You are probably already aware, but Cloudflare is throwing error 525 pages for Dropbear-related sites failing to establish connections to the origin servers:
https://matt.ucc.asn.au/dropbear/dropbear.html
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q2/002385.html

No need to follow up with me, just FYI.

Cheers,
Dave Hart

On Tue, May 13, 2025 at 5:56 AM Matt Johnston <m...@ucc.asn.au> wrote:
> Hi Albert,
>
> 2024.86 is affected.
>
> On 2025-05-13 2:47 am, Albert Veli wrote:
>
> > I'm currently triaging CVE-2025-47203 to determine whether an embedded
> > system we maintain is actually affected. It runs 2024.86, and is built
> > with DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_MULTIHOP enabled.
> >
> > However, despite attempting various multihop hostname inputs
> > containing shell metacharacters (e.g. semicolons, backticks, pipes,
> > $(cmd)), I’ve been unable to trigger any shell execution or command
> > injection. All such inputs are interpreted literally as hostnames.
> >
> > I have two main questions:
> >
> > 1. Is there a reliable way to confirm from the command line whether
> > I'm vulnerable?
>
> dbclient 'localhost,|touch 123 '
>
> stdout is captured, stderr isn't.
>
> > 2. Both dbclient and ssh are symlinks to the same dropbear binary.
> > Does this CVE apply equally to both, or is it specific to dbclient?
>
> It applies to both.
>
> Cheers,
> Matt