Vulnerabilities > CVE-2006-5051 - Double Free vulnerability in multiple products

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
openbsd
debian
apple
CWE-415
nessus

Summary

Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

Vulnerable Configurations

Part Description Count
Application
Openbsd
136
OS
Debian
1
OS
Apple
92

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idOPENSSH_44.NASL
    descriptionAccording to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs.
    last seen2020-06-01
    modified2020-06-02
    plugin id22466
    published2006-09-28
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22466
    titleOpenSSH < 4.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description) 
    {
      script_id(22466);
      script_version("1.30");
      script_cvs_date("Date: 2018/07/16 14:09:13");
    
      script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2007-3102", "CVE-2008-4109");
      script_bugtraq_id(20216, 20241, 20245);
    
      script_name(english:"OpenSSH < 4.4 Multiple Vulnerabilities");
      script_summary(english:"Checks version number of OpenSSH");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote SSH server is affected by multiple vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH installed on the
    remote host is affected by multiple vulnerabilities :
    
      - A race condition exists that may allow an
        unauthenticated, remote attacker to crash the service 
        or, on portable OpenSSH, possibly execute code on the 
        affected host.  Note that successful exploitation 
        requires that GSSAPI authentication be enabled.
        
      - A flaw exists that may allow an attacker to determine 
        the validity of usernames on some platforms. Note that 
        this issue requires that GSSAPI authentication be 
        enabled.
    
      - When SSH version 1 is used, an issue can be triggered 
        via an SSH packet that contains duplicate blocks that 
        could result in a loss of availability for the service.
    
      - On Fedora Core 6 (and possibly other systems), an
        unspecified vulnerability in the
        linux_audit_record_event() function allows remote
        attackers to inject incorrect information into
        audit logs.");
    
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSH 4.4 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(264, 362, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/28");
      script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/28");
      script_set_attribute(attribute:"plugin_type", value: "remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    if (!get_kb_item("Settings/PCI_DSS"))
    {
      auth = get_kb_item_or_exit("SSH/supportedauth/" + port);
      if ("gssapi" >!< auth) exit(0, "The SSH service on port "+port+" doesn't support GSSAPI.");
    }
    
    if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[0-3]([^0-9]|$))")
      security_hole(port);
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200611-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200611-06 (OpenSSH: Multiple Denial of Service vulnerabilities) Tavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has been expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort. Impact : The pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id23671
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23671
    titleGLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200611-06.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(23671);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-5051", "CVE-2006-5052");
      script_bugtraq_id(20241, 20245);
      script_xref(name:"GLSA", value:"200611-06");
    
      script_name(english:"GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200611-06
    (OpenSSH: Multiple Denial of Service vulnerabilities)
    
        Tavis Ormandy of the Google Security Team has discovered a
        pre-authentication vulnerability, causing sshd to spin until the login
        grace time has been expired. Mark Dowd found an unsafe signal handler
        that was vulnerable to a race condition. It has also been discovered
        that when GSSAPI authentication is enabled, GSSAPI will in certain
        cases incorrectly abort.
      
    Impact :
    
        The pre-authentication and signal handler vulnerabilities can cause a
        Denial of Service in OpenSSH. The vulnerability in the GSSAPI
        authentication abort could be used to determine the validity of
        usernames on some platforms.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.openssh.com/txt/release-4.4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200611-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenSSH users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.4_p1-r5'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.4_p1-r5"), vulnerable:make_list("lt 4.4_p1-r5"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1638.NASL
    descriptionIt has been discovered that the signal handler implementing the login timeout in Debian
    last seen2020-06-01
    modified2020-06-02
    plugin id34223
    published2008-09-17
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34223
    titleDebian DSA-1638-1 : openssh - denial of service
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1638. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34223);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2006-5051", "CVE-2008-4109");
      script_bugtraq_id(20241);
      script_xref(name:"DSA", value:"1638");
    
      script_name(english:"Debian DSA-1638-1 : openssh - denial of service");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It has been discovered that the signal handler implementing the login
    timeout in Debian's version of the OpenSSH server uses functions which
    are not async-signal-safe, leading to a denial of service
    vulnerability (CVE-2008-4109 ).
    
    The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051
    ), but the patch backported to the version released with etch was
    incorrect.
    
