CVE-2021-36368

An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.
Configurations

Configuration 1 (hide)

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

07 Nov 2023, 03:36

Type Values Removed Values Added
Summary ** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed." An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed.

01 Jul 2022, 17:21

Type Values Removed Values Added
First Time Debian debian Linux
Debian
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
References (MISC) https://security-tracker.debian.org/tracker/CVE-2021-36368 - (MISC) https://security-tracker.debian.org/tracker/CVE-2021-36368 - Third Party Advisory

12 Apr 2022, 15:15

Type Values Removed Values Added
References
  • (MISC) https://security-tracker.debian.org/tracker/CVE-2021-36368 -

20 Mar 2022, 00:23

Type Values Removed Values Added
References (CONFIRM) https://bugzilla.mindrot.org/show_bug.cgi?id=3316 - (CONFIRM) https://bugzilla.mindrot.org/show_bug.cgi?id=3316 - Issue Tracking, Third Party Advisory
References (MISC) https://github.com/openssh/openssh-portable/pull/258 - (MISC) https://github.com/openssh/openssh-portable/pull/258 - Patch, Third Party Advisory
References (MISC) https://docs.ssh-mitm.at/trivialauth.html - (MISC) https://docs.ssh-mitm.at/trivialauth.html - Third Party Advisory
References (MISC) https://www.openssh.com/security.html - (MISC) https://www.openssh.com/security.html - Vendor Advisory
CPE cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 2.6
v3 : 3.7
First Time Openbsd
Openbsd openssh
CWE CWE-287

13 Mar 2022, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-13 00:15

Updated : 2024-05-17 01:58


NVD link : CVE-2021-36368

Mitre link : CVE-2021-36368

CVE.ORG link : CVE-2021-36368


JSON object : View

Products Affected

openbsd

  • openssh

debian

  • debian_linux
CWE
CWE-287

Improper Authentication