
Asustor Security Advisory AS-2023-013: OpenSSH

Concerning vulnerability in ADM 4.2 and ADM 4.0 NAS OS

Asustor Inc. has published a security advisory concerning an OpenSSH vulnerability in the ADM 4.2 and ADM 4.0 NAS operating systems.

Severity: Important
Status: Ongoing

Statement
OpenSSH versions prior to 9.3p2 are susceptible to a vulnerability that, when successfully exploited, could lead to disclosure of sensitive information or to addition or modification of data.

CVE-2023-38408 affects Asustor products running ADM 4.2 and ADM 4.0. Updates with OpenSSH 9.5p1 will be released as soon as possible.

  • OpenSSH 9.5p1 has been updated on ADM 4.2.5.RN33 to resolve the issue.

Affected products

| Product | Severity | Fixed release availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to 4.2.5.RN33 or above |
| ADM 4.0 | Important | Ongoing |

Detail

  • CVE-2023-38408
    • Severity: Critical
    • The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
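
A first-pass exposure check for the condition described above, added here as an example and not taken from Asustor's advisory: it compares an `ssh -V` style banner against 9.3p2 and lists the `ssh_config` blocks that turn agent forwarding on. The function names, sample banners and sample configuration are constructed for illustration.

```python
import re

# First OpenSSH release the advisory lists as not affected by CVE-2023-38408.
FIXED = (9, 3, 2)

def parse_openssh_version(banner):
    """Return (major, minor, patch) from text such as 'OpenSSH_9.3p1, OpenSSL 3.0.9'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(banner):
    """True if the banner version is before 9.3p2, None if it cannot be parsed."""
    # Vendor builds may backport fixes, so treat the banner as a first-pass signal only.
    version = parse_openssh_version(banner)
    return None if version is None else version < FIXED

def forwarding_hosts(config_text):
    """List the Host/Match blocks of an ssh_config that enable agent forwarding."""
    block, found = "(global)", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            block = value
        # ForwardAgent accepts yes, no, a socket path or $VAR; anything but "no" forwards.
        elif key == "forwardagent" and value.strip('"').lower() != "no":
            found.append(block)
    return found

# Constructed sample inputs, not output captured from any real system.
SAMPLE_BANNERS = ["OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023",
                  "OpenSSH_9.5p1, OpenSSL 3.1.4 24 Oct 2023"]
SAMPLE_CONFIG = """# constructed sample ssh_config
Host bastion.example.test
    ForwardAgent yes
Host *.internal.example.test
    ForwardAgent no
Host build
    ForwardAgent=yes
"""

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner.split(",")[0], "affected:", is_affected(banner))
    print("agent forwarding enabled for:", forwarding_hosts(SAMPLE_CONFIG))
```
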

Reference

Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-10-25 | Initial public release |
| 2 | 2023-11-06 | Release ADM 4.2.5.RN33 to update OpenSSH version for fixing the issue |
