Release of OpenSSH 8.6 with a vulnerability fix

The release of OpenSSH 8.6, an open implementation of the client and server for the SSH 2.0 and SFTP protocols, has been published. The new version fixes a vulnerability in the implementation of the LogVerbose directive, which was introduced in the previous release. LogVerbose allows raising the level of debugging information written to the log, including filtering by pattern, function and file for code that runs with dropped privileges in the sandboxed sshd process.

An attacker who gains control of the unprivileged process through some as-yet-unknown vulnerability could use the LogVerbose issue to bypass the sandbox isolation and attack the process running with elevated privileges. Exploitation of the LogVerbose vulnerability is considered unlikely in practice: the LogVerbose setting is disabled by default and is normally used only during debugging, and the attack additionally requires finding a new vulnerability in the unprivileged process.
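Since the precondition for the issue is a non-default LogVerbose setting, an administrator can quickly audit a configuration for it. The following is an added example, not code from the OpenSSH project: a POSIX shell function that reports every effective (non-commented) LogVerbose line in a given sshd_config, run here against a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project): audit an sshd_config file for a
# non-default LogVerbose setting, the precondition for the issue fixed in 8.6.
# Assumes a POSIX shell plus awk; the sample configuration below is constructed.

# Print each effective LogVerbose line (keyword matched case-insensitively,
# "key value" and "key=value" forms both accepted, comments and blank lines
# skipped). Returns 0 if at least one such line exists, 1 otherwise.
find_logverbose() {
    awk '
        BEGIN { found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # strip leading whitespace
            if (line == "" || line ~ /^#/) next # blank line or comment
            key = line
            sub(/[ \t=].*$/, "", key)           # keyword is the first token
            if (tolower(key) == "logverbose") { print NR ": " $0; found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample sshd_config for demonstration.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
#LogVerbose kex.c:*:1000
LogLevel VERBOSE
  logverbose packet.c:*,kex.c:*
ModuliFile /etc/ssh/moduli
EOF

if find_logverbose "$SAMPLE_CFG"; then
    echo "LogVerbose is set: remove it outside debugging sessions and run OpenSSH 8.6 or later"
else
    echo "LogVerbose is not set (default)"
fi
rm -f "$SAMPLE_CFG"
```

Against a live host, save the output of `sshd -T` to a file and check that instead, so that Include'd files and the resolved defaults are covered rather than a single file.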

Changes in OpenSSH 8.6 not related to the vulnerability:

  • sftp and sftp-server implement a new protocol extension, "limits@openssh.com", which lets the SFTP client query the limits the server enforces, including the maximum packet size and the limits on write and read operations. sftp uses the extension to select the optimal block size for data transfer.
  • Added a ModuliFile setting to sshd_config, which allows specifying the path to the "moduli" file containing the groups used for DH-GEX.
  • Added the TEST_SSH_ELAPSED_TIMES environment variable to the unit tests, enabling output of the time elapsed for each test.
  • The GNOME passphrase prompt (ssh-askpass) is split into two variants, one for GNOME2 and one for GNOME3 (contrib/gnome-ssh-askpass3.c). The GNOME3 variant uses the gdk_seat_grab() call to control keyboard and mouse grabbing, improving compatibility with Wayland.
  • The fstatat64 system call is now soft-disallowed in the seccomp-bpf-based Linux sandbox.

Source: opennet.ru