Vulnerabilities > CVE-2006-5051 - Double Free vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) 
{
  script_id(22466);
  script_version("1.30");
  script_cvs_date("Date: 2018/07/16 14:09:13");

  script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2007-3102", "CVE-2008-4109");
  script_bugtraq_id(20216, 20241, 20245);

  script_name(english:"OpenSSH < 4.4 Multiple Vulnerabilities");
  script_summary(english:"Checks version number of OpenSSH");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote SSH server is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH installed on the
remote host is affected by multiple vulnerabilities :

  - A race condition exists that may allow an
    unauthenticated, remote attacker to crash the service 
    or, on portable OpenSSH, possibly execute code on the 
    affected host.  Note that successful exploitation 
    requires that GSSAPI authentication be enabled.
    
  - A flaw exists that may allow an attacker to determine 
    the validity of usernames on some platforms. Note that 
    this issue requires that GSSAPI authentication be 
    enabled.

  - When SSH version 1 is used, an issue can be triggered 
    via an SSH packet that contains duplicate blocks that 
    could result in a loss of availability for the service.

  - On Fedora Core 6 (and possibly other systems), an
    unspecified vulnerability in the
    linux_audit_record_event() function allows remote
    attackers to inject incorrect information into
    audit logs.");

  script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 4.4 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264, 362, 399);
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/28");
  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);
  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/"+port);

bp_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

if (!get_kb_item("Settings/PCI_DSS"))
{
  auth = get_kb_item_or_exit("SSH/supportedauth/" + port);
  if ("gssapi" >!< auth) exit(0, "The SSH service on port "+port+" doesn't support GSSAPI.");
}

if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[0-3]([^0-9]|$))")
  security_hole(port);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200611-06.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(23671);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2006-5051", "CVE-2006-5052");
  script_bugtraq_id(20241, 20245);
  script_xref(name:"GLSA", value:"200611-06");

  script_name(english:"GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200611-06
(OpenSSH: Multiple Denial of Service vulnerabilities)

    Tavis Ormandy of the Google Security Team has discovered a
    pre-authentication vulnerability, causing sshd to spin until the login
    grace time has been expired. Mark Dowd found an unsafe signal handler
    that was vulnerable to a race condition. It has also been discovered
    that when GSSAPI authentication is enabled, GSSAPI will in certain
    cases incorrectly abort.
  
Impact :

    The pre-authentication and signal handler vulnerabilities can cause a
    Denial of Service in OpenSSH. The vulnerability in the GSSAPI
    authentication abort could be used to determine the validity of
    usernames on some platforms.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.openssh.com/txt/release-4.4"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200611-06"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All OpenSSH users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.4_p1-r5'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.4_p1-r5"), vulnerable:make_list("lt 4.4_p1-r5"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1638. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34223);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2006-5051", "CVE-2008-4109");
  script_bugtraq_id(20241);
  script_xref(name:"DSA", value:"1638");

  script_name(english:"Debian DSA-1638-1 : openssh - denial of service");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It has been discovered that the signal handler implementing the login
timeout in Debian's version of the OpenSSH server uses functions which
are not async-signal-safe, leading to a denial of service
vulnerability (CVE-2008-4109 ).

The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051
), but the patch backported to the version released with etch was
incorrect.

Systems affected by this issue suffer from lots of zombie sshd
processes. Processes stuck with a '[net]' process title have also been
observed. Over time, a sufficient number of processes may accumulate
such that further login attempts are impossible. Presence of these
processes does not indicate active exploitation of this vulnerability.
It is possible to trigger this denial of service condition by
accident."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-4109"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-5051"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2008/dsa-1638"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the openssh packages.

For the stable distribution (etch), this problem has been fixed in
version 4.3p2-9etch3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264, 362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openssh-2183.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27365);
  script_version ("1.15");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052");

  script_name(english:"openSUSE 10 Security Update : openssh (openssh-2183)");
  script_summary(english:"Check for the openssh-2183 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several security problems were fixed in OpenSSH :

  - CVE-2006-4924: A denial of service problem has been
    fixed in OpenSSH which could be used to cause lots of
    CPU consumption on a remote openssh server.

  - CVE-2006-4925: If a remote attacker is able to inject
    network traffic this could be used to cause a client
    connection to close.

