CVE Vulnerabilities

CVE-2025-26466

This vulnerability is marked as RESERVED by NVD. This means that the CVE-ID is reserved for future use by the CVE Numbering Authority (CNA) or a security researcher, but its details are not yet publicly available.

This page will reflect the classification results once they are available through NVD.

Any available vendor information is shown below.

Redhat

openssh: Denial-of-service in OpenSSH

Mitigation

This issue can be mitigated by setting the following three options in the sshd configuration file located at /etc/ssh/sshd_config:

- MaxStartups: Set to a reasonable value. This option controls the maximum number of concurrent unauthenticated connections the SSH server accepts.
- PerSourcePenalties: Set its suboptions to reasonable values. This option helps sshd detect and drop connections that are potentially malicious for the SSH server.
- LoginGraceTime: Set to a reasonable value. This option controls how long the SSH server waits for the client to authenticate before dropping its connection.

All three options above need to be set to implement a full mitigation for this vulnerability.
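One way to check a host against the mitigation above, as an added example that is not Red Hat's or OpenSSH's code: the script parses sshd_config text and reports whether each of the three directives is explicitly set in the global section. The sample configuration and the function names are constructed for illustration, Include files are not followed, and a "missing" directive means only that sshd falls back to its built-in default.

```python
"""Audit sshd_config text for the three directives named in the mitigation."""
import re

REQUIRED = ("maxstartups", "persourcepenalties", "logingracetime")
# Values that switch the protection off rather than tune it (assumption based
# on sshd_config semantics: LoginGraceTime 0 = no time limit, "no" = penalties off).
DISABLING = {"logingracetime": {"0"}, "persourcepenalties": {"no"}}
# "Keyword value" or "Keyword=value"; the keyword itself never contains whitespace.
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def global_settings(config_text):
    """Return {keyword: value} for the global section (before the first Match)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()          # keywords are case-insensitive
        if keyword == "match":                # conditional blocks are not global
            break
        settings.setdefault(keyword, m.group(2).strip())  # first value wins
    return settings


def audit(config_text):
    """Classify each required directive as 'set', 'disabled' or 'missing'."""
    settings = global_settings(config_text)
    findings = {}
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            findings[key] = "missing"
        elif value.lower() in DISABLING.get(key, ()):
            findings[key] = "disabled"
        else:
            findings[key] = "set"
    return findings


def all_three_set(config_text):
    return all(state == "set" for state in audit(config_text).values())


# Constructed sample: the second LoginGraceTime line is ignored by sshd.
SAMPLE = "Port 22\nmaxstartups 10:30:100\nLoginGraceTime 0\nLoginGraceTime 30\nMatch User backup\n    X11Forwarding no\n"

if __name__ == "__main__":
    for key, state in audit(SAMPLE).items():
        print(f"{key}: {state}")
```

Whether a value counts as "reasonable" is left to the operator; the script only confirms that each directive is present and not switched off.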

Ubuntu

The OpenSSH client and server are vulnerable to a pre-authentication denial-of-service attack: an asymmetric resource consumption of both memory and CPU. This vulnerability was introduced in August 2023 (shortly before OpenSSH 9.5p1) by commit dce6d80 (“Introduce a transport-level ping facility”).

Affected Software List

Name          Vendor           Version
Openssh-ssh1  Ubuntu/upstream  frozen on openssh 7.5p
Openssh       Ubuntu/oracular  1:9.7p1-7ubuntu4.2
Openssh       Ubuntu/noble     1:9.6p1-3ubuntu13.8
Openssh       Ubuntu/upstream  TBD