Interesting OpenSSH Security Mechanisms: Analyzing Vulnerabilities in 2024

abadon1969

💻 OpenSSH Security Mechanisms: Analyzing Vulnerabilities in 2024

OpenSSH (Open Secure Shell) is a suite of programs that provides encrypted communication sessions over computer networks using the SSH protocol.

Last year was an interesting one for SSH:
⏺ In the spring: a backdoor in xz-utils (CVE-2024-3094), which resulted in the compromise of systemd systems in which OpenSSH has a liblzma dependency; that dependency is not present in the distribution and is not directly used by OpenSSH itself (meaning it's more likely an attack on the supply chain of these distributions than on OpenSSH specifically).
⏺ In July: a critical "race condition" vulnerability for glibc-based systems, dubbed regreSSHion (CVE-2024-6387), which is a reborn version of CVE-2006-5051. A week later, a similar issue was published, designated CVE-2024-6409.
⏺ In August: another, this time specific to FreeBSD, CVE-2024-7589.
 