    Systems affected by this issue suffer from lots of zombie sshd
    processes. Processes stuck with a '[net]' process title have also been
    observed. Over time, a sufficient number of processes may accumulate
    such that further login attempts are impossible. Presence of these
    processes does not indicate active exploitation of this vulnerability.
    It is possible to trigger this denial of service condition by
    accident."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2006-5051"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1638"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openssh packages.
    
    For the stable distribution (etch), this problem has been fixed in
    version 4.3p2-9etch3."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264, 362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_OPENSSH-2183.NASL
    descriptionSeveral security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    last seen2020-06-01
    modified2020-06-02
    plugin id27365
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27365
    titleopenSUSE 10 Security Update : openssh (openssh-2183)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openssh-2183.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27365);
      script_version ("1.15");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052");
    
      script_name(english:"openSUSE 10 Security Update : openssh (openssh-2183)");
      script_summary(english:"Check for the openssh-2183 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security problems were fixed in OpenSSH :
    
      - CVE-2006-4924: A denial of service problem has been
        fixed in OpenSSH which could be used to cause lots of
        CPU consumption on a remote openssh server.
    
      - CVE-2006-4925: If a remote attacker is able to inject
        network traffic this could be used to cause a client
        connection to close.
    
      - CVE-2006-5051: Fixed an unsafe signal hander reported by
        Mark Dowd. The signal handler was vulnerable to a race
        condition that could be exploited to perform a
        pre-authentication denial of service. This vulnerability
        could theoretically lead to pre-authentication remote
        code execution if GSSAPI authentication is enabled, but
        the likelihood of successful exploitation appears
        remote.
    
      - CVE-2006-5052: Fixed a GSSAPI authentication abort that
        could be used to determine the validity of usernames on
        some platforms."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.9") ) flag++;
    if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.9") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0697.NASL
    descriptionUpdated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22485
    published2006-10-02
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22485
    titleCentOS 3 / 4 : openssh / openssl (CESA-2006:0697)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0697 and 
    # CentOS Errata and Security Advisory 2006:0697 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22485);
      script_version("1.19");
      script_cvs_date("Date: 2019/10/25 13:36:03");
    
      script_cve_id("CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052");
      script_bugtraq_id(20216, 20241);
      script_xref(name:"RHSA", value:"2006:0697");
    
      script_name(english:"CentOS 3 / 4 : openssh / openssl (CESA-2006:0697)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages that fix two security flaws are now available
    for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
    package includes the core files necessary for both the OpenSSH client
    and server.
    
    Mark Dowd discovered a signal handler race condition in the OpenSSH
    sshd server. A remote attacker could possibly leverage this flaw to
    cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project
    believes the likelihood of successful exploitation leading to
    arbitrary code execution appears remote. However, the Red Hat Security
    Response Team have not yet been able to verify this claim due to lack
    of upstream vulnerability information. We are therefore including a
    fix for this flaw and have rated it important security severity in the
    event our continued investigation finds this issue to be exploitable.
    
    Tavis Ormandy of the Google Security Team discovered a denial of
    service bug in the OpenSSH sshd server. A remote attacker can send a
    specially crafted SSH-1 request to the server causing sshd to consume
    a large quantity of CPU resources. (CVE-2006-4924)
    
    All users of openssh should upgrade to these updated packages, which
    contain backported patches that resolves these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013294.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?42ac1cd5"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013295.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8500f549"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013296.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4eca25d6"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013300.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?da00f6c1"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013301.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b734a975"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013304.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e63f62ee"
      );
      # https://lists.centos.org/pipermail/centos-announce/2006-September/013305.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?59033243"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh and / or openssl packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(362, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl096b");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/09/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"openssh-3.6.1p2-33.30.12")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-3.6.1p2-33.30.12")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.12")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-clients-3.6.1p2-33.30.12")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-server-3.6.1p2-33.30.12")) flag++;
    
    if (rpm_check(release:"CentOS-4", reference:"openssh-3.9p1-8.RHEL4.17")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-3.9p1-8.RHEL4.17")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"openssh-clients-3.9p1-8.RHEL4.17")) flag++;
    if (rpm_check(release:"CentOS-4", reference:"openssh-server-3.9p1-8.RHEL4.17")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-0.9.7a-43.14")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-devel-0.9.7a-43.14")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-perl-0.9.7a-43.14")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl096b-0.9.6b-22.46")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_062.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh). Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products. - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of user names on some platforms.
    last seen2019-10-28
    modified2007-02-18
    plugin id24440
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24440
    titleSUSE-SA:2006:062: openssh
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:062
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(24440);
     script_version ("1.9");
     
     name["english"] = "SUSE-SA:2006:062: openssh";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh).
    
