On Thu, 30 Jan 2014, mancha wrote:
> <no_spam_98 <at> yahoo.com> writes:
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692
> >
> > The NIST advisory says that all versions of OpenSSH potentially contain
> > the flaw. But is that really true? For example, I looked at the
> > 3.8.1p1 distribution and didn't find any reference to JPAKE at all.
>
> Hi. The NVD advisory is inaccurate. JPAKE experimental code was
> first introduced in OpenSSH 5.2, iirc.
>
> Also, the advisory should be taken with a grain of salt as the
> vulnerable code is not activated without pro-active user code
> modification.

oh man, that CVE is nuts.
"Exploitability Subscore: 10.0" - it's code that is experimental,
never enabled, never mentioned in release notes, has no configure
option. On top of that, the attacker has to make EVP_Digest* fail
(and I know of no way to do this remotely) as a result.
-d