Vulnerabilities > CVE-2006-5051 - Double Free vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Misc. NASL id OPENSSH_44.NASL description According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs. last seen 2020-06-01 modified 2020-06-02 plugin id 22466 published 2006-09-28 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22466 title OpenSSH < 4.4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(22466); script_version("1.30"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2007-3102", "CVE-2008-4109"); script_bugtraq_id(20216, 20241, 20245); script_name(english:"OpenSSH < 4.4 Multiple Vulnerabilities"); script_summary(english:"Checks version number of OpenSSH"); script_set_attribute(attribute:"synopsis", value: "The remote SSH server is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "According to its banner, the version of OpenSSH installed on the remote host is affected by multiple vulnerabilities : - A race condition exists that may allow an unauthenticated, remote attacker to crash the service or, on portable OpenSSH, possibly execute code on the affected host. Note that successful exploitation requires that GSSAPI authentication be enabled. - A flaw exists that may allow an attacker to determine the validity of usernames on some platforms. Note that this issue requires that GSSAPI authentication be enabled. - When SSH version 1 is used, an issue can be triggered via an SSH packet that contains duplicate blocks that could result in a loss of availability for the service. - On Fedora Core 6 (and possibly other systems), an unspecified vulnerability in the linux_audit_record_event() function allows remote attackers to inject incorrect information into audit logs."); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" ); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 4.4 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264, 362, 399); script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/28"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/28"); script_set_attribute(attribute:"plugin_type", value: "remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); if (!get_kb_item("Settings/PCI_DSS")) { auth = get_kb_item_or_exit("SSH/supportedauth/" + port); if ("gssapi" >!< auth) exit(0, "The SSH service on port "+port+" doesn't support GSSAPI."); } if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[0-3]([^0-9]|$))") security_hole(port);
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200611-06.NASL description The remote host is affected by the vulnerability described in GLSA-200611-06 (OpenSSH: Multiple Denial of Service vulnerabilities) Tavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has been expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort. Impact : The pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 23671 published 2006-11-20 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23671 title GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200611-06. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(23671); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-5051", "CVE-2006-5052"); script_bugtraq_id(20241, 20245); script_xref(name:"GLSA", value:"200611-06"); script_name(english:"GLSA-200611-06 : OpenSSH: Multiple Denial of Service vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200611-06 (OpenSSH: Multiple Denial of Service vulnerabilities) Tavis Ormandy of the Google Security Team has discovered a pre-authentication vulnerability, causing sshd to spin until the login grace time has been expired. Mark Dowd found an unsafe signal handler that was vulnerable to a race condition. It has also been discovered that when GSSAPI authentication is enabled, GSSAPI will in certain cases incorrectly abort. Impact : The pre-authentication and signal handler vulnerabilities can cause a Denial of Service in OpenSSH. The vulnerability in the GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200611-06" ); script_set_attribute( attribute:"solution", value: "All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.4_p1-r5'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/28"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.4_p1-r5"), vulnerable:make_list("lt 4.4_p1-r5"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1638.NASL description It has been discovered that the signal handler implementing the login timeout in Debian last seen 2020-06-01 modified 2020-06-02 plugin id 34223 published 2008-09-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/34223 title Debian DSA-1638-1 : openssh - denial of service code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1638. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(34223); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2006-5051", "CVE-2008-4109"); script_bugtraq_id(20241); script_xref(name:"DSA", value:"1638"); script_name(english:"Debian DSA-1638-1 : openssh - denial of service"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability (CVE-2008-4109 ). The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051 ), but the patch backported to the version released with etch was incorrect. Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a '[net]' process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability. It is possible to trigger this denial of service condition by accident." