SB2014070907 - Amazon Linux AMI update for openssh

Published: July 9, 2014

Security Bulletin ID: SB2014070907
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100% (2 of 2)

Description

This security bulletin contains information about 2 security vulnerabilities in the openssh packages shipped with the Amazon Linux AMI: one in the server (sshd) and one in the client (ssh).


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-2532)

The vulnerability allows a remote authenticated user to bypass the environment restrictions configured with AcceptEnv and pass variables into the session that sshd was meant to reject.

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Only hosts whose sshd_config contains an AcceptEnv line with a wildcard pattern (for example LC_*) are affected, and the attacker needs valid credentials to reach the environment-passing stage. The effective patterns on a host can be listed with: sshd -T | grep -i acceptenv
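The following is an added example, not OpenSSH's own code. It models the AcceptEnv filtering described above in a few lines of Python, with the pre-6.6 behaviour beside the anchored matching that the fixed server performs. The model follows the bulletin's wording: it assumes the broken check only looked for the text before the wildcard somewhere in the requested variable name. The sshd_config excerpt and the client environment are constructed sample input.

```python
"""Simplified model of sshd's AcceptEnv filtering, before and after the fix
shipped in OpenSSH 6.6 (CVE-2014-2532).

Added example, not OpenSSH's own code. Assumption: the pre-6.6 check only
looked for the literal text before a wildcard somewhere in the requested
variable name instead of anchoring the whole pattern against it.
"""
import fnmatch


def parse_accept_env(sshd_config_text):
    """Collect the patterns from every AcceptEnv line of an sshd_config."""
    patterns = []
    for line in sshd_config_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0].lower() == "acceptenv":
            patterns.extend(tokens[1:])
    return patterns


def accept_env_vulnerable(patterns, name):
    """Model of the broken check: a wildcard pattern accepts any name that
    merely contains the literal text preceding the first '*'."""
    for pat in patterns:
        if "*" in pat:
            if pat.split("*", 1)[0] in name:   # substring test, not anchored
                return True
        elif pat == name:
            return True
    return False


def accept_env_fixed(patterns, name):
    """Anchored glob matching: the whole name must match the whole pattern."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)


def filter_client_env(client_env, patterns, matcher):
    """Return only the variables the given matcher lets into the session."""
    return {k: v for k, v in client_env.items() if matcher(patterns, k)}


# Constructed sample input, in the style of a stock Amazon Linux sshd_config.
SSHD_CONFIG = """
# locale variables only
AcceptEnv LANG LC_CTYPE LC_NUMERIC
AcceptEnv LC_*  XMODIFIERS
"""

# Constructed sample of what a client could ask sshd to export.
CLIENT_ENV = {
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "LANGUAGE": "en",            # not matched by LANG (no wildcard)
    "MYAPP_LC_PATH": "/tmp/x",   # contains "LC_" but is not LC_*
    "LD_PRELOAD": "/tmp/evil.so",
}


def env_passed(matcher):
    """Names that reach the session under the given matcher, sorted."""
    patterns = parse_accept_env(SSHD_CONFIG)
    return sorted(filter_client_env(CLIENT_ENV, patterns, matcher))


if __name__ == "__main__":
    print("pre-6.6 model :", env_passed(accept_env_vulnerable))
    print("6.6+ model    :", env_passed(accept_env_fixed))
```

The unanchored check lets MYAPP_LC_PATH through because its name contains "LC_"; the anchored check does not. Neither model lets LD_PRELOAD through, which is why the bulletin rates this issue Medium rather than higher: what leaks is limited to names that share text with a configured wildcard pattern.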


2) Input validation error (CVE-ID: CVE-2014-2653)

The vulnerability allows a malicious or impersonating server to make the OpenSSH client skip SSHFP-based verification of the host key.

The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. This only matters for clients that rely on VerifyHostKeyDNS together with published SSHFP records. When the check is skipped the client falls back to the usual known_hosts comparison or the interactive prompt, so the DNS records give no protection against host impersonation in that case.
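The following is an added example, not OpenSSH's own code. It shows what the SSHFP check actually compares (the hash of the raw public key blob, as ssh-keygen -r publishes it) and reduces the verify_host_key decision described above to a small model: after the server's HostCertificate has been rejected, the pre-fix path returns without running the DNS comparison, while the fixed path falls back to the plain host key and still runs it. The host key is a constructed placeholder rather than a real key, the DNS records are passed in as tuples instead of being looked up, and the function names are the example's own.

```python
"""Added example, not OpenSSH's own code: what the SSHFP check compares, and
a simplified model of the client branch that CVE-2014-2653 concerns.

Assumptions: the host key below is constructed placeholder data, DNS
records are supplied as (algorithm, fptype, hex) tuples, and the decision
model only answers whether the SSHFP comparison runs and what it returns.
"""
import base64
import hashlib
import struct

# SSHFP code points from RFC 4255 and RFC 6594.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: "sha1", 2: "sha256"}


def sshfp_rdata(pubkey_line, fptype=2):
    """Build (algorithm, fp type, hex fingerprint) for a public key line.
    The digest covers the base64-decoded key blob, as in ssh-keygen -r."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.new(SSHFP_HASH[fptype], blob).hexdigest()
    return (SSHFP_ALGO[keytype], fptype, digest)


def verify_host_key_dns(pubkey_line, records):
    """True if any DNS SSHFP record matches the key the server presented."""
    for algo, fptype, fp in records:
        if fptype not in SSHFP_HASH:
            continue                       # unknown hash type: cannot compare
        if (algo, fptype, fp.lower()) == sshfp_rdata(pubkey_line, fptype):
            return True
    return False


def dns_check_after_rejected_cert(plain_key_line, records, vulnerable):
    """Model of the branch the bulletin describes: the server sent a
    HostCertificate the client would not accept, so the client should fall
    back to the plain host key. Returns the SSHFP verdict, or None when the
    comparison was skipped."""
    if vulnerable:
        return None      # pre-fix: the rejected certificate ends the DNS path
    return verify_host_key_dns(plain_key_line, records)


def constructed_host_key():
    """A syntactically valid ssh-ed25519 public key line built from
    placeholder bytes. NOT a real key; it only exercises encoding/hashing."""
    raw = bytes(range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


HOST_KEY = constructed_host_key()
# Constructed DNS answer: the SHA-1 and SHA-256 records for that key.
DNS_RECORDS = [sshfp_rdata(HOST_KEY, 1), sshfp_rdata(HOST_KEY, 2)]
# Constructed record for some other key, as an impersonating host would fail.
WRONG_RECORDS = [(4, 2, "00" * 32)]

if __name__ == "__main__":
    for algo, fptype, fp in DNS_RECORDS:
        print("IN SSHFP", algo, fptype, fp)
    print("pre-fix, cert rejected:",
          dns_check_after_rejected_cert(HOST_KEY, DNS_RECORDS, vulnerable=True))
    print("fixed,   cert rejected:",
          dns_check_after_rejected_cert(HOST_KEY, DNS_RECORDS, vulnerable=False))
    print("fixed,   wrong records:",
          dns_check_after_rejected_cert(HOST_KEY, WRONG_RECORDS, vulnerable=False))
```

The None result is the point of the advisory: with the vulnerable client a server can choose, simply by sending a certificate the client will not accept, whether the published SSHFP records are consulted at all.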


Remediation

Install the updated openssh packages from the Amazon Linux AMI repositories (for example with yum update openssh), restart sshd so that the new server binary is in use, and confirm the installed version with rpm -q openssh. The second issue is in the client, so workstations and bastion hosts that run ssh with VerifyHostKeyDNS need the update as well, not only the servers.