CVE-2024-39894
published 2024-07-02CVE-2024-39894: OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming…
PriorityP339high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
EPSS
1.63%
73.3th percentile
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sequoia | — | — |
| debian | openssh | < openssh 1:9.8p1-1 (forky) | openssh 1:9.8p1-1 (forky) |
| msrc | azl3_openssh_9.7p1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssh_9.8p1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| openbsd | openssh | >= 0 < 1:9.8p1-1 | 1:9.8p1-1 |
| openbsd | openssh | >= 0 < 1:9.8p1-1 | 1:9.8p1-1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv7.5HIGH
vendor_debian7.5LOW
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
BSD
FreeBSD-SA-25:01.openssh: OpenSSH Keystroke Obfuscation Bypass
bsd_advisories·2025-01-29·CVSS 7.5
CVE-2024-39894 [HIGH] FreeBSD-SA-25:01.openssh: OpenSSH Keystroke Obfuscation Bypass
FreeBSD-SA-25:01.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH Keystroke Obfuscation Bypass
Category: contrib
Module: openssh
Announced: 2025-01-29
Credits: Philippos Giavridis
Credits: Jacky Wei En Kung, Daniel Hugenroth and
Alastair Beresford (University of Cambridge)
Affects: FreeBSD 14.1
Corrected: 2024-07-15 18:45:16 UTC (stable/14, 14.2-STABLE)
2025-01-29 18:55:25 UTC (releng/14.1, 14.1-RELEASE-p7)
2024-08-01 15:03:50 UTC (stable/13, 13.4-STABLE)
CVE Name: CVE-2024-39894
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a va
Apple
CVE-2024-39894: macOS Sequoia 15
vendor_apple·2024-09-16·CVSS 7.5
CVE-2024-39894 [HIGH] CVE-2024-39894: macOS Sequoia 15
Apple Security Update: About the security content of macOS Sequoia 15
Product: macOS Sequoia
Version: 15
CVE: CVE-2024-39894
Component: CVE-2024-39894
Microsoft
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g. for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly other timing attac
vendor_msrc·2024-07-09·CVSS 7.5
CVE-2024-39894 [HIGH] CWE-367 OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g. for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly other timing attac
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g. for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly other timing attacks against keystroke entry could occur.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional pro
Ubuntu
OpenSSH vulnerability
vendor_ubuntu·2024-07-09
CVE-2024-39894 OpenSSH vulnerability
Title: OpenSSH vulnerability
Summary: OpenSSH could be made to expose timing information over the network.
Philippos Giavridis, Jacky Wei En Kung, Daniel Hugenroth, and Alastair
Beresford discovered that the OpenSSH ObscureKeystrokeTiming feature did
not work as expected. A remote attacker could possibly use this issue to
determine timing information about keystrokes.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openssh: Logic error in ObscureKeystrokeTiming
vendor_redhat·2024-07-02·CVSS 7.5
CVE-2024-39894 [HIGH] CWE-203 openssh: Logic error in ObscureKeystrokeTiming
openssh: Logic error in ObscureKeystrokeTiming
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
A flaw was found in OpenSSH. A logic error in the SSH ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective. A passive observer could still detect which network packets contained real keystrokes when the countermeasure was active because fake and real keystroke packets were being sent unconditionally.
Package: openssh (Red Hat Enterprise Linux 10) - Not affected
Package: openssh (Red Hat Enterprise Linux 6) - Not affected
Package: openssh (Red Hat Enterprise Linux 7) - Not a
Debian
CVE-2024-39894: openssh - OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-...
vendor_debian·2024·CVSS 7.5
CVE-2024-39894 [HIGH] CVE-2024-39894: openssh - OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-...
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 1:9.8p1-1)
sid: resolved (fixed in 1:9.8p1-1)
trixie: resolved (fixed in 1:9.8p1-1)
GHSA
GHSA-g5qj-pfmg-p3jp: OpenSSH 9
ghsa_unreviewed·2024-07-02
CVE-2024-39894 [HIGH] CWE-367 GHSA-g5qj-pfmg-p3jp: OpenSSH 9
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
OSV
CVE-2024-39894: OpenSSH 9
osv·2024-07-02·CVSS 7.5
CVE-2024-39894 [HIGH] CVE-2024-39894: OpenSSH 9
OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
No detection rules found.
No public exploits indexed.
http://www.openwall.com/lists/oss-security/2024/07/03/6http://www.openwall.com/lists/oss-security/2024/07/23/4http://www.openwall.com/lists/oss-security/2024/07/23/6http://www.openwall.com/lists/oss-security/2024/07/28/3https://crzphil.github.io/posts/ssh-obfuscation-bypass/https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.htmlhttps://news.ycombinator.com/item?id=41508530https://security.netapp.com/advisory/ntap-20240712-0004/https://www.openssh.com/txt/release-9.8https://www.openwall.com/lists/oss-security/2024/07/02/1http://seclists.org/fulldisclosure/2024/Sep/33http://www.openwall.com/lists/oss-security/2024/07/03/6http://www.openwall.com/lists/oss-security/2024/07/23/4http://www.openwall.com/lists/oss-security/2024/07/23/6http://www.openwall.com/lists/oss-security/2024/07/28/3https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.htmlhttps://security.netapp.com/advisory/ntap-20240712-0004/https://www.freebsd.org/security/advisories/FreeBSD-SA-25:01.openssh.aschttps://www.openssh.com/txt/release-9.8https://www.openwall.com/lists/oss-security/2024/07/02/1
2024-07-02
Published