CVE-2014-1692
Description
OpenSSH J-PAKE code in schnorr.c has uninitialized data in hash_buffer(), potentially causing memory corruption or DoS when the experimental protocol is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The hash_buffer function in schnorr.c of OpenSSH through 6.4 does not initialize certain data structures when an error condition occurs during EVP_Digest* operations. This flaw exists only within the experimental J-PAKE (Password Authenticated Key Exchange) protocol code, which is not enabled by default; it requires modifying Makefile.inc or using specific compiler flags to activate [4]. The commit fixing the issue (revision 1.10) was made on 2014-01-29 and added explicit clearing of the returned digest and length for error cases [4]. HP-UX systems running HP Secure Shell versions before A.06.20.010 (B.11.11), A.06.20.011 (B.11.23), and A.06.20.012 (B.11.31) are affected [2].
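The out-parameter contract described above, as an added C illustration (not OpenSSH's schnorr.c code). The names `toy_digest`, `hash_unfixed`, `hash_fixed` and `wipe_and_free` are hypothetical, and the digest is a constructed, non-cryptographic stand-in that fails on empty input so the error path runs offline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define DIGEST_LEN 32
/* Constructed, non-cryptographic stand-in for an EVP_Digest*-style backend. */
int toy_digest(const uint8_t *in, size_t len, uint8_t out[DIGEST_LEN])
{
    if (len == 0)
        return -1;                 /* simulated digest failure */
    memset(out, 0, DIGEST_LEN);
    for (size_t i = 0; i < len; i++)
        out[i % DIGEST_LEN] ^= in[i];
    return 0;
}

/* "Before" shape: on a digest error the out-parameters are never written. */
int hash_unfixed(const uint8_t *in, size_t len, uint8_t **digestp, size_t *lenp)
{
    uint8_t tmp[DIGEST_LEN];
    if (toy_digest(in, len, tmp) != 0)
        return -1;                 /* caller's *digestp / *lenp stay as they were */
    if ((*digestp = malloc(DIGEST_LEN)) == NULL)
        return -1;
    memcpy(*digestp, tmp, DIGEST_LEN);
    *lenp = DIGEST_LEN;
    return 0;
}

/* "After" shape: clear the out-parameters first, so every error path returns (NULL, 0). */
int hash_fixed(const uint8_t *in, size_t len, uint8_t **digestp, size_t *lenp)
{
    *digestp = NULL;
    *lenp = 0;
    return hash_unfixed(in, len, digestp, lenp);
}
/* Hypothetical caller cleanup: only well-defined if a failed call left (NULL, 0). */
void wipe_and_free(uint8_t *digest, size_t len)
{
    if (digest != NULL)
        memset(digest, 0, len);
    free(digest);
}
int main(void)
{
    uint8_t *d; size_t n;          /* left uninitialised, as a caller might */
    int rc = hash_fixed((const uint8_t *)"", 0, &d, &n);   /* forced failure */
    wipe_and_free(d, n);           /* safe: d == NULL, n == 0 */
    return rc == -1 ? 0 : 1;
}
```

With `hash_unfixed`, a caller that declares its digest pointer and length without initialising them would pass indeterminate values to its cleanup path after a failed call.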
Exploitation
An attacker can trigger the vulnerability by sending crafted network traffic that causes an error in the J-PAKE hashing routine, provided the server has been compiled with J-PAKE support enabled [3][4]. No default OpenSSH installations are vulnerable because the code is not reachable unless explicitly enabled by the administrator [3]. The attacker does not need authentication but must be able to initiate a connection to the SSH server running the modified build [4].
Impact
Successful exploitation leads to denial of service via memory corruption, as indicated by the CVE description and HP bulletins [1][2]. The HP advisory categorizes this under "Buffer Errors (CWE-119)" and rates the CVSS v2 impact as partial confidentiality, integrity, and availability, though the primary demonstrated outcome is remote denial of service [2]. The CVE description also notes that "unspecified other impact" is possible, but the references do not provide details on code execution [3][4].
Mitigation
For upstream OpenSSH, the fix was committed in revision 1.10 of schnorr.c on 2014-01-29 [4]. Users should ensure their OpenSSH builds are up to date (post-6.4). For HP-UX users, HP released updates for HP Secure Shell: A.06.20.010 (B.11.11), A.06.20.011 (B.11.23), and A.06.20.012 (B.11.31) [2]. Since J-PAKE is experimental and never enabled by default, the most effective workaround is to not enable J-PAKE support in any environment. There is no indication that CVE-2014-1692 is listed in the CISA Known Exploited Vulnerabilities catalog.
- '[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities'
- '[security bulletin] HPSBUX03188 SSRT101487 rev.1 - HP-UX running HP Secure Shell, Remote Denial of S'
- security - Re: OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)
- security - OpenSSH J-PAKE vulnerability (no cause for panic! remain calm!)
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References (11)
- marc.info (nvd; Third Party Advisory)
- marc.info (nvd; Third Party Advisory)
- openwall.com/lists/oss-security/2014/01/29/10 (nvd; Mailing List, Third Party Advisory)
- openwall.com/lists/oss-security/2014/01/29/2 (nvd; Mailing List, Third Party Advisory)
- secunia.com/advisories/60184 (nvd; Third Party Advisory)
- www-01.ibm.com/support/docview.wss (nvd; Third Party Advisory)
- www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/schnorr.c (nvd; Vendor Advisory)
- www.securityfocus.com/bid/65230 (nvd; Third Party Advisory, VDB Entry)
- exchange.xforce.ibmcloud.com/vulnerabilities/90819 (nvd; Third Party Advisory, VDB Entry)
- osvdb.org/102611 (nvd; Broken Link)
- www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/Attic/schnorr.c.diff (nvd)