CVE-2021-41393
Teleport vulnerability analysis and mitigation

Overview

CVE-2021-41393 affects Teleport versions before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1. In the affected releases, Teleport's validation of SSH host certificates could be bypassed in certain code paths, so that a forged host certificate was accepted as if it had been signed by the cluster's host certificate authority. The issue was found during a routine security audit and was disclosed on September 18, 2021 (Teleport Release).

Technical details

An attacker in a privileged network position, meaning one able to intercept or redirect a Teleport client's or agent's connection (a man-in-the-middle), could present a forged SSH host certificate that Teleport, in specific code paths, accepted as valid instead of rejecting it for not being signed by the cluster's host CA. NVD assigns a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD). Note that this vector does not reflect the network-position prerequisite: exploitation requires being on path between the connecting component and the proxy or node it is reaching, and the practical impact is bounded by the two scenarios described under Impact.

Impact

The flaw is reachable in two specific paths:

1) tsh used with an identity file (the common setup for service accounts and automation). An attacker who intercepts such a session with a forged host certificate can observe the commands the service account runs and, when the cluster uses proxy session recording mode, take control of the SSH agent the client forwards, since in that mode the agent is forwarded to the proxy rather than the node.

2) Teleport agents (nodes and other services that join a cluster over a reverse tunnel) could be tricked into connecting to an attacker-controlled cluster. This does not give the attacker access to or control of the resources behind the agent, because agents still reject any connection that does not present a valid X.509 or SSH user certificate issued by the genuine cluster (Teleport Release).

Mitigation and workarounds

Users should upgrade all components of their Teleport cluster to the patch releases 7.1.1, 6.2.12, 5.2.4, or 4.4.11, whichever matches the branch in use. If everything cannot be upgraded at once, prioritise tsh and the Teleport agents that use reverse tunnels, including the proxies of trusted clusters, since these are the components on the vulnerable code paths. After the upgrade, the web UI will no longer connect to OpenSSH nodes whose host public keys or certificates are not signed by Teleport; such nodes must be reached with a plain OpenSSH client or with tsh and the --insecure flag, which disables certificate verification and therefore should be confined to those nodes until their host keys are signed by the Teleport host CA (Teleport Release).
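The version ranges above can be checked mechanically across a fleet. The following POSIX shell script is an added example written for this page, not Teleport's own tooling: it parses the first line printed by `teleport version` or `tsh version` (the format "Teleport vX.Y.Z git:... goN" is assumed), compares the version against the affected ranges, and reports each host. The host names and version lines in the demo are constructed sample data, not output captured from real systems, and a pre-release suffix such as "-rc.2" is treated as the release it precedes.

```shell
#!/bin/sh
# Triage helper for CVE-2021-41393 (added example, not Teleport code).
# Affected per the advisory: < 4.4.11, 5.x < 5.2.4, 6.x < 6.2.12, 7.x < 7.1.1.

# split_version "v7.1.0-rc.2" -> prints "7 1 0" (leading "v" and any
# pre-release/build suffix dropped, missing components treated as 0)
split_version() {
    v=${1#v}
    v=${v%%-*}
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# version_lt A B: succeeds when A is strictly older than B (numeric compare)
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    # $1 $2 $3 = A's major minor patch; $4 $5 $6 = B's
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# is_affected VERSION: succeeds when VERSION is in a vulnerable range
is_affected() {
    set -- $(split_version "$1")
    case "$1" in
        5)     version_lt "$1.$2.$3" 5.2.4 ;;
        6)     version_lt "$1.$2.$3" 6.2.12 ;;
        7)     version_lt "$1.$2.$3" 7.1.1 ;;
        [0-4]) version_lt "$1.$2.$3" 4.4.11 ;;   # 4.x and anything older
        *)     return 1 ;;                        # 8.x and later post-date the fix
    esac
}

# teleport_version_from_output LINE: extracts "7.1.0" from a line like
# "Teleport v7.1.0 git:v7.1.0-0-g0123456 go1.16.7" (assumed output format);
# prints nothing if the line does not match
teleport_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Teleport v\([0-9][0-9.]*\).*/\1/p'
}

# check_host NAME LINE: prints one report line for a host
check_host() {
    ver=$(teleport_version_from_output "$2")
    if [ -z "$ver" ]; then
        printf '%s\tunparseable version output\n' "$1"
    elif is_affected "$ver"; then
        printf '%s\t%s\tAFFECTED - upgrade\n' "$1" "$ver"
    else
        printf '%s\t%s\tfixed\n' "$1" "$ver"
    fi
}

# Constructed sample data: what `teleport version` / `tsh version` might print
# on four machines. Replace with real command output when running for a fleet.
demo() {
    check_host node-a  "Teleport v6.2.11 git:v6.2.11-0-g0123456 go1.16.7"
    check_host node-b  "Teleport v7.1.1 git:v7.1.1-0-g0123456 go1.16.8"
    check_host proxy-1 "Teleport v5.2.3 git:v5.2.3-0-g0123456 go1.15.6"
    check_host laptop  "Teleport v7.1.0-rc.2 git:v7.1.0-rc.2-0-g0123456 go1.16.7"
}

demo
```

To use it for real, feed each host's actual `teleport version` output (and each workstation's `tsh version` output) to check_host; the script only classifies the version string, it does not confirm that the running process matches the installed binary.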

Note: this report was generated using AI.

Related Teleport vulnerabilities:

CVE ID          Severity  Score  Technology  Component name          CISA KEV exploit  Has fix  Published date
CVE-2025-49825  CRITICAL  9.8    Teleport    teleport                No                Yes      Jun 17, 2025
CVE-2024-40635  HIGH      7.8    Docker      neuvector-scanner       No                Yes      Mar 17, 2025
CVE-2025-30204  HIGH      7.5    Docker      gitlab-pages-fips-17.9  No                Yes      Mar 21, 2025
CVE-2025-32387  MEDIUM    6.5    Helm        helm.sh/helm            No                Yes      Apr 09, 2025
CVE-2025-32386  MEDIUM    6.5    Helm        zarf                    No                Yes      Apr 09, 2025