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-4109" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-5051" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1638" ); script_set_attribute( attribute:"solution", value: "Upgrade the openssh packages. For the stable distribution (etch), this problem has been fixed in version 4.3p2-9etch3." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(264, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/09/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch3")) flag++; if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch3")) flag++; if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch3")) flag++; if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch3")) flag++; if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_OPENSSH-2183.NASL description Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. last seen 2020-06-01 modified 2020-06-02 plugin id 27365 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27365 title openSUSE 10 Security Update : openssh (openssh-2183) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openssh-2183. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27365); script_version ("1.15"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052"); script_name(english:"openSUSE 10 Security Update : openssh (openssh-2183)"); script_summary(english:"Check for the openssh-2183 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several security problems were fixed in OpenSSH : - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms." ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.9") ) flag++; if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.9") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0697.NASL description Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22485 published 2006-10-02 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22485 title CentOS 3 / 4 : openssh / openssl (CESA-2006:0697) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2006:0697 and # CentOS Errata and Security Advisory 2006:0697 respectively. # include("compat.inc"); if (description) { script_id(22485); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052"); script_bugtraq_id(20216, 20241); script_xref(name:"RHSA", value:"2006:0697"); script_name(english:"CentOS 3 / 4 : openssh / openssl (CESA-2006:0697)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable. Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924) All users of openssh should upgrade to these updated packages, which contain backported patches that resolves these issues." ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013294.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?42ac1cd5" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013295.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8500f549" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013296.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4eca25d6" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013300.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?da00f6c1" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013301.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b734a975" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013304.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e63f62ee" ); # https://lists.centos.org/pipermail/centos-announce/2006-September/013305.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?59033243" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh and / or openssl packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(362, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl-perl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssl096b"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/26"); script_set_attribute(attribute:"patch_publication_date", value:"2006/09/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"openssh-3.6.1p2-33.30.12")) flag++; if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-3.6.1p2-33.30.12")) flag++; if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.12")) flag++; if (rpm_check(release:"CentOS-3", reference:"openssh-clients-3.6.1p2-33.30.12")) flag++; if (rpm_check(release:"CentOS-3", reference:"openssh-server-3.6.1p2-33.30.12")) flag++; if (rpm_check(release:"CentOS-4", reference:"openssh-3.9p1-8.RHEL4.17")) flag++; if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-3.9p1-8.RHEL4.17")) flag++; if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17")) flag++; if (rpm_check(release:"CentOS-4", reference:"openssh-clients-3.9p1-8.RHEL4.17")) flag++; if (rpm_check(release:"CentOS-4", reference:"openssh-server-3.9p1-8.RHEL4.17")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-0.9.7a-43.14")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-devel-0.9.7a-43.14")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl-perl-0.9.7a-43.14")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssl096b-0.9.6b-22.46")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_062.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh). Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products. - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of user names on some platforms. last seen 2019-10-28 modified 2007-02-18 plugin id 24440 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24440 title SUSE-SA:2006:062: openssh code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:062 # if ( ! defined_func("bn_random") ) exit(0); include("compat.inc"); if(description) { script_id(24440); script_version ("1.9"); name["english"] = "SUSE-SA:2006:062: openssh"; script_name(english:name["english"]); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a vendor-supplied security patch" ); script_set_attribute(attribute:"description", value: "The remote host is missing the patch for the advisory SUSE-SA:2006:062 (openssh). Several security problems were fixed in OpenSSH 4.4 and the bug fixes were back ported to the openssh versions in our products. - CVE-2006-4924: A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. - CVE-2006-4925: If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. - CVE-2006-5051: Fixed an unsafe signal handler reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. - CVE-2006-5052: Fixed a GSSAPI authentication abort that could be used to determine the validity of user names on some platforms." ); script_set_attribute(attribute:"solution", value: "http://www.novell.com/linux/security/advisories/2006_62_openssh.html" ); script_set_attribute(attribute:"risk_factor", value:"High" ); script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18"); script_end_attributes(); summary["english"] = "Check for the version of the openssh package"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); family["english"] = "SuSE Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/SuSE/rpm-list"); exit(0); } include("rpm.inc"); if ( rpm_check( reference:"openssh-4.1p1-10.9", release:"SUSE10.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-4.1p1-10.9", release:"SUSE10.0") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-3.9p1-3.10", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-3.9p1-3.10", release:"SUSE9.2") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-3.9p1-12.8", release:"SUSE9.3") ) { security_hole(0); exit(0); } if ( rpm_check( reference:"openssh-askpass-3.9p1-12.8", release:"SUSE9.3") ) { security_hole(0); exit(0); }
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127415 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127415 title NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0146. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127415); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5794", "CVE-2007-3102", "CVE-2010-4755", "CVE-2010-5107", "CVE-2014-2532", "CVE-2014-2653", "CVE-2014-9278", "CVE-2015-5600", "CVE-2015-8325", "CVE-2016-0777", "CVE-2016-1908", "CVE-2016-6210" ); script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(362, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL MAIN 4.05") audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL MAIN 4.05": [ "openssh-latest-7.9p1-1.el6.cgsl7741", "openssh-latest-askpass-7.9p1-1.el6.cgsl7741", "openssh-latest-cavs-7.9p1-1.el6.cgsl7741", "openssh-latest-clients-7.9p1-1.el6.cgsl7741", "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741", "openssh-latest-keycat-7.9p1-1.el6.cgsl7741", "openssh-latest-ldap-7.9p1-1.el6.cgsl7741", "openssh-latest-server-7.9p1-1.el6.cgsl7741" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2006-1011.NASL description - Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.10 - improve gssapi-no-spnego patch (#208102) - CVE-2006-4924 - prevent DoS on deattack detector (#207957) - CVE-2006-5051 - don last seen 2020-06-01 modified 2020-06-02 plugin id 24029 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24029 title Fedora Core 5 : openssh-4.3p2-4.10 (2006-1011) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2006-1011. # include("compat.inc"); if (description) { script_id(24029); script_version ("1.16"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_xref(name:"FEDORA", value:"2006-1011"); script_name(english:"Fedora Core 5 : openssh-4.3p2-4.10 (2006-1011)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Mon Oct 2 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.10 - improve gssapi-no-spnego patch (#208102) - CVE-2006-4924 - prevent DoS on deattack detector (#207957) - CVE-2006-5051 - don't call cleanups from signal handler (#208459) - Wed Sep 13 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.1 - sync with FC6 version - build for FC5 - Wed Aug 23 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-9 - don't report duplicate syslog messages, use correct local time (#189158) - don't allow spnego as gssapi mechanism (from upstream) - fixed memleaks found by Coverity (from upstream) - allow ip options except source routing (#202856) (patch by HP) - Tue Aug 8 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-8 - drop the pam-session patch from the previous build (#201341) - don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594) - Thu Jul 20 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-7 - dropped old ssh obsoletes - call the pam_session_open/close from the monitor when privsep is enabled so it is always called as root (patch by Darren Tucker) - Mon Jul 17 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-6 - improve selinux patch (by Jan Kiszka) - upstream patch for buffer append space error (#191940) - fixed typo in configure.ac (#198986) - added pam_keyinit to pam configuration (#198628) - improved error message when askpass dialog cannot grab keyboard input (#198332) - buildrequires xauth instead of xorg-x11-xauth - fixed a few rpmlint warnings - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - 4.3p2-5.1 - rebuild - Fri Apr 14 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-5 - don't request pseudoterminal allocation if stdin is not tty (#188983) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2006-October/000644.