CVE-2003-0695 - Unspecified vulnerability in Openbsd Openssh
Attack vector | UNKNOWN
Attack complexity | UNKNOWN
Privileges required | UNKNOWN
Confidentiality impact | UNKNOWN
Integrity impact | UNKNOWN
Availability impact | UNKNOWN
openbsd
nessus
Summary
Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.
Vulnerable Configurations
Nessus
NASL family | Mandriva Local Security Checks
NASL id | MANDRAKE_MDKSA-2003-090.NASL
description | A buffer management error was discovered in all versions of openssh prior to version 3.7. According to the OpenSSH team
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 14072
published | 2004-07-31
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/14072
title | Mandrake Linux Security Advisory : openssh (MDKSA-2003:090-1)
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2003:090.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14072);
  script_version ("1.23");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  script_cve_id("CVE-2003-0693", "CVE-2003-0695");
  script_xref(name:"CERT-CC", value:"CA-2003-24");
  script_xref(name:"CERT", value:"333628");
  script_xref(name:"MDKSA", value:"2003:090-1");

  script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2003:090-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:"A buffer management error was discovered in all versions of openssh prior to version 3.7. According to the OpenSSH team's advisory: 'It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.' There have also been reports of an exploit in the wild. MandrakeSoft encourages all users to upgrade to these patched openssh packages immediately and to disable sshd until you are able to upgrade if at all possible. Update : The OpenSSH developers discovered more, similar, problems and revised the patch to correct these issues. These new packages have the latest patch fix applied."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.openssh.com/txt/buffer.adv"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/09/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks need a package list gathered over SSH; bail out otherwise.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Compare installed package versions against the fixed versions from the advisory.
flag = 0;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-3.6.1p2-1.2.82mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-3.6.1p2-1.2.82mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-gnome-3.6.1p2-1.2.82mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-clients-3.6.1p2-1.2.82mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-server-3.6.1p2-1.2.82mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"openssh-3.6.1p2-1.2.90mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"openssh-askpass-3.6.1p2-1.2.90mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"openssh-askpass-gnome-3.6.1p2-1.2.90mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"openssh-clients-3.6.1p2-1.2.90mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"openssh-server-3.6.1p2-1.2.90mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"openssh-3.6.1p2-1.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"openssh-askpass-3.6.1p2-1.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"openssh-askpass-gnome-3.6.1p2-1.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"openssh-clients-3.6.1p2-1.2.91mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"openssh-server-3.6.1p2-1.2.91mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Red Hat Local Security Checks
NASL id | REDHAT-RHSA-2003-280.NASL
description | Updated OpenSSH packages are now available that fix bugs that may be remotely exploitable. [Updated 17 Sep 2003] Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0695 to these additional issues. We have also included fixes from Solar Designer for some additional memory bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0682 to these issues. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0693 to this issue. All users of OpenSSH should immediately apply this update which contains a backported fix for this issue.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 12421
published | 2004-07-06
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/12421
title | RHEL 2.1 : openssh (RHSA-2003:280)
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2003:280. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12421);
  script_version ("1.23");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695");
  script_xref(name:"RHSA", value:"2003:280");

  script_name(english:"RHEL 2.1 : openssh (RHSA-2003:280)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:"Updated OpenSSH packages are now available that fix bugs that may be remotely exploitable. [Updated 17 Sep 2003] Updated packages are now available to fix additional buffer manipulation problems which were fixed in OpenSSH 3.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0695 to these additional issues. We have also included fixes from Solar Designer for some additional memory bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0682 to these issues. OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0693 to this issue. All users of OpenSSH should immediately apply this update which contains a backported fix for this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0682"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0693"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0695"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.openssh.com/txt/buffer.adv"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2003:280"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/09/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Local checks need a package list gathered over SSH; bail out otherwise.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

# Only RHEL 2.1 is covered by this advisory.
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Prefer the yum updateinfo data when the host provides it; fall back to rpm version checks.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2003:280";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-3.1p1-14")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-3.1p1-14")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-gnome-3.1p1-14")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-clients-3.1p1-14")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-server-3.1p1-14")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
  }
}
```
NASL family | Debian Local Security Checks
NASL id | DEBIAN_DSA-382.NASL
description | A bug has been found in OpenSSH
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 15219
published | 2004-09-29
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/15219
title | Debian DSA-382-3 : ssh - possible remote vulnerability

NASL family | Misc.
NASL id | SUNSSH_PLAINTEXT_RECOVERY.NASL
description | The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 55992
published | 2011-08-29
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/55992
title | SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure

NASL family | Red Hat Local Security Checks
NASL id | REDHAT_FIXES.NASL
description | This plugin writes in the knowledge base the CVE ids that we know Red Hat enterprise Linux is not vulnerable to.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 12512
published | 2004-07-06
reporter | This script is Copyright (C) 2004-2011 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/12512
title | Red Hat Enterprise Linux fixes

NASL family | Debian Local Security Checks
NASL id | DEBIAN_DSA-383.NASL
description | Several bugs have been found in OpenSSH
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 15220
published | 2004-09-29
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/15220
title | Debian DSA-383-2 : ssh-krb5 - possible remote vulnerability

NASL family | Gain a shell remotely
NASL id | OPENSSH_36.NASL
description | According to its banner, the remote SSH server is running a version of OpenSSH older than 3.7.1. Such versions are vulnerable to a flaw in the buffer management functions that might allow an attacker to execute arbitrary commands on this host. An exploit for this issue is rumored to exist. Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command `rpm -q openssh-server` returns: openssh-server-3.1p1-13 (RedHat 7.x), openssh-server-3.4p1-7 (RedHat 8.0), openssh-server-3.5p1-11 (RedHat 9).
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 11837
published | 2003-09-16
reporter | This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/11837
title | OpenSSH < 3.7.1 Multiple Vulnerabilities
Oval
accepted | 2010-09-20T04:00:27.401-04:00
class | vulnerability
contributors |
description | Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.
family | unix
id | oval:org.mitre.oval:def:452
status | accepted
submitted | 2003-09-21T12:00:00.000-04:00
title | Mutliple Buffer Management Errors in OpenSSH
version | 41
Redhat
advisories |
Statements
contributor | Mark J Cox |
lastmodified | 2007-06-01 |
organization | Red Hat |
statement | Not vulnerable. This flaw is fixed in Red Hat Enterprise Linux 2.1 via the errata RHSA-2003:280. This flaw is fixed in Red Hat Enterprise Linux 3 as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux. |
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000741
- http://marc.info/?l=bugtraq&m=106373546332230&w=2
- http://marc.info/?l=bugtraq&m=106381396120332&w=2
- http://marc.info/?l=bugtraq&m=106381409220492&w=2
- http://marc.info/?l=bugtraq&m=106382542403716&w=2
- http://marc.info/?l=openbsd-security-announce&m=106375582924840
- http://www.debian.org/security/2003/dsa-382
- http://www.debian.org/security/2003/dsa-383
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:090
- http://www.openssh.com/txt/buffer.adv
- http://www.redhat.com/support/errata/RHSA-2003-280.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A452