7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.3%
A Denial of service flaw was found in the way OpenSSH parsed certain specially crafted XMSS (eXtended Merkle Signature Scheme) private keys. Any OpenSSH functionality which parses private keys is vulnerable, for example: 1. If ‘sshd’ daemon is configured to use an XMSS host key that is malformed, it will crash upon any attempt to connect to this server. 2. If ‘authorized_keys’ is configured to use an XMSS public key, and the private key is used to connect to the server, the ssh client used for the connection will crash. 3. Adding a crafted XMSS key to ssh-agent, will cause the ssh-agent to crash. 4. Hosting services which allow users to upload keys may be affected. Malicious keys will cause the flaw to be triggered when the key is parsed. (Note: upload alone is not enough, the key needs to be parsed to cause the crash)
This flaw is triggered when parsing XMSS private keys. XMSS is a PQC (Post-quantum cryptography) algorithm and its use is currently experimental. Other key types or any other OpenSSH functionality are not affected by this flaw. A possible mitigation for this flaw is to NOT use XMSS keys for SSH.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.3%