CVE-2023-46446
Python vulnerability analysis and mitigation

Overview

An issue in AsyncSSH before version 2.14.1 allows an on-path attacker to take control of the remote end of an SSH client session via packet injection/removal and shell emulation, known as a 'Rogue Session Attack'. The vulnerability was disclosed in November 2023 and is tracked as CVE-2023-46446. It affects AsyncSSH versions 2.14.0 and earlier; the attacker must hold valid credentials on the target server and be able to modify traffic between client and server (GitHub Advisory, NVD).

Technical details

The attack injects a chosen SSH_MSG_USERAUTH_REQUEST into the client-to-server stream before the client's NewKeys message. Everything exchanged before NewKeys is still unencrypted and unauthenticated, which is what lets a man-in-the-middle insert a message of their own. The injected authentication request must contain valid attacker credentials and can use any authentication method that completes without exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts this premature, unauthenticated user authentication request and defers it until the client requests the authentication protocol (its SSH_MSG_SERVICE_REQUEST for ssh-userauth), at which point the deferred request is processed and the session is authenticated as the attacker's user rather than the victim's. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N; the PR:L component reflects the attacker's need for an account on the server (GitHub Advisory, NVD).
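To make the state-machine flaw concrete, here is an added toy model of the server-side message flow (illustrative code written for this page, not AsyncSSH's implementation). Message numbers follow RFC 4253/4252, but the `Server` class, its `hardened` switch, the credential table and the `run_session` replay are assumptions made for the demonstration; sequence-number handling, the encryption boundary and the client's own view of the session are deliberately left out. The vulnerable mode defers an early USERAUTH_REQUEST and processes it once ssh-userauth is requested; the hardened mode treats any USERAUTH_REQUEST that arrives before the userauth service was requested as a protocol error, which is a simplified stand-in for the 2.14.1 hardening, not the actual patch.

```python
"""Toy model of the CVE-2023-46446 rogue session flaw (added example, not AsyncSSH code)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Message numbers from RFC 4253 (transport) and RFC 4252 (userauth)
MSG_SERVICE_REQUEST = 5
MSG_KEXINIT = 20
MSG_NEWKEYS = 21
MSG_USERAUTH_REQUEST = 50

# Constructed credential table for the demo server: the victim and the attacker
# both have accounts, as the attack requires valid attacker credentials.
CREDENTIALS: Dict[str, str] = {"alice": "alice-pw", "mallory": "mallory-pw"}


class Disconnect(Exception):
    """The server tears the connection down on a protocol violation."""


@dataclass
class Server:
    """Minimal server state machine: KEX -> NEWKEYS -> service request -> userauth."""
    hardened: bool
    credentials: Dict[str, str]
    keys_established: bool = False      # set once the peer's NEWKEYS arrives
    userauth_requested: bool = False    # set by SERVICE_REQUEST "ssh-userauth"
    deferred: List[dict] = field(default_factory=list)
    authenticated_user: Optional[str] = None

    def handle(self, msg_type: int, payload) -> None:
        if msg_type == MSG_KEXINIT:
            return                                   # key exchange itself is not modelled
        if msg_type == MSG_NEWKEYS:
            self.keys_established = True
            return
        if msg_type == MSG_SERVICE_REQUEST:
            if not self.keys_established:
                raise Disconnect("SERVICE_REQUEST before NEWKEYS")
            if payload == "ssh-userauth":
                self.userauth_requested = True
                # Vulnerable behaviour: requests that arrived early are now acted on,
                # although nothing ties them to the client that just completed KEX.
                for early in self.deferred:
                    self._authenticate(early)
                self.deferred.clear()
            return
        if msg_type == MSG_USERAUTH_REQUEST:
            if self.authenticated_user is not None:
                return                               # RFC 4252: ignore further requests after success
            if self.userauth_requested:
                self._authenticate(payload)
            elif self.hardened:
                raise Disconnect("USERAUTH_REQUEST before ssh-userauth was requested")
            else:
                self.deferred.append(payload)        # the flaw: accept and park it for later
            return
        raise Disconnect(f"unexpected message type {msg_type}")

    def _authenticate(self, request: dict) -> None:
        """Password check only; a failed attempt leaves the session unauthenticated."""
        if request["method"] == "password" and \
                self.credentials.get(request["user"]) == request["secret"]:
            self.authenticated_user = request["user"]


def run_session(hardened: bool, attacker_injects: bool) -> Optional[str]:
    """Replay the client's handshake, optionally with a MITM-injected request placed
    in the plaintext window before the client's NEWKEYS. Returns the user the server
    ends up authenticating, or None if it disconnected."""
    server = Server(hardened=hardened, credentials=CREDENTIALS)
    client_flow = [
        (MSG_KEXINIT, None),
        (MSG_NEWKEYS, None),
        (MSG_SERVICE_REQUEST, "ssh-userauth"),
        (MSG_USERAUTH_REQUEST, {"user": "alice", "method": "password", "secret": "alice-pw"}),
    ]
    if attacker_injects:
        # Injected between the client's KEXINIT and NEWKEYS, i.e. still unencrypted.
        client_flow.insert(1, (MSG_USERAUTH_REQUEST,
                               {"user": "mallory", "method": "password", "secret": "mallory-pw"}))
    try:
        for msg_type, payload in client_flow:
            server.handle(msg_type, payload)
    except Disconnect:
        return None
    return server.authenticated_user


if __name__ == "__main__":
    for hardened in (False, True):
        for inject in (False, True):
            who = run_session(hardened, inject)
            print(f"hardened={hardened!s:5} injected={inject!s:5} -> authenticated as {who}")
```

In the vulnerable replay with injection, the server ends up authenticated as mallory even though the client only ever tried to log in as alice, and alice's own request is then silently ignored; in the hardened replay the injected message terminates the connection before any authentication happens.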

Impact

The impact heavily depends on the application logic implemented by the AsyncSSH server. Because the session ends up authenticated as the attacker's user rather than the victim's, whatever the server does for that user runs against the victim's client. In the worst case, when the AsyncSSH server starts a shell for the authenticated user upon connection, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a Man-in-the-Middle at the application layer. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in AsyncSSH version 2.14.1. Users are advised to upgrade to this version or later to protect against this vulnerability. The fix includes hardening of the AsyncSSH state machine against potential message injection attacks (AsyncSSH Changes).
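A quick way to find vulnerable pins in an environment or lockfile, as an added example written for this page rather than code from the AsyncSSH project: the checker below parses `pip freeze` style lines and the live interpreter's installed metadata and compares against the fixed version 2.14.1. The sample freeze output is constructed; pre-release versions such as 2.14.1rc1 are treated as older than the fix, which errs on the side of flagging.

```python
"""Flag AsyncSSH installs/pins older than the CVE-2023-46446 fix (added example)."""

import re
from importlib import metadata
from typing import Dict, Iterable, Optional, Tuple

# First release containing the state-machine hardening; trailing 1 marks a final release.
FIXED_VERSION: Tuple[int, int, int, int] = (2, 14, 1, 1)

# major.minor[.patch][a|b|rc N]; anything after that (local/dev suffixes) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Map '2.14.0', '2.14' or '2.14.1rc1' to a comparable tuple.
    Pre-releases get a 0 in the last slot so they sort before the final release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 2.14.1 fix."""
    return parse_version(version) < FIXED_VERSION


def scan_freeze(lines: Iterable[str]) -> Dict[str, bool]:
    """Return {freeze line: vulnerable?} for every asyncssh pin in pip-freeze output.
    Only exact '==' pins are judged; other specifiers do not name a single version."""
    findings: Dict[str, bool] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep and name.strip().lower().replace("_", "-") == "asyncssh":
            findings[line] = is_vulnerable(version)
    return findings


def installed_asyncssh_vulnerable() -> Optional[bool]:
    """Check the running interpreter; None when asyncssh is not installed here."""
    try:
        return is_vulnerable(metadata.version("asyncssh"))
    except metadata.PackageNotFoundError:
        return None


# Constructed sample of `pip freeze` output for the demonstration.
SAMPLE_FREEZE = """\
# generated by pip freeze (constructed sample)
aiohttp==3.9.1
asyncssh==2.13.2
cryptography==41.0.7
"""


if __name__ == "__main__":
    for pin, bad in scan_freeze(SAMPLE_FREEZE.splitlines()).items():
        print(f"{pin}: {'VULNERABLE (< 2.14.1)' if bad else 'ok'}")
    state = installed_asyncssh_vulnerable()
    print("installed asyncssh:",
          "not installed" if state is None else ("VULNERABLE" if state else "ok"))
```

For a requirements file that uses ranges rather than exact pins, resolve the lockfile first (or run `pip freeze` inside the deployed environment) and feed the resolved output to `scan_freeze`, since a lower bound such as `asyncssh>=2.13` says nothing about which version actually got installed.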

Community reactions

Multiple vendors and distributions have responded to this vulnerability by releasing security advisories and patches. NetApp has issued an advisory for their affected products (NetApp Advisory), and Fedora has released updated packages to address the vulnerability (Fedora Update).

This report was generated using AI.