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e3722192" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5"); script_set_attribute(attribute:"patch_publication_date", value:"2006/10/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC5", reference:"openssh-4.3p2-4.10")) flag++; if (rpm_check(release:"FC5", reference:"openssh-askpass-4.3p2-4.10")) flag++; if (rpm_check(release:"FC5", reference:"openssh-clients-4.3p2-4.10")) flag++; if (rpm_check(release:"FC5", reference:"openssh-debuginfo-4.3p2-4.10")) flag++; if (rpm_check(release:"FC5", reference:"openssh-server-4.3p2-4.10")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc"); }
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-179.NASL description Tavis Ormandy of the Google Security Team discovered a Denial of Service vulnerability in the SSH protocol version 1 CRC compensation attack detector. This could allow a remote unauthenticated attacker to trigger excessive CPU utilization by sending a specially crafted SSH message, which would then deny ssh services to other users or processes (CVE-2006-4924, CVE-2006-4925). Please note that Mandriva ships with only SSH protocol version 2 enabled by default. Next, an unsafe signal handler was found by Mark Dowd. This signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication DoS, and theoretically a pre-authentication remote code execution in the case where some authentication methods like GSSAPI are enabled (CVE-2006-5051). Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24565 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24565 title Mandrake Linux Security Advisory : openssh (MDKSA-2006:179) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1189.NASL description Several remote vulnerabilities have been discovered in OpenSSH, a free implementation of the Secure Shell protocol, which may lead to denial of service and potentially the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-4924 Tavis Ormandy of the Google Security Team discovered a denial of service vulnerability in the mitigation code against complexity attacks, which might lead to increased CPU consumption until a timeout is triggered. This is only exploitable if support for SSH protocol version 1 is enabled. - CVE-2006-5051 Mark Dowd discovered that insecure signal handler usage could potentially lead to execution of arbitrary code through a double free. The Debian Security Team doesn last seen 2020-06-01 modified 2020-06-02 plugin id 22731 published 2006-10-14 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22731 title Debian DSA-1189-1 : openssh-krb5 - several vulnerabilities NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL6736.NASL description The remote BIG-IP device is missing a patch required by a security advisory. last seen 2020-06-01 modified 2020-06-02 plugin id 88441 published 2016-01-28 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/88441 title F5 Networks BIG-IP : OpenSSH vulnerabilities (SOL6736) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0697.NASL description Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22473 published 2006-09-29 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22473 title RHEL 3 / 4 : openssh (RHSA-2006:0697) NASL family SuSE Local Security Checks NASL id SUSE_OPENSSH-2184.NASL description Several security problems were fixed in OpenSSH : - A denial of service problem has been fixed in OpenSSH which could be used to cause lots of CPU consumption on a remote openssh server. (CVE-2006-4924) - If a remote attacker is able to inject network traffic this could be used to cause a client connection to close. (CVE-2006-4925) - Fixed an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. This vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. (CVE-2006-5051) - Fixed a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. (CVE-2006-5052) last seen 2020-06-01 modified 2020-06-02 plugin id 29538 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29538 title SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2184) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127206 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127206 title NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-355-1.NASL description Tavis Ormandy discovered that the SSH daemon did not properly handle authentication packets with duplicated blocks. By sending specially crafted packets, a remote attacker could exploit this to cause the ssh daemon to drain all available CPU resources until the login grace time