OpenSSH 8.6 has been released, an open client and server implementation of the SSH 2.0 and SFTP protocols. The new version fixes a vulnerability in the implementation of the LogVerbose directive, which appeared in the previous release and makes it possible to raise the level of debugging information written to the log, including filtering by patterns, functions and files associated with code executed with reduced privileges in the sshd process isolated in a sandbox environment.
An attacker who gains control over the unprivileged process through some other, as yet unknown vulnerability can use the LogVerbose problem to bypass the sandbox isolation and attack the process running with elevated privileges. Exploitation of the LogVerbose vulnerability in practice is considered unlikely, since the LogVerbose setting is disabled by default and is usually used only during debugging. The attack also requires finding a new vulnerability in the unprivileged process.
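Because the problem only matters when LogVerbose is configured, a first check on a host is whether any LogVerbose override is active. The following is an added example, not code from the OpenSSH project or its release notes: the function names `audit_logverbose` and `sample_config` are hypothetical and the sample configuration is constructed. It assumes the `file:function:line` override syntax documented in sshd_config(5) and does not follow `Include` directives.

```shell
#!/bin/sh
# Report active LogVerbose overrides in an sshd_config-style file.
# Prints "<file>:<line>: <override pattern>" for each pattern found.
# Returns 0 if at least one override is active, 1 if none is.
audit_logverbose() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line) }       # leading whitespace is ignored
    line == "" || line ~ /^#/ { next }            # skip blank lines and comments
    # Keywords are case-insensitive; keyword and value may be separated by "=".
    match(line, /^[A-Za-z]+/) && tolower(substr(line, 1, RLENGTH)) == "logverbose" {
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)           # drop the separator
        gsub(/"/, "", val)                        # drop optional quoting
        sub(/[ \t\r]+$/, "", val)                 # drop trailing whitespace
        n = split(val, pats, /[ \t]*,[ \t]*/)     # overrides are comma-separated
        for (i = 1; i <= n; i++) {
            if (pats[i] != "") {
                printf "%s:%d: %s\n", FILENAME, FNR, pats[i]
                found = 1
            }
        }
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
LogLevel INFO
#LogVerbose packet.c:*
  logverbose kex.c:*:1000,*:kex_exchange_identification():*
Subsystem sftp internal-sftp
EOF
}

# Demo: audit the constructed sample.
demo_file=$(mktemp)
sample_config > "$demo_file"
audit_logverbose "$demo_file" || echo "no LogVerbose overrides active"
rm -f "$demo_file"
```

On a real host, pass the path of the sshd configuration file (commonly `/etc/ssh/sshd_config`) and repeat the check for any included files.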
Changes in OpenSSH 8.6 not related to the vulnerability:
- sftp and sftp-server implement the new [email protected] protocol extension, which lets an SFTP client obtain information about the limits set on the server, including the maximum packet size and the limits on write and read operations. sftp uses the new extension to select the optimal block size for data transfer.
- The ModuliFile setting has been added to sshd_config for sshd; it specifies the path to the “moduli” file containing the groups for DH-GEX.
- In the unit tests, the TEST_SSH_ELAPSED_TIMES environment variable has been added to enable output of the time elapsed since the start of each test.
- The password prompt interface for GNOME has been split into two variants, one for GNOME2 and one for GNOME3 (contrib/gnome-ssh-askpass3.c). To improve compatibility with Wayland, the GNOME3 variant uses the gdk_seat_grab() call to manage keyboard and mouse grabs.
- A soft-disallow of the fstatat64 system call has been added to the seccomp-bpf based sandbox.