Vulnerability Name: CVE-2020-14145 (CCN-184514)

Assigned: 2020-06-26
Published: 2020-06-26
Updated: 2022-04-28
Summary: The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Note: some reports state that 8.5 and 8.6 are also affected.
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-203
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2020-14145

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20201202 Some mitigation for openssh CVE-2020-14145

Source: MISC
Type: Patch, Third Party Advisory
https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

Source: MISC
Type: Third Party Advisory
https://docs.ssh-mitm.at/CVE-2020-14145.html

Source: XF
Type: UNKNOWN
openssh-cve202014145-mitm(184514)

Source: CCN
Type: OpenSSH GIT Repository
OpenSSH

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1

Source: MISC
Type: Third Party Advisory
https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-35

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20200709-0004/

Source: CCN
Type: FSA-2020-2
Targeted MitM Attacks Using Information Leakage in SSH Clients

Source: MISC
Type: Third Party Advisory
https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/

Source: CCN
Type: IBM Security Bulletin 6403463 (Security Guardium Insights)
IBM Security Guardium Insights is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6452607 (Integrated Analytics System)
Vulnerability in OpenSSH affects IBM Integrated Analytics System

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-14145

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openbsd:openssh:*:*:*:*:*:*:*:* (Version >= 5.7 and < 8.4)
  • OR cpe:/a:openbsd:openssh:8.4:-:*:*:*:*:*:*
  • OR cpe:/a:openbsd:openssh:8.5:-:*:*:*:*:*:*
  • OR cpe:/a:openbsd:openssh:8.6:-:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:netapp:aff_a700s_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:aff_a700s:-:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.5)
  • OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
  • OR cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
  • OR cpe:/h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openbsd:openssh:5.7:-:*:*:*:*:*:*
  • OR cpe:/a:openbsd:openssh:8.3:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:security_guardium_insights:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7894 | P | gnome-desktop-lang-41.8-150400.3.3.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7943 | P | liblouis-data-3.20.0-150400.3.13.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:94468 | P | (Important) | 2022-07-12
oval:org.opensuse.security:def:3356 | P | rsync-3.1.3-1.19 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3191 | P | libjasper1-1.900.14-195.15.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94756 | P | mozilla-nspr-32bit-4.32-3.20.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95155 | P | sca-patterns-sle12-1.5.0-150400.1.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:5338 | P | Security update for libvirt (Important) | 2022-01-05
oval:com.redhat.rhsa:def:20214368 | P | RHSA-2021:4368: openssh security update (Moderate) | 2021-11-09
oval:org.opensuse.security:def:96748 | P | postgresql-10-6.8 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:96760 | P | python3-pycrypto-2.6.1-1.28 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:96765 | P | radvd-2.17-3.18 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:101181 | P | libass-devel-0.14.0-3.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101469 | P | Security update for bluez (Moderate) | 2021-07-12
oval:org.opensuse.security:def:101868 | P | Security update for the Linux Kernel (Important) | 2021-06-15
oval:org.opensuse.security:def:31219 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:57961 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:87424 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:21399 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:51607 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:82602 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:28921 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:55832 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:85683 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:31652 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:58783 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:23159 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:83216 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:29395 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:57042 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:86116 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:81087 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:32138 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:23619 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:54744 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:84176 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:30009 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:57475 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:86602 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:51147 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:82128 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:32960 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:55218 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:84635 | P | Security update for openssh (Moderate) | 2021-01-05
oval:org.opensuse.security:def:110379 | P | Security update for openssh (Moderate) | 2020-12-20
oval:org.opensuse.security:def:8536 | P | Security update for openssh (Moderate) | 2020-12-18
oval:org.opensuse.security:def:9279 | P | Security update for openssh (Moderate) | 2020-12-18
oval:org.opensuse.security:def:69419 | P | Security update for openssh (Moderate) | 2020-12-18
oval:org.opensuse.security:def:10033 | P | Security update for openssh (Moderate) | 2020-12-18
oval:org.opensuse.security:def:70173 | P | Security update for openssh (Moderate) | 2020-12-18
oval:org.opensuse.security:def:104250 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:73402 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:91777 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:68983 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:75495 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:90429 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:98727 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:104789 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:64280 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:97394 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:90595 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:4051 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:66427 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:105417 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:74208 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:97560 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:104084 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:91134 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:65140 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:98099 | P | Security update for openssh (Moderate) | 2020-12-17
oval:org.opensuse.security:def:127075 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:33624 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:60159 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:89360 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:88086 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:51861 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:33882 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:125506 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:59447 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:88395 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:34336 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:126678 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:59705 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:89102 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:23873 | P | Security update for openssh (Moderate) | 2020-12-16
oval:org.opensuse.security:def:110916 | P | Security update for openssh (Moderate) | 2020-12-13
oval:org.opensuse.security:def:108135 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:96024 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:118476 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:65200 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:73567 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:5607 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:69032 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:102714 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:108534 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:75764 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:117362 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:64445 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:109380 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:4111 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:66696 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:107847 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:74268 | P | Security update for openssh (Moderate) | 2020-12-09
oval:org.opensuse.security:def:117649 | P | Security update for openssh (Moderate) | 2020-12-09