SB2014111805 - Input validation error in FreeBSD
Published: November 18, 2014 Updated: August 9, 2020
Security Bulletin ID
SB2014111805
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2014-8475)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
FreeBSD 9.1, 9.2, and 10.0, when compiling OpenSSH with Kerberos support, uses incorrect library ordering when linking sshd, which causes symbols to be resolved incorrectly and allows remote attackers to cause a denial of service (sshd deadlock and prevention of new connections) by ending multiple connections before authentication is completed.
Remediation
Install update from vendor's website.
References
- http://packetstormsecurity.com/files/128972/FreeBSD-Security-Advisory-sshd-Denial-Of-Service.html
- http://secunia.com/advisories/61440
- http://www.securityfocus.com/bid/70913
- http://www.securitytracker.com/id/1031168
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98491
- https://www.freebsd.org/security/advisories/FreeBSD-SA-14%3A24.sshd.asc