660642 – (CVE-2010-4478) CVE-2010-4478 openssh: J-PAKE authentication bypass

Bug 660642 (CVE-2010-4478) - CVE-2010-4478 openssh: J-PAKE authentication bypass

Summary: CVE-2010-4478 openssh: J-PAKE authentication bypass

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2010-4478
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-12-07 13:03 UTC by Tomas Hoger
Modified:	2021-02-24 16:54 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-12-07 13:05:11 UTC
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2010-12-07 13:03:26 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4478 to the following vulnerability:

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.

References:
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
https://github.com/seb-m/jpake
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5

Comment 1 Tomas Hoger 2010-12-07 13:05:11 UTC

As noted in Sébastien Martini's paper, J-PAKE support in OpenSSH is experimental work-in-progress.  It's not enabled in Red Hat Enterprise Linux and Fedora openssh packages.

Statement:

Not vulnerable. This issue did not affect the versions of openssh as shipped with Red Hat Enterprise Linux 4, 5, or 6.

Note You need to log in before you can comment on or make changes to this bug.