    
    Several security problems were fixed in OpenSSH 4.4 and the bug fixes were
    back ported to the openssh versions in our products.
    
    - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could
    be used to cause lots of CPU consumption on a remote openssh server.
    
    - CVE-2006-4925: If a remote attacker is able to inject network traffic this could
    be used to cause a client connection to close.
    
    - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal
    handler was vulnerable to a race condition that could be exploited to perform a
    pre-authentication denial of service. This vulnerability could theoretically lead to
    pre-authentication remote code execution if GSSAPI authentication is enabled,
    but the likelihood of successful exploitation appears remote.
    
    - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine
    the validity of user names on some platforms." );
     script_set_attribute(attribute:"solution", value:
    "http://www.novell.com/linux/security/advisories/2006_62_openssh.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the openssh package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"openssh-4.1p1-10.9", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"openssh-askpass-4.1p1-10.9", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"openssh-3.9p1-3.10", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"openssh-askpass-3.9p1-3.10", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"openssh-3.9p1-12.8", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"openssh-askpass-3.9p1-12.8", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127415
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127415
    titleNewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0146. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127415);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-5051",
        "CVE-2006-5794",
        "CVE-2007-3102",
        "CVE-2010-4755",
        "CVE-2010-5107",
        "CVE-2014-2532",
        "CVE-2014-2653",
        "CVE-2014-9278",
        "CVE-2015-5600",
        "CVE-2015-8325",
        "CVE-2016-0777",
        "CVE-2016-1908",
        "CVE-2016-6210"
      );
    
      script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by
    multiple vulnerabilities:
    
      - scp in OpenSSH 4.2p1 allows attackers to execute
        arbitrary commands via filenames that contain shell
        metacharacters or spaces, which are expanded twice.
        (CVE-2006-0225)
    
      - sshd in OpenSSH before 4.4, when using the version 1 SSH
        protocol, allows remote attackers to cause a denial of
        service (CPU consumption) via an SSH packet that
        contains duplicate blocks, which is not properly handled
        by the CRC compensation attack detector. (CVE-2006-4924)
    
      - Signal handler race condition in OpenSSH before 4.4
        allows remote attackers to cause a denial of service
        (crash), and possibly execute arbitrary code if GSSAPI
        authentication is enabled, via unspecified vectors that
        lead to a double-free. (CVE-2006-5051)
    
      - Unspecified vulnerability in the sshd Privilege
        Separation Monitor in OpenSSH before 4.5 causes weaker
        verification that authentication has been successful,
        which might allow attackers to bypass authentication.
        NOTE: as of 20061108, it is believed that this issue is
        only exploitable by leveraging vulnerabilities in the
        unprivileged process, which are not known to exist.
        (CVE-2006-5794)
    
      - Unspecified vulnerability in the
        linux_audit_record_event function in OpenSSH 4.3p2, as
        used on Fedora Core 6 and possibly other systems, allows
        remote attackers to write arbitrary characters to an
        audit log via a crafted username. NOTE: some of these
        details are obtained from third party information.
        (CVE-2007-3102)
    
      - The (1) remote_glob function in sftp-glob.c and the (2)
        process_put function in sftp.c in OpenSSH 5.8 and
        earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
        OpenBSD 4.7, and other products, allow remote
        authenticated users to cause a denial of service (CPU
        and memory consumption) via crafted glob expressions
        that do not match any pathnames, as demonstrated by glob
        expressions in SSH_FXP_STAT requests to an sftp daemon,
        a different vulnerability than CVE-2010-2632.
        (CVE-2010-4755)
    
      - The default configuration of OpenSSH through 6.1
        enforces a fixed time limit between establishing a TCP
        connection and completing a login, which makes it easier
        for remote attackers to cause a denial of service
        (connection-slot exhaustion) by periodically making many
        new TCP connections. (CVE-2010-5107)
    
      - It was found that OpenSSH did not properly handle
        certain AcceptEnv parameter values with wildcard
        characters. A remote attacker could use this flaw to
        bypass intended environment variable restrictions.
        (CVE-2014-2532)
    
      - It was discovered that OpenSSH clients did not correctly
        verify DNS SSHFP records. A malicious server could use
        this flaw to force a connecting client to skip the DNS
        SSHFP record check and require the user to perform
        manual host verification of the DNS SSHFP record.
        (CVE-2014-2653)
    
