F5 Networks BIG-IP : OpenSSH vulnerabilities (K15780)
Medium Nessus Plugin ID 91617
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
CVE-2014-2653 The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
CVE-2014-2532 sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K15780.