{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"Informational: Third-party or open source vulnerabilities that do not affect PAN-OS"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: PAN-SA-2020-0004","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:26:46.282Z","generator":{"date":"2026-04-11T00:26:46.282Z","engine":{"name":"Vulnogram","version":"0.0.9"}},"id":"PAN-SA-2020-0004","initial_release_date":"2020-05-13T16:00:00.000Z","revision_history":[{"number":"1","date":"2020-05-13T09:00:00.000Z","summary":"Initial publication"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version","name":"PAN-OS All","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-1"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2014-1692","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition."}],"references":[{"category":"external","summary":"NVD - CVE-2014-1692","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1692"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition."}]},{"cve":"CVE-2014-2532","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character."}],"references":[{"category":"external","summary":"NVD - CVE-2014-2532","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2532"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character."}]},{"cve":"CVE-2014-2653","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate."}],"references":[{"category":"external","summary":"NVD - CVE-2014-2653","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2653"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate."}]},{"cve":"CVE-2015-5352","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window."}],"references":[{"category":"external","summary":"NVD - CVE-2015-5352","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-5352"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window."}]},{"cve":"CVE-2016-3115","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions."}],"references":[{"category":"external","summary":"NVD - CVE-2016-3115","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3115"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions."}]},{"cve":"CVE-2015-8325","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable."}],"references":[{"category":"external","summary":"NVD - CVE-2015-8325","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8325"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable."}]},{"cve":"CVE-2016-6515","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string."}],"references":[{"category":"external","summary":"NVD - CVE-2016-6515","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6515"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string."}]},{"cve":"CVE-2016-10009","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket."}],"references":[{"category":"external","summary":"NVD - CVE-2016-10009","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10009"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket."}]},{"cve":"CVE-2016-10010","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c."}],"references":[{"category":"external","summary":"NVD - CVE-2016-10010","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10010"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c."}]},{"cve":"CVE-2016-1908","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server."}],"references":[{"category":"external","summary":"NVD - CVE-2016-1908","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1908"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server."}]},{"cve":"CVE-2018-15473","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c."}],"references":[{"category":"external","summary":"NVD - CVE-2018-15473","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-15473"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c."}]},{"cve":"CVE-2018-15919","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'"}],"references":[{"category":"external","summary":"NVD - CVE-2018-15919","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-15919"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'"}]},{"cve":"CVE-2016-10708","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c."}],"references":[{"category":"external","summary":"NVD - CVE-2016-10708","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10708"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c."}]},{"cve":"CVE-2015-8325","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable."}],"references":[{"category":"external","summary":"NVD - CVE-2015-8325","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-8325"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable."}]},{"cve":"CVE-2016-1908","product_status":{"known_not_affected":["PANW-PAN-OS-1"]},"notes":[{"category":"description","text":"The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server."}],"references":[{"category":"external","summary":"NVD - CVE-2016-1908","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1908"},{"category":"self","summary":"Palo Alto Networks Security Advisory PAN-SA-2020-0004","url":"https://security.paloaltonetworks.com/PAN-SA-2020-0004"}],"threats":[{"category":"impact","description":"The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server."}]}]}