<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Openssh — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/openssh/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Apr 2026 10:16:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/openssh/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenSSH GSSAPI Vulnerability Leads to Potential Denial-of-Service</title><link>https://feed.craftedsignal.io/briefs/2026-04-openssh-gssapi-dos/</link><pubDate>Tue, 07 Apr 2026 10:16:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openssh-gssapi-dos/</guid><description>A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.</description><content:encoded><![CDATA[<p>A vulnerability exists within the GSSAPI implementation of OpenSSH, potentially affecting Ubuntu Linux systems. According to the BSI advisory published on April 7, 2026, an anonymous remote attacker can exploit this vulnerability. The specifics of the vulnerability are not detailed in the advisory, but successful exploitation could lead to undefined behavior or a denial-of-service condition on the targeted system. This is a significant concern for organizations relying on OpenSSH for secure remote access, as it could disrupt services and impact availability. Further investigation is warranted to understand the root cause and potential mitigations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable OpenSSH server running on an Ubuntu Linux system with GSSAPI enabled.</li>
<li>Attacker initiates an SSH connection to the target server.</li>
<li>During the GSSAPI authentication exchange, the attacker sends a specially crafted request.</li>
<li>The vulnerable OpenSSH GSSAPI implementation fails to properly handle the malicious request.</li>
<li>The server enters an unstable state due to the unhandled exception or memory corruption.</li>
<li>The OpenSSH process crashes, leading to a denial-of-service.</li>
<li>Repeated exploitation can keep the SSH service unavailable, preventing legitimate users from accessing the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can result in a denial-of-service condition, rendering the affected OpenSSH server unavailable. This can disrupt critical services relying on SSH for remote access and management. The population of potential victims is large, covering any Ubuntu Linux system running a vulnerable version of OpenSSH with GSSAPI enabled. The impact ranges from temporary service outages to prolonged inaccessibility of affected systems, potentially leading to significant operational disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network connections for unusual SSH traffic patterns, particularly those involving GSSAPI authentication (see the &ldquo;Detect Suspicious SSH GSSAPI Authentication&rdquo; rule).</li>
<li>Review OpenSSH server logs for error messages or crashes occurring during GSSAPI authentication attempts (see the &ldquo;Detect OpenSSH GSSAPI Authentication Failures&rdquo; rule and enable detailed logging).</li>
<li>Investigate any instances of OpenSSH processes crashing or becoming unresponsive, especially after receiving inbound network connections.</li>
<li>Stay informed about future security updates from OpenSSH and Ubuntu Linux that address this vulnerability, and apply them promptly upon release.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openssh</category><category>gssapi</category><category>denial-of-service</category><category>linux</category></item><item><title>OpenSSH scp Insecure File Permission Vulnerability (CVE-2026-35385)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openssh-scp-setuid/</link><pubDate>Thu, 02 Apr 2026 17:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openssh-scp-setuid/</guid><description>OpenSSH versions before 10.3 allow for the potential installation of setuid or setgid files when using scp to download files as root with the -O option (legacy SCP protocol) and without the -p option (preserve mode), contrary to user expectations.</description><content:encoded><![CDATA[<p>OpenSSH, a suite of secure networking utilities based on the Secure Shell (SSH) protocol, is affected by a vulnerability (CVE-2026-35385) in versions prior to 10.3. The vulnerability arises when using the <code>scp</code> command to download files as the root user with the <code>-O</code> (legacy SCP protocol) option and without the <code>-p</code> option (preserve mode). In this specific scenario, the downloaded file may be inadvertently installed with the setuid or setgid bits set. This behavior contradicts the expectations of some users, potentially leading to privilege escalation or other security misconfigurations. The vulnerability was publicly disclosed on April 2, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a system where a user has <code>scp</code> installed and configured to connect to a remote server.</li>
<li>The user, operating as root, initiates an <code>scp</code> download using the command <code>scp -O user@host:/path/to/file /local/path/</code>. The <code>-p</code> option is omitted, and the <code>-O</code> flag is used, triggering the legacy SCP protocol.</li>
<li>The remote server serves the file <code>/path/to/file</code>. This file could have the setuid or setgid bits set.</li>
<li><code>scp</code>, due to the vulnerability, incorrectly handles the file permissions during the download process.</li>
<li>The downloaded file is placed at <code>/local/path/</code> with the setuid or setgid bits unexpectedly preserved from the remote server.</li>
<li>A local user executes the downloaded file placed under <code>/local/path/</code>.</li>
<li>If the setuid or setgid bit is set, the process executes with elevated privileges, potentially leading to unauthorized access or modification of system resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to unintended privilege escalation on the affected system. If a user downloads a file with the setuid bit set, an attacker could potentially execute the file with the privileges of the file owner (typically root). While the vulnerable scenario requires the user to be root and explicitly use the <code>-O</code> flag without <code>-p</code>, it can still represent a significant risk in environments where legacy SCP usage is prevalent or where users are unaware of the implications of these options. This scenario may affect a limited number of users who are using the specific vulnerable configuration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenSSH to version 10.3 or later to patch the vulnerability (<a href="https://www.openssh.org/releasenotes.html#10.3p1">https://www.openssh.org/releasenotes.html#10.3p1</a>).</li>
<li>Avoid using the <code>-O</code> option (legacy SCP protocol) with <code>scp</code>, especially when downloading files as the root user. Use <code>sftp</code> or <code>rsync</code> as a more secure alternative.</li>
