#VU6126 Padding oracle in OpenSSH

Published: March 20, 2017


Vulnerability identifier: #VU6126
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenSSH
Software vendor: OpenSSH

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an incomplete fix of the CBC padding oracle countermeasures, which allows a variant of the attack fixed in OpenSSH 7.3 (SB2016080201 #3). A remote attacker can force the ssh client to negotiate a weak CBC cipher and decrypt the ssh session.

Successful exploitation of the vulnerability may allow an attacker to gain access to potentially sensitive information.


Remediation

Update to version 7.5.
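The two conditions this advisory turns on are a client older than 7.5 and a client that will still negotiate a CBC cipher. The following audit helper, added here and not part of the advisory or of OpenSSH, checks both from the text that `ssh -V` (version banner) and `ssh -G host` (effective client configuration, including its `ciphers` line) print; the sample outputs are constructed, and the 7.5 threshold is taken from the remediation above.

```python
import re
from typing import List, Tuple

FIXED_VERSION = (7, 5)  # remediation from the advisory: update to 7.5

# Constructed sample output in the shape of `ssh -V` (stderr) and `ssh -G host`.
SAMPLE_SSH_V = "OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u  20 Dec 2019"
SAMPLE_SSH_G = """\
host example.invalid
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256
"""


def parse_openssh_version(ssh_v: str) -> Tuple[int, int]:
    """Extract (major, minor) from a banner such as 'OpenSSH_7.4p1 ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_v)
    if not m:
        raise ValueError(f"not an OpenSSH version banner: {ssh_v!r}")
    return int(m.group(1)), int(m.group(2))


def cbc_ciphers_offered(ssh_g: str) -> List[str]:
    """Return the CBC-mode ciphers the client is willing to negotiate."""
    for line in ssh_g.splitlines():
        key, _, value = line.partition(" ")
        if key == "ciphers":
            # OpenSSH names CBC modes with a '-cbc' suffix (aes128-cbc, 3des-cbc, ...).
            return [c for c in value.split(",") if c.endswith("-cbc")]
    return []


def audit_client(ssh_v: str, ssh_g: str) -> List[str]:
    """Findings relevant to #VU6126: unpatched version and negotiable CBC ciphers."""
    findings = []
    version = parse_openssh_version(ssh_v)
    if version < FIXED_VERSION:
        findings.append(f"client is OpenSSH {version[0]}.{version[1]}, below fixed 7.5")
    cbc = cbc_ciphers_offered(ssh_g)
    if cbc:
        findings.append("client still offers CBC ciphers: " + ",".join(cbc))
    return findings


if __name__ == "__main__":
    for finding in audit_client(SAMPLE_SSH_V, SAMPLE_SSH_G):
        print("FINDING:", finding)
```

Updating to 7.5 removes the first finding; removing the `-cbc` entries from the `Ciphers` directive in ssh_config removes the precondition the attacker relies on.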

External links