  - CVE-2006-5051: Fixed an unsafe signal hander reported by
    Mark Dowd. The signal handler was vulnerable to a race
    condition that could be exploited to perform a
    pre-authentication denial of service. This vulnerability
    could theoretically lead to pre-authentication remote
    code execution if GSSAPI authentication is enabled, but
    the likelihood of successful exploitation appears
    remote.

  - CVE-2006-5052: Fixed a GSSAPI authentication abort that
    could be used to determine the validity of usernames on
    some platforms."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(362, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/10/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.9") ) flag++;
if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.9") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2006:0697 and 
# CentOS Errata and Security Advisory 2006:0697 respectively.
#

include("compat.inc");

if (description)
{
  script_id(22485);
  script_version("1.19");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052");
  script_bugtraq_id(20216, 20241);
  script_xref(name:"RHSA", value:"2006:0697");

  script_name(english:"CentOS 3 / 4 : openssh / openssl (CESA-2006:0697)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated openssh packages that fix two security flaws are now available
for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
package includes the core files necessary for both the OpenSSH client
and server.

Mark Dowd discovered a signal handler race condition in the OpenSSH
sshd server. A remote attacker could possibly leverage this flaw to
cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project
believes the likelihood of successful exploitation leading to
arbitrary code execution appears remote. However, the Red Hat Security
Response Team have not yet been able to verify this claim due to lack
of upstream vulnerability information. We are therefore including a
fix for this flaw and have rated it important security severity in the
event our continued investigation finds this issue to be exploitable.

Tavis Ormandy of the Google Security Team discovered a denial of
service bug in the OpenSSH sshd server. A remote attacker can send a
specially crafted SSH-1 request to the server causing sshd to consume
a large quantity of CPU resources. (CVE-2006-4924)

All users of openssh should upgrade to these updated packages, which
contain backported patches that resolves these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013294.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?42ac1cd5"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013295.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?8500f549"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013296.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4eca25d6"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013300.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?da00f6c1"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013301.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b734a975"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013304.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e63f62ee"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-September/013305.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?59033243"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssh and / or openssl packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(362, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl096b");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/09/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/02");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-3", reference:"openssh-3.6.1p2-33.30.12")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-3.6.1p2-33.30.12")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.12")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-clients-3.6.1p2-33.30.12")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-server-3.6.1p2-33.30.12")) flag++;

if (rpm_check(release:"CentOS-4", reference:"openssh-3.9p1-8.RHEL4.17")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-3.9p1-8.RHEL4.17")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-clients-3.9p1-8.RHEL4.17")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-server-3.9p1-8.RHEL4.17")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-0.9.7a-43.14")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-devel-0.9.7a-43.14")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-perl-0.9.7a-43.14")) flag++;
if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl096b-0.9.6b-22.46")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:062
#


if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
 script_id(24440);
 script_version ("1.9");
 
 name["english"] = "SUSE-SA:2006:062: openssh";
 
 script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh).


Several security problems were fixed in OpenSSH 4.4 and the bug fixes were
back ported to the openssh versions in our products.

- CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could
be used to cause lots of CPU consumption on a remote openssh server.

- CVE-2006-4925: If a remote attacker is able to inject network traffic this could
be used to cause a client connection to close.

- CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal
handler was vulnerable to a race condition that could be exploited to perform a
pre-authentication denial of service. This vulnerability could theoretically lead to
pre-authentication remote code execution if GSSAPI authentication is enabled,
but the likelihood of successful exploitation appears remote.

- CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine
the validity of user names on some platforms." );
 script_set_attribute(attribute:"solution", value:
"http://www.novell.com/linux/security/advisories/2006_62_openssh.html" );
 script_set_attribute(attribute:"risk_factor", value:"High" );



 script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
 script_end_attributes();

 
 summary["english"] = "Check for the version of the openssh package";
 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);
 
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");
if ( rpm_check( reference:"openssh-4.1p1-10.9", release:"SUSE10.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"openssh-askpass-4.1p1-10.9", release:"SUSE10.0") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"openssh-3.9p1-3.10", release:"SUSE9.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"openssh-askpass-3.9p1-3.10", release:"SUSE9.2") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"openssh-3.9p1-12.8", release:"SUSE9.3") )
{
 security_hole(0);
 exit(0);
}
if ( rpm_check( reference:"openssh-askpass-3.9p1-12.8", release:"SUSE9.3") )
{
 security_hole(0);
 exit(0);
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0146. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127415);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-5051",
    "CVE-2006-5794",
    "CVE-2007-3102",
    "CVE-2010-4755",
    "CVE-2010-5107",
    "CVE-2014-2532",
    "CVE-2014-2653",
    "CVE-2014-9278",
    "CVE-2015-5600",
    "CVE-2015-8325",
    "CVE-2016-0777",
    "CVE-2016-1908",
    "CVE-2016-6210"
  );

  script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by
multiple vulnerabilities:

  - scp in OpenSSH 4.2p1 allows attackers to execute
    arbitrary commands via filenames that contain shell
    metacharacters or spaces, which are expanded twice.
    (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH
    protocol, allows remote attackers to cause a denial of
    service (CPU consumption) via an SSH packet that
    contains duplicate blocks, which is not properly handled
    by the CRC compensation attack detector. (CVE-2006-4924)

  - Signal handler race condition in OpenSSH before 4.4
    allows remote attackers to cause a denial of service
    (crash), and possibly execute arbitrary code if GSSAPI
    authentication is enabled, via unspecified vectors that
    lead to a double-free. (CVE-2006-5051)

  - Unspecified vulnerability in the sshd Privilege
    Separation Monitor in OpenSSH before 4.5 causes weaker
    verification that authentication has been successful,
    which might allow attackers to bypass authentication.
    NOTE: as of 20061108, it is believed that this issue is
    only exploitable by leveraging vulnerabilities in the
    unprivileged process, which are not known to exist.
    (CVE-2006-5794)

  - Unspecified vulnerability in the
    linux_audit_record_event function in OpenSSH 4.3p2, as
    used on Fedora Core 6 and possibly other systems, allows
    remote attackers to write arbitrary characters to an
    audit log via a crafted username. NOTE: some of these
    details are obtained from third party information.
    (CVE-2007-3102)

  - The (1) remote_glob function in sftp-glob.c and the (2)
    process_put function in sftp.c in OpenSSH 5.8 and
    earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
    OpenBSD 4.7, and other products, allow remote
    authenticated users to cause a denial of service (CPU
    and memory consumption) via crafted glob expressions
    that do not match any pathnames, as demonstrated by glob
    expressions in SSH_FXP_STAT requests to an sftp daemon,
    a different vulnerability than CVE-2010-2632.
    (CVE-2010-4755)

  - The default configuration of OpenSSH through 6.1
    enforces a fixed time limit between establishing a TCP
    connection and completing a login, which makes it easier
    for remote attackers to cause a denial of service
    (connection-slot exhaustion) by periodically making many
    new TCP connections. (CVE-2010-5107)

  - It was found that OpenSSH did not properly handle
    certain AcceptEnv parameter values with wildcard
    characters. A remote attacker could use this flaw to
    bypass intended environment variable restrictions.
    (CVE-2014-2532)

  - It was discovered that OpenSSH clients did not correctly
    verify DNS SSHFP records. A malicious server could use
    this flaw to force a connecting client to skip the DNS
    SSHFP record check and require the user to perform
    manual host verification of the DNS SSHFP record.
    (CVE-2014-2653)

  - It was found that when OpenSSH was used in a Kerberos
    environment, remote authenticated users were allowed to
    log in as a different user if they were listed in the
    ~/.k5users file of that user, potentially bypassing
    intended authentication restrictions. (CVE-2014-9278)

  - It was discovered that the OpenSSH sshd daemon did not
    check the list of keyboard-interactive authentication
    methods for duplicates. A remote attacker could use this
    flaw to bypass the MaxAuthTries limit, making it easier
    to perform password guessing attacks. (CVE-2015-5600)

  - It was discovered that the OpenSSH sshd daemon fetched
    PAM environment settings before running the login
    program. In configurations with UseLogin=yes and the
    pam_env PAM module configured to read user environment
    settings, a local user could use this flaw to execute
    arbitrary code as root. (CVE-2015-8325)

