Tuesday, 2 August 2016

On 04:31 by admin   No comments
A vulnerability classified as problematic has been found in OpenSSH up to 7.2p2. This affects an unknown function of the component sshd. The manipulation with an unknown input leads to a information disclosure vulnerability. This is going to have an impact on confidentiality.
The weakness was published 08/01/2016 by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht as release-7.3 as confirmed advisory (Website). The advisory is shared for download at openssh.com. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.
Upgrading to version 7.3 eliminates this vulnerability. It is possible to mitigate the problem by applying the configuration setting Disable CBC Ciphers. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability.
Entries connected to this vulnerability are available at 90403 and 90404.


Base Score: 5.3 [?]
Temp Score: 5.1 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C [?]
Reliability: High


Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) [?]
Temp Score: 4.4 (CVSS2#E:ND/RL:OF/RC:C) [?]
Reliability: High




Class: Information disclosure
Local: No
Remote: Yes


Post a comment