#VU32937 Use of a broken or risky cryptographic algorithm in OpenSSH - CVE-2020-14145
Published: July 30, 2020 / Updated: December 4, 2020
Vulnerability identifier: #VU32937
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14145
CWE-ID: CWE-327
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
OpenSSH
OpenSSH
Software vendor:
OpenSSH
OpenSSH
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists in openssh client during algorithm negotiation due to observable discrepancy. A remote attacker can perform a Man-in-the-Middle (MitM) attack.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Partial mitigation against this issue was included in OpenSSH 8.4
External links
- https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1
- https://security.netapp.com/advisory/ntap-20200709-0004/
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
- https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d