CVE-2024-39894

一、漏洞信息
 漏洞编号：[CVE-2024-39894](https://nvd.nist.gov/vuln/detail/CVE-2024-39894)
 漏洞归属组件：[openssh](https://gitee.com/src-openeuler/openssh)
 漏洞归属的版本：8.2p1,8.8p1,9.1p1,9.3p1,9.3p2
 CVSS V2.0分值：
  BaseScore：0.0 None
  Vector：CVSS：2.0/
 漏洞简述：
  OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur.
 漏洞公开时间：2024-07-03 02:15:03
 漏洞创建时间：2024-07-03 02:32:05
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-39894
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/07/03/6 |  |
| cve.mitre.org | https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html |  |
| cve.mitre.org | https://www.openssh.com/txt/release-9.8 |  |
| cve.mitre.org | https://www.openwall.com/lists/oss-security/2024/07/02/1 |  |
| suse_bugzilla | https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html | https://bugzilla.suse.com/show_bug.cgi?id=1227318 |
| suse_bugzilla | https://www.openssh.com/txt/release-9.8 | https://bugzilla.suse.com/show_bug.cgi?id=1227318 |
| suse_bugzilla | http://www.openwall.com/lists/oss-security/2024/07/02/1 | https://bugzilla.suse.com/show_bug.cgi?id=1227318 |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39894 | https://bugzilla.suse.com/show_bug.cgi?id=1227318 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-39894 | https://bugzilla.suse.com/show_bug.cgi?id=1227318 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-39894 | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://www.openwall.com/lists/oss-security/2024/07/02/1 | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://www.openssh.com/txt/release-9.8 | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-39894 | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-39894 | https://ubuntu.com/security/CVE-2024-39894 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-39894 | https://ubuntu.com/security/CVE-2024-39894 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-39894 |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-39894 | https://explore.alas.aws.amazon.com/CVE-2024-39894.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39894 | https://explore.alas.aws.amazon.com/CVE-2024-39894.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
  OpenSSH 9.5到9.7版本有时允许对回显密码输入进行计时攻击（例如，对于su和Sudo），因为存ObscureKeyshotTiming逻辑错误。同样，其他针对击键输入的计时攻击也可能发生。openEuler:openssh的openssh的基线版本均低于9.5，因此不涉及该漏洞。
 openEuler评分：
  5.9
 Vector：CVSS：3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
 受影响版本排查(受影响/不受影响)：
  1.master(9.3p2):不受影响
2.openEuler-20.03-LTS-SP4(8.2p1):不受影响
3.openEuler-22.03-LTS-SP1(8.8p1):不受影响
4.openEuler-22.03-LTS-SP3(8.8p1):不受影响
5.openEuler-22.03-LTS-SP4(8.8p1):不受影响
6.openEuler-24.03-LTS(9.3p2):不受影响
7.openEuler-24.03-LTS-Next(9.3p2):不受影响

修复是否涉及abi变化(是/否)：
  1.master(9.3p2):否
2.openEuler-20.03-LTS-SP4(8.2p1):否
3.openEuler-22.03-LTS-SP1(8.8p1):否
4.openEuler-22.03-LTS-SP3(8.8p1):否
5.openEuler-22.03-LTS-SP4(8.8p1):否
6.openEuler-24.03-LTS(9.3p2):否
7.openEuler-24.03-LTS-Next(9.3p2):否

src-openEuler/openssh
关闭

内容风险标识

评论 (9)

src-openEuler/openssh关闭 .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-39894

评论 (9)

搜索帮助

src-openEuler/openssh
关闭