
Monday, May 18, 2026

From News to Knowledge: Mastering OpenSSH Security on openSUSE

 

openSUSE


OpenSSH vulnerabilities CVE-2026-35385 & CVE-2026-35414 affect openSUSE. Learn to check, patch, and mitigate with iptables & AppArmor. Includes automation script + books to master binary analysis and malware dissection. 

A security update was released on May 15, 2026, for openSUSE systems. The update addresses two distinct flaws in OpenSSH: CVE-2026-35385, where a file downloaded by scp could be installed with dangerous setuid/setgid permissions, and CVE-2026-35414, involving mishandling of the authorized_keys principals option.

While the update itself is important, the real value is in building a repeatable process to handle these situations every time.

This guide will give you the commands, scripts, and strategies to not just fix this vulnerability, but to systematically handle any future OpenSSH security issue. 

We'll cover how to check your system, apply the patch, implement a bash automation script, and use defensive "compensating controls" when you can't update immediately.


How to Check if You Are Vulnerable (openSUSE Commands)


Before you patch, know exactly what you're dealing with. Run these commands on your openSUSE system to check your OpenSSH version and see if the security patches are missing.

1. Check Your Current OpenSSH Version

bash
# Check the SSH client version
ssh -V
# Example output: OpenSSH_9.6p1, OpenSSL 3.0.14 2024-06-04

# Check the SSH server version (use the full path /usr/sbin/sshd if it is not on your PATH)
sshd -V

# Check the exact package versions installed (client, server and common subpackages)
rpm -qa | grep openssh

2. See Which Security Patches Are Missing

Use zypper to list all missing patches, including the one for this OpenSSH update:

bash
# List all missing patches
sudo zypper list-patches

# List only patches in the security category
sudo zypper list-patches --category security

# Check specifically for security patches
sudo zypper patch-check

3. Verify if a Specific CVE is Patched

To check if a specific CVE (like CVE-2026-35385) has been addressed, you can search the package changelog:

bash
rpm -q --changelog openssh | grep -i cve-2026

If you see entries referencing the CVEs, the patch has been applied. If not, your system is vulnerable and needs updating.


Automation Script to Apply the Fix (openSUSE & SUSE)


This bash script automates the entire process: it checks your OpenSSH version, identifies if the system is vulnerable to the specific CVEs, applies the official patch, and restarts the SSH service. Save it as openssh-hardening.sh and run it with sudo bash openssh-hardening.sh.

bash
#!/bin/bash
# openssh-hardening.sh
# Author: Security Automation
# Purpose: Automatically detect and patch CVE-2026-35385 and CVE-2026-35414 on openSUSE/SUSE

set -e  # Exit on any error

CVES="CVE-2026-35385 CVE-2026-35414"

# Succeed only if the package changelog mentions EVERY CVE in $CVES
# (a single grep for "A\|B" would pass when only one of the two fixes is present)
patched_for_all_cves() {
    local cve
    for cve in $CVES; do
        rpm -q --changelog openssh | grep -qw -- "$cve" || return 1
    done
}

echo "[+] Starting OpenSSH vulnerability scan and patch process..."

# 1. Check current OpenSSH version (fall back to "unknown" instead of aborting under set -e)
SSH_VERSION=$(ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9.]+' || echo unknown)
echo "[*] Detected OpenSSH Client Version: $SSH_VERSION"

# 2. Check if patches are already applied by looking at the changelog
if patched_for_all_cves; then
    echo "[✓] System appears to be patched for the CVEs. Exiting."
    exit 0
else
    echo "[!] System is VULNERABLE. Proceeding with patch application..."
fi

# 3. Refresh repository metadata and apply all security patches
echo "[*] Refreshing repositories..."
sudo zypper --non-interactive refresh

echo "[*] Applying all security patches (zypper patch)..."
sudo zypper --non-interactive patch

# Alternative: Update only OpenSSH package if you prefer
# sudo zypper --non-interactive update openssh

# 4. Verify the update was successful by checking the changelog again
if patched_for_all_cves; then
    echo "[✓] Patch applied successfully!"
else
    echo "[✗] ERROR: Patch verification failed. Please check manually."
    exit 1
fi

# 5. Restart SSH service to load the new binaries
echo "[*] Restarting SSH daemon..."
sudo systemctl restart sshd
# is-active returns non-zero if the daemon did not come back, which aborts the script via set -e
sudo systemctl is-active --quiet sshd
sudo systemctl status sshd --no-pager

echo "[✓] OpenSSH update and restart completed."
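The changelog grep in step 3 and in the script above can be made stricter, and the second CVE involves the authorized_keys principals option, so it is worth knowing which keys on a host use it. The following is an added example, not the post's script: all_cves_in_changelog succeeds only when every CVE id passed as an argument appears in the changelog fed on stdin, and principals_entries lists the non-comment authorized_keys lines that carry principals=. The authorized_keys content in demo is constructed for the example and the keys are placeholders.

```shell
#!/bin/bash
# Added example (not part of the original post's script).
# 1. all_cves_in_changelog: read an RPM changelog on stdin and succeed only if
#    EVERY CVE id given as an argument is present.
# 2. principals_entries: print authorized_keys lines that carry the
#    principals= option (the option involved in CVE-2026-35414), ignoring
#    comment lines, and fail if there are none.

all_cves_in_changelog() {
    # usage: rpm -q --changelog openssh | all_cves_in_changelog CVE-2026-35385 CVE-2026-35414
    local changelog cve
    changelog=$(cat)
    for cve in "$@"; do
        # -w: whole-word match, so CVE-2026-35385 does not match CVE-2026-353851
        printf '%s\n' "$changelog" | grep -qiw -- "$cve" || return 1
    done
    return 0
}

principals_entries() {
    # usage: principals_entries /root/.ssh/authorized_keys   (path is an example)
    # The option may start the line or follow another option after a comma.
    awk '!/^[[:space:]]*#/ && /(^|[ ,])principals=/ { n++; print FNR ": " $0 }
         END { exit n ? 0 : 1 }' "$1"
}

# Self-contained demo on a constructed authorized_keys file
demo() {
    local tmp rc
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample authorized_keys, keys are placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne user@host
cert-authority,principals="deploy,ops" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwo ca@example
# principals= inside a comment must not count
EOF
    principals_entries "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Pipe the real changelog into the first function and point the second at each user's authorized_keys file; a non-zero exit from either is the signal to act.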

Note: This script resolves CVE-2026-35385 and CVE-2026-35414. To learn how to create your own vulnerability assessment scripts for any future CVE, you need to understand binary analysis.


The Books That Solve ALL the CVEs You've Never Seen

Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly: This book is the first to present advanced topics like binary instrumentation, dynamic taint analysis, and symbolic execution in an accessible way. By the end, you'll be able to build your own Linux binary analysis tools—tools that can find unknown vulnerabilities before they get a CVE number.


Practical Binary Analysis (advertising) -> https://amzn.to/4wvL7c9


Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software: When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones. This book teaches you the tools and techniques used by professional analysts to safely analyze, debug, and disassemble any malicious software that comes your way.

Practical Malware Analysis (advertising) -> https://amzn.to/49Wm4oW


Stop chasing patches reactively. Learn to dissect the malware that exploits them.


I earn a commission if you make a purchase.


Alternative Mitigation if You Can't Update Now



Sometimes you can't reboot a production server or apply a package update immediately. In those cases, use these "compensating controls" to reduce your risk until you can patch.

Option 1: Rate-Limit SSH Connections with iptables

This prevents automated brute-force attacks from overwhelming your SSH service. It doesn't fix the flaw, but it makes exploitation much harder. Keep in mind that neither CVE above is a password-guessing issue, so the limit reduces the volume of unauthenticated connections an attacker can open rather than closing the flaws themselves.
Command-line iptables rules:

bash
# Accept new SSH connections at up to 5 per minute (burst of 5); anything above falls through
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

# Log and drop excessive connections (rules are evaluated in order, so these only see the overflow)
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH_RATE_LIMIT: "
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

# Save rules. "sudo iptables-save > file" fails because the redirect runs as your
# unprivileged user, so run the whole command as root. openSUSE does not restore this
# file automatically; reload it after a reboot with: iptables-restore < /etc/iptables/rules.v4
sudo mkdir -p /etc/iptables
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Alternative: Using SuSEfirewall2 (openSUSE's native tool)

Edit /etc/sysconfig/SuSEfirewall2 and add this line to limit SSH connections. Note that SuSEfirewall2 was replaced by firewalld as the default firewall in openSUSE Leap 15 and Tumbleweed, so this only applies to hosts still running it; on a firewalld host the equivalent is a rich rule such as sudo firewall-cmd --permanent --add-rich-rule='rule service name="ssh" limit value="3/m" accept' followed by sudo firewall-cmd --reload.

text
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Then restart the firewall:

bash
sudo systemctl restart SuSEfirewall2

This configuration allows a maximum of 3 SSH connection attempts per minute from the same IP address, blocking the fourth.

Option 2: Enforce AppArmor Profiles for SSH

openSUSE comes with AppArmor enabled by default, which can confine SSH even if there's an unknown vulnerability.

Check if SSH has an AppArmor profile:

bash
sudo aa-status | grep ssh

If no profile exists, generate one:

bash
# Generate a new profile for sshd. aa-genprof is interactive: while it runs, open a few
# real SSH sessions from another machine so the profile learns what sshd actually needs
sudo aa-genprof sshd

# Start in complain mode and check journalctl -k (or the audit log) for AppArmor denials
sudo aa-complain /etc/apparmor.d/usr.sbin.sshd

# Once logins work cleanly, switch to enforce mode
sudo aa-enforce /etc/apparmor.d/usr.sbin.sshd

An AppArmor profile restricts what the SSH daemon can do—what files it can read, what network connections it can make, and what programs it can execute. Even if an attacker exploits a vulnerability, the profile limits the damage.


Conclusion 

Security isn't a one-time event—it's a continuous process of verification, automation, and learning. You now have a reusable workflow for handling OpenSSH vulnerabilities on openSUSE:

  1. Check your version and patch status.

  2. Automate the fix with a script.

  3. Apply mitigations (iptables/AppArmor) when you can't update.

  4. Go deeper—learn binary analysis and malware dissection.

Don't wait for the next CVE to catch you off guard.



