New security bulletin: IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks in Apache MINA SSHD Common.
Apache MINA SSHD is a 100% pure Java library that supports both the client and server sides of the SSH protocol. IBM i Access Client Solutions (ACS) uses it in its Open Source Package Manager functionality when authenticating to the IBM i server.
OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in the SSH transport protocol when used with certain OpenSSH extensions.
A remote attacker can exploit this vulnerability to strip an arbitrary number of messages after the initial key exchange, breaking the SSH extension negotiation and degrading the security of the client’s connection.
To correct this flaw, update ACS to the latest release (version 1.1.9.5 minimum).
The CVSS base score for this flaw is 5.9. Details are available at the link below:
https://lnkd.in/ejgJR3UN