
CVE-2018-7750

Improper Authentication

Published: Mar 13, 2018 | Modified: Nov 21, 2024
CVSS 3.x (Source: NVD): 9.8 CRITICAL
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 7.5 HIGH
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2: not listed
RedHat/V3: 9.8 CRITICAL
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu: HIGH

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name | Vendor | Start Version | End Version
Paramiko | Paramiko | * | 1.17.6 (excluding)
Paramiko | Paramiko | 1.18.0 (including) | 1.18.5 (excluding)
Paramiko | Paramiko | 2.0.0 (including) | 2.0.8 (excluding)
Paramiko | Paramiko | 2.1.0 (including) | 2.1.5 (excluding)
Paramiko | Paramiko | 2.2.0 (including) | 2.2.3 (excluding)
Paramiko | Paramiko | 2.3.0 (including) | 2.3.2 (excluding)
Paramiko | Paramiko | 2.4.0 (including) | 2.4.0 (including)
CloudForms Management Engine 5.8 | RedHat | ansible-0:2.4.4.0-1.el7ae | *
CloudForms Management Engine 5.8 | RedHat | ansible-tower-0:3.1.7-1.el7at | *
CloudForms Management Engine 5.8 | RedHat | cfme-0:5.8.4.5-1.el7cf | *
CloudForms Management Engine 5.8 | RedHat | cfme-appliance-0:5.8.4.5-1.el7cf | *
CloudForms Management Engine 5.8 | RedHat | cfme-gemset-0:5.8.4.5-1.el7cf | *
CloudForms Management Engine 5.8 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
CloudForms Management Engine 5.8 | RedHat | rh-ruby23-rubygem-json-0:2.1.0-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | ansible-0:2.4.4.0-1.el7ae | *
CloudForms Management Engine 5.9 | RedHat | ansible-tower-0:3.2.4-1.el7at | *
CloudForms Management Engine 5.9 | RedHat | cfme-0:5.9.2.4-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | cfme-amazon-smartstate-0:5.9.2.4-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | cfme-appliance-0:5.9.2.4-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | cfme-gemset-0:5.9.2.4-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | dbus-api-service-0:1.0.1-3.el7cf | *
CloudForms Management Engine 5.9 | RedHat | httpd-configmap-generator-0:0.2.1-2.el7cf | *
CloudForms Management Engine 5.9 | RedHat | postgresql96-0:9.6.6-1PGDG.el7 | *
CloudForms Management Engine 5.9 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
CloudForms Management Engine 5.9 | RedHat | rh-ruby23-rubygem-json-0:2.1.0-1.el7cf | *
CloudForms Management Engine 5.9 | RedHat | rh-ruby23-rubygem-qpid_proton-0:0.22.0-2.el7cf | *
Red Hat Ansible Engine 2.4 for RHEL 7 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
Red Hat Ansible Engine 2 for RHEL 7 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
Red Hat Enterprise Linux 6 | RedHat | python-paramiko-0:1.7.5-4.el6_9 | *
Red Hat Enterprise Linux 6.4 Advanced Update Support | RedHat | python-paramiko-0:1.7.5-4.el6_4 | *
Red Hat Enterprise Linux 6.5 Advanced Update Support | RedHat | python-paramiko-0:1.7.5-4.el6_5 | *
Red Hat Enterprise Linux 6.6 Advanced Update Support | RedHat | python-paramiko-0:1.7.5-4.el6_6 | *
Red Hat Enterprise Linux 6.6 Telco Extended Update Support | RedHat | python-paramiko-0:1.7.5-4.el6_6 | *
Red Hat Enterprise Linux 6.7 Extended Update Support | RedHat | python-paramiko-0:1.7.5-4.el6_7 | *
Red Hat Enterprise Linux 7 Extras | RedHat | python-paramiko-0:2.1.1-4.el7 | *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | rhvm-appliance-0:4.2-20180504.0 | *
Red Hat Virtualization Engine 4.1 | RedHat | python-paramiko-0:2.1.1-4.el7 | *
Paramiko | Ubuntu | artful | *
Paramiko | Ubuntu | devel | *
Paramiko | Ubuntu | trusty | *
Paramiko | Ubuntu | xenial | *
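The upstream Paramiko ranges in the table are the part of this record a practitioner actually has to apply to an inventory. The following Python is an added example, not code from this page or from the Paramiko project: it encodes those ranges (start inclusive, end exclusive, except the 2.4.0 row, which the record lists as inclusive at both ends), classifies a plain upstream version, and scans a requirements-style pin list for affected `paramiko==` entries. The requirements text is a constructed sample. The check is for upstream version numbers only; vendor builds such as the RedHat `python-paramiko` packages listed above carry backported fixes under the old upstream number, so for those the vendor advisory, not this range check, is authoritative.

```python
import re
from typing import List, Optional, Tuple

# Affected upstream Paramiko ranges copied from the CVE-2018-7750 "Affected Software"
# table: (start, end, end_inclusive). Start is inclusive; None stands for "*".
# The record lists the 2.4.x row as 2.4.0 (including) to 2.4.0 (including).
AFFECTED_RANGES: List[Tuple[Optional[str], str, bool]] = [
    (None,     "1.17.6", False),
    ("1.18.0", "1.18.5", False),
    ("2.0.0",  "2.0.8",  False),
    ("2.1.0",  "2.1.5",  False),
    ("2.2.0",  "2.2.3",  False),
    ("2.3.0",  "2.3.2",  False),
    ("2.4.0",  "2.4.0",  True),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted upstream version such as '2.1.1' into a comparable tuple.

    Only plain numeric dotted versions are accepted. A distro package string such as
    'python-paramiko-0:2.1.1-4.el7' is not an upstream version and is rejected, because
    the upstream ranges say nothing about whether that build carries a backported fix.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a plain dotted upstream version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """Return True if the upstream Paramiko version lies inside an affected range."""
    v = parse_version(version)
    for start, end, end_inclusive in AFFECTED_RANGES:
        if start is not None and v < parse_version(start):
            continue
        e = parse_version(end)
        if v < e or (end_inclusive and v == e):
            return True
    return False


# Matches exact pins like "paramiko==2.1.1", optionally followed by a comment.
PIN_RE = re.compile(r"^\s*paramiko\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$", re.IGNORECASE)


def scan_requirements(text: str) -> List[Tuple[str, bool]]:
    """Find exact paramiko pins in requirements-style text; return (version, affected)."""
    findings = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            version = m.group(1).rstrip(".")
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample requirements file (not taken from the page).
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
paramiko==2.1.1      # pinned below the 2.1.5 fix
cryptography>=2.1
"""


def installed_paramiko_status() -> Optional[bool]:
    """Classify the Paramiko importable in this interpreter; None if absent or unparsable."""
    try:
        import paramiko  # type: ignore
    except ImportError:
        return None
    try:
        return is_affected(paramiko.__version__)
    except ValueError:
        return None


if __name__ == "__main__":
    for version, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"paramiko=={version}: {'AFFECTED' if affected else 'not affected'}")
    print("installed paramiko affected:", installed_paramiko_status())
```

Running the block reports the constructed `paramiko==2.1.1` pin as affected (it sits in the 2.1.0 to 2.1.5 range) and then classifies whatever Paramiko the interpreter can import, if any.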