expired. (CVE-2006-4924) Mark Dowd discovered a race condition in the server last seen 2020-06-01 modified 2020-06-02 plugin id 27935 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27935 title Ubuntu 5.04 / 5.10 / 6.06 LTS : openssh vulnerabilities (USN-355-1) NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure NASL family MacOS X Local Security Checks NASL id MACOSX_10_4_9.NASL description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog last seen 2020-06-01 modified 2020-06-02 plugin id 24811 published 2007-03-13 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24811 title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-272-02.NASL description New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 22468 published 2006-09-29 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/22468 title Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-272-02) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2006-0697.NASL description From Red Hat Security Advisory 2006:0697 : Updated openssh packages that fix two security flaws are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 67412 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67412 title Oracle Linux 4 : openssh (ELSA-2006-0697) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1212.NASL description Two denial of service problems have been found in the OpenSSH server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2006-4924 The sshd support for ssh protocol version 1 does not properly handle duplicate incoming blocks. This could allow a remote attacker to cause sshd to consume significant CPU resources leading to a denial of service. - CVE-2006-5051 A signal handler race condition could potentially allow a remote attacker to crash sshd and could theoretically lead to the ability to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 23661 published 2006-11-20 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23661 title Debian DSA-1212-1 : openssh - Denial of service NASL family Fedora Local Security Checks NASL id FEDORA_2007-395.NASL description - Fri Mar 30 2007 Miloslav Trmac <mitr at redhat.com> - 4.3p2-4.12 - Fix an information leak in Kerberos password authentication (CVE-2006-5052) Resolves: #234640 - Fri Nov 10 2006 Tomas Mraz <tmraz at redhat.com> - 4.3p2-4.11 - CVE-2006-5794 - properly detect failed key verify in monitor (#214641) - kill all ssh sessions when stop is called in halt or reboot runlevel (#213008) - remove -TERM option from killproc so we don last seen 2020-06-01 modified 2020-06-02 plugin id 24926 published 2007-04-05 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24926 title Fedora Core 5 : openssh-4.3p2-4.12.fc5 (2007-395) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0698.NASL description Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 22474 published 2006-09-29 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22474 title RHEL 2.1 : openssh (RHSA-2006:0698) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-649-1.NASL description It was discovered that the ForceCommand directive could be bypassed. If a local user created a malicious ~/.ssh/rc file, they could execute arbitrary commands as their user id. This only affected Ubuntu 7.10. (CVE-2008-1657) USN-355-1 fixed vulnerabilities in OpenSSH. It was discovered that the fixes for this issue were incomplete. A remote attacker could attempt multiple logins, filling all available connection slots, leading to a denial of service. This only affected Ubuntu 6.06 and 7.04. (CVE-2008-4109). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36855 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/36855 title Ubuntu 6.06 LTS / 7.04 / 7.10 : openssh vulnerabilities (USN-649-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_32DB37A550C311DBACF3000C6EC775D9.NASL description Problem Description The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924] A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051] Impact An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924] The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051] Workaround The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5). There is no workaround for the second issue. last seen 2020-06-01 modified 2020-06-02 plugin id 22488 published 2006-10-02 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/22488 title FreeBSD : openssh -- multiple vulnerabilities (32db37a5-50c3-11db-acf3-000c6ec775d9) NASL family Misc. NASL id JUNIPER_NSM_2012_1.NASL description According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 69872 published 2013-09-13 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69872 title Juniper NSM Servers < 2012.1 Multiple Vulnerabilities
Oval
accepted | 2013-04-29T04:13:43.866-04:00 | ||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||
contributors |
| ||||||||||||||||||||
definition_extensions |
| ||||||||||||||||||||
description | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | ||||||||||||||||||||
family | unix | ||||||||||||||||||||
id | oval:org.mitre.oval:def:11387 | ||||||||||||||||||||
status | accepted | ||||||||||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
title | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | ||||||||||||||||||||
