CVE-2022-29245

Description

SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an X25519 key exchange, the clients private key is generated with System.Random. System.Random is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes. When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be brute forced. This allows an attacker who is able to eavesdrop on the communications to decrypt them. Version 2020.0.2 contains a patch for this issue. As a workaround, one may disable support for curve25519-sha256 and curve25519-sha256@libssh.org key exchange algorithms.

Risk Information

Base Score

5.9

MODERATE

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.319

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2022-29245 are fixed in Nuget - SSH.NET 2020.0.2	Windows
Vulnerabilities CVE-2022-29245 are fixed in Nuget - SSH.NET for Linux 2020.0.2	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234