Vulnerabilities > CVE-2006-5794 - Unspecified vulnerability in Openbsd Openssh

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0738 and 
# Oracle Linux Security Advisory ELSA-2006-0738 respectively.
#

include("compat.inc");

if (description)
{
  script_id(67425);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/25 13:36:06");

  script_cve_id("CVE-2006-5794");
  script_xref(name:"RHSA", value:"2006:0738");

  script_name(english:"Oracle Linux 3 / 4 : openssh (ELSA-2006-0738)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2006:0738 :

Updated openssh packages that fix an authentication flaw are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having low security impact by the Red
Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
package includes the core files necessary for both the OpenSSH client
and server.

An authentication flaw was found in OpenSSH's privilege separation
monitor. If it ever becomes possible to alter the behavior of the
unprivileged process when OpenSSH is using privilege separation, an
attacker may then be able to login without possessing proper
credentials. (CVE-2006-5794)

Please note that this flaw by itself poses no direct threat to OpenSSH
users. Without another security flaw that could allow an attacker to
alter the behavior of OpenSSH's unprivileged process, this flaw cannot
be exploited. There are currently no known flaws to exploit this
behavior. However, we have decided to issue this erratum to fix this
flaw to reduce the security impact if an unprivileged process flaw is
ever found.

Users of openssh should upgrade to these updated packages, which
contain a backported patch to resolve this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2006-November/000020.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2007-March/000089.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL3", cpu:"i386", reference:"openssh-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"openssh-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"openssh-askpass-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"openssh-askpass-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"openssh-askpass-gnome-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"openssh-askpass-gnome-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"openssh-clients-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"openssh-clients-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"i386", reference:"openssh-server-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"EL3", cpu:"x86_64", reference:"openssh-server-3.6.1p2-33.30.13")) flag++;

if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-askpass-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-askpass-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-clients-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-clients-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-server-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-server-3.9p1-8.RHEL4.17.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
}

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(44077);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2006-4925", "CVE-2006-5794", "CVE-2007-0726");
  script_bugtraq_id(20956);

  script_name(english:"OpenSSH < 4.5 Multiple Vulnerabilities");
  script_summary(english:"Checks for remote SSH version");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSH service is affected by multiple vulnerabilities.");

  script_set_attribute(attribute:"description", value:
"According to its banner, the remote host is running a version of
OpenSSH prior to 4.5.  Versions before 4.5 are affected by the
following vulnerabilities :

  - A client-side NULL pointer dereference, caused by a
    protocol error from a malicious server, which could
    cause the client to crash. (CVE-2006-4925)

  - A privilege separation vulnerability exists, which could 
    allow attackers to bypass authentication. The 
    vulnerability is caused by a design error between 
    privileged processes and their child processes. Note 
    that this particular issue is only exploitable when 
    other vulnerabilities are present. (CVE-2006-5794)

  - An attacker that connects to the service before it has 
    finished creating keys could force the keys to be 
    recreated. This could result in a denial of service for 
    any processes that relies on a trust relationship with 
    the server. Note that this particular issue only affects 
    the Apple implementation of OpenSSH on Mac OS X. 
    (CVE-2007-0726)"
  );

  script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-4.5");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/kb/TA24626?locale=en_US");
  script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/security.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 4.5 or later.
For Mac OS X 10.3, apply Security Update 2007-003.
For Mac OS X 10.4, upgrade to 10.4.9.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:'ssh', exit_on_fail:TRUE);

banner = get_kb_item_or_exit('SSH/banner/'+port);

bp_banner = tolower(get_backport_banner(banner:banner));
if ('openssh' >!< bp_banner) exit(0, 'The SSH service on port '+port+' is not OpenSSH.');
if (backported) exit(1, 'The banner from the OpenSSH server on port '+port+' indicates patches may have been backported.');

# Check the version in the banner.
matches = eregmatch(string:bp_banner, pattern:'openssh[-_]([0-9][-._0-9a-z]+)');
if (isnull(matches))  exit(0, 'Could not parse number from version string on port ' + port + '.');

version = matches[1];
if (version =~ '^([0-3]\\..*|4\\.[0-4]($|[^\\.0-9]|\\..*))')
{
  if (report_verbosity > 0)
  {
    report = 
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + version + 
      '\n  Fixed version     : 4.5\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, 'The OpenSSH server on port '+port+' is not affected as it\'s version '+version+'.');

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openssh-2256.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(27366);
  script_version ("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-5794");

  script_name(english:"openSUSE 10 Security Update : openssh (openssh-2256)");
  script_summary(english:"Check for the openssh-2256 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The OpenSSH release 4.5 contains a security fix which has been
backported to the openssh versions in our old products.