      - It was found that when OpenSSH was used in a Kerberos
        environment, remote authenticated users were allowed to
        log in as a different user if they were listed in the
        ~/.k5users file of that user, potentially bypassing
        intended authentication restrictions. (CVE-2014-9278)
    
      - It was discovered that the OpenSSH sshd daemon did not
        check the list of keyboard-interactive authentication
        methods for duplicates. A remote attacker could use this
        flaw to bypass the MaxAuthTries limit, making it easier
        to perform password guessing attacks. (CVE-2015-5600)
    
      - It was discovered that the OpenSSH sshd daemon fetched
        PAM environment settings before running the login
        program. In configurations with UseLogin=yes and the
        pam_env PAM module configured to read user environment
        settings, a local user could use this flaw to execute
        arbitrary code as root. (CVE-2015-8325)
    
      - An information leak flaw was found in the way the
        OpenSSH client roaming feature was implemented. A
        malicious server could potentially use this flaw to leak
        portions of memory (possibly including private SSH keys)
        of a successfully authenticated OpenSSH client.
        (CVE-2016-0777)
    
      - An access flaw was discovered in OpenSSH; the OpenSSH
        client did not correctly handle failures to generate
        authentication cookies for untrusted X11 forwarding. A
        malicious or compromised remote X application could
        possibly use this flaw to establish a trusted connection
        to the local X server, even if only untrusted X11
        forwarding was requested. (CVE-2016-1908)
    
      - A covert timing channel flaw was found in the way
        OpenSSH handled authentication of non-existent users. A
        remote unauthenticated attacker could possibly use this
        flaw to determine valid user names by measuring the
        timing of server responses. (CVE-2016-6210)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact
    ZTE for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(362, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 4.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 4.05": [
        "openssh-latest-7.9p1-1.el6.cgsl7741",
        "openssh-latest-askpass-7.9p1-1.el6.cgsl7741",
        "openssh-latest-cavs-7.9p1-1.el6.cgsl7741",
        "openssh-latest-clients-7.9p1-1.el6.cgsl7741",
        "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741",
        "openssh-latest-keycat-7.9p1-1.el6.cgsl7741",
        "openssh-latest-ldap-7.9p1-1.el6.cgsl7741",
        "openssh-latest-server-7.9p1-1.el6.cgsl7741"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-1011.NASL
    description - Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.10 - improve gssapi-no-spnego patch (#208102) - CVE-2006-4924 - prevent DoS on deattack detector (#207957) - CVE-2006-5051 - don
    last seen2020-06-01
    modified2020-06-02
    plugin id24029
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24029
    titleFedora Core 5 : openssh-4.3p2-4.10 (2006-1011)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2006-1011.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24029);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:24");
    
      script_xref(name:"FEDORA", value:"2006-1011");
    
      script_name(english:"Fedora Core 5 : openssh-4.3p2-4.10 (2006-1011)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> -
        4.3p2-4.10
    
        - improve gssapi-no-spnego patch (#208102)
    
        - CVE-2006-4924 - prevent DoS on deattack detector
          (#207957)
    
        - CVE-2006-5051 - don't call cleanups from signal
          handler (#208459)
    
        - Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> -
          4.3p2-4.1
    
        - sync with FC6 version
    
        - build for FC5
    
        - Wed Aug 23 2006 Tomas Mraz <tmraz at redhat.com> -
          4.3p2-9
    
        - don't report duplicate syslog messages, use correct
          local time (#189158)
    
        - don't allow spnego as gssapi mechanism (from upstream)
    
        - fixed memleaks found by Coverity (from upstream)
    
        - allow ip options except source routing (#202856)
          (patch by HP)
    
        - Tue Aug 8 2006 Tomas Mraz <tmraz at redhat.com> -
          4.3p2-8
    
        - drop the pam-session patch from the previous build
          (#201341)
    
        - don't set IPV6_V6ONLY sock opt when listening on
          wildcard addr (#201594)
    
        - Thu Jul 20 2006 Tomas Mraz <tmraz at redhat.com> -
          4.3p2-7
    
        - dropped old ssh obsoletes
    
        - call the pam_session_open/close from the monitor when
          privsep is enabled so it is always called as root
          (patch by Darren Tucker)
    
      - Mon Jul 17 2006 Tomas Mraz <tmraz at redhat.com> -
        4.3p2-6
    
        - improve selinux patch (by Jan Kiszka)
    
