{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openssh/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openssh","gssapi","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within the GSSAPI implementation of OpenSSH, potentially affecting Ubuntu Linux systems. According to the BSI advisory published on April 7, 2026, an anonymous remote attacker can exploit this vulnerability. The specifics of the vulnerability are not detailed in the advisory, but successful exploitation could lead to undefined behavior or a denial-of-service condition on the targeted system. This is a significant concern for organizations relying on OpenSSH for secure remote access, as it could disrupt services and impact availability. 
Further investigation is warranted to understand the root cause and potential mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenSSH server running on an Ubuntu Linux system with GSSAPI enabled.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an SSH connection to the target server.\u003c/li\u003e\n\u003cli\u003eDuring the GSSAPI authentication exchange, the attacker sends a specially crafted request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenSSH GSSAPI implementation fails to properly handle the malicious request.\u003c/li\u003e\n\u003cli\u003eThe server enters an unstable state due to the unhandled exception or memory corruption.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH process crashes, leading to a denial-of-service.\u003c/li\u003e\n\u003cli\u003eRepeated exploitation can keep the SSH service unavailable, preventing legitimate users from accessing the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can result in a denial-of-service condition, rendering the affected OpenSSH server unavailable. This can disrupt critical services relying on SSH for remote access and management. The number of potential victims is widespread, affecting any Ubuntu Linux system running a vulnerable version of OpenSSH with GSSAPI enabled. 
The impact ranges from temporary service outages to prolonged inaccessibility of affected systems, potentially leading to significant operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for unusual SSH traffic patterns, particularly those involving GSSAPI authentication (see the \u0026ldquo;Detect Suspicious SSH GSSAPI Authentication\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eReview OpenSSH server logs for error messages or crashes occurring during GSSAPI authentication attempts (see the \u0026ldquo;Detect OpenSSH GSSAPI Authentication Failures\u0026rdquo; rule and enable detailed logging).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of OpenSSH processes crashing or becoming unresponsive, especially after receiving inbound network connections.\u003c/li\u003e\n\u003cli\u003eStay informed about future security updates from OpenSSH and Ubuntu Linux that address this vulnerability, and apply them promptly upon release.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:16:06Z","date_published":"2026-04-07T10:16:06Z","id":"/briefs/2026-04-openssh-gssapi-dos/","summary":"A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.","title":"OpenSSH GSSAPI Vulnerability Leads to Potential Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-04-openssh-gssapi-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-35385"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["openssh","scp","privilege-escalation","cve-2026-35385"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenSSH, a suite of secure networking utilities based on the Secure Shell (SSH) protocol, is affected by a vulnerability (CVE-2026-35385) in versions prior to 10.3. 
The vulnerability arises when using the \u003ccode\u003escp\u003c/code\u003e command to download files as the root user with the \u003ccode\u003e-O\u003c/code\u003e (legacy SCP protocol) option and without the \u003ccode\u003e-p\u003c/code\u003e option (preserve mode). In this specific scenario, the downloaded file may be inadvertently installed with the setuid or setgid bits set. This behavior contradicts the expectations of some users, potentially leading to privilege escalation or other security misconfigurations. The vulnerability was publicly disclosed on April 2, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a system where a user has \u003ccode\u003escp\u003c/code\u003e installed and configured to connect to a remote server.\u003c/li\u003e\n\u003cli\u003eThe user, operating as root, initiates an \u003ccode\u003escp\u003c/code\u003e download using the command \u003ccode\u003escp -O user@host:/path/to/file /local/path/\u003c/code\u003e. The \u003ccode\u003e-p\u003c/code\u003e option is omitted, and the \u003ccode\u003e-O\u003c/code\u003e flag is used, triggering the legacy SCP protocol.\u003c/li\u003e\n\u003cli\u003eThe remote server serves the file \u003ccode\u003e/path/to/file\u003c/code\u003e. 
This file could have the setuid or setgid bits set.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escp\u003c/code\u003e, due to the vulnerability, incorrectly handles the file permissions during the download process.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is placed at \u003ccode\u003e/local/path/\u003c/code\u003e with the setuid or setgid bits unexpectedly preserved from the remote server.\u003c/li\u003e\n\u003cli\u003eA local user executes the downloaded file \u003ccode\u003e/local/path/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the setuid or setgid bit is set, the process executes with elevated privileges, potentially leading to unauthorized access or modification of system resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unintended privilege escalation on the affected system. If a user downloads a file with the setuid bit set, an attacker could potentially execute the file with the privileges of the file owner (typically root). While the vulnerable scenario requires the user to be root and explicitly use the \u003ccode\u003e-O\u003c/code\u003e flag without \u003ccode\u003e-p\u003c/code\u003e, it can still represent a significant risk in environments where legacy SCP usage is prevalent or where users are unaware of the implications of these options. 
This scenario may affect a limited number of users who are using the specific vulnerable configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenSSH to version 10.3 or later to patch the vulnerability (\u003ca href=\"https://www.openssh.org/releasenotes.html#10.3p1\"\u003ehttps://www.openssh.org/releasenotes.html#10.3p1\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eAvoid using the \u003ccode\u003e-O\u003c/code\u003e option (legacy SCP protocol) with \u003ccode\u003escp\u003c/code\u003e, especially when downloading files as the root user. Use \u003ccode\u003esftp\u003c/code\u003e or \u003ccode\u003ersync\u003c/code\u003e as a more secure alternative.\u003c/li\u003e\n\u003cli\u003eAlways use the \u003ccode\u003e-p\u003c/code\u003e option to preserve file permissions when downloading files with \u003ccode\u003escp\u003c/code\u003e to ensure that the downloaded file\u0026rsquo;s permissions are explicitly controlled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect the usage of \u003ccode\u003escp\u003c/code\u003e with the \u003ccode\u003e-O\u003c/code\u003e flag, which is indicative of using the vulnerable legacy protocol.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T17:16:27Z","date_published":"2026-04-02T17:16:27Z","id":"/briefs/2026-04-openssh-scp-setuid/","summary":"OpenSSH versions before 10.3 allow for the potential installation of setuid or setgid files when using scp to download files as root with the -O option (legacy SCP protocol) and without the -p option (preserve mode), contrary to user expectations.","title":"OpenSSH scp Insecure File Permission Vulnerability 
(CVE-2026-35385)","url":"https://feed.craftedsignal.io/briefs/2026-04-openssh-scp-setuid/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openssh","code-execution","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified in OpenSSH that could allow a local attacker to execute arbitrary code. The specific details of these vulnerabilities are not provided in the source document but the potential impact is significant, especially on systems where OpenSSH is used to manage critical infrastructure or sensitive data. Exploitation would require a local presence on the targeted system, and successful exploitation could grant the attacker elevated privileges and the ability to install malware, exfiltrate data, or disrupt services. This impacts any system using OpenSSH.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial local access to the target system through some unspecified means (e.g., compromised account, physical access).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable version of OpenSSH running on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a specific vulnerability in OpenSSH to inject and execute arbitrary code. 
This step is vulnerability-specific and the method varies.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the OpenSSH process.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting further vulnerabilities or misconfigurations accessible through the OpenSSH process.\u003c/li\u003e\n\u003cli\u003eThe attacker installs persistent backdoors or implants to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, leveraging the compromised system as a pivot point.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or disrupts critical services, depending on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these OpenSSH vulnerabilities could lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and disruption of critical services. While the number of victims and specific sectors targeted are currently unknown, the widespread use of OpenSSH makes this a potentially high-impact threat. 
A successful attack could result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unusual child processes spawned by sshd, looking for unexpected command-line arguments, using the \u003ccode\u003eDetect Suspicious SSHD Child Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable and review OpenSSH audit logging to identify suspicious activity related to authentication and session management (log source).\u003c/li\u003e\n\u003cli\u003eInvestigate any anomalous file modifications or network connections originating from the sshd process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:30:51Z","date_published":"2026-03-24T10:30:51Z","id":"/briefs/2026-03-openssh-code-execution/","summary":"A local attacker can exploit multiple vulnerabilities in OpenSSH to execute arbitrary code, potentially leading to privilege escalation and system compromise.","title":"OpenSSH Vulnerabilities Allow Local Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-03-openssh-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","proxy-execution","openssh","application-control-bypass"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies attempts to execute commands through a proxy using the Windows OpenSSH client (ssh.exe or sftp.exe). Attackers may abuse this behavior to evade application control policies by leveraging the trusted Windows OpenSSH binaries. 
The technique involves using the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options with the OpenSSH client to execute arbitrary commands on the target system. The rule focuses on detecting command lines containing potentially malicious commands such as PowerShell, schtasks, mshta, msiexec, cmd, or script execution, indicating a possible attempt to bypass security measures. The detection logic is applicable to Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e parameter specifies a command to be executed locally on the system.\u003c/li\u003e\n\u003cli\u003eThe command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.\u003c/li\u003e\n\u003cli\u003eThe OpenSSH client executes the specified command.\u003c/li\u003e\n\u003cli\u003eThe malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the affected system. 
Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProxy Execution via Windows OpenSSH\u003c/code\u003e to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the \u003ccode\u003eProxyCommand\u003c/code\u003e or \u003ccode\u003eLocalCommand\u003c/code\u003e options.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of \u003ccode\u003ePermitLocalCommand\u003c/code\u003e in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"/briefs/2024-01-openssh-proxy-execution/","summary":"Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.","title":"Proxy Execution via Windows OpenSSH Client","url":"https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Openssh","version":"https://jsonfeed.org/version/1.1"}