fropert_FTNT
Staff
June 17, 2015

PSIRT Note: SSH and CVE-2014-2532

Description
Some vulnerability scanners incorrectly report FortiAnalyzer and FortiManager as vulnerable to CVE-2014-2532.

The CVE description states that OpenSSH does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

In reality, FortiAnalyzer and FortiManager are not affected by the CVE-2014-2532 vulnerability. These products are configured to ignore any environment variables that the SSH client sends with the -o SendEnv option.
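
When a scanner flags an OpenSSH-based host for this CVE from its version banner alone, the AcceptEnv configuration shows whether the condition in the description can apply. The following check is an added example, not Fortinet code: the function names and sample configurations are constructed for illustration, and it assumes a plain sshd_config text is available for the host being triaged.

```python
import re

WILDCARDS = "*?"  # pattern characters sshd_config accepts in AcceptEnv

def accept_env_patterns(config_text):
    """Collect every AcceptEnv pattern; keywords are case-insensitive."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "acceptenv":
            patterns.extend(parts[1].split())
    return patterns

def audit_accept_env(config_text):
    """Triage a config for the AcceptEnv wildcard condition of CVE-2014-2532.

    Conservative by design: AcceptEnv lines inside Match blocks are counted
    as if they always apply, and Include directives are not followed.
    """
    patterns = accept_env_patterns(config_text)
    risky = []
    for p in patterns:
        idx = min((p.find(c) for c in WILDCARDS if c in p), default=-1)
        if idx > 0:  # a literal substring sits before the first wildcard
            risky.append((p, p[:idx]))
    if not patterns:
        # sshd accepts no client environment variables unless AcceptEnv is set
        status = "no-client-env-accepted"
    elif risky:
        status = "wildcard-after-substring"
    else:
        status = "no-prefixed-wildcards"
    return {"status": status, "patterns": patterns, "risky": risky}

# Constructed sample configurations (not taken from any product).
SAMPLE_NO_ACCEPTENV = "Port 22\nPermitRootLogin no\n#AcceptEnv LC_*\n"
SAMPLE_WILDCARD = "acceptenv LANG LC_*\nAcceptEnv=GIT_?\n#AcceptEnv DEBUG_*\n"

if __name__ == "__main__":
    for name, cfg in (("no AcceptEnv", SAMPLE_NO_ACCEPTENV),
                      ("wildcards", SAMPLE_WILDCARD)):
        print(name, audit_accept_env(cfg))
```

A `no-client-env-accepted` result means variables sent with `-o SendEnv` are dropped by the server, so the scanner finding can be treated as a false positive; `wildcard-after-substring` lists the patterns that need an OpenSSH version check.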