search cancel

PacketShaper Vulnerability CVE-2008-5161


Article ID: 168797


Updated On:




PacketShaper 9.2.12 Release Notes states:

PacketWise 9.2.12 fixes the following security vulnerability: CVE-2008-5161

However, the Nessus scan still lists PacketShaper as vulnerable. Is this issue addressed?


This CVE is fixed in PacketShaper by back-porting the necessary code from OpenSSH 5.2 to the current version used by PacketShaper, OpenSSH version 4.5.  Since the entire OpenSSH has not been upgraded (only the fix needed to address this issue has been added), the OpenSSH version used by PS remains at 4.5.

Regarding CVE-2008-5161:

A fix for CVE-2008-5161 was put into OpenSSH 5.2. The fix has two parts as stated in the OpenSSH release notes:
•    This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
•    This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behavior that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes.

The above fix from OpenSSH 5.2 has been back-ported to PacketShaper 9.2.12 with the following caveat:

OpenSSH 4.5 does not include support for AES CTR-mode, "arcfour128" or "arcfour256" ciphers.  The default cipher order has been changed to prefer the "arcfour" mode to CBC mode ciphers that  are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".

However, most testing suites (including Nessus scan) will flag this CVE based on the version reported by the SSH server code, which remains at 4.5. And for that reason the test suite could still flag this vulnerability.

All addressed CVEs can be found via the following link: