Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Vulnerabilidad en el delta GSSAPI de OpenSSH incluida en varias distribuciones de Linux. Esta vulnerabilidad afecta a los parches GSSAPI añadidos por varias distribuciones de Linux y no afecta al proyecto upstream de OpenSSH en sí. El uso de sshpkt_disconnect() en caso de error, que no termina el proceso, permite a un atacante enviar un tipo de mensaje GSSAPI inesperado durante el intercambio de claves GSSAPI al servidor, lo que llamará a la función subyacente y continuará la ejecución del programa sin establecer las variables de conexión relacionadas. Como las variables no se inicializan a NULL, el código accede posteriormente a esas variables no inicializadas, accediendo a memoria aleatoria, lo que podría llevar a un comportamiento indefinido. La solución alternativa recomendada es usar ssh_packet_disconnect() en su lugar, que sí termina el proceso. El impacto de la vulnerabilidad depende en gran medida de la configuración de endurecimiento de las banderas del compilador.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Attack Requirements | NONE |
| Privileges Required | NONE |
| User Interaction | NONE |
| Vulnerability Confidentiality | NONE |
| Vulnerability Integrity | LOW |
| Vulnerability Availability | LOW |
| Subsequent Confidentiality | NONE |
| Subsequent Integrity | NONE |
| Subsequent Availability | NONE |
Source: [email protected]
Type: Secondary
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary |
en
CWE-908
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary |
en
CWE-824
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| canonical | ubuntu_linux | 25.10 | <built-in method update of dict object at 0x702b8344eb40> | Application |
| openbsd | openssh | - | <built-in method update of dict object at 0x702bfc1dd4c0> | Application |
| canonical | ubuntu_linux | 20.04 | <built-in method update of dict object at 0x702bfc1de2c0> | Operating System |
| canonical | ubuntu_linux | 22.04 | <built-in method update of dict object at 0x702b8052ecc0> | Operating System |
| canonical | ubuntu_linux | 24.04 | <built-in method update of dict object at 0x702b8344f8c0> | Operating System |
| debian | debian_linux | 11.0 | <built-in method update of dict object at 0x702bdd26c940> | Operating System |
| redhat | enterprise_linux | 8.0 | <built-in method update of dict object at 0x702bdd2f2940> | Operating System |
| redhat | enterprise_linux | 9.0 | <built-in method update of dict object at 0x702bfc334f00> | Operating System |
| redhat | enterprise_linux | 10.0 | <built-in method update of dict object at 0x702bfc3358c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:canonical:ubuntu_linux:25.10:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:openbsd:openssh:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:canonical:ubuntu_linux:24.04:*:*:*:lts:*:*:* |
| Yes | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:* |