CVE-2010-4478

Name of the Vulnerable Software and Affected Versions OpenSSH versions prior to 6.6 p1-r1 OpenSSH version 5.6 and earlier

Description The issue concerns multiple vulnerabilities in the OpenSSH package, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, when J-PAKE is enabled in OpenSSH 5.6 and earlier, the software does not properly validate public parameters in the J-PAKE protocol. This allows remote attackers to bypass the need for knowledge of the shared secret and successfully authenticate by sending crafted values in each round of the protocol.

Recommendations For OpenSSH versions prior to 6.6 p1-r1, update to version 6.6 p1-r1 or later to resolve the issue. For OpenSSH version 5.6 and earlier, consider disabling J-PAKE until a patch is available, and restrict access to the affected protocol to minimize the risk of exploitation.