CVE-2016-20012

Sergio Durigan Junior sergiodj at ubuntu.com
Thu Oct 28 19:22:00 UTC 2021


On Thursday, October 28 2021, Leroy Tennison wrote:

> Under "Notes:" for https://ubuntu.com/security/CVE-2016-20012 Seth
> Arnold makes a reference to "openssh-ssh1", does this CVE only apply
> to version 1 of openssh?  The reason I ask is that we have a PCI
> environment and our scanning vendor has noted us as non-compliant
> because of this CVE.  I understand there is disagreement about the
> severity of the CVE but we need an answer and Seth hasn't provided a
> public email address.  If the CVE applies only to ssh version 1 then
> we have an answer.
> A related question: would using a certificate-based ssh configuration avoid this issue?
> Thanks for your help.

Hello Leroy,

I looked at the CVE and upstream fix/discussion, and it doesn't seem to
me like this is just applicable to version 1 of the protocol.  For
example, take a look at the following highlighted comment:

  https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265

You will notice that it tries to send a userauth message using SSH2:

  if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_PK_OK))...

I read Seth's notes as a simple warning for those users who rely on
openssh-ssh1 (likely due to old devices), letting them know that the fix
for this CVE may not be provided for them if doing so means breaking
compatibility with said old equipment.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
