OpenSSH 7.0 Fixes Four Flaws and other issues

A new version of OpenSSH is available, the new release of OpenSSH 7.0 fixes four security flaws and several other bugs. Update it!

The new OpenSSH 7.0 fixes a use-after-free vulnerability and three other flaws, two of which affect only Portable OpenSSH.

One of the vulnerabilities patched in version 7.0, a fix for the circumvention of MaxAuthTries using keyboard-interactive authentication, is an issue with the way OpenSSH handles some authentication requests.

“By specifying a long, repeating keyboard-interactive “devices” string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied,” states the release notes.

One of the bugs in Portable OpenSSH is a use-after-free that could be exploited by attackers for remote code execution.

“Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution,” continues the advisory.

The other vulnerability that affects only Portable OpenSSH could also be exploited for remote code execution.

“Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users,” the advisory says.

The maintainers of the OpenSSH project also announced that the next version of the software, OpenSSH 7.1, would deprecate several old cipher suites and cryptographic algorithms because they are no longer secure.

The list of changes includes:

  • Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
  • Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
  • MD5-based HMAC algorithms will be disabled by default.
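As an added example (not part of the original article or of the OpenSSH project), the following script audits an sshd_config for the two points discussed above: keyboard-interactive authentication left enabled on a host that may predate the 7.0 MaxAuthTries fix, and ciphers or MACs from the 7.1 deprecation list. The sample configuration and the finding text are constructed for this demonstration.

```python
import re

# Constructed sample sshd_config used to exercise the checks (not from the article).
SAMPLE_CONFIG = """\
# hypothetical host config
Port 22
MaxAuthTries 6
ChallengeResponseAuthentication yes
Ciphers aes128-ctr,blowfish-cbc,arcfour256,rijndael-cbc@lysator.liu.se
MACs hmac-sha2-256,hmac-md5,hmac-md5-96
"""

# Algorithms the OpenSSH 7.1 announcement says will be disabled by default.
WEAK_CIPHERS = {"blowfish-cbc", "cast128-cbc"}
WEAK_CIPHER_PREFIXES = ("arcfour", "rijndael-cbc")  # all arcfour variants, rijndael-cbc aliases
WEAK_MAC_PREFIX = "hmac-md5"                         # all MD5-based HMACs

def parse_sshd_config(text):
    """Map lowercased keyword -> value, keeping the first occurrence of each keyword
    (sshd applies the first match), skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def is_weak_cipher(name):
    return name in WEAK_CIPHERS or name.startswith(WEAK_CIPHER_PREFIXES)

def audit(conf):
    """Return a list of findings relevant to the OpenSSH 7.0 fix and 7.1 deprecations."""
    findings = []
    # sshd defaults: ChallengeResponseAuthentication yes, MaxAuthTries 6.
    if conf.get("challengeresponseauthentication", "yes") == "yes":
        findings.append("keyboard-interactive enabled: MaxAuthTries=%s could be bypassed on sshd "
                        "older than 7.0; upgrade or set ChallengeResponseAuthentication no"
                        % conf.get("maxauthtries", "6"))
    weak = [c for c in conf.get("ciphers", "").split(",") if c and is_weak_cipher(c)]
    if weak:
        findings.append("ciphers to be disabled by default in 7.1: " + ",".join(weak))
    weak = [m for m in conf.get("macs", "").split(",") if m.startswith(WEAK_MAC_PREFIX)]
    if weak:
        findings.append("MD5-based MACs to be disabled by default in 7.1: " + ",".join(weak))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print("WARN", finding)
```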

Pierluigi Paganini

(Security Affairs – OpenSSH 7, encryption)