OpenSSH 9.3 update reveals security flaws

OpenSSH 9.3, a client and server implementation of the SSH 2.0 and SFTP protocols, has been released, according to a post on the openssh-unix-dev mailing list. The new version fixes security problems found in earlier releases.

One such vulnerability was in the ssh-add utility. A logic error meant that the restrictions specified with the ssh-add -h option were not transmitted to ssh-agent when a key was added. As a result, the key was added to the agent, but the restrictions that should have allowed connections only from the specified hosts were not applied.

Additionally, an out-of-bounds read was discovered in the ssh client, in the built-in implementation of the getrrsetbyname() function that portable OpenSSH provides for systems whose standard library lacks that call. It is present in builds that did not use the external LDNS library (--with-ldns) and that run on systems whose standard library does not provide getrrsetbyname(). Although the vulnerability can be triggered remotely, it is believed to cause at most a denial of service against the ssh client, and the likelihood of exploitation was assessed as minimal.
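An added check, not from the OpenSSH announcement: this shell snippet decides from an `ssh -V` banner and the effective VerifyHostKeyDNS value (as printed by `ssh -G host`) whether a client build still needs the getrrsetbyname() fix. It assumes that the built-in getrrsetbyname() is only reached when VerifyHostKeyDNS is enabled, and it cannot tell whether the build used --with-ldns or a libc that already provides the call, both of which the text describes as unaffected.

```shell
#!/bin/sh
# Added example (not from the OpenSSH release notes): flag ssh clients that
# predate 9.3 and have VerifyHostKeyDNS enabled, i.e. builds that may still
# reach the built-in getrrsetbyname() implementation.

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.8 7 Feb 2023".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 (true) when the banner version is older than 9.3.
openssh_older_than_93() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1      # unrecognised banner: do not flag
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 3 ]; }
}

# Exposure assessment. $1 is the `ssh -V` banner; $2 is the line
# `ssh -G host | grep verifyhostkeydns` prints, e.g. "verifyhostkeydns yes".
# "yes" and "ask" both perform the DNS lookup (assumption stated above).
client_exposed() {
    banner=$1
    setting=${2##* }             # last word of the ssh -G line
    openssh_older_than_93 "$banner" || return 1
    case "$setting" in
        yes|ask) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample inputs (not captured from a real host):
SAMPLE_BANNER='OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.8 7 Feb 2023'
SAMPLE_VHKD='verifyhostkeydns yes'
if client_exposed "$SAMPLE_BANNER" "$SAMPLE_VHKD"; then
    echo "client predates 9.3 and VerifyHostKeyDNS is on: update to 9.3"
else
    echo "not exposed to the getrrsetbyname() issue"
fi
```

On a real host, feed it `"$(ssh -V 2>&1)"` and `"$(ssh -G example.org | grep '^verifyhostkeydns')"` in place of the constructed samples.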

A vulnerability was also found in OpenBSD's libskey library. It had been present since 1997 and can lead to a stack buffer overflow when processing specially crafted input. It is worth noting that, although the vulnerability can be triggered remotely through OpenSSH, in practice it is not exploitable: the name of the attacked host (/etc/hostname) would have to be longer than 126 characters, and the overflow can only write NUL bytes ('\0') past the end of the buffer.

OpenSSH 9.3 also introduces several non-security changes. ssh-keygen and ssh-keyscan gained the -Ohashalg=sha1|sha256 option to choose the hash algorithm used for SSHFP records. sshd gained a -G option that parses and prints the effective configuration without attempting to load private keys or performing additional checks. On Linux, sshd's sandbox isolation was strengthened in its seccomp and seccomp-bpf system call filter, and flag-level restrictions were added for the mmap, madvise, and futex system calls.

For additional information, refer to the official vulnerability announcements from OpenSSH and OpenBSD.

/Reports, release notes, official announcements.