SA-2023-093 - *Disputed* OpenSSH authentication by... - Extreme Networks

Summary

In OpenSSH, if a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf.

Products not listed in the Products Potentially Affected section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product under question.

Products Potentially Affected

OS/Product	Exposure
Extreme Wireless (IdentiFi)	No

Repair Recommendations

None

Please see the full Security Advisory article here for more details and updated information.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Extreme Networks

SA-2023-093 - Disputed OpenSSH authentication bypass (CVE-2021-36368)

SA-2023-047 - Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (Leaking fr

SA-2023-107 - libcurl cookie injection with none file (CVE-2023-38546)

SA-2023-106 - SOCKS5 heap buffer overflow (CVE-2023-38545)

Extreme Networks

SA-2023-093 - *Disputed* OpenSSH authentication bypass (CVE-2021-36368)

SA-2023-047 - Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (Leaking fr

SA-2023-107 - libcurl cookie injection with none file (CVE-2023-38546)

SA-2023-106 - SOCKS5 heap buffer overflow (CVE-2023-38545)

SA-2023-093 - Disputed OpenSSH authentication bypass (CVE-2021-36368)