OpenSSH 6.2 / 6.3 Remote Memory Corruption Vulnerability

Medium

Synopsis

The remote SSH service may be affected by a memory corruption vulnerability that could allow an attacker to execute arbitrary code in the context of the authenticated user.

Description

Versions of OpenSSH server before 6.4 may contain a memory corruption vulnerability in the post-authentication 'sshd' process that is present when an AES-GCM cipher is selected during key exchange. This issue can be exploited to execute arbitrary code with the privileges of an authenticated user and bypass restricted shell/command configurations.

Solution

Upgrade to OpenSSH version 6.4 or later.
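
The check described above can be triaged from two observations, the server's identification string and its cipher list. The following is an added example, not part of the original advisory or of any scanner's code; the function names, status labels and sample inputs are constructed for illustration, and the cipher list is assumed to be a comma-separated string such as the `ciphers` line from `sshd -T`.

```python
import re

# AES-GCM cipher names as they appear in OpenSSH cipher lists.
GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
BANNER_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)")
FIXED = (6, 4)  # first fixed release, per the Solution section


def openssh_version(banner):
    """Return (major, minor) from an SSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def offered_gcm(cipher_list):
    """Return the AES-GCM ciphers present in a comma-separated cipher list."""
    names = {c.strip() for c in cipher_list.split(",") if c.strip()}
    return sorted(names & GCM_CIPHERS)


def assess(banner, cipher_list):
    """Classify a host from its banner and cipher list (labels are hypothetical)."""
    version = openssh_version(banner)
    if version is None:
        return "unknown"  # not OpenSSH, or the banner was altered
    if version >= FIXED:
        return "at-or-above-6.4"
    # The banner cannot show vendor-backported fixes, hence "may be affected".
    return "below-6.4-gcm-offered" if offered_gcm(cipher_list) else "below-6.4-no-gcm"


if __name__ == "__main__":
    # Constructed sample observations: (banner, cipher list).
    samples = [
        ("SSH-2.0-OpenSSH_6.2", "aes128-ctr,aes128-gcm@openssh.com"),
        ("SSH-2.0-OpenSSH_6.3p1 Debian-1", "aes128-ctr,aes256-ctr"),
        ("SSH-2.0-OpenSSH_6.4", "aes128-ctr,aes256-gcm@openssh.com"),
        ("SSH-2.0-dropbear_2013.58", ""),
    ]
    for banner, ciphers in samples:
        print(f"{banner!r:40} -> {assess(banner, ciphers)}")
```

Hosts reported as below-6.4-no-gcm still need the upgrade named in the Solution section; the label only records that no AES-GCM cipher appeared in the list that was supplied.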