CVE-2021-36368
low-risk
Published 2022-03-13
An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed."
Do I need to act?
0.43% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 3.7/10 · Low
NETWORK / HIGH complexity
Affected Products (4)
References (10)
Issue Tracking
https://bugzilla.mindrot.org/show_bug.cgi?id=3316
Third Party Advisory
https://docs.ssh-mitm.at/trivialauth.html
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2021-36368
Vendor Advisory
https://www.openssh.com/security.html
25 / 100
low-risk
Severity
13/34 · Low
Exploitability
2/34 · Minimal
Exposure
10/34 · Low