CVE-2025-59339
📋 TL;DR
CVE-2025-59339 is a vulnerability in The Bastion's session-recording encryption script (osh-encrypt-rsync): when the script is configured to sign the encrypted SSH session recordings it produces, it does not actually sign them. It affects organizations that use The Bastion for SSH access management with session recording enabled and osh-encrypt-rsync configured for rotation, encryption and signing of the recording files.
💻 Affected Systems
- The Bastion
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
The recordings are encrypted to the recipients' GPG public keys, so anyone who can write to the storage location can produce a replacement ciphertext; the signature is the only thing that ties a file to the bastion. Without it, a recording could be altered, replaced or removed without detection, compromising audit integrity and allowing an attacker with write access to that storage to cover tracks or plant misleading content in the audit trail.
Likely Case
Session recordings lack cryptographic signatures despite configuration, reducing the reliability of audit trails for forensic investigations and compliance requirements.
If Mitigated
With proper monitoring and integrity checks, the impact is limited to reduced cryptographic assurance of session recording files.
🎯 Exploit Status
There is nothing to exploit on the bastion itself: no authentication bypass or remote code execution is involved. The issue matters when an attacker can already read or write the encrypted recordings at rest (for example on the rsync destination) and knows that the files carry no signature, so a substituted or altered file will pass whatever checks rely on signing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing commit 9bc85ec3f4b724f903773ba64909777c4826a13f
Vendor Advisory: https://github.com/ovh/the-bastion/security/advisories/GHSA-h66q-g57p-rgg6
Restart Required: No
Instructions:
1. Update The Bastion to a version containing the fix commit.
2. Run osh-encrypt-rsync and confirm that it signs files when signing is configured.
3. Recordings produced while the bug was present carry no signature and cannot be authenticated after the fact; record which files date from that period so they are not treated as signed during an investigation.
🔧 Temporary Workarounds
Manual signing verification
Manually verify signatures on encrypted session files after each rotation:
gpg --verify [encrypted-file].sig [encrypted-file]
This only detects the problem; it does not add the missing signature. If your configuration embeds the signature in the encrypted file instead of writing a detached .sig, decrypting with a recipient key (gpg --decrypt) reports the signature status instead.
Disable signing requirement
Temporarily disable signing in the osh-encrypt-rsync configuration if it is not required for compliance.
Edit the configuration to remove the signing options from the osh-encrypt-rsync script. Note that this does not reduce the exposure: the files were already unsigned. It only removes the false assurance that they are signed, so that downstream processes do not rely on a signature that is not there.
🧯 If You Can't Patch
- Compute checksums or hashes of each encrypted recording on the bastion at encryption time and keep them somewhere the storage location's writers cannot alter, so a later comparison detects replaced files
- Store session recordings on write-once or write-protected storage with strict access controls to prevent tampering
🔍 How to Verify
Check if Vulnerable:
Check whether osh-encrypt-rsync is configured to sign files, then confirm that a corresponding .sig file exists for each recently rotated recording and that it validates against the bastion's signing key. A signing configuration with no .sig files (or with .sig files that fail verification) indicates the vulnerable behaviour.
Check Version:
Check The Bastion version or verify that fix commit 9bc85ec3f4b724f903773ba64909777c4826a13f is present in the installation; for a git checkout (default path /opt/bastion) `git -C /opt/bastion log --oneline | grep 9bc85ec3` shows whether the commit is in the installed history.
Verify Fix Applied:
After patching, run the osh-encrypt-rsync script and verify that .sig files are generated and can be validated with gpg --verify.
📡 Detection & Monitoring
Log Indicators:
- Missing or invalid signature files for session recordings
- osh-encrypt-rsync script running without generating signature files when configured to
Network Indicators:
- None; the defect is in local file handling on the bastion. If recordings are rsynced to a remote host, the integrity checks above must be run against that copy as well.
SIEM Query:
Alert on osh-encrypt-rsync runs whose output contains no signing step, and on file-integrity-monitoring events that show a new encrypted recording appearing without a matching .sig file within the expected rotation window.
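The "How to Verify" and "Detection & Monitoring" sections above both reduce to the same check: walk the directory of encrypted recordings, flag every file that has no detached signature, and run gpg --verify on the ones that do. The script below is an added example and is not part of The Bastion or its osh-encrypt-rsync script. It assumes encrypted recordings end in `.gpg` and that a detached signature sits beside each one with an extra `.sig` suffix (both are overridable, since the exact naming depends on your configuration), and that the bastion's signing public key is already in the verifying keyring.

```shell
#!/bin/sh
# Added example (not The Bastion's own code): audit a directory of encrypted
# session recordings for missing or invalid detached signatures.
#
# Assumptions, adjust to your setup:
#   ENC_SUFFIX  suffix of encrypted recordings            (default .gpg)
#   SIG_SUFFIX  suffix appended for the detached signature (default .sig),
#               i.e. foo.ttyrec.gpg is signed by foo.ttyrec.gpg.sig
ENC_SUFFIX="${ENC_SUFFIX:-.gpg}"
SIG_SUFFIX="${SIG_SUFFIX:-.sig}"

# find_unsigned DIR
# Prints every encrypted file under DIR that has no sibling signature file.
# Pure filesystem check, needs no keys. Returns 1 if anything is missing.
# This is the condition the vulnerable script produces: signing configured,
# no signature written.
find_unsigned() {
    dir="$1"
    missing=$(find "$dir" -type f -name "*${ENC_SUFFIX}" | sort | while read -r f; do
        [ -f "${f}${SIG_SUFFIX}" ] || printf '%s\n' "$f"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# verify_signed DIR
# Runs gpg --verify on every encrypted file that does have a signature and
# prints the ones whose signature does not validate (tampered file, or signed
# by a key other than the bastion's). Returns 1 if any are bad.
# Requires gpg and the bastion's signing public key in the keyring.
verify_signed() {
    dir="$1"
    bad=$(find "$dir" -type f -name "*${ENC_SUFFIX}" | sort | while read -r f; do
        sig="${f}${SIG_SUFFIX}"
        [ -f "$sig" ] || continue
        gpg --batch --verify "$sig" "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_recordings DIR
# Combined report: MISSING lines for unsigned files, BAD lines for files whose
# signature fails, exit status 1 if either list is non-empty.
audit_recordings() {
    dir="$1"
    rc=0
    find_unsigned "$dir" | sed 's/^/MISSING /' | grep . && rc=1
    verify_signed "$dir" | sed 's/^/BAD /' | grep . && rc=1
    return "$rc"
}
```

Run it as `audit_recordings /path/to/encrypted/recordings` from cron or a file-integrity job and forward the MISSING and BAD lines to your SIEM; a non-zero exit on a bastion whose configuration enables signing is the log indicator described above. If your deployment embeds the signature in the encrypted file rather than writing a detached .sig, replace the gpg --verify call with `gpg --batch --decrypt` under a recipient key and grep its status output for "Good signature"; the filesystem check in find_unsigned does not apply to that layout.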