        - upstream patch for buffer append space error (#191940)
    
        - fixed typo in configure.ac (#198986)
    
        - added pam_keyinit to pam configuration (#198628)
    
        - improved error message when askpass dialog cannot grab
          keyboard input (#198332)
    
      - buildrequires xauth instead of xorg-x11-xauth
    
        - fixed a few rpmlint warnings
    
        - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com>
          - 4.3p2-5.1
    
        - rebuild
    
        - Fri Apr 14 2006 Tomas Mraz <tmraz at redhat.com> -
          4.3p2-5
    
        - don't request pseudoterminal allocation if stdin is
          not tty (#188983)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2006-October/000644.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e3722192"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/10/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC5", reference:"openssh-4.3p2-4.10")) flag++;
    if (rpm_check(release:"FC5", reference:"openssh-askpass-4.3p2-4.10")) flag++;
    if (rpm_check(release:"FC5", reference:"openssh-clients-4.3p2-4.10")) flag++;
    if (rpm_check(release:"FC5", reference:"openssh-debuginfo-4.3p2-4.10")) flag++;
    if (rpm_check(release:"FC5", reference:"openssh-server-4.3p2-4.10")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-179.NASL
    descriptionTavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default. Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051). Updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id24565
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24565
    titleMandrake Linux Security Advisory : openssh (MDKSA-2006:179)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1189.NASL
    descriptionSeveral remote vulnerabilities have been discovered in OpenSSH, a free implementation of the Secure Shell protocol, which may lead to denial of service and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-4924 Tavis Ormandy of the Google Security Team discovered a denial of service vulnerability in the mitigation code against complexity attacks, which might lead to increased CPU consumption until a timeout is triggered. This is only exploitable if support for SSH protocol version 1 is enabled. - CVE-2006-5051 Mark Dowd discovered that insecure signal handler usage could potentially lead to execution of arbitrary code through a double free. The Debian Security Team doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id22731
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22731
    titleDebian DSA-1189-1 : openssh-krb5 - several vulnerabilities
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL6736.NASL
    descriptionThe remote BIG-IP device is missing a patch required by a security advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id88441
    published2016-01-28
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88441
    titleF5 Networks BIG-IP : OpenSSH vulnerabilities (SOL6736)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0697.NASL
    descriptionUpdated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22473
    published2006-09-29
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22473
    titleRHEL 3 / 4 : openssh (RHSA-2006:0697)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_OPENSSH-2184.NASL
    descriptionSeveral security problems were fixed in OpenSSH : - A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. (CVE-2006-4924) - If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. (CVE-2006-4925) - Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. (CVE-2006-5051) - Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. (CVE-2006-5052)
    last seen2020-06-01
    modified2020-06-02
    plugin id29538
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29538
    titleSuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2184)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127206
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127206
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-355-1.NASL
    descriptionTavis Ormandy discovered that the SSH daemon did not properly handle authentication packets with duplicated blocks. By sending specially crafted packets, a remote attacker could exploit this to cause the ssh daemon to drain all available CPU resources until the login grace time expired. (CVE-2006-4924) Mark Dowd discovered a race condition in the server
    last seen2020-06-01
    modified2020-06-02
    plugin id27935
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27935
    titleUbuntu 5.04 / 5.10 / 6.06 LTS : openssh vulnerabilities (USN-355-1)
  • NASL familyMisc.
    NASL idSUNSSH_PLAINTEXT_RECOVERY.NASL
    descriptionThe version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id55992
    published2011-08-29
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55992
    titleSunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_4_9.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen2020-06-01
    modified2020-06-02
    plugin id24811
    published2007-03-13
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24811
    titleMac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-272-02.NASL
    descriptionNew openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id22468
    published2006-09-29
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22468
    titleSlackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-272-02)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2006-0697.NASL
    descriptionFrom Red Hat Security Advisory 2006:0697 : Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id67412
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67412
    titleOracle Linux 4 : openssh (ELSA-2006-0697)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1212.NASL
    descriptionTwo denial of service problems have been found in the OpenSSH server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2006-4924 The sshd support for ssh protocol version 1 does not properly handle duplicate incoming blocks. This could allow a remote attacker to cause sshd to consume significant CPU resources leading to a denial of service. - CVE-2006-5051 A signal handler race condition could potentially allow a remote attacker to crash sshd and could theoretically lead to the ability to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id23661
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23661
    titleDebian DSA-1212-1 : openssh - Denial of service
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-395.NASL
    description - Fri Mar 30 2007 Miloslav Trmac <mitr at redhat.com> - 4.3p2-4.12 - Fix an information leak in Kerberos password authentication (CVE-2006-5052) Resolves: #234640 - Fri Nov 10 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.11 - CVE-2006-5794 - properly detect failed key verify in monitor (#214641) - kill all ssh sessions when stop is called in halt or reboot runlevel (#213008) - remove -TERM option from killproc so we don
    last seen2020-06-01
    modified2020-06-02
    plugin id24926
    published2007-04-05
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24926
    titleFedora Core 5 : openssh-4.3p2-4.12.fc5 (2007-395)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0698.NASL
    descriptionUpdated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id22474
    published2006-09-29
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22474
    titleRHEL 2.1 : openssh (RHSA-2006:0698)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-649-1.NASL
    descriptionIt was discovered that the ForceCommand directive could be bypassed. If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10. (CVE-2008-1657) USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote attacker could attempt multiple logins, filling all available connection slots, leading to a denial of service. This only affected Ubuntu 6.06 and 7.04. (CVE-2008-4109). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36855
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/36855
    titleUbuntu 6.06 LTS / 7.04 / 7.10 : openssh vulnerabilities (USN-649-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_32DB37A550C311DBACF3000C6EC775D9.NASL
    descriptionProblem Description The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] Impact An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] Workaround The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id22488
    published2006-10-02
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22488
    titleFreeBSD : openssh -- multiple vulnerabilities (32db37a5-50c3-11db-acf3-000c6ec775d9)
  • NASL familyMisc.
    NASL idJUNIPER_NSM_2012_1.NASL
    descriptionAccording to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id69872
    published2013-09-13
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69872
    titleJuniper NSM Servers < 2012.1 Multiple Vulnerabilities