CVE-2006-5794: Incorrect return argument checking in the privilege
separation monitor was fixed. In case of an exploitable unprivileged
helper this could have been used to elevate privileges."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.12") ) flag++;
if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.12") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29539);
  script_version ("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2006-5794");

  script_name(english:"SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 2257)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The OpenSSH release 4.5 contains a security fix which has been
backported to the openssh versions in our old products.

  - Incorrect return argument checking in the privilege
    separation monitor was fixed. In case of an exploitable
    unprivileged helper this could have been used to elevate
    privileges. (CVE-2006-5794)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2006-5794.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2257.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


flag = 0;
if (rpm_check(release:"SLED10", sp:0, reference:"openssh-4.2p1-18.12")) flag++;
if (rpm_check(release:"SLED10", sp:0, reference:"openssh-askpass-4.2p1-18.12")) flag++;
if (rpm_check(release:"SLES10", sp:0, reference:"openssh-4.2p1-18.12")) flag++;
if (rpm_check(release:"SLES10", sp:0, reference:"openssh-askpass-4.2p1-18.12")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2006:0738 and 
# CentOS Errata and Security Advisory 2006:0738 respectively.
#

include("compat.inc");

if (description)
{
  script_id(37366);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2006-5794");
  script_xref(name:"RHSA", value:"2006:0738");

  script_name(english:"CentOS 3 / 4 : openssh (CESA-2006:0738)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated openssh packages that fix an authentication flaw are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having low security impact by the Red
Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
package includes the core files necessary for both the OpenSSH client
and server.

An authentication flaw was found in OpenSSH's privilege separation
monitor. If it ever becomes possible to alter the behavior of the
unprivileged process when OpenSSH is using privilege separation, an
attacker may then be able to login without possessing proper
credentials. (CVE-2006-5794)

Please note that this flaw by itself poses no direct threat to OpenSSH
users. Without another security flaw that could allow an attacker to
alter the behavior of OpenSSH's unprivileged process, this flaw cannot
be exploited. There are currently no known flaws to exploit this
behavior. However, we have decided to issue this erratum to fix this
flaw to reduce the security impact if an unprivileged process flaw is
ever found.

Users of openssh should upgrade to these updated packages, which
contain a backported patch to resolve this issue."
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013400.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?951b9942"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013401.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?04866605"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013402.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7111e9ab"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013404.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9cb246f0"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013410.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c4d657f7"
  );
  # https://lists.centos.org/pipermail/centos-announce/2006-November/013411.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?18971c81"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-3", reference:"openssh-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-clients-3.6.1p2-33.30.13")) flag++;
if (rpm_check(release:"CentOS-3", reference:"openssh-server-3.6.1p2-33.30.13")) flag++;

if (rpm_check(release:"CentOS-4", reference:"openssh-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-clients-3.9p1-8.RHEL4.17.1")) flag++;
if (rpm_check(release:"CentOS-4", reference:"openssh-server-3.9p1-8.RHEL4.17.1")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0146. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127415);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-5051",
    "CVE-2006-5794",
    "CVE-2007-3102",
    "CVE-2010-4755",
    "CVE-2010-5107",
    "CVE-2014-2532",
    "CVE-2014-2653",
    "CVE-2014-9278",
    "CVE-2015-5600",
    "CVE-2015-8325",
    "CVE-2016-0777",
    "CVE-2016-1908",
    "CVE-2016-6210"
  );

  script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by
multiple vulnerabilities:

  - scp in OpenSSH 4.2p1 allows attackers to execute
    arbitrary commands via filenames that contain shell
    metacharacters or spaces, which are expanded twice.
    (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH
    protocol, allows remote attackers to cause a denial of
    service (CPU consumption) via an SSH packet that
    contains duplicate blocks, which is not properly handled
    by the CRC compensation attack detector. (CVE-2006-4924)

  - Signal handler race condition in OpenSSH before 4.4
    allows remote attackers to cause a denial of service
    (crash), and possibly execute arbitrary code if GSSAPI
    authentication is enabled, via unspecified vectors that
    lead to a double-free. (CVE-2006-5051)