<li>Always use the <code>-p</code> option to preserve file permissions when downloading files with <code>scp</code> to ensure that the downloaded file&rsquo;s permissions are explicitly controlled.</li>
<li>Deploy the Sigma rule provided below to detect the usage of <code>scp</code> with the <code>-O</code> flag, which is indicative of using the vulnerable legacy protocol.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openssh</category><category>scp</category><category>privilege-escalation</category><category>cve-2026-35385</category></item><item><title>OpenSSH Vulnerabilities Allow Local Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-03-openssh-code-execution/</link><pubDate>Tue, 24 Mar 2026 10:30:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openssh-code-execution/</guid><description>A local attacker can exploit multiple vulnerabilities in OpenSSH to execute arbitrary code, potentially leading to privilege escalation and system compromise.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in OpenSSH that could allow a local attacker to execute arbitrary code. The specific details of these vulnerabilities are not provided in the source document but the potential impact is significant, especially on systems where OpenSSH is used to manage critical infrastructure or sensitive data. Exploitation would require a local presence on the targeted system, and successful exploitation could grant the attacker elevated privileges and the ability to install malware, exfiltrate data, or disrupt services. This impacts any system using OpenSSH.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial local access to the target system through some unspecified means (e.g., compromised account, physical access).</li>
<li>The attacker identifies a vulnerable version of OpenSSH running on the system.</li>
<li>The attacker leverages a specific vulnerability in OpenSSH to inject and execute arbitrary code. This step is vulnerability-specific and the method varies.</li>
<li>The injected code executes within the context of the OpenSSH process.</li>
<li>The attacker escalates privileges by exploiting further vulnerabilities or misconfigurations accessible through the OpenSSH process.</li>
<li>The attacker installs persistent backdoors or implants to maintain access to the compromised system.</li>
<li>The attacker moves laterally to other systems within the network, leveraging the compromised system as a pivot point.</li>
<li>The attacker exfiltrates sensitive data or disrupts critical services, depending on their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these OpenSSH vulnerabilities could lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and disruption of critical services. While the number of victims and specific sectors targeted are currently unknown, the widespread use of OpenSSH makes this a potentially high-impact threat. A successful attack could result in significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process execution for unusual child processes spawned by sshd, looking for unexpected command-line arguments, using the <code>Detect Suspicious SSHD Child Processes</code> Sigma rule.</li>
<li>Enable and review OpenSSH audit logging to identify suspicious activity related to authentication and session management.</li>
<li>Investigate any anomalous file modifications or network connections originating from the sshd process.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openssh</category><category>code-execution</category><category>privilege-escalation</category></item><item><title>Proxy Execution via Windows OpenSSH Client</title><link>https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/</link><pubDate>Wed, 03 Jan 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openssh-proxy-execution/</guid><description>Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.</description><content:encoded><![CDATA[<p>This detection identifies attempts to execute commands through a proxy using the Windows OpenSSH client (ssh.exe or sftp.exe). Attackers may abuse this behavior to evade application control policies by leveraging the trusted Windows OpenSSH binaries. The technique involves using the <code>ProxyCommand</code> or <code>LocalCommand</code> options with the OpenSSH client to execute arbitrary commands on the target system. The rule focuses on detecting command lines containing potentially malicious commands such as PowerShell, schtasks, mshta, msiexec, cmd, or script execution, indicating a possible attempt to bypass security measures. The detection logic is applicable to Windows systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system.</li>
<li>The attacker executes the Windows OpenSSH client (ssh.exe or sftp.exe) with either the <code>ProxyCommand</code> or <code>LocalCommand</code> option.</li>
<li>The <code>ProxyCommand</code> or <code>LocalCommand</code> parameter specifies a command to be executed locally on the system.</li>
<li>The command includes potentially malicious payloads such as PowerShell commands, scheduled tasks manipulation (schtasks), or execution of other LOLBINs (Living Off the Land Binaries) like mshta or msiexec.</li>
<li>The OpenSSH client executes the specified command.</li>
<li>The malicious command performs actions such as downloading and executing additional payloads, creating scheduled tasks for persistence, or executing arbitrary code.</li>
<li>The attacker achieves their objectives, such as gaining further access to the system, escalating privileges, or deploying malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of the affected system. Attackers can bypass application control mechanisms, execute arbitrary code, and establish persistence. This can result in data theft, system disruption, or further propagation of the attack within the network. The severity of the impact depends on the privileges of the account running the OpenSSH client and the specific actions performed by the malicious commands.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging with command line details to capture the execution of ssh.exe and sftp.exe with malicious parameters.</li>
<li>Deploy the Sigma rule <code>Proxy Execution via Windows OpenSSH</code> to your SIEM to detect suspicious OpenSSH client executions with malicious commands in the command line.</li>
<li>Monitor for the creation of child processes from ssh.exe or sftp.exe, as this can indicate the execution of malicious commands specified in the <code>ProxyCommand</code> or <code>LocalCommand</code> options.</li>
<li>Review and restrict the usage of <code>PermitLocalCommand</code> in OpenSSH server configurations to prevent attackers from executing commands locally on the system after a connection is established.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>proxy-execution</category><category>openssh</category><category>application-control-bypass</category></item></channel></rss>