Oval

accepted2013-04-29T04:13:43.866-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionSignal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
familyunix
idoval:org.mitre.oval:def:11387
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleSignal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
version26

Redhat

advisories
  • bugzilla
    id208347
    titleCVE-2006-5051 unsafe GSSAPI signal handler
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 4 is installed
        ovaloval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • commentopenssh-server is earlier than 0:3.9p1-8.RHEL4.17
            ovaloval:com.redhat.rhsa:tst:20060697001
          • commentopenssh-server is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044006
        • AND
          • commentopenssh-askpass is earlier than 0:3.9p1-8.RHEL4.17
            ovaloval:com.redhat.rhsa:tst:20060697003
          • commentopenssh-askpass is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044008
        • AND
          • commentopenssh is earlier than 0:3.9p1-8.RHEL4.17
            ovaloval:com.redhat.rhsa:tst:20060697005
          • commentopenssh is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044010
        • AND
          • commentopenssh-clients is earlier than 0:3.9p1-8.RHEL4.17
            ovaloval:com.redhat.rhsa:tst:20060697007
          • commentopenssh-clients is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044002
        • AND
          • commentopenssh-askpass-gnome is earlier than 0:3.9p1-8.RHEL4.17
            ovaloval:com.redhat.rhsa:tst:20060697009
          • commentopenssh-askpass-gnome is signed with Red Hat master key
            ovaloval:com.redhat.rhsa:tst:20060044004
    rhsa
    idRHSA-2006:0697
    released2006-09-28
    severityImportant
    titleRHSA-2006:0697: openssh security update (Important)
  • rhsa
    idRHSA-2006:0698
rpms
  • openssh-0:3.6.1p2-33.30.12
  • openssh-0:3.9p1-8.RHEL4.17
  • openssh-askpass-0:3.6.1p2-33.30.12
  • openssh-askpass-0:3.9p1-8.RHEL4.17
  • openssh-askpass-gnome-0:3.6.1p2-33.30.12
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.17
  • openssh-clients-0:3.6.1p2-33.30.12
  • openssh-clients-0:3.9p1-8.RHEL4.17
  • openssh-debuginfo-0:3.6.1p2-33.30.12
  • openssh-debuginfo-0:3.9p1-8.RHEL4.17
  • openssh-server-0:3.6.1p2-33.30.12
  • openssh-server-0:3.9p1-8.RHEL4.17
  • openssh-0:3.1p1-21
  • openssh-askpass-0:3.1p1-21
  • openssh-askpass-gnome-0:3.1p1-21
  • openssh-clients-0:3.1p1-21
  • openssh-server-0:3.1p1-21

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References