Vulnerability in the SSH protocol in various applications (CVE-2008-5161)
CVSS v2.0 severity:
LOW
Type:
CWE-200
Information disclosure
Publication date:
19/11/2008
Last modified:
09/04/2025
Description
A flaw in the handling of the SSH protocol in (1) SSH Tectia Client and Server and Connector v4.0 through v4.4.11, v5.0 through v5.2.4, and v5.3 through v5.3.8; Client and Server and ConnectSecure v6.0 through v6.0.4; Server for Linux on IBM System z v6.0.4; Server for IBM z/OS v5.5.1 and earlier, v6.0.0, and v6.0.1; and Client v4.0-J through v4.3.3-J and v4.0-K through v4.3.10-K; and (2) OpenSSH v4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from any ciphertext block of their choice in an SSH session via unknown attack vectors.
Impact
Base score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
CPE | From | To |
---|---|---|
cpe:2.3:a:openbsd:openssh:4.7p1:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.0:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.0.1:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.0.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.0.4:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.0.5:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.2:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.2.1:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.1:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.1j:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.2:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.2j:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:ssh:tectia_client:4.3.4:*:*:*:*:*:*:* |
For the complete list of CPE names with products and versions, see this page
References to solutions, tools and information
- http://isc.sans.org/diary.html?storyid=5366
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://marc.info/?l=bugtraq&m=125017764422557&w=2
- http://openssh.org/txt/cbc.adv
- http://osvdb.org/49872
- http://osvdb.org/50035
- http://osvdb.org/50036
- http://rhn.redhat.com/errata/RHSA-2009-1287.html
- http://secunia.com/advisories/32740
- http://secunia.com/advisories/32760
- http://secunia.com/advisories/32833
- http://secunia.com/advisories/33121
- http://secunia.com/advisories/33308
- http://secunia.com/advisories/34857
- http://secunia.com/advisories/36558
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-247186-1
- http://support.apple.com/kb/HT3937
- http://support.attachmate.com/techdocs/2398.html
- http://support.avaya.com/elmodocs2/security/ASA-2008-503.htm
- http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
- http://www.kb.cert.org/vuls/id/958563
- http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/CPNI957037.html
- http://www.securityfocus.com/archive/1/498558/100/0/threaded
- http://www.securityfocus.com/archive/1/498579/100/0/threaded
- http://www.securityfocus.com/bid/32319
- http://www.securitytracker.com/id?1021235=
- http://www.securitytracker.com/id?1021236=
- http://www.securitytracker.com/id?1021382=
- http://www.ssh.com/company/news/article/953/
- http://www.vupen.com/english/advisories/2008/3172
- http://www.vupen.com/english/advisories/2008/3173
- http://www.vupen.com/english/advisories/2008/3409
- http://www.vupen.com/english/advisories/2009/1135
- http://www.vupen.com/english/advisories/2009/3184
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46620
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
- https://kc.mcafee.com/corporate/index?page=content&id=SB10106
- https://kc.mcafee.com/corporate/index?page=content&id=SB10163
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11279