Bugzilla – Bug 1217028
VUL-0: CVE-2023-46445: python-asyncssh: extension negotiation MitM attack
Last modified: 2023-11-14 08:18:41 UTC
CVE-2023-46445

Summary

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.

Details

The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it. A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).

References:
https://github.com/advisories/GHSA-cfc2-wr2v-gxm5
https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e
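The rule the description relies on ("a correct SSH implementation should not process an unauthenticated extension info message") can be made concrete with a small client-side gate. The following is an added example written for this page; it is not AsyncSSH's code and not the fix in the referenced commit. It assumes the message numbers from RFC 4253 and RFC 8308 (EXT_INFO = 7, NEWKEYS = 21, SERVICE_REQUEST = 5), the SSH wire encoding of strings and name-lists, and names of my own choosing (ExtInfoGate, parse_ext_info, build_ext_info). The state machine is deliberately simplified: it enforces only the first EXT_INFO position RFC 8308 allows (the message immediately after the first NEWKEYS) and does not model the second position the RFC permits a server just before USERAUTH_SUCCESS. The sample messages are constructed inline.

```python
"""Added example: gate SSH_MSG_EXT_INFO (RFC 8308) to its allowed position
and refuse to be steered to a weaker signature algorithm by server-sig-algs."""
import struct

SSH_MSG_SERVICE_REQUEST = 5   # RFC 4253
SSH_MSG_EXT_INFO = 7          # RFC 8308
SSH_MSG_NEWKEYS = 21          # RFC 4253


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ext_info(extensions) -> bytes:
    """Build an EXT_INFO payload from (name, value) byte pairs (constructed input)."""
    body = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        body += ssh_string(name) + ssh_string(value)
    return body


def parse_ext_info(payload: bytes) -> dict:
    """Parse an EXT_INFO payload into {name: value}; ValueError on malformed input."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an EXT_INFO message")
    pos = 1

    def read_uint32() -> int:
        nonlocal pos
        if pos + 4 > len(payload):
            raise ValueError("truncated uint32")
        (val,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        return val

    def read_string() -> bytes:
        nonlocal pos
        length = read_uint32()
        if pos + length > len(payload):
            raise ValueError("truncated string")
        val = payload[pos:pos + length]
        pos += length
        return val

    exts = {}
    for _ in range(read_uint32()):
        name = read_string()
        exts[name] = read_string()
    if pos != len(payload):
        raise ValueError("trailing bytes in EXT_INFO")
    return exts


class ExtInfoGate:
    """Client-side view of the handshake (hypothetical helper, not an asyncssh API).

    Everything before the first NEWKEYS travels in plaintext with no MAC, so an
    EXT_INFO seen there is unauthenticated and is never processed.  After the
    first NEWKEYS exactly one EXT_INFO is accepted, and only if it is the very
    next message; any other message closes that window for good.
    """

    def __init__(self, client_sig_prefs):
        self.client_sig_prefs = list(client_sig_prefs)  # strongest first, as policy
        self.newkeys_seen = False
        self.window_open = False
        self.server_sig_algs = None

    def on_message(self, payload: bytes) -> str:
        msg_type = payload[0]
        if msg_type == SSH_MSG_NEWKEYS:
            if not self.newkeys_seen:
                self.newkeys_seen = True
                self.window_open = True  # RFC 8308 2.4: EXT_INFO may follow directly
            return "newkeys"
        if msg_type == SSH_MSG_EXT_INFO:
            if not self.newkeys_seen:
                return "rejected: EXT_INFO before NEWKEYS (unauthenticated)"
            if not self.window_open:
                return "rejected: EXT_INFO outside allowed position"
            self.window_open = False
            exts = parse_ext_info(payload)
            if b"server-sig-algs" in exts:
                # name-list: comma-separated US-ASCII names (RFC 4251)
                self.server_sig_algs = exts[b"server-sig-algs"].decode("ascii").split(",")
            return "accepted"
        self.window_open = False  # any other message ends the EXT_INFO window
        return "other"

    def choose_sig_alg(self):
        """Most preferred client algorithm the server also lists, or None.

        The client's own preference list is the ceiling and the floor: a list
        that omits ssh-rsa cannot be steered to it, whatever server-sig-algs says.
        """
        if self.server_sig_algs is None:
            return self.client_sig_prefs[0]
        for alg in self.client_sig_prefs:
            if alg in self.server_sig_algs:
                return alg
        return None


if __name__ == "__main__":
    gate = ExtInfoGate(["rsa-sha2-512", "rsa-sha2-256"])
    rogue = build_ext_info([(b"server-sig-algs", b"ssh-rsa")])
    print(gate.on_message(rogue))                       # rejected (before NEWKEYS)
    print(gate.on_message(bytes([SSH_MSG_NEWKEYS])))    # newkeys
    print(gate.on_message(build_ext_info(
        [(b"server-sig-algs", b"rsa-sha2-512,rsa-sha2-256,ssh-rsa")])))  # accepted
    print(gate.choose_sig_alg())                        # rsa-sha2-512
    print(gate.on_message(rogue))                       # rejected (window closed)
```

The two checks are independent: the position gate stops the unauthenticated message from being processed at all, and the preference-bounded algorithm choice limits the damage even if a message does get through, since the advisory's downgrade only works when the client is willing to sign with the weaker algorithm in the first place.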
This is an autogenerated message for OBS integration: This bug (1217028) was mentioned in https://build.opensuse.org/request/show/1124972 Factory / python-asyncssh
Factory fixed. Closing