CVE-2014-1692
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692

The NIST advisory says that all versions of OpenSSH potentially contain the flaw.  But is that really true?  For example, I looked at the 3.8.1p1 distribution and didn't find any reference to JPAKE at all.

Thanks.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: CVE-2014-1692
<no_spam_98 <at> yahoo.com> writes:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
>
> The NIST advisory says that all versions of OpenSSH potentially contain
> the flaw.  But is that really true?  For example, I looked at the
> 3.8.1p1 distribution and didn't find any reference to JPAKE at all.

Hi. The NVD advisory is inaccurate. JPAKE experimental code was
first introduced in OpenSSH 5.2, iirc.

Also, the advisory should be taken with a grain of salt as the
vulnerable code is not activated without pro-active user code
modification.

--mancha

Re: CVE-2014-1692
On Thu, 30 Jan 2014, mancha wrote:

> <no_spam_98 <at> yahoo.com> writes:
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
> >
> > The NIST advisory says that all versions of OpenSSH potentially contain
> > the flaw. But is that really true? For example, I looked at the
> > 3.8.1p1 distribution and didn't find any reference to JPAKE at all.
>
> Hi. The NVD advisory is inaccurate. JPAKE experimental code was
> first introduced in OpenSSH 5.2, iirc.
>
> Also, the advisory should be taken with a grain of salt as the
> vulnerable code is not activated without pro-active user code
> modification.

oh man, that CVE is nuts.

"Exploitability Subscore: 10.0" - it's code that is experimental,
never enabled, never mentioned in release notes, has no configure
option. On top of that, the attacker has to make EVP_Digest* fail
(and I know of no way to do this remotely) as a result.

-d
Re: CVE-2014-1692
On 30 Jan 2014, at 20:31, Damien Miller wrote:

> oh man, that CVE is nuts.

It starts "The hash_buffer function in schnorr.c in OpenSSH through 6.4,
when Makefile.inc is modified to enable the J-PAKE protocol ..."

If one is allowed to modify files in order to trigger security vulnerabilities,
I think I could find some rather more obvious modifications to do with
rather more serious impacts.

--
Alex Bligh

Re: CVE-2014-1692
>>>>> "AB" == Alex Bligh <alex@alex.org.uk> writes:

AB> If one is allowed to modify files in order to trigger security
AB> vulnerabilities, I think I could find some rather more obvious
AB> modifications to do with rather more serious impacts.

The original filing is interesting; there was confusion about whether it
qualified for a CVE at all, and the rationale by the assignment team is
given in a reply.

http://openwall.com/lists/oss-security/2014/01/29/2

- J<