OPENSSH 9.8 RELEASES, DSA DISCONNECTION & NEW PROTECTIONS

OpenSSH 9.8 has been released. OpenSSH is a client and server implementation for the SSH 2.0 and SFTP protocols. The release fixes a critical vulnerability (CVE-2024-6387) that allows remote code execution as root before authentication. It also fixes a second, less severe vulnerability and makes several important changes aimed at enhancing security.

The second vulnerability fixed in OpenSSH 9.8 is a bypass of the protection introduced in version 9.5 against side-channel attacks that analyze the delays between keystrokes to reconstruct what was typed. The flaw makes it possible to distinguish the packets that create background activity by simulating keystrokes from the packets sent for real key presses, which undermines the mechanism for concealing the characteristics of interactive input in SSH traffic. An attacker could then analyze the delays between key presses to reconstruct the typed text, because those delays differ depending on the keyboard layout.

Furthermore, it was discovered that the method of sending packets with real and simulated key presses in OpenSSH 9.8 affected the reliability of another protection mechanism against side-channel attacks. Starting from OpenSSH 9.9, the server sends packets with simulated key presses during console input in echo-off mode, such as when entering passwords for su or sudo. The new approach to sending simulated packets allows real key press packets in echo-off mode to be analyzed separately, though the accuracy of the timing information is limited by the fixed time intervals.
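The two paragraphs above describe sending at fixed intervals with simulated keystrokes mixed in. The following is a simplified model of that mechanism, added here as an example; it is not OpenSSH code and is not taken from the release notes. It shows what a passive observer sees when simulated packets are indistinguishable from real ones, and what remains visible when they can be told apart. The 20 ms interval, the fixed tail of simulated packets and the keystroke times are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not OpenSSH source code.
INTERVAL_MS = 20     # assumed fixed send interval
CHAFF_TAIL_MS = 200  # assumed: simulated keystrokes continue this long after the last real key

def obscure(key_times_ms, interval=INTERVAL_MS, tail=CHAFF_TAIL_MS):
    """Return [(send_time_ms, is_real)]: one packet per tick, real key or simulated."""
    pending = sorted(key_times_ms)
    if not pending:
        return []
    packets, i, t = [], 0, pending[0]
    end = pending[-1] + tail
    while t <= end or i < len(pending):
        is_real = i < len(pending) and pending[i] <= t
        if is_real:
            i += 1  # at most one queued keystroke leaves per tick
        packets.append((t, is_real))
        t += interval
    return packets

def observer_view(packets, chaff_distinguishable):
    """Send times that an on-path observer can attribute to typing."""
    if chaff_distinguishable:
        # Models the bypass: real packets can be separated from simulated ones.
        return [t for t, is_real in packets if is_real]
    # Protection intact: every packet looks like a possible keystroke.
    return [t for t, _ in packets]

def gaps(times):
    """Inter-arrival delays, the quantity a timing analysis works from."""
    return [b - a for a, b in zip(times, times[1:])]

KEYS_MS = [0, 95, 310, 365, 590]  # constructed keystroke times, in milliseconds

if __name__ == "__main__":
    pkts = obscure(KEYS_MS)
    print("unprotected gaps:     ", gaps(KEYS_MS))
    print("simulated hidden:     ", set(gaps(observer_view(pkts, False))))
    print("simulated identifiable:", gaps(observer_view(pkts, True)))
```

With the protection intact every gap equals the interval, so the rhythm of typing is absent from the trace. Once the simulated packets are identifiable the gaps reappear, rounded to the interval, which is the bounded accuracy the text mentions.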

Alongside these security enhancements, OpenSSH 9.8 introduces other changes aimed at improving functionality and safety.

/Reports, release notes, official announcements.