  - Unspecified vulnerability in the sshd Privilege
    Separation Monitor in OpenSSH before 4.5 causes weaker
    verification that authentication has been successful,
    which might allow attackers to bypass authentication.
    NOTE: as of 20061108, it is believed that this issue is
    only exploitable by leveraging vulnerabilities in the
    unprivileged process, which are not known to exist.
    (CVE-2006-5794)

  - Unspecified vulnerability in the
    linux_audit_record_event function in OpenSSH 4.3p2, as
    used on Fedora Core 6 and possibly other systems, allows
    remote attackers to write arbitrary characters to an
    audit log via a crafted username. NOTE: some of these
    details are obtained from third party information.
    (CVE-2007-3102)

  - The (1) remote_glob function in sftp-glob.c and the (2)
    process_put function in sftp.c in OpenSSH 5.8 and
    earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
    OpenBSD 4.7, and other products, allow remote
    authenticated users to cause a denial of service (CPU
    and memory consumption) via crafted glob expressions
    that do not match any pathnames, as demonstrated by glob
    expressions in SSH_FXP_STAT requests to an sftp daemon,
    a different vulnerability than CVE-2010-2632.
    (CVE-2010-4755)

  - The default configuration of OpenSSH through 6.1
    enforces a fixed time limit between establishing a TCP
    connection and completing a login, which makes it easier
    for remote attackers to cause a denial of service
    (connection-slot exhaustion) by periodically making many
    new TCP connections. (CVE-2010-5107)

  - It was found that OpenSSH did not properly handle
    certain AcceptEnv parameter values with wildcard
    characters. A remote attacker could use this flaw to
    bypass intended environment variable restrictions.
    (CVE-2014-2532)

  - It was discovered that OpenSSH clients did not correctly
    verify DNS SSHFP records. A malicious server could use
    this flaw to force a connecting client to skip the DNS
    SSHFP record check and require the user to perform
    manual host verification of the DNS SSHFP record.
    (CVE-2014-2653)

  - It was found that when OpenSSH was used in a Kerberos
    environment, remote authenticated users were allowed to
    log in as a different user if they were listed in the
    ~/.k5users file of that user, potentially bypassing
    intended authentication restrictions. (CVE-2014-9278)

  - It was discovered that the OpenSSH sshd daemon did not
    check the list of keyboard-interactive authentication
    methods for duplicates. A remote attacker could use this
    flaw to bypass the MaxAuthTries limit, making it easier
    to perform password guessing attacks. (CVE-2015-5600)

  - It was discovered that the OpenSSH sshd daemon fetched
    PAM environment settings before running the login
    program. In configurations with UseLogin=yes and the
    pam_env PAM module configured to read user environment
    settings, a local user could use this flaw to execute
    arbitrary code as root. (CVE-2015-8325)

  - An information leak flaw was found in the way the
    OpenSSH client roaming feature was implemented. A
    malicious server could potentially use this flaw to leak
    portions of memory (possibly including private SSH keys)
    of a successfully authenticated OpenSSH client.
    (CVE-2016-0777)

  - An access flaw was discovered in OpenSSH; the OpenSSH
    client did not correctly handle failures to generate
    authentication cookies for untrusted X11 forwarding. A
    malicious or compromised remote X application could
    possibly use this flaw to establish a trusted connection
    to the local X server, even if only untrusted X11
    forwarding was requested. (CVE-2016-1908)

  - A covert timing channel flaw was found in the way
    OpenSSH handled authentication of non-existent users. A
    remote unauthenticated attacker could possibly use this
    flaw to determine valid user names by measuring the
    timing of server responses. (CVE-2016-6210)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact
ZTE for more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(362, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL MAIN 4.05")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL MAIN 4.05": [
    "openssh-latest-7.9p1-1.el6.cgsl7741",
    "openssh-latest-askpass-7.9p1-1.el6.cgsl7741",
    "openssh-latest-cavs-7.9p1-1.el6.cgsl7741",
    "openssh-latest-clients-7.9p1-1.el6.cgsl7741",
    "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741",
    "openssh-latest-keycat-7.9p1-1.el6.cgsl7741",
    "openssh-latest-ldap-7.9p1-1.el6.cgsl7741",
    "openssh-latest-server-7.9p1-1.el6.cgsl7741"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest");
}

#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2006:204. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(24589);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id("CVE-2006-5794");
  script_bugtraq_id(20956);
  script_xref(name:"MDKSA", value:"2006:204");

  script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2006:204)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A vulnerability in the privilege separation functionality in OpenSSH
was discovered, caused by an incorrect checking for bad signatures in
sshd's privsep monitor. As a result, the monitor and the unprivileged
process can get out sync. The OpenSSH team indicated that this bug is
not known to be exploitable in the abence of additional
vulnerabilities.

