Florian Kohnhäuser

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 10.3 **Description** When using the `-O` option with the legacy scp protocol as root without the `-p` option, a downloaded file may be installed with setuid or setgid permissions, which may not align with user expectations. **Recommendations** Update to version 10.3 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSSH versions prior to 10.3 **Description** OpenSSH versions before 10.3 incorrectly handle ECDSA algorithms. Specifically, the software misinterprets the listing of any ECDSA algorithm in the `PubkeyAcceptedAlgorithms` or `HostbasedAcceptedAlgorithms` configurations as an acceptance of all ECDSA algorithms. **Recommendations** Update to version 10.3 or later.

**Name of the Vulnerable Software and Affected Versions** Cockpit versions prior to 360 **Description** The remote login feature in Cockpit fails to validate or sanitize user-supplied hostnames and usernames passed from the web interface to the SSH client. An attacker with network access to the web service can send a single HTTP request to the login endpoint to inject malicious SSH options or shell commands, such as via `ProxyCommand`, leading to remote code execution on the host. This process occurs during the authentication flow before credential verification, allowing the attack to be performed without valid credentials. Approximately 1.3 million services are estimated to be affected worldwide. **Recommendations** Update to version 360. As a temporary workaround, restrict network access to the login endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Keylime versions prior to 7.5.0 **Description** A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database. The security issue allows an attacker to pass the challenge-response protocol during registration with arbitrary registration data, including a valid EK Certificate and EK, while using a compromised AIK. The attacker can deliberately fail the initial activation call to get to know the correct `auth tag` and then provide it in a subsequent activation call, resulting in an agent which is incorrectly registered with a valid EK Certificate, but with a compromised/unrelated AIK. **Recommendations** For versions prior to 7.5.0, users should upgrade to release 7.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the registrar to minimize the risk of exploitation. Avoid using compromised AIKs in the registration process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue is related to the `CURLOPT CERTINFO` option in libcurl, which allows applications to request details about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. This could allow a remote attacker to cause a denial of service by consuming all available system resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the `CURLOPT CERTINFO` option to minimize the risk of exploitation. Restrict access to libcurl built with NSS to minimize the risk of exploitation. Avoid using the `CURLOPT CERTINFO` option in libcurl until the issue is resolved.