SB2016102102 - Denial of service in OpenSSH for Ubuntu
Published: October 21, 2016 Updated: October 29, 2016
Security Bulletin ID
SB2016102102
CSH Severity
Medium
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Denial of service (CVE-ID: CVE-2016-8858)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote unauthenticated attacker to cause DoS conditions on the target system.
The weakness is due to flaw in kex_input_kexinit() function. By sending a specially crafted data during the key exchange process, attackers can cause memory exhaustion. Consuming up to 128 MB per connection may lead to denial of service.
Successful exploitation of the vulnerability results in denial of service of the vulnerable system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.