
CVE-2023-46445 Report - Details, Severity, & Advisories

Twingate Team

Jul 12, 2024

What is CVE-2023-46445?

CVE-2023-46445 is a medium-severity vulnerability in AsyncSSH versions up to and including 2.14.0. The AsyncSSH client accepted an SSH_MSG_EXT_INFO message (the extension negotiation message defined in RFC 8308) even when it arrived before the first SSH_MSG_NEWKEYS, that is, while the handshake was still unencrypted and unauthenticated. A man-in-the-middle can therefore inject an extension info message of their own and, by using the SSH prefix truncation attack (Terrapin, CVE-2023-48795) to delete the server's genuine, encrypted EXT_INFO that follows NEWKEYS, leave the client holding attacker-chosen extension values. This "Rogue Extension Negotiation" lets the attacker rewrite the server-sig-algs extension and downgrade the public key algorithm used for user authentication, for example forcing SHA-1 based ssh-rsa signatures instead of rsa-sha2-256 or rsa-sha2-512. The related Rogue Session Attack (CVE-2023-46446), fixed in the same AsyncSSH release, is the flaw that redirects a victim's login into an attacker-controlled shell; that outcome is not a consequence of CVE-2023-46445 itself.
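The following is an added example, not code from this page or from AsyncSSH. It encodes and parses SSH_MSG_EXT_INFO in the RFC 8308 wire format, models the client side of the handshake with a small state machine, and replays two constructed message sequences: an honest one, and one in which a man-in-the-middle injected a rogue EXT_INFO before NEWKEYS and deleted the server's real one (the deletion is simply modelled by leaving the message out). The class and function names, the client's RSA preference list and the fallback policy when no EXT_INFO is seen are this example's own assumptions, not AsyncSSH behaviour.

```python
"""Added example (not AsyncSSH code): why EXT_INFO before NEWKEYS must be rejected."""
from __future__ import annotations

import struct

SSH_MSG_EXT_INFO = 7    # RFC 8308
SSH_MSG_NEWKEYS = 21    # RFC 4253

# This example client's own preference order for RSA user-auth signatures.
CLIENT_RSA_PREFERENCE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one RFC 4251 string at offset off; raise on truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def build_ext_info(extensions: dict[str, str]) -> bytes:
    """Encode an SSH_MSG_EXT_INFO payload (RFC 8308 section 2.3)."""
    payload = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        payload += _ssh_string(name.encode()) + _ssh_string(value.encode())
    return payload


def parse_ext_info(payload: bytes) -> dict[str, str]:
    """Decode an SSH_MSG_EXT_INFO payload, rejecting malformed input."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an EXT_INFO message")
    (count,) = struct.unpack(">I", payload[1:5])
    off = 5
    extensions: dict[str, str] = {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        extensions[name.decode()] = value.decode()
    if off != len(payload):
        raise ValueError("trailing bytes after extensions")
    return extensions


class ExtInfoClient:
    """Minimal client-side handler for the handshake messages that matter here."""

    def __init__(self, reject_early_ext_info: bool):
        self.reject_early_ext_info = reject_early_ext_info
        self.newkeys_seen = False
        self.server_sig_algs: list[str] | None = None

    def receive(self, payload: bytes) -> None:
        msg_type = payload[0]
        if msg_type == SSH_MSG_NEWKEYS:
            self.newkeys_seen = True
        elif msg_type == SSH_MSG_EXT_INFO:
            # RFC 8308 section 2.4 only allows the server's EXT_INFO as the packet
            # after its first NEWKEYS (or just before USERAUTH_SUCCESS). Anything
            # earlier travelled in plaintext and cannot be trusted.
            if self.reject_early_ext_info and not self.newkeys_seen:
                raise ValueError("EXT_INFO received before NEWKEYS; aborting")
            exts = parse_ext_info(payload)
            if "server-sig-algs" in exts:
                self.server_sig_algs = exts["server-sig-algs"].split(",")

    def pick_rsa_auth_alg(self) -> str:
        """Choose the strongest RSA signature algorithm the server advertised."""
        if self.server_sig_algs is None:
            return CLIENT_RSA_PREFERENCE[0]   # example policy: try the best one
        for alg in CLIENT_RSA_PREFERENCE:
            if alg in self.server_sig_algs:
                return alg
        raise ValueError("no mutually supported RSA algorithm")


# Constructed messages for the two scenarios (client-bound direction only).
NEWKEYS = bytes([SSH_MSG_NEWKEYS])
HONEST_EXT_INFO = build_ext_info({"server-sig-algs": "rsa-sha2-512,rsa-sha2-256,ssh-rsa"})
ROGUE_EXT_INFO = build_ext_info({"server-sig-algs": "ssh-rsa"})   # MitM's injection

HONEST_SEQUENCE = [NEWKEYS, HONEST_EXT_INFO]
# Attack: rogue EXT_INFO injected in plaintext before NEWKEYS; the server's real
# EXT_INFO (first encrypted packet) is deleted via prefix truncation, so it is absent.
ATTACK_SEQUENCE = [ROGUE_EXT_INFO, NEWKEYS]


def run_client(sequence: list[bytes], reject_early_ext_info: bool) -> str:
    """Feed a message sequence to a client and return the RSA auth algorithm it picks."""
    client = ExtInfoClient(reject_early_ext_info)
    for payload in sequence:
        client.receive(payload)
    return client.pick_rsa_auth_alg()


def client_rejects(sequence: list[bytes], reject_early_ext_info: bool) -> bool:
    """True if the client aborts the handshake on this sequence."""
    try:
        run_client(sequence, reject_early_ext_info)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest, lenient:", run_client(HONEST_SEQUENCE, False))
    print("attack, lenient:", run_client(ATTACK_SEQUENCE, False))
    print("attack, strict rejects:", client_rejects(ATTACK_SEQUENCE, True))
```

The lenient client ends the attacked handshake believing the server only supports ssh-rsa and signs its authentication with SHA-1, while the client that enforces the RFC 8308 message order never processes the rogue message at all. The check is cheap because it needs no extra state beyond "has NEWKEYS been seen", which any SSH implementation already tracks.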

Who is impacted by this?

CVE-2023-46445 itself affects AsyncSSH clients running versions up to 2.14.0 that connect to a server across a path where an attacker can actively inject and drop packets; passive observation is not enough. The wider exposure comes from the underlying protocol flaw: the prefix truncation attack on the SSH Binary Packet Protocol that makes the rogue EXT_INFO usable in practice is tracked separately as CVE-2023-48795 (Terrapin). That attack affects many implementations, including OpenSSH 9.5 and earlier, which gained the strict key exchange countermeasure in OpenSSH 9.6, and it lets an attacker delete the server's extension info message outright, which also weakens extension negotiation (RFC 8308) between peers that do not run AsyncSSH at all.

What to do if CVE-2023-46445 affected you

If you're affected by the CVE-2023-46445 vulnerability, it's important to take action to protect your systems. To mitigate this issue, follow these steps:

  1. Update AsyncSSH to version 2.14.1 or later, which includes the fix for this vulnerability (and for CVE-2023-46446). Prefer 2.14.2 or later, which also adds the strict key exchange ("strict kex") countermeasure for CVE-2023-48795.

  2. Update the SSH implementations on the other end of your connections as well, and apply patches as they become available: the rogue EXT_INFO is delivered through prefix truncation, so both peers should support strict kex for that part of the attack to be closed.

  3. Stay informed about related vulnerabilities and best practices for securing your SSH connections, in particular the Terrapin advisories that cover the prefix truncation attack.
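As an added example (not part of this page or of AsyncSSH), the script below checks an installed AsyncSSH against the fixed versions named in the steps above. It reads the version from package metadata so it works without importing asyncssh; the `assess` and `parse_version` helpers and the conservative treatment of pre-release suffixes (anything non-numeric after the release number counts as older) are this example's own choices.

```python
"""Added example (not AsyncSSH code): audit an installed AsyncSSH for CVE-2023-46445."""
from __future__ import annotations

import re
from importlib import metadata

# Version tuples carry a trailing flag: 1 for a final release, 0 for a
# pre-release, so "2.14.1rc1" sorts below "2.14.1".
FIXED_VERSION = (2, 14, 1, 1)        # CVE-2023-46445 and CVE-2023-46446 fixed
STRICT_KEX_VERSION = (2, 14, 2, 1)   # adds strict kex for CVE-2023-48795


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '2.14.0', 'v2.14', or '2.14.1rc1' into a comparable tuple."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))        # pad '3.0' to '3.0.0'
    is_final = 1 if match.group(2).strip() == "" else 0
    return (numbers[0], numbers[1], numbers[2], is_final)


def assess(version_text: str) -> dict[str, object]:
    """Report whether a given AsyncSSH version carries the fixes discussed above."""
    version = parse_version(version_text)
    return {
        "version": version_text,
        "fixed": version >= FIXED_VERSION,            # CVE-2023-46445 closed
        "strict_kex": version >= STRICT_KEX_VERSION,  # Terrapin countermeasure present
    }


def check_installed(distribution: str = "asyncssh") -> dict[str, object] | None:
    """Assess the installed distribution, or return None if it is not installed."""
    try:
        return assess(metadata.version(distribution))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("asyncssh is not installed in this environment")
    else:
        print(result)
```

Run it inside each virtual environment or container image that ships AsyncSSH; a report with "fixed": True but "strict_kex": False means the client-side bug is closed while the prefix truncation attack it relied on is still possible against peers without strict kex.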

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-46445 vulnerability, also known as "AsyncSSH Rogue Extension Negotiation," is not listed in CISA's Known Exploited Vulnerabilities Catalog. It was published on November 8, 2023, and affects AsyncSSH versions up to 2.14.0; the fix is to update AsyncSSH to version 2.14.1 or later. Absence from the catalog means no in-the-wild exploitation has been confirmed by CISA, not that the issue is harmless: the attack has a public, reproducible description and requires only a network position between client and server.

Weakness Enumeration

The weakness enumeration for this vulnerability is CWE-345, Insufficient Verification of Data Authenticity: the AsyncSSH client acted on an extension info message whose origin it had not verified, because the message arrived before the handshake had established any integrity protection.

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, refer to the NVD entry for CVE-2023-46445 and the AsyncSSH release notes for version 2.14.1.