Updated packages have been patched to correct this issue, and Mandriva
Linux 2007 has received the latest version of OpenSSH."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.openssh.com/txt/release-4.5"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2006.0", reference:"openssh-4.3p1-0.4.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"openssh-askpass-4.3p1-0.4.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"openssh-askpass-gnome-4.3p1-0.4.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"openssh-clients-4.3p1-0.4.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"openssh-server-4.3p1-0.4.20060mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK2007.0", reference:"openssh-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"openssh-askpass-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"openssh-askpass-common-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"openssh-askpass-gnome-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"openssh-clients-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"openssh-server-4.5p1-0.1mdv2007.0", yank:"mdv")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0036. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127206);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-5051",
    "CVE-2006-5794",
    "CVE-2007-3102",
    "CVE-2010-4755",
    "CVE-2010-5107",
    "CVE-2014-2532"
  );

  script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected
by multiple vulnerabilities:

  - scp in OpenSSH 4.2p1 allows attackers to execute
    arbitrary commands via filenames that contain shell
    metacharacters or spaces, which are expanded twice.
    (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH
    protocol, allows remote attackers to cause a denial of
    service (CPU consumption) via an SSH packet that
    contains duplicate blocks, which is not properly handled
    by the CRC compensation attack detector. (CVE-2006-4924)

  - Signal handler race condition in OpenSSH before 4.4
    allows remote attackers to cause a denial of service
    (crash), and possibly execute arbitrary code if GSSAPI
    authentication is enabled, via unspecified vectors that
    lead to a double-free. (CVE-2006-5051)

  - Unspecified vulnerability in the sshd Privilege
    Separation Monitor in OpenSSH before 4.5 causes weaker
    verification that authentication has been successful,
    which might allow attackers to bypass authentication.
    NOTE: as of 20061108, it is believed that this issue is
    only exploitable by leveraging vulnerabilities in the
    unprivileged process, which are not known to exist.
    (CVE-2006-5794)

  - Unspecified vulnerability in the
    linux_audit_record_event function in OpenSSH 4.3p2, as
    used on Fedora Core 6 and possibly other systems, allows
    remote attackers to write arbitrary characters to an
    audit log via a crafted username. NOTE: some of these
    details are obtained from third party information.
    (CVE-2007-3102)

  - The (1) remote_glob function in sftp-glob.c and the (2)
    process_put function in sftp.c in OpenSSH 5.8 and
    earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
    OpenBSD 4.7, and other products, allow remote
    authenticated users to cause a denial of service (CPU
    and memory consumption) via crafted glob expressions
    that do not match any pathnames, as demonstrated by glob
    expressions in SSH_FXP_STAT requests to an sftp daemon,
    a different vulnerability than CVE-2010-2632.
    (CVE-2010-4755)

  - The default configuration of OpenSSH through 6.1
    enforces a fixed time limit between establishing a TCP
    connection and completing a login, which makes it easier
    for remote attackers to cause a denial of service
    (connection-slot exhaustion) by periodically making many
    new TCP connections. (CVE-2010-5107)

  - It was found that OpenSSH did not properly handle
    certain AcceptEnv parameter values with wildcard
    characters. A remote attacker could use this flaw to
    bypass intended environment variable restrictions.
    (CVE-2014-2532)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0036");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL openssh packages. Note that updated packages may not be available yet. Please contact ZTE
for more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(362, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL CORE 5.04" &&
    release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL CORE 5.04": [
    "openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6"
  ],
  "CGSL MAIN 5.04": [
    "openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
    "pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55992);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/31 17:27:54");

