SSRT101487

HPSBMU03409

[oss-security] 20140129 Re: OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)

[oss-security] 20140128 OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)

102611

60184

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/schnorr.c.diff?r1=1.9;r2=1.10;f=h

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c#rev1.10

65230

http://www-01.ibm.com/support/docview.wss?uid=isg3T1020637

openssh-cve20141692-code-exec(90819)

A version of IBM General Parallel File System (GPFS) that is 3.5.0.11 or later but prior to 3.5.0.19 is installed on the remote host. It is, therefore, affected by a memory corruption issue in the bundled version of OpenSSH. The issue exists due to a failure to initialize certain data structures when makefile.inc is modified to enable the J-PAKE protocol. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition and potentially the execution of arbitrary code.

Versions of OpenSSH server before 6.6 are unpatched for multiple restriction bypass vulnerabilities:

 -  A vulnerability exists related to wildcard usage in the 'AcceptEnv' configuration setting within sshd_config. This could be leveraged by an attacker to bypass environment restrictions via a specially crafted request.

Note: NNM has solely relied on the banner of the SSH client to perform this check. Any backported patches or workarounds such as recompiling or edited configurations are not observable through the banner. (CVE-2014-2532)
 - 	The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition. (CVE-2014-1692)

According to its banner, the version of OpenSSH running on the remote host is prior to 6.6. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists due to a failure to initialize certain     data structures when makefile.inc is modified to enable     the J-PAKE protocol. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in a     denial of service condition and potentially the     execution of arbitrary code. (CVE-2014-1692)

  - An error exists related to the 'AcceptEnv' configuration     setting in sshd_config due to improper processing of     wildcard characters. An unauthenticated, remote attacker     can exploit this, via a specially crafted request, to     bypass intended environment restrictions.
    (CVE-2014-2532)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
76766	IBM General Parallel File System OpenSSH Memory Corruption	Nessus	Windows	high
8169	OpenSSH < 6.6 Multiple Remote Restriction Bypass Vulnerability	Nessus Network Monitor	SSH	high
73079	OpenSSH < 6.6 Multiple Vulnerabilities	Nessus	Misc.	high

CVE-2014-1692

high

Tenable Plugins

high

high

high