version | 26 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:22.openssh.asc
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://docs.info.apple.com/article.html?artnum=305214
- http://docs.info.apple.com/article.html?artnum=305214
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004051.html
- http://lists.freebsd.org/pipermail/freebsd-security/2006-October/004051.html
- http://marc.info/?l=openssh-unix-dev&m=115939141729160&w=2
- http://marc.info/?l=openssh-unix-dev&m=115939141729160&w=2
- http://openssh.org/txt/release-4.4
- http://openssh.org/txt/release-4.4
- http://secunia.com/advisories/22158
- http://secunia.com/advisories/22158
- http://secunia.com/advisories/22173
- http://secunia.com/advisories/22173
- http://secunia.com/advisories/22183
- http://secunia.com/advisories/22183
- http://secunia.com/advisories/22196
- http://secunia.com/advisories/22196
- http://secunia.com/advisories/22208
- http://secunia.com/advisories/22208
- http://secunia.com/advisories/22236
- http://secunia.com/advisories/22236
- http://secunia.com/advisories/22245
- http://secunia.com/advisories/22245
- http://secunia.com/advisories/22270
- http://secunia.com/advisories/22270
- http://secunia.com/advisories/22352
- http://secunia.com/advisories/22352
- http://secunia.com/advisories/22362
- http://secunia.com/advisories/22362
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/22495
- http://secunia.com/advisories/22495
- http://secunia.com/advisories/22823
- http://secunia.com/advisories/22823
- http://secunia.com/advisories/22926
- http://secunia.com/advisories/22926
- http://secunia.com/advisories/23680
- http://secunia.com/advisories/23680
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/24479
- http://secunia.com/advisories/24799
- http://secunia.com/advisories/24799
- http://secunia.com/advisories/24805
- http://secunia.com/advisories/24805
- http://security.freebsd.org/advisories/FreeBSD-SA-06%3A22.openssh.asc
- http://security.freebsd.org/advisories/FreeBSD-SA-06%3A22.openssh.asc
- http://security.gentoo.org/glsa/glsa-200611-06.xml
- http://security.gentoo.org/glsa/glsa-200611-06.xml
- http://securitytracker.com/id?1016940
- http://securitytracker.com/id?1016940
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.592566
- http://sourceforge.net/forum/forum.php?forum_id=681763
- http://sourceforge.net/forum/forum.php?forum_id=681763
- http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-216.htm
- http://www.arkoon.fr/upload/alertes/36AK-2006-07-FR-1.0_FAST360_OPENSSH.pdf
- http://www.arkoon.fr/upload/alertes/36AK-2006-07-FR-1.0_FAST360_OPENSSH.pdf
- http://www.arkoon.fr/upload/alertes/43AK-2006-09-FR-1.0_SSL360_OPENSSH.pdf
- http://www.arkoon.fr/upload/alertes/43AK-2006-09-FR-1.0_SSL360_OPENSSH.pdf
- http://www.debian.org/security/2006/dsa-1189
- http://www.debian.org/security/2006/dsa-1189
- http://www.debian.org/security/2006/dsa-1212
- http://www.debian.org/security/2006/dsa-1212
- http://www.kb.cert.org/vuls/id/851340
- http://www.kb.cert.org/vuls/id/851340
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:179
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:179
- http://www.novell.com/linux/security/advisories/2006_62_openssh.html
- http://www.novell.com/linux/security/advisories/2006_62_openssh.html
- http://www.openbsd.org/errata.html#ssh
- http://www.openbsd.org/errata.html#ssh
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.022-openssh.html
- http://www.openwall.com/lists/oss-security/2024/07/01/3
- http://www.openwall.com/lists/oss-security/2024/07/01/3
- http://www.openwall.com/lists/oss-security/2024/07/28/3
- http://www.openwall.com/lists/oss-security/2024/07/28/3
- http://www.osvdb.org/29264
- http://www.osvdb.org/29264
- http://www.redhat.com/support/errata/RHSA-2006-0697.html
- http://www.redhat.com/support/errata/RHSA-2006-0697.html
- http://www.redhat.com/support/errata/RHSA-2006-0698.html
- http://www.redhat.com/support/errata/RHSA-2006-0698.html
- http://www.securityfocus.com/bid/20241
- http://www.securityfocus.com/bid/20241
- http://www.ubuntu.com/usn/usn-355-1
- http://www.ubuntu.com/usn/usn-355-1
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
- http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
- http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
- http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
- http://www.vupen.com/english/advisories/2006/4018
- http://www.vupen.com/english/advisories/2006/4018
- http://www.vupen.com/english/advisories/2006/4329
- http://www.vupen.com/english/advisories/2006/4329
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2007/0930
- http://www.vupen.com/english/advisories/2007/1332
- http://www.vupen.com/english/advisories/2007/1332
- http://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html
- http://www-unix.globus.org/mail_archive/security-announce/2007/04/msg00000.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29254
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29254
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11387
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11387
- https://www.openwall.com/lists/oss-security/2024/07/28/3
- https://www.openwall.com/lists/oss-security/2024/07/28/3