The OpenSSH project has announced the release of version 9.8 of its client and server implementation of the SSH 2.0 and SFTP protocols. This release fixes a critical vulnerability that allows remote code execution with root privileges before authentication. Besides this critical fix, the release patches a less significant vulnerability and adds important security enhancements.
Two vulnerabilities have been resolved in the new version:
- The critical vulnerability CVE-2024-6387, which allows remote code execution with root privileges before authentication; an attack requires approximately 6-8 hours of continuous connections. The vulnerability also poses a risk to systems that do not use glibc, and the possibility of exploitation on 64-bit systems has not been ruled out.
- A bypass of the protection against side-channel attacks that was introduced in OpenSSH 9.5. The flaw made it possible to distinguish packets that simulate keystrokes from real ones. This reduced the effectiveness of the masking of interactive input, which exists to stop an observer from analyzing the delays between keystrokes and recreating the entered text from keyboard layout characteristics.
OpenSSH plans to fully phase out support for the DSA signature algorithm by early 2025. In version 9.8, DSA is disabled by default at compile time, because the algorithm is considered obsolete and insecure owing to its small key size and its use of the SHA-1 hash function.
Furthermore, in this release the sshd server blocks the IP addresses of clients that make repeated unsuccessful authentication attempts or cause the server to fail, which complicates attacks on accounts with weak passwords and attempts to exploit sshd vulnerabilities.
To enhance security, the sshd server has been split into two binaries: sshd for the listener and sshd-session for each session, which reduces the size of the main binary and improves security. Log messages are now labeled as originating from the sshd-session process instead of sshd.
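The log label change described above matters for log-based detection: a rule that matches only the `sshd[` tag stops seeing per-session events after an upgrade to 9.8. The following is an added example, not code from the OpenSSH project, that counts failed password attempts per source under both tags; the sample log lines, hosts, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (hosts, users and addresses are made up).
# host1 runs a pre-9.8 sshd; host2 runs 9.8, where per-session messages
# carry the sshd-session tag and only the listener still logs as sshd.
SAMPLE_LOG = """\
Jul  1 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jul  1 10:00:03 host1 sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jul  1 10:05:11 host2 sshd-session[2210]: Failed password for invalid user test from 198.51.100.7 port 51514 ssh2
Jul  1 10:05:13 host2 sshd-session[2210]: Failed password for root from 198.51.100.7 port 51514 ssh2
Jul  1 10:05:15 host2 sshd-session[2214]: Failed password for root from 198.51.100.7 port 51516 ssh2
Jul  1 10:06:00 host2 sshd-session[2231]: Accepted password for alice from 203.0.113.5 port 50022 ssh2
Jul  1 10:06:30 host2 sshd[900]: Server listening on 0.0.0.0 port 22.
"""


def failure_pattern(tags):
    """Build a regex for 'Failed password' lines logged under any of `tags`."""
    tag_alt = "|".join(re.escape(t) for t in tags)
    # The user field is free text, so match it greedily and anchor the
    # source address to the end of the line.
    return re.compile(
        r"\s(?P<tag>" + tag_alt + r")\[\d+\]: "
        r"Failed password for (?:invalid user )?(?P<user>.*) "
        r"from (?P<src>\S+) port \d+ ssh2$"
    )


def failed_logins_by_source(log_text, tags=("sshd", "sshd-session")):
    """Count failed password attempts per source address."""
    pattern = failure_pattern(tags)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("src")] += 1
    return counts


if __name__ == "__main__":
    # A rule written for the old tag misses everything logged on host2.
    print("sshd only:          ", dict(failed_logins_by_source(SAMPLE_LOG, ("sshd",))))
    print("sshd + sshd-session:", dict(failed_logins_by_source(SAMPLE_LOG)))
```

The same adjustment applies to any existing filter or alert that keys on the process name in sshd log lines.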
Version 9.8 focuses primarily on bug fixes, such as improving protocol documentation accuracy, fixing number processing errors, and resolving compatibility issues across various systems.
Additional features in this version include support for systemd notifications, enhanced detection of Ed25519 keys in OpenSSL, and the ability to enable SSH_ASKPASS when the WAYLAND_DISPLAY environment variable is present.
The OpenSSH team remains committed to enhancing the security and functionality of the project. The complete list of changes and fixes can be found in the