CVE-2024-39894

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Jul 2, 2024

Updated: Jul 28, 2024

CWE ID 367

Summary

CVE-2024-39894 is a vulnerability affecting OpenSSH versions 9.5 through 9.7. This issue involves a logic error in the ObscureKeystrokeTiming feature, which could allow timing attacks against echo-off password entry during su and Sudo operations. The vulnerability exposes the system to potential unauthorized access through keystroke input manipulation. Other similar timing attacks against keystroke entry may also pose a threat. Users are advised to upgrade to OpenSSH version 9.8 to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

OpenSSH

Affected Vendors

OpenBSD Project

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/wx4DwL
https://www.cve.org/CVERecord?id=CVE-2024-39894
https://nvd.nist.gov/vuln/detail/CVE-2024-39894

Back to Vulnerability Database