Lucene search

[email protected]NVD:CVE-2024-39894

HistoryJul 02, 2024 - 6:15 p.m.

CVE-2024-39894

2024-07-0218:15:03

CWE-367

[email protected]

web.nvd.nist.gov

openssh 9.5-9.7

obscurekeystroketiming

timing attacks

echo-off password entry

sudo

keystroke entry

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

10.7%

JSON

OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.

References

www.openwall.com/lists/oss-security/2024/07/03/6

www.openwall.com/lists/oss-security/2024/07/23/4

www.openwall.com/lists/oss-security/2024/07/23/6

www.openwall.com/lists/oss-security/2024/07/28/3

crzphil.github.io/posts/ssh-obfuscation-bypass/

lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html

news.ycombinator.com/item?id=41508530

security.netapp.com/advisory/ntap-20240712-0004/

www.openssh.com/txt/release-9.8

www.openwall.com/lists/oss-security/2024/07/02/1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

10.7%

JSON

Related for NVD:CVE-2024-39894

openvas2 debiancve1 nessus3 osv2 cvelist1 f51 ubuntu1 redhatcve1 ubuntucve1 redos1 alpinelinux1 vulnrichment1 cbl_mariner1 cve1