  script_cve_id(
    "CVE-2000-0525",
    "CVE-2000-1169",
    "CVE-2001-0361",
    "CVE-2001-0529",
    "CVE-2001-0572",
    "CVE-2001-0816",
    "CVE-2001-0872",
    "CVE-2001-1380",
    "CVE-2001-1382",
    "CVE-2001-1459",
    "CVE-2001-1507",
    "CVE-2001-1585",
    "CVE-2002-0083",
    "CVE-2002-0575",
    "CVE-2002-0639",
    "CVE-2002-0640",
    "CVE-2002-0765",
    "CVE-2003-0190",
    "CVE-2003-0386",
    "CVE-2003-0682",
    "CVE-2003-0693",
    "CVE-2003-0695",
    "CVE-2003-0786",
    "CVE-2003-0787",
    "CVE-2003-1562",
    "CVE-2004-0175",
    "CVE-2004-1653",
    "CVE-2004-2069",
    "CVE-2004-2760",
    "CVE-2005-2666",
    "CVE-2005-2797",
    "CVE-2005-2798",
    "CVE-2006-0225",
    "CVE-2006-4924",
    "CVE-2006-4925",
    "CVE-2006-5051",
    "CVE-2006-5052",
    "CVE-2006-5229",
    "CVE-2006-5794",
    "CVE-2007-2243",
    "CVE-2007-2768",
    "CVE-2007-3102",
    "CVE-2007-4752",
    "CVE-2008-1483",
    "CVE-2008-1657",
    "CVE-2008-3259",
    "CVE-2008-4109",
    "CVE-2008-5161"
  );
  script_bugtraq_id(32319);
  script_xref(name:"CERT", value:"958563");

  script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
  script_summary(english:"Checks SSH banner");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The SSH service running on the remote host has an information
disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of SunSSH running on the remote host has an information
disclosure vulnerability.  A design flaw in the SSH specification
could allow a man-in-the-middle attacker to recover up to 32 bits of
plaintext from an SSH-protected connection in the standard
configuration.  An attacker could exploit this to gain access to
sensitive information.

Note that this version of SunSSH is also prone to several additional
issues but Nessus did not test for them." );

  # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
  # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
  script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
  script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
  script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# Check that we're using SunSSH.
if ('sun_ssh' >!< tolower(banner))
  exit(0, "The SSH service on port " + port + " is not SunSSH.");

# Check the version in the banner.
match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
if (isnull(match))
  exit(1, "Could not parse the version string from the banner on port " + port + ".");
else
  version = match[1];

# the Oracle (Sun) blog above explains how the versioning works. we could
# probably explicitly check for each vulnerable version if it came down to it
if (
  ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
  version == '1.2'
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 1.1.1 / 1.3\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2006:0738. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(23683);
  script_version ("1.22");
  script_cvs_date("Date: 2019/10/25 13:36:12");

  script_cve_id("CVE-2006-5794");
  script_xref(name:"RHSA", value:"2006:0738");

  script_name(english:"RHEL 3 / 4 : openssh (RHSA-2006:0738)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated openssh packages that fix an authentication flaw are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having low security impact by the Red
Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
package includes the core files necessary for both the OpenSSH client
and server.

An authentication flaw was found in OpenSSH's privilege separation
monitor. If it ever becomes possible to alter the behavior of the
unprivileged process when OpenSSH is using privilege separation, an
attacker may then be able to login without possessing proper
credentials. (CVE-2006-5794)

Please note that this flaw by itself poses no direct threat to OpenSSH
users. Without another security flaw that could allow an attacker to
alter the behavior of OpenSSH's unprivileged process, this flaw cannot
be exploited. There are currently no known flaws to exploit this
behavior. However, we have decided to issue this erratum to fix this
flaw to reduce the security impact if an unprivileged process flaw is
ever found.

Users of openssh should upgrade to these updated packages, which
contain a backported patch to resolve this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-5794"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2006:0738"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/20");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2006:0738";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL3", reference:"openssh-3.6.1p2-33.30.13")) flag++;
  if (rpm_check(release:"RHEL3", reference:"openssh-askpass-3.6.1p2-33.30.13")) flag++;
  if (rpm_check(release:"RHEL3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.13")) flag++;
  if (rpm_check(release:"RHEL3", reference:"openssh-clients-3.6.1p2-33.30.13")) flag++;
  if (rpm_check(release:"RHEL3", reference:"openssh-server-3.6.1p2-33.30.13")) flag++;

  if (rpm_check(release:"RHEL4", reference:"openssh-3.9p1-8.RHEL4.17.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-askpass-3.9p1-8.RHEL4.17.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.17.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-clients-3.9p1-8.RHEL4.17.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-server-3.9p1-8.RHEL4.17.1")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
  }
}