OpenSSH 9.3 seals security leaks

In OpenSSH 9.3, the developers have closed two security holes. Both arise only in rather unusual situations. The new version also corrects other minor bugs.

One of the vulnerabilities concerns adding smart card keys to the SSH agent. A restriction can be specified as to which hosts and users are allowed to log in with such a key (“per-hop destination constraints”). This feature, added in OpenSSH 8.9, contained a logic error that prevented the restrictions from being communicated to the SSH agent. As a result, the restrictions were simply not active.

A second vulnerability affects Portable OpenSSH. This version includes a fallback function, getrrsetbyname, which comes into play for the VerifyHostKeyDNS feature when the standard libraries in the Portable OpenSSH environment do not offer the function. Manipulated DNS responses can trigger an out-of-bounds read on the stack. The OpenSSH developers believe that this vulnerability cannot be exploited to do anything more than a denial of service in which the service crashes. Nevertheless, the OpenSSH maintainers explain in the release announcement that they regard all memory errors that can be provoked from the network as security bugs.

In the announcement, they also list other minor fixes and new features. For example, ssh-keygen and ssh-keyscan can now select the hash algorithms used for the SSHFP fingerprint with the option -Ohashalg=sha1|sha256.
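What the choice of hash algorithm for an SSHFP fingerprint changes in the resulting DNS record, as an added example (not code from the OpenSSH project or from the original article). It follows the SSHFP record format of RFC 4255, RFC 6594 and RFC 7479; the function names, the host name host.example. and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint type numbers: 1 = SHA-1, 2 = SHA-256
HASH_ALGS = {"sha1": 1, "sha256": 2}


def sshfp_record(hostname, pubkey_line, hashalg):
    """Build one SSHFP record from an OpenSSH public key line."""
    if hashalg not in HASH_ALGS:
        raise ValueError(f"unsupported hash algorithm: {hashalg}")
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if keytype not in KEY_ALGS:
        raise ValueError(f"no SSHFP number for key type: {keytype}")
    # The blob starts with a length-prefixed copy of the key type; a
    # mismatch means the line was edited or truncated.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    # The fingerprint is the digest of the whole public key blob.
    digest = hashlib.new(hashalg, blob).hexdigest()
    return (f"{hostname} IN SSHFP "
            f"{KEY_ALGS[keytype]} {HASH_ALGS[hashalg]} {digest}")


def constructed_ed25519_line():
    """Constructed sample key (not a real host key): 32 fixed bytes."""
    def wire(b):
        return struct.pack(">I", len(b)) + b
    blob = wire(b"ssh-ed25519") + wire(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    line = constructed_ed25519_line()
    for alg in ("sha1", "sha256"):
        print(sshfp_record("host.example.", line, alg))
```

The fourth field of each record is the key algorithm and the fifth is the fingerprint type, so the same key yields a `4 1` record for SHA-1 and a `4 2` record for SHA-256.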

The updated sources are available via git, but also on download mirrors. Linux distributions are likely to offer updated packages through their own software management. IT managers should promptly check whether the updates are available and apply them as soon as they are.

The OpenSSH developers had already closed two security holes in OpenSSH 9.2 at the beginning of February. For those, too, no CVE entries or concrete risk assessments, for example according to the CVSS scoring scheme, were available.


(dmk)
