CVE-2010-4478
OpenBSD OpenSSH < 5.6 - Authentication Bypass
OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
References (7)
Scores
EPSS: 0.0044
EPSS Percentile: 62.8%
Classification
CWE: CWE-287
Status: draft
Affected Products (50)
openbsd/openssh < 5.6
Timeline
Published: Dec 06, 2010
Tracked Since: Feb 18, 2026