Multiple vulnerabilities in OpenSSH
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Padding oracle
EUVDB-ID: #VU6126
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incomplete fix of CBC padding oracle countermeasures, allowing a variant of the attack fixed in OpenSSH 7.3 (SB2016080201 #3). A remote attacker can force the ssh client to use weak CBC ciphers and decrypt ssh session.
Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.
MitigationUpdate to version 7.5.
OpenSSH: 7.0p1 - 7.4p1
CPE2.3- cpe:2.3:a:openssh:openssh:7.0p1:*:*:*:*:*:*:
- cpe:2.3:a:openssh:openssh:7.1p1:*:*:*:*:*:*:
- cpe:2.3:a:openssh:openssh:7.2p1:*:*:*:*:*:*:
http://www.openssh.com/txt/release-7.5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Directory traversal
EUVDB-ID: #VU6127
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists in sftp-client in portable version of OpenSSH when processing file names. A remote attacker can trick the victim to connect to a malicious SFTP server and perform operations on files with specially crafted file names, containing directory traversal sequences (e.g. ../../).
Successful exploitation of the vulnerability may allow an attacker to overwrite arbitrary files on the victim’s system.
MitigationUpdate to version 7.5.
OpenSSH: 7.0p1 - 7.4p1
CPE2.3- cpe:2.3:a:openssh:openssh:7.0p1:*:*:*:*:*:*:
- cpe:2.3:a:openssh:openssh:7.1p1:*:*:*:*:*:*:
- cpe:2.3:a:openssh:openssh:7.2p1:*:*:*:*:*:*:
http://www.openssh.com/txt/release-7.5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
