CVE-2024-39894

7.5 HIGH

📋 TL;DR

This vulnerability in OpenSSH allows attackers to perform timing attacks against password entry when terminal echo is disabled (e.g., during su or sudo operations). A logic error in the ObscureKeystrokeTiming feature leaves keystroke timing observable in that mode, so an attacker able to measure it could infer typing patterns and potentially narrow down passwords. It affects systems running OpenSSH 9.5 through 9.7.

💻 Affected Systems

Products:
  • OpenSSH
Versions: 9.5 through 9.7 (before 9.8)
Operating Systems: Linux, Unix-like systems with affected OpenSSH versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects password entry when echo is disabled, commonly used in su, sudo, and similar authentication prompts.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could potentially deduce password characters through timing analysis, leading to privilege escalation or unauthorized access to sensitive systems.

🟠 Likely Case

Limited password information leakage in controlled environments where attackers can measure precise timing of keystrokes during authentication.

🟢 If Mitigated

Minimal impact with strong passwords, network segmentation, and proper access controls limiting attacker proximity.

🌐 Internet-Facing: MEDIUM - Requires attacker to have network access and ability to measure precise timing during authentication attempts.
🏢 Internal Only: MEDIUM - Internal attackers with network access could potentially exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires precise timing measurements and multiple authentication attempts. Public research and proof-of-concept demonstrations exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenSSH 9.8

Vendor Advisory: http://www.openwall.com/lists/oss-security/2024/07/03/6

Restart Required: Yes

Instructions:

  1. Update OpenSSH to version 9.8 or later.
  2. For package managers: 'sudo apt update && sudo apt upgrade openssh-server' (Debian/Ubuntu) or 'sudo yum update openssh' (RHEL/CentOS).
  3. Restart SSH service: 'sudo systemctl restart sshd'.

🔧 Temporary Workarounds

Disable password authentication
Platform: Linux

Use SSH keys instead of passwords for authentication so that the vulnerable password-entry path is not used.

Edit /etc/ssh/sshd_config and set: PasswordAuthentication no
Then restart SSH: sudo systemctl restart sshd

Limit authentication attempts
Platform: Linux

Reduce the number of allowed authentication attempts to limit the number of timing samples an attacker can collect.

Edit /etc/ssh/sshd_config and set: MaxAuthTries 3
Then restart SSH: sudo systemctl restart sshd

🧯 If You Can't Patch

  • Implement network segmentation to limit who can attempt SSH authentication
  • Use multi-factor authentication to add a security layer beyond passwords

🔍 How to Verify

Check if Vulnerable:

Check OpenSSH version with: ssh -V 2>&1 | grep -o 'OpenSSH_[0-9.]*' | cut -d_ -f2

Check Version:

ssh -V

Verify Fix Applied:

Verify version is 9.8 or higher: ssh -V 2>&1 | grep -q 'OpenSSH_9\.[8-9]\|OpenSSH_[1-9][0-9]' && echo 'Patched' || echo 'Vulnerable'

Note that this one-liner only tests for 9.8 or later: versions below 9.5 also print 'Vulnerable' although they are outside the affected range, and distributions that backport the fix keep an older version string, so on such systems check the package changelog rather than relying on the version alone.
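As an added example (not a script from this page or from the OpenSSH project), the POSIX shell function below classifies an `ssh -V` banner against the affected range stated above (9.5 through 9.7, fixed in 9.8) instead of only testing for 9.8 or later; it assumes the banner starts with OpenSSH_<major>.<minor> as the client prints it.

```shell
#!/bin/sh
# Classify an `ssh -V` banner against CVE-2024-39894's affected range:
# OpenSSH 9.5 through 9.7 are affected, 9.8 and later are fixed, and
# versions below 9.5 predate the ObscureKeystrokeTiming feature.
# Assumption: the banner starts with "OpenSSH_<major>.<minor>"; the portable
# "pN" suffix and anything after it (distro tag, OpenSSL version) are ignored.
# Caveat: this is an upstream-version check only; a distribution that
# backports the fix keeps an older version string, so confirm via the
# package changelog there.
# Prints one of: not-affected | vulnerable | patched | unknown
classify_openssh_banner() {
    banner=$1
    # Pull "major minor" out of e.g. "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL ..."
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    set -- $ver
    major=$1
    minor=$2
    if [ "$major" -gt 9 ]; then
        echo patched; return 0          # 10.x and later
    elif [ "$major" -lt 9 ]; then
        echo not-affected; return 0     # 8.x and earlier
    elif [ "$minor" -ge 8 ]; then
        echo patched; return 0          # 9.8, 9.9, ...
    elif [ "$minor" -ge 5 ]; then
        echo vulnerable; return 1       # 9.5 .. 9.7
    else
        echo not-affected; return 0     # 9.0 .. 9.4
    fi
}

# Check the locally installed client; ssh -V writes its banner to stderr.
# Usage: check_local_ssh   (exit status 1 means the affected range)
check_local_ssh() {
    classify_openssh_banner "$(ssh -V 2>&1)"
}
```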

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with precise timing patterns
  • Unusual authentication timing from single source

Network Indicators:

  • High volume of SSH authentication attempts with consistent timing intervals

SIEM Query:

source="sshd" AND "Failed password" | stats count by src_ip | where count > 10
