An issue in AsyncSSH prior to 2.14.1 allows malicious users to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."
Vulnerable Product |
---|
asyncssh project asyncssh |
No need to panic, but grab those updates or mitigations anyway just to be safe
A vulnerability in the SSH protocol can be exploited by a well-placed adversary to weaken the security of people's connections, if conditions are right. In a successful man-in-the-middle attack, the adversary may be able to force SSH clients to use weaker authentication methods and disable some defense mechanisms. It is hard right now to pin down the true realistic impact of the flaw because it all depends on individual client-server configurations, implementations of the protocol, and other var...