CVE-2002-1360 — Improper Input Validation in Cisco IOS

CWE-20 — Improper Input Validation6 documents5 sources

Severity

10.0CRITICALNVD

EPSS

4.1%

top 11.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IOS Fissh SSH Client Intersoft Securenetterm +5 more

Timeline

PublishedDec 23

Latest updateApr 30

Description

Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages8 packages

▶NVDcisco/ios8 versions+7

▶NVDputty/putty0.48, 0.49, 0.53+2

▶NVDwinscp/winscp2.0.0

▶debiandebian/openssh

▶NVDfissh/ssh_client1.0a_for_windows

🔴Vulnerability Details

GHSA

GHSA-4h7v-2vgp-qh2w: Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, w↗2022-04-30

▶

📋Vendor Advisories

Cisco

SSH Malformed Packet Vulnerabilities↗2002-12-19

▶

Debian

CVE-2002-1360: openssh - Multiple SSH2 servers and clients do not properly handle strings with null chara...↗2002

▶

Cisco

SSH Malformed Packet Vulnerabilities↗

▶