Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2021-36368

Published: 13 March 2022

** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed."

Notes

AuthorNote
seth-arnold
openssh-ssh1 is provided for compatibility with old devices that
cannot be upgraded to modern protocols. Thus we may not provide security
support for this package if doing so would prevent access to equipment.
mdeslaur
This CVE appears to have been disputed by upstream, marking as
not-affected
Priority

Medium

CVSS 3 base score: 3.7

Status

Package Release Status
openssh
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Not vulnerable

impish Not vulnerable

jammy Not vulnerable

trusty Not vulnerable

upstream Needs triage

xenial Not vulnerable

openssh-ssh1
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Not vulnerable

impish Not vulnerable

jammy Not vulnerable

trusty Does not exist

upstream Ignored
(frozen on openssh 7.5p)
xenial Does not exist