CVE-2021-36368
published 2022-03-13CVE-2021-36368: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an…
PriorityP422low3.7CVSS 3.1
AVNACHPRNUINSUCLINAN
EPSS
1.68%
74.0th percentile
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssh | < openssh 1:8.9p1-1 (bookworm) | openssh 1:8.9p1-1 (bookworm) |
| msrc | cbl2_openssh_8.9p1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_openssh_8.9p1-1_on_cbl_mariner_1.0 | — | — |
| openbsd | openssh | < 8.9 | 8.9 |
| openbsd | openssh | >= 0 < 1:8.9p1-1 | 1:8.9p1-1 |
| openbsd | openssh | >= 0 < 1:8.9p1-1 | 1:8.9p1-1 |
| openbsd | openssh | >= 0 < 1:8.9p1-1 | 1:8.9p1-1 |
| paloalto | pan-os | — | — |
CVSS provenance
nvdv3.13.7LOWCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:P/I:N/A:N
osv3.7LOW
vendor_debian3.7LOW
vendor_msrc3.7LOW
vendor_redhat3.7LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Red Hat
openssh: possible bypass of fido 2 devices and ssh-askpass
vendor_redhat·2022-03-13·CVSS 3.7
CVE-2021-36368 [LOW] CWE-287 openssh: possible bypass of fido 2 devices and ssh-askpass
openssh: possible bypass of fido 2 devices and ssh-askpass
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
Statement: Red Hat Product Security does not consider this to be a vulnerability.
Package: openssh (Red Hat Enterprise Linux 6) - Not affected
Package: openssh (Red Ha
Microsoft
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose and an attacker has silently modified the server to s
vendor_msrc·2022-03-08·CVSS 3.7
CVE-2021-36368 [LOW] CWE-287 An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose and an attacker has silently modified the server to s
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose and an attacker has silently modified the server to support the None authentication option then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass since nothing is being bypassed.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is
Debian
CVE-2021-36368: openssh - An issue was discovered in OpenSSH before 8.9. If a client is using public-key a...
vendor_debian·2021·CVSS 3.7
CVE-2021-36368 [LOW] CVE-2021-36368: openssh - An issue was discovered in OpenSSH before 8.9. If a client is using public-key a...
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
Scope: local
bookworm: resolved (fixed in 1:8.9p1-1)
bullseye: open
forky: resolved (fixed in 1:8.9p1-1)
sid: resolved (fixed in 1:8.9p1-1)
trixie: resolved (fixed in 1:8.9p1-1)
VulDB
OpenSSH up to 8.8 FIDO Authentication improper authentication
vuldb·2026-06-01·CVSS 3.7
CVE-2021-36368 [LOW] OpenSSH up to 8.8 FIDO Authentication improper authentication
A vulnerability was found in OpenSSH up to 8.8. It has been rated as critical. Affected is an unknown function of the component FIDO Authentication. The manipulation leads to improper authentication.
This vulnerability is documented as CVE-2021-36368. The attack can be initiated remotely. There is not any exploit available.
It is still unclear if this vulnerability genuinely exists.
Upgrading the affected component is advised.
the vendor's position is "this is not an authentication bypass, since nothing is being bypassed."
GHSA
GHSA-542x-jxrc-hw4x: ** DISPUTED ** An issue was discovered in OpenSSH before 8
ghsa_unreviewed·2022-03-14
CVE-2021-36368 [LOW] CWE-287 GHSA-542x-jxrc-hw4x: ** DISPUTED ** An issue was discovered in OpenSSH before 8
** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed."
OSV
CVE-2021-36368: An issue was discovered in OpenSSH before 8
osv·2022-03-13·CVSS 3.7
CVE-2021-36368 [LOW] CVE-2021-36368: An issue was discovered in OpenSSH before 8
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.mindrot.org/show_bug.cgi?id=3316https://docs.ssh-mitm.at/trivialauth.htmlhttps://github.com/openssh/openssh-portable/pull/258https://security-tracker.debian.org/tracker/CVE-2021-36368https://www.openssh.com/security.htmlhttps://bugzilla.mindrot.org/show_bug.cgi?id=3316https://docs.ssh-mitm.at/trivialauth.htmlhttps://github.com/openssh/openssh-portable/pull/258https://security-tracker.debian.org/tracker/CVE-2021-36368https://www.openssh.com/security.html
2022-03-13
Published