<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Configuration-Bypass - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/configuration-bypass/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 07:42:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/configuration-bypass/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59999: OpenSSH sshd Configuration Bypass via PermitTunnel</title><link>https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-config-bypass/</link><pubDate>Thu, 09 Jul 2026 07:42:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openssh-sshd-config-bypass/</guid><description>A logic error in OpenSSH's sshd daemon before version 10.4 allowed the PermitTunnel configuration to take precedence over DisableForwarding=yes, leading to unintended SSH tunnel establishment and potential unauthorized network access through the tunnel feature.</description><content:encoded><![CDATA[<p>The Microsoft Security Response Center (MSRC) has published details on CVE-2026-59999, a logic error affecting the <code>sshd</code> component of OpenSSH versions prior to 10.4. This vulnerability stems from an incorrect precedence rule when <code>DisableForwarding=yes</code> and <code>PermitTunnel=yes</code> are simultaneously configured in the <code>sshd_config</code> file. Despite an administrator's intention to prevent SSH forwarding via <code>DisableForwarding=yes</code>, the <code>PermitTunnel=yes</code> option inadvertently takes precedence, enabling an authenticated attacker to establish an SSH tunnel. This bypass of intended security controls creates a pathway for attackers to circumvent network segmentation, access internal services, or exfiltrate data from environments where SSH forwarding was presumed to be blocked. The vulnerability was disclosed on July 9, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated access (e.g., via stolen credentials or another vulnerability) to a server running a vulnerable <code>sshd</code> instance (OpenSSH prior to version 10.4).</li>
<li>The target <code>sshd</code> server's configuration (<code>sshd_config</code>) contains a conflicting setup where both <code>DisableForwarding=yes</code> and <code>PermitTunnel=yes</code> are enabled.</li>
<li>The attacker attempts to establish an SSH tunnel, such as local port forwarding, remote port forwarding, or a SOCKS proxy, from their client to the compromised server.</li>
<li>The vulnerable <code>sshd</code> process on the server incorrectly prioritizes <code>PermitTunnel=yes</code> over <code>DisableForwarding=yes</code> due to the logic error, allowing the tunnel setup.</li>
<li>An unauthorized SSH tunnel is successfully established, bypassing the administrator's intended security policy to disable forwarding.</li>
<li>The attacker then utilizes this tunnel to circumvent network access controls or firewall rules, enabling connections to internal network resources that would otherwise be unreachable.</li>
<li>This unauthorized network access allows the attacker to conduct further reconnaissance, pivot deeper into the network, exfiltrate sensitive data, or deploy additional malicious tools.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-59999 allows an authenticated attacker to bypass intended network security policies, specifically those designed to prevent SSH forwarding. This can lead to unauthorized network access, enabling attackers to circumvent firewall rules, reach internal systems, or pivot to otherwise isolated network segments. While no specific victim counts or sectors have been reported, any organization utilizing OpenSSH <code>sshd</code> with the described conflicting configuration is at risk of unauthorized internal network traversal and potential data exfiltration or further compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch OpenSSH <code>sshd</code> to version 10.4 or later to remediate CVE-2026-59999.</li>
<li>Review all <code>sshd_config</code> files across your infrastructure to ensure that if <code>DisableForwarding=yes</code> is intended, <code>PermitTunnel=no</code> is explicitly set or omitted (as <code>no</code> is often the default).</li>
<li>Audit your network for unusual SSH tunnel activity, as this vulnerability bypasses configuration rather than introducing novel network signatures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ssh</category><category>openssh</category><category>vulnerability</category><category>configuration-bypass</category><category>linux</category><category>macos</category></item></channel></rss>