OpenSSH fixes a critical code execution vulnerability

OpenSSH, a tool that provides encrypted communication sessions over a computer network using the SSH protocol, has patched a critical code execution vulnerability.

"A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange," the security advisory reads.

"If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations."

The vulnerability was identified by OpenSSH developer Mark Friedl on November 7th, and a fix was issued immediately.

The flaw is fixed in OpenSSH 6.4. A security patch is available for users who prefer to continue using OpenSSH 6.2 or 6.3.
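A defender-side check for the condition the advisory describes, added here as an example that is not part of the original post or of the OpenSSH project: it reads a version banner and the effective configuration printed by `sshd -T` and reports whether a 6.2 or 6.3 server still offers the AES-GCM ciphers. The function names, status strings and sample inputs are assumptions constructed for this example.

```python
import re

# Cipher names quoted in the advisory text above.
GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
# Releases the post names as needing the patch; 6.4 carries the fix.
AFFECTED_RELEASES = {(6, 2), (6, 3)}


def parse_version(banner):
    """Return (major, minor) from a string such as 'OpenSSH_6.3p1', else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def offered_gcm(sshd_t_output):
    """Return the AES-GCM ciphers listed on the 'ciphers' line of `sshd -T`."""
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            names = {c.strip() for c in parts[1].split(",")}
            return sorted(GCM_CIPHERS & names)
    return []


def assess(banner, sshd_t_output):
    """Classify a server (hypothetical status strings for this example)."""
    version = parse_version(banner)
    if version is None:
        return "unknown-version"
    if version not in AFFECTED_RELEASES:
        return "release-not-listed"
    # A version string cannot show whether the security patch was applied,
    # so an affected release that offers AES-GCM is flagged for review.
    if offered_gcm(sshd_t_output):
        return "review-aes-gcm-offered"
    return "aes-gcm-not-offered"


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_6.3"
SAMPLE_SSHD_T = (
    "port 22\n"
    "ciphers aes128-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com\n"
    "macs hmac-sha2-256\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_SSHD_T), offered_gcm(SAMPLE_SSHD_T))
```
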