9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.399 Low
EPSS
Percentile
96.7%
It has been discovered that the signal handler implementing the login
timeout in Debian’s version of the OpenSSH server uses functions which
are not async-signal-safe, leading to a denial of service
vulnerability (CVE-2008-4109).
The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051),
but the patch backported to the version released with etch was
incorrect.
Systems affected by this issue suffer from lots of zombie sshd
processes. Processes stuck with a “[net]” process title have also been
observed. Over time, a sufficient number of processes may accumulate
such that further login attempts are impossible. Presence of these
processes does not indicate active exploitation of this vulnerability.
It is possible to trigger this denial of service condition by accident.
For the stable distribution (etch), this problem has been fixed in
version 4.3p2-9etch3.
For the unstable distribution (sid) and the testing distribution
(lenny), this problem has been fixed in version 4.6p1-1.
We recommend that you upgrade your openssh packages.
CPE | Name | Operator | Version |
---|---|---|---|
openssh | eq | 1:4.3p2-9 | |
openssh | eq | 1:4.3p2-9etch1 | |
openssh | eq | 1:4.3p2-9etch2 | |
openssh | eq | 1:4.3p2-9etch2+m68k1 |