CVE-2016-8858 — Openssh vulnerability

CWE-39911 documents9 sources

Severity

7.5HIGHNVD

EPSS

27.1%

top 3.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh Paloalto Prisma SD

Timeline

PublishedDec 9

Latest updateApr 5

Description

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianopenbsd/openssh< 1:7.3p1-2+3

▶NVDopenbsd/openssh6 versions+5

▶Palo Altopaloalto/prisma_sd

Patches

Patch: ftp.openbsd.org ↗Patch: github.com ↗Patch: ftp.openbsd.org ↗

🔴Vulnerability Details

GHSA

GHSA-cfx4-r6f2-m2mc: ** DISPUTED ** The kex_input_kexinit function in kex↗2022-05-14

▶

CVEList

CVE-2016-8858: The kex_input_kexinit function in kex↗2016-12-09

▶

OSV

CVE-2016-8858: The kex_input_kexinit function in kex↗2016-12-09

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION↗2024-04-05

▶

BSD

FreeBSD-SA-16:33.openssh: OpenSSH Remote Denial of Service vulnerability↗2016-11-02

▶

Red Hat

openssh: Memory exhaustion due to unregistered KEXINIT handler after receiving message↗2016-10-17

▶

Debian

CVE-2016-8858: openssh - The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allow...↗2016

▶

💬Community

Bugzilla

CVE-2016-8858 openssh: Memory exhaustion issue [fedora-all]↗2016-10-20

▶

Bugzilla

CVE-2016-8858 openssh: Memory exhaustion due to unregistered KEXINIT handler after receiving message↗2016-10-14

▶

Bugzilla

CVE-2015-8858 uglify-js: regular expression denial of service↗2015-11-04

▶