AsyncSSH before 2.14.1 Rogue Session Attack (PIP package)
Created:2024/02/26 | Revised:2024/02/26
SYXSCORE
Severity (level of security risk associated with exploitation of the vulnerability): MEDIUM
CVSS (indication of the severity level of each CVE): 5.9
Countermeasure (availability of measures to reduce the probability of an attack or the impact of a threat): No
Public Aware (availability of a public announcement of the vulnerability): Yes
Weaponized (vulnerability being abused by exploit or malware): No
Overview
AsyncSSH before 2.14.1 is prone to Rogue Session Attacks.
Description
AsyncSSH, a widely used asynchronous SSH client and server library for Python, contains two vulnerabilities in releases before 2.14.1. Both are exploitable by an attacker positioned between an AsyncSSH client and the server it connects to: one lets the attacker control the extension info message exchanged during the handshake (a 'Rogue Extension Negotiation'), the other lets the attacker take over the remote end of a client session (a 'Rogue Session Attack'). Either undermines the integrity, and potentially the confidentiality, of the SSH connection.
CVE-2023-46445
An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a 'Rogue Extension Negotiation'.
CVE-2023-46446
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a 'Rogue Session Attack'.
Impact
Both issues require an attacker who can intercept and modify traffic between the AsyncSSH client and the server (a man-in-the-middle position); the CVE descriptions above characterise them as MITM and packet injection/removal attacks, not as something an unprivileged remote attacker can trigger on their own. From that position the attacker can alter what the client negotiates and, in the Rogue Session case, emulate the remote shell so that the user's commands and the data they enter are observed or redirected, compromising the confidentiality, integrity, and availability of sensitive information and systems.
Depending on what the user does inside a hijacked session, successful exploitation could lead to unauthorized data access, remote code execution, or complete system compromise, posing significant risks to affected organizations and users.
Solution
Users are strongly advised to upgrade their installations of AsyncSSH to version 2.14.1 or later (for example with pip install --upgrade "asyncssh>=2.14.1"), and to rebuild any images or virtual environments that pin an older version. The latest release is available at:
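The following script is an added example, not code from the advisory or from the AsyncSSH project. It checks the installed asyncssh distribution and scans a pip-freeze or requirements file for pinned versions that fall before 2.14.1. Only the Python standard library is used; the version parser is a deliberately simple one (release tuple plus a pre-release flag) rather than a full PEP 440 implementation, and it treats a pre-release of 2.14.1 as vulnerable, matching the advisory's "before 2.14.1" wording. The sample requirements text is constructed for the example.

```python
"""Check whether an installed or pinned AsyncSSH version predates the 2.14.1 fix.

Added example for this advisory; not part of the AsyncSSH project.
"""
import re
import sys
from importlib import metadata

# First AsyncSSH release that fixes CVE-2023-46445 and CVE-2023-46446.
FIXED_VERSION = (2, 14, 1)

# Constructed sample of `pip freeze` output used to demonstrate the scan.
SAMPLE_FREEZE = """\
aiohttp==3.9.1
asyncssh==2.13.2   # pinned two releases before the fix
cryptography==41.0.7
"""

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE_RE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_version(text):
    """Split a version string into (release_tuple, is_prerelease).

    "2.14.1" -> ((2, 14, 1), False); "2.14.1rc1" -> ((2, 14, 1), True).
    Post-release and local suffixes ("2.14.1.post1", "2.14.1+local") are not
    pre-releases, so they compare as at least the release they follow.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    is_prerelease = bool(_PRERELEASE_RE.match(m.group(2)))
    return release, is_prerelease


def is_vulnerable(version_text):
    """True when the version is strictly before 2.14.1 (pre-releases of 2.14.1 included)."""
    release, is_prerelease = parse_version(version_text)
    if release < FIXED_VERSION:
        return True
    return release == FIXED_VERSION and is_prerelease


def check_installed(dist_name="asyncssh"):
    """Return (installed_version, vulnerable) or (None, None) if the package is absent."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None, None
    return version, is_vulnerable(version)


def scan_requirements(text):
    """Return [(pinned_version, vulnerable), ...] for every asyncssh==X.Y.Z pin in text."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)", line)
        if not m:
            continue                                   # unpinned or non-requirement line
        name, version = m.group(1), m.group(2)
        if name.lower().replace("_", "-") == "asyncssh":
            findings.append((version, is_vulnerable(version)))
    return findings


def main():
    version, vulnerable = check_installed()
    if version is None:
        print("asyncssh is not installed in this interpreter")
    else:
        status = "VULNERABLE (upgrade to >= 2.14.1)" if vulnerable else "fixed"
        print(f"installed asyncssh {version}: {status}")

    for pinned, bad in scan_requirements(SAMPLE_FREEZE):
        print(f"pinned asyncssh=={pinned}: {'VULNERABLE' if bad else 'fixed'}")

    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main())
```

Point scan_requirements at the real output of pip freeze (or a requirements.txt) to find pins that will reinstall a vulnerable version on the next build; check_installed only tells you what the current interpreter has.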
©2024 by Syxsense Inc. All Rights Reserved