  - An information leak flaw was found in the way the
    OpenSSH client roaming feature was implemented. A
    malicious server could potentially use this flaw to leak
    portions of memory (possibly including private SSH keys)
    of a successfully authenticated OpenSSH client.
    (CVE-2016-0777)

  - An access flaw was discovered in OpenSSH; the OpenSSH
    client did not correctly handle failures to generate
    authentication cookies for untrusted X11 forwarding. A
    malicious or compromised remote X application could
    possibly use this flaw to establish a trusted connection
    to the local X server, even if only untrusted X11
    forwarding was requested. (CVE-2016-1908)

  - A covert timing channel flaw was found in the way
    OpenSSH handled authentication of non-existent users. A
    remote unauthenticated attacker could possibly use this
    flaw to determine valid user names by measuring the
    timing of server responses. (CVE-2016-6210)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact
ZTE for more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(362, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL MAIN 4.05")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL MAIN 4.05": [
    "openssh-latest-7.9p1-1.el6.cgsl7741",
    "openssh-latest-askpass-7.9p1-1.el6.cgsl7741",
    "openssh-latest-cavs-7.9p1-1.el6.cgsl7741",
    "openssh-latest-clients-7.9p1-1.el6.cgsl7741",
    "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741",
    "openssh-latest-keycat-7.9p1-1.el6.cgsl7741",
    "openssh-latest-ldap-7.9p1-1.el6.cgsl7741",
    "openssh-latest-server-7.9p1-1.el6.cgsl7741"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest");
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2006-1011.
#

include("compat.inc");

if (description)
{
  script_id(24029);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:24");

  script_xref(name:"FEDORA", value:"2006-1011");

  script_name(english:"Fedora Core 5 : openssh-4.3p2-4.10 (2006-1011)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"  - Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> -
    4.3p2-4.10

    - improve gssapi-no-spnego patch (#208102)

    - CVE-2006-4924 - prevent DoS on deattack detector
      (#207957)

    - CVE-2006-5051 - don't call cleanups from signal
      handler (#208459)

    - Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> -
      4.3p2-4.1

    - sync with FC6 version

    - build for FC5

    - Wed Aug 23 2006 Tomas Mraz <tmraz at redhat.com> -
      4.3p2-9

    - don't report duplicate syslog messages, use correct
      local time (#189158)

    - don't allow spnego as gssapi mechanism (from upstream)

    - fixed memleaks found by Coverity (from upstream)

    - allow ip options except source routing (#202856)
      (patch by HP)

    - Tue Aug 8 2006 Tomas Mraz <tmraz at redhat.com> -
      4.3p2-8

    - drop the pam-session patch from the previous build
      (#201341)

    - don't set IPV6_V6ONLY sock opt when listening on
      wildcard addr (#201594)

    - Thu Jul 20 2006 Tomas Mraz <tmraz at redhat.com> -
      4.3p2-7

    - dropped old ssh obsoletes

    - call the pam_session_open/close from the monitor when
      privsep is enabled so it is always called as root
      (patch by Darren Tucker)

  - Mon Jul 17 2006 Tomas Mraz <tmraz at redhat.com> -
    4.3p2-6

    - improve selinux patch (by Jan Kiszka)

    - upstream patch for buffer append space error (#191940)

    - fixed typo in configure.ac (#198986)

    - added pam_keyinit to pam configuration (#198628)

    - improved error message when askpass dialog cannot grab
      keyboard input (#198332)

  - buildrequires xauth instead of xorg-x11-xauth

    - fixed a few rpmlint warnings

    - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com>
      - 4.3p2-5.1

    - rebuild

    - Fri Apr 14 2006 Tomas Mraz <tmraz at redhat.com> -
      4.3p2-5

    - don't request pseudoterminal allocation if stdin is
      not tty (#188983)

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2006-October/000644.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e3722192"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/10/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC5", reference:"openssh-4.3p2-4.10")) flag++;
if (rpm_check(release:"FC5", reference:"openssh-askpass-4.3p2-4.10")) flag++;
if (rpm_check(release:"FC5", reference:"openssh-clients-4.3p2-4.10")) flag++;
if (rpm_check(release:"FC5", reference:"openssh-debuginfo-4.3p2-4.10")) flag++;
if (rpm_check(release:"FC5", reference:"openssh-server-4.3p2-4.10")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc");
}