on the local workstation. This may result in unexpected side effects, including remote code execution in ssh-agent. Our research indicates that even though certain shared libraries are generally considered safe, chaining specific side effects could lead to a reliable one-shot remote code execution in ssh-agent. We are actively working to address this vulnerability in OpenSSH and will update you with more information as it becomes available. Please note that this CVE affects versions older than OpenSSH 9.3p2. You can identify your current server version by running ‘ssh -V’ in your terminal. Your security and privacy are of utmost importance to us, and we are committed to providing you with the best possible protection. If you have any questions or concerns, please open a ticket at tickets.dynamic.com. Thank you for your attention to this matter. Sincerely, Engineering Team Dynamic Concepts Inc. |
Remote-SSH Exploit Discovered
Dear valued customers,
We are writing to inform you about a security vulnerability that affects customers using SSH and SSH forwarding. The vulnerability has been assigned CVE-2023-38408 and is related to Remote Code Execution (RCE) in OpenSSH’s forwarded ssh-agent.
SSH-agent is a program designed to store private keys used for public key authentication. It can be located and automatically used for authentication when logging in to other machines using SSH. Connections to ssh-agent can be forwarded from remote hosts using the -A option to SSH, which allows the remote host to access the local agent.
Despite warnings about enabling SSH-agent forwarding with caution, it is still widely used today. However, we have discovered a potential security risk related to the forwarding of ssh-agent. An attacker with access to the remote server where ssh-agent is forwarded to could load and immediately unload shared libraries from /usr/lib* on the local workstation. This may result in unexpected side effects, including remote code execution in ssh-agent.
Our research indicates that even though certain shared libraries are generally considered safe, chaining specific side effects could lead to a reliable one-shot remote code execution in ssh-agent. We are actively working on a set of patches to address this vulnerability in OpenSSH, and we are working to upgrade the version of OpenSSH on your systems as soon as possible. We will coordinate with you when this upgrade is ready to ensure a seamless transition.
Please note that this CVE affects versions older than OpenSSH 9.3p2. You can identify your current server version by running ‘ssh -V’ in your terminal.
Your security and privacy are of utmost importance to us, and we are committed to providing you with the best possible protection. If you have any questions or concerns, please open a ticket at tickets.dynamic.com.
Thank you for your attention to this matter.
Sincerely,
Engineering Team
Dynamic Concepts Inc.
DynamicStat.us 