Executive Summary

Summary
Title LibSSH: Information disclosure
Informations
Name GLSA-201408-03 First vendor Publication 2014-08-10
Vendor Gentoo Last vendor Modification 2014-08-10
Severity (Vendor) Low Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 1.9 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 3.4 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

A vulnerability in LibSSH can result in leakage of private key information.

Background

LibSSH is a C library providing SSHv2 and SSHv1.

Description

A new connection inherits the state of the PRNG without re-seeding with random data.

Impact

Servers using ECC (ECDSA) or DSA certificates in non-deterministic mode may under certain conditions leak their private key.

Workaround

There is no known workaround at this time.

Resolution

All LibSSH users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libssh-0.6.3"

References

[ 1 ] CVE-2014-0017 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0017

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201408-03.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201408-03.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:23904
 
Oval ID: oval:org.mitre.oval:def:23904
Title: USN-2145-1 -- libssh vulnerability
Description: A security issue was fixed in libssh.
Family: unix Class: patch
Reference(s): USN-2145-1
CVE-2014-0017
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): libssh
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24236
 
Oval ID: oval:org.mitre.oval:def:24236
Title: DSA-2879-1 libssh - security update
Description: It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
Family: unix Class: patch
Reference(s): DSA-2879-1
CVE-2014-0017
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): libssh
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25490
 
Oval ID: oval:org.mitre.oval:def:25490
Title: SUSE-SU-2014:0413-1 -- Security update for libssh2
Description: This update of libssh fixes the following security issue: * When libssh operates in server mode, the randomness pool was not switched on fork, so two pools could operate on the same randomness and could generate the same keys.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0413-1
CVE-2014-0017
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): libssh2
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 14

Nessus® Vulnerability Scanner

Date Description
2015-04-22 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2015-111-04.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-086.nasl - Type : ACT_GATHER_INFO
2014-10-30 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_f8c88d505fb311e481bd5453ed2e2b49.nasl - Type : ACT_GATHER_INFO
2014-08-11 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201408-03.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-208.nasl - Type : ACT_GATHER_INFO
2014-03-21 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_libssh2-140307.nasl - Type : ACT_GATHER_INFO
2014-03-17 Name : The remote Fedora host is missing a security update.
File : fedora_2014-3485.nasl - Type : ACT_GATHER_INFO
2014-03-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2879.nasl - Type : ACT_GATHER_INFO
2014-03-14 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-053.nasl - Type : ACT_GATHER_INFO
2014-03-13 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2145-1.nasl - Type : ACT_GATHER_INFO
2014-03-07 Name : The remote Fedora host is missing a security update.
File : fedora_2014-3473.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-08-12 13:24:02
  • Multiple Updates
2014-08-12 13:21:32
  • First insertion