
Alastair Beresford

Researcher from University of Cambridge
#34185 of 53,633
7.6Total CVSS
Vulnerabilities · 1
PT-2024-6687
7.6
2024-06-24
Openssh · Openssh · CVE-2024-39894
Name of the Vulnerable Software and Affected Versions: OpenSSH versions 9.5 through 9.7

Description: The issue is a logic error in the ObscureKeystrokeTiming function, which can allow timing attacks against echo-off password entry, such as that used by su and sudo. By exploiting the timing discrepancy, an attacker could potentially gain unauthorized access to protected information. Other timing attacks against keystroke entry could likewise occur because of this logic error.

Recommendations: For OpenSSH versions 9.5 through 9.7, update to version 9.8 or later to resolve the issue. As a temporary workaround, consider disabling the `ObscureKeystrokeTiming` function until a patch is available. Restrict access to sensitive information and limit the use of the su and sudo commands to minimize the risk of exploitation.