PROBABLYPWNED
VulnerabilitiesJuly 13, 20264 min read

OpenSSH 10.4 Patches 8 Flaws, Adds Post-Quantum Signatures

OpenSSH 10.4 fixes eight security vulnerabilities including sftp/scp file redirection bugs and client-side use-after-free. Experimental ML-DSA post-quantum signatures debut.

Marcus Chen

OpenSSH 10.4, released July 6, patches eight security vulnerabilities spanning the client, server, and file transfer tools. The update also introduces experimental support for post-quantum cryptographic signatures, making it the first step toward quantum-resistant SSH authentication for organizations planning ahead.

The security fixes address bugs in every major OpenSSH component: ssh, sshd, sftp, scp, and ssh-agent. Organizations running any recent OpenSSH version should plan upgrades, particularly those using sftp or scp for automated file transfers.

Critical Vulnerabilities Fixed

Malicious Server File Redirection (sftp): The sftp client could be tricked by a malicious server into writing downloaded files to unexpected locations on the client system. Automated scripts pulling files via sftp from untrusted servers were particularly at risk.

Path Traversal in scp: During remote-to-remote copies, malicious servers could exploit path handling to write files into parent directories on destination systems. Combined with privileged access, this could enable code execution through config file overwrites.

Client Use-After-Free: A memory corruption bug in the ssh client triggered when servers changed their host key during post-authentication rekeying. Exploitation would require a malicious server, but the memory safety issue is concerning regardless.

GSSAPIAuthentication DoS: When GSSAPI authentication was enabled, attackers could trigger pre-authentication denial of service conditions against the sshd daemon.

Timing Attack Mitigation Gaps: The minimum authentication delay enforcement was inconsistently applied, potentially enabling timing attacks against authentication mechanisms.

Ed25519 Signature Verification: Missing malleability and validity checks in Ed25519 signature verification have been added, hardening the cryptographic implementation.

ssh-agent Username DoS: Length constraints on usernames in key use limitations could trigger crashes in the ssh-agent process.

sshd Internal SFTP Arguments: The internal-sftp server silently dropped arguments beyond the ninth on long command lines, potentially discarding security-critical configuration settings.

Post-Quantum Cryptography Arrives

The release introduces experimental support for composite post-quantum signatures using ML-DSA 44 combined with Ed25519. This hybrid approach pairs a classical algorithm with a quantum-resistant one, providing security even if one scheme is eventually broken.

The feature is disabled by default and requires manual configuration:

  1. Generate composite keys with ssh-keygen -t mldsa44-ed25519
  2. Add the algorithm to HostKeyAlgorithms and PubkeyAcceptedAlgorithms in configs
  3. Distribute new host keys to clients

For most organizations, this is forward-looking preparation rather than an immediate need. Current quantum computers can't break classical cryptography, but the "harvest now, decrypt later" threat model drives early adoption planning—especially for long-lived infrastructure where key material captured today might be decrypted by future quantum systems.

Why This Matters

OpenSSH is everywhere. It secures administrative access to Linux servers, network equipment, cloud infrastructure, and developer workstations across virtually every organization. These bugs affect automated transfer pipelines that often run with elevated privileges.

The sftp and scp vulnerabilities are particularly concerning for CI/CD systems that pull artifacts from external servers. If any of those servers are compromised—or if network position allows MITM attacks—attackers could redirect downloads to writable locations and potentially execute code.

The recent U-Boot vulnerabilities we covered showed how boot-time security gaps can undermine everything above them. OpenSSH sits at the other end of the stack, protecting runtime access—and bugs here propagate across everything that depends on secure shell access.

Recommended Actions

  1. Update to OpenSSH 10.4 on all systems, prioritizing those using automated sftp/scp transfers
  2. Audit transfer scripts for connections to external or semi-trusted servers
  3. Consider disabling GSSAPIAuthentication if not actively used
  4. Review internal-sftp configurations with more than nine arguments
  5. Plan post-quantum migration for long-lived infrastructure, but don't rush—the feature is experimental

Vendors shipping OpenSSH-based implementations should integrate the 10.4 release promptly. The combined severity of these bugs—especially the file redirection issues—warrants faster-than-normal patching cycles.

Frequently Asked Questions

Should I enable post-quantum signatures now? Not unless you're specifically testing quantum-resistant cryptography. The ML-DSA+Ed25519 composite is experimental, and enabling it before broad ecosystem support exists could cause compatibility issues. Plan for it, but wait for maturity.

Are these vulnerabilities being exploited in the wild? No active exploitation has been reported. However, the sftp/scp bugs are straightforward enough that weaponization is likely once details spread. Patch before that happens.

Related Articles