Bug 660128 (CVE-2010-4478) - VUL-1: CVE-2010-4478: openssh: when J-PAKE is enabled, does not properly validate the
Summary: VUL-1: CVE-2010-4478: openssh: when J-PAKE is enabled, does not properly vali...
Status: RESOLVED UPSTREAM
Alias: CVE-2010-4478
Product: SUSE Security Incidents
Classification: Novell Products
Component: General (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Critical
Target Milestone: ---
Assignee: Petr Cerny
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-17 09:50 UTC by Thomas Biege
Modified: 2016-06-01 08:23 UTC (History)
3 users (show)

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2010-12-17 09:50:19 UTC 
Hi.
There is a security bug in package 'openssh'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2010-4478
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478
CVSS v2 Base Score: 7.5 (important) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Authentication Issues (CWE-287)


Original posting:


 public parameters
CVE-ID: CVE-2010-4478
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4478


OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly
validate the public parameters in the J-PAKE protocol, which allows
remote attackers to bypass the need for knowledge of the shared
secret, and successfully authenticate, by sending crafted values in
each round of the protocol, a related issue to CVE-YYYY-NNN.


Current Votes:
None (candidate not yet proposed)
Comment 1 Thomas Biege 2010-12-17 10:13:54 UTC 
It may not affect us because we might not support J-PAKE. Please verify...
Comment 3 Ludwig Nussel 2010-12-20 08:04:56 UTC 
JPAKE is not defined so the vulnerable code from jpake.c is not compiled in ie we are not affected
Comment 5 Petr Cerny 2011-01-04 16:51:48 UTC 
It seems, that JPAKE depends (at least partly) on BSD user capabilities (and hence won't build as-is GNU/Linux)
Comment 6 Zhigang Gao 2016-05-30 05:41:59 UTC 
Huawei is requesting patch for CVE-2010-4478 on sles10 sp2
Comment 7 Marcus Meissner 2016-05-31 11:37:43 UTC 
@zhigang gao: JPAKE was never built into our openssh versions.
Comment 8 Zhigang Gao 2016-06-01 08:23:13 UTC 
(In reply to Marcus Meissner from comment #7)
> @zhigang gao: JPAKE was never built into our openssh versions.

Thanks very much!