PT-2024-6687 · Openssh+7 · Openssh+7

Alastair Beresford

Published

2024-06-24

Updated

2025-05-07

CVE-2024-39894

CVSS v2.0

7.6

High

Vector

AV:N/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: OpenSSH versions 9.5 through 9.7

Description: The issue is related to a logic error in the ObscureKeystrokeTiming function, which can lead to timing attacks against echo-off password entry, such as those used for su and Sudo. This could potentially allow an attacker to gain unauthorized access to protected information by exploiting the timing discrepancy. Similarly, other timing attacks against keystroke entry could occur due to this logic error.

Recommendations: For OpenSSH versions 9.5 through 9.7, update to version 9.8 or later to resolve the issue. As a temporary workaround, consider disabling the ObscureKeystrokeTiming function until a patch is available. Restrict access to sensitive information and limit the use of su and Sudo commands to minimize the risk of exploitation.

Fix

Side Channel Attack

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203CWE-367

Related Identifiers

AZL-43140

BDU:2024-07894

CVE-2024-39894

FREEBSD-SA-25_01

OPENSUSE-SU-2024:14113-1

SUSE-SU-2024:2393-1

SUSE-SU-2025:20009-1

USN-6887-1

Affected Products

Astra Linux

Freebsd

Linuxmint

Apple Macos

Openssh

Red Os

Suse

Ubuntu

PT-2024-6687 · Openssh+7 · Openssh+7

CVE-2024-39894

Weakness Enumeration

Related Identifiers

Affected Products

References · 57