Описание
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords.
Отчет
This issue in OpenSSH is mitigated by the usage of SELinux in Red Hat Enterprise Linux 6, 7 and 8. More details available at: https://bugzilla.redhat.com/show_bug.cgi?id=1364935#c13
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | openssh | Will not fix | ||
| Red Hat Enterprise Linux 6 | openssh | Will not fix | ||
| Red Hat Enterprise Linux 7 | openssh | Fixed | RHSA-2017:2029 | 01.08.2017 |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
4.3 Medium
CVSS2
Связанные уязвимости
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
The auth_password function in auth-passwd.c in sshd in OpenSSH before ...
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
Уязвимость функции auth_password службы sshd средства криптографической защиты OpenSSH, позволяющая нарушителю вызвать отказ в обслуживании
5.3 Medium
CVSS3
4.3 Medium
CVSS2