CVE-2008-5161

LOW

Description

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

References

http://isc.sans.org/diary.html?storyid=5366

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

http://marc.info/?l=bugtraq&m=125017764422557&w=2

http://openssh.org/txt/cbc.adv

http://osvdb.org/49872

http://osvdb.org/50035

http://osvdb.org/50036

http://rhn.redhat.com/errata/RHSA-2009-1287.html

http://secunia.com/advisories/32740

http://secunia.com/advisories/32760

http://secunia.com/advisories/32833

http://secunia.com/advisories/33121

http://secunia.com/advisories/33308

http://secunia.com/advisories/34857

http://secunia.com/advisories/36558

http://sunsolve.sun.com/search/document.do?assetkey=1-66-247186-1

http://support.apple.com/kb/HT3937

http://support.attachmate.com/techdocs/2398.html

http://support.avaya.com/elmodocs2/security/ASA-2008-503.htm

http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt

http://www.kb.cert.org/vuls/id/958563

http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/CPNI957037.html

http://www.securityfocus.com/archive/1/498558/100/0/threaded

http://www.securityfocus.com/archive/1/498579/100/0/threaded

http://www.securityfocus.com/bid/32319

http://www.securitytracker.com/id?1021235

http://www.securitytracker.com/id?1021236

http://www.securitytracker.com/id?1021382

http://www.ssh.com/company/news/article/953/

http://www.vupen.com/english/advisories/2008/3172

http://www.vupen.com/english/advisories/2008/3173

http://www.vupen.com/english/advisories/2008/3409

http://www.vupen.com/english/advisories/2009/1135

http://www.vupen.com/english/advisories/2009/3184

https://exchange.xforce.ibmcloud.com/vulnerabilities/46620

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667

https://kc.mcafee.com/corporate/index?page=content&id=SB10106

https://kc.mcafee.com/corporate/index?page=content&id=SB10163

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11279

Details

Source: MITRE

Published: 2008-11-19

Updated: 2018-10-11

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 2.6

Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW