Vulnerabilities > CVE-2008-1483 - Permissions, Privileges, and Access Controls vulnerability in Openbsd Openssh 4.3P2
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
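The summary above compresses the whole bug into one sentence, so here is the display-selection loop modelled in working code. This is an added illustration written for this page, not OpenSSH's own code: sshd picks a display number N and must listen on TCP port 6000+N on every address family the host has, because a forwarded X client may connect over IPv4 or IPv6. The vulnerable logic accepted a port as soon as any one family bound and exported DISPLAY=:N anyway, which is how a local user holding only the IPv4 side of 6010 ends up receiving other users' X connections; the fix gives the port back unless every family binds. `FakeListener`, `make_fake_binder` and the "occupied" port set are assumptions so the example runs offline with no real sockets; the base port 6000 and the :10 offset are sshd's documented X11 defaults, and the 1000-candidate bound is the value I assume sshd uses.

```python
"""
Model of the X11 display-port selection behind CVE-2008-1483 (added example,
not OpenSSH code). `try_bind` is injected so the logic runs deterministically.
"""
from __future__ import annotations

import socket
from typing import Callable, Iterable, Optional

X11_BASE_PORT = 6000   # display :N is reachable on TCP port 6000 + N
DISPLAY_OFFSET = 10    # sshd's default X11DisplayOffset; first candidate is :10
MAX_DISPLAYS = 1000    # assumed upper bound on candidate displays
INET, INET6 = socket.AF_INET, socket.AF_INET6
DEFAULT_FAMILIES = [INET, INET6]


class FakeListener:
    """Stand-in for a bound listening socket; records whether it was released."""

    def __init__(self, family: int, port: int) -> None:
        self.family, self.port, self.closed = family, port, False

    def close(self) -> None:
        self.closed = True


def make_fake_binder(occupied: set[tuple[int, int]],
                     created: Optional[list[FakeListener]] = None
                     ) -> Callable[[int, int], Optional[FakeListener]]:
    """Return a bind() stand-in that fails for (family, port) pairs in `occupied`.

    `occupied` is constructed input modelling ports that another local process
    (here: the attacker) already holds. `created` collects every listener the
    binder hands out so a caller can check which ones were released.
    """
    def try_bind(family: int, port: int) -> Optional[FakeListener]:
        if (family, port) in occupied:
            return None
        listener = FakeListener(family, port)
        if created is not None:
            created.append(listener)
        return listener
    return try_bind


def pick_display(families: Iterable[int], try_bind, require_all_families: bool):
    """Choose the first display whose port can be bound.

    require_all_families=False reproduces the vulnerable behaviour: a port is
    accepted once at least one family binds. require_all_families=True is the
    fixed behaviour: a port where any family fails is released and skipped, so
    no other local process can own 6000+N on a family sshd does not.
    Returns (display_number, listeners) or (None, []).
    """
    families = list(families)
    for display in range(DISPLAY_OFFSET, DISPLAY_OFFSET + MAX_DISPLAYS):
        port = X11_BASE_PORT + display
        listeners = [l for l in (try_bind(fam, port) for fam in families) if l is not None]
        complete = len(listeners) == len(families)
        if listeners and (complete or not require_all_families):
            return display, listeners
        for l in listeners:          # partial or empty bind: give the port back
            l.close()
    return None, []


def display_env(display: Optional[int]) -> Optional[str]:
    """The DISPLAY value sshd would export for the chosen display."""
    return None if display is None else f":{display}"


if __name__ == "__main__":
    # Constructed scenario from the CVE summary: a local user already listens
    # on TCP 6010 over IPv4 before the victim's X11-forwarded session starts.
    attacker_holds = {(INET, 6010)}
    vuln, _ = pick_display(DEFAULT_FAMILIES, make_fake_binder(attacker_holds), False)
    fixed, _ = pick_display(DEFAULT_FAMILIES, make_fake_binder(attacker_holds), True)
    print(f"vulnerable sshd exports DISPLAY={display_env(vuln)} (IPv4 clients reach the attacker)")
    print(f"fixed sshd exports DISPLAY={display_env(fixed)}")
```

With the attacker holding only (IPv4, 6010), the vulnerable path still returns :10 because the IPv6 bind succeeded, while the fixed path releases that IPv6 listener and moves on to :11. An IPv4-only X client such as the Emacs in the summary then connects to localhost:6010, reaches the attacker's socket, and hands over its MIT-MAGIC-COOKIE-1 in the X connection setup, which is the credential the attacker replays against the real forwarded display.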
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | Openbsd Openssh 4.3P2 | 1
Common Weakness Enumeration (CWE)
- CWE-264: Permissions, Privileges, and Access Controls
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files: An attack of this type exploits a system's configuration that allows an attacker either to directly access an executable file, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems, which have many integration points, are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Blue Boxing: This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal, which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded telco infrastructure and so are vulnerable to blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different from standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation: REST uses the standard HTTP methods (GET, PUT, DELETE) as its permission model, but these are not necessarily correlated with the back-end programs. A strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit the URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges: This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program to get arbitrary code to execute with elevated privileges. For instance, an attacker would look for programs that write to system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.
Nessus
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-2275-1.NASL
description: This update for openssh fixes the following issues:
  Security issues fixed:
  - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370).
  - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message (bsc#1076957).
  - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000).
  - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509).
  Bug fixes:
  - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099)
  - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972)
  - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 111639
published: 2018-08-10
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/111639
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:2275-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(111639);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/10 13:51:48");

  script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
  script_bugtraq_id(28444);

  script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues :

Security issues fixed :

  - CVE-2016-10012: Fix pre-auth compression checks that
    could be optimized away (bsc#1016370).

  - CVE-2016-10708: Fix remote denial of service (NULL
    pointer dereference and daemon crash) via an
    out-of-sequence NEWKEYS message (bsc#1076957).

  - CVE-2017-15906: Fix r/o sftp-server zero byte file
    creation (bsc#1065000).

  - CVE-2008-1483: Fix accidental re-introduction of
    CVE-2008-1483 (bsc#1069509).

Bug fixes :

  - bsc#1017099: Match conditions with uppercase hostnames
    fail (bsc#1017099)

  - bsc#1053972: supportedKeyExchanges
    diffie-hellman-group1-sha1 is duplicated (bsc#1053972)

  - bsc#1023275: Messages suppressed after upgrade from SLES
    11 SP3 to SP4 (bsc#1023275)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2008-1483/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10012/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10708/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15906/");
  # https://www.suse.com/support/update/announcement/2018/suse-su-20182275-1/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?26523b41");
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
slessp4-openssh-13719=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
dbgsp4-openssh-13719=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-36.3.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-36.3.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-36.3.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-36.3.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1576.NASL
description: The recently announced vulnerability in Debian
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 32377
published: 2008-05-19
reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/32377
title: Debian DSA-1576-1 : openssh - predictable random number generator
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1576. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(32377);
  script_version("1.23");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2008-0166");
  script_bugtraq_id(29179);
  script_xref(name:"DSA", value:"1576");

  script_name(english:"Debian DSA-1576-1 : openssh - predictable random number generator");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The recently announced vulnerability in Debian's openssl package
( DSA-1571-1, CVE-2008-0166 ) indirectly affects OpenSSH.

As a result, all user and host keys generated using broken versions of
the openssl package must be considered untrustworthy, even after the
openssl update has been applied.

1. Install the security updates

This update contains a dependency on the openssl update and will
automatically install a corrected version of the libssl0.9.8 package,
and a new package openssh-blacklist.

Once the update is applied, weak user keys will be automatically
rejected where possible (though they cannot be detected in all cases).
If you are using such keys for user authentication, they will
immediately stop working and will need to be replaced (see step 3).

OpenSSH host keys can be automatically regenerated when the OpenSSH
security update is applied. The update will prompt for confirmation
before taking this step.

2. Update OpenSSH known_hosts files

The regeneration of host keys will cause a warning to be displayed
when connecting to the system using SSH until the host key is updated
in the known_hosts file. The warning will look like this :

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be
eavesdropping on you right now (man-in-the-middle attack)! It is also
possible that the RSA host key has just been changed.

In this case, the host key has simply been changed, and you should
update the relevant known_hosts file as indicated in the error
message. It is recommended that you use a trustworthy channel to
exchange the server key. It is found in the file
/etc/ssh/ssh_host_rsa_key.pub on the server; its fingerprint can be
printed using the command :

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

In addition to user-specific known_hosts files, there may be a
system-wide known hosts file /etc/ssh/ssh_known_hosts. This file is
used both by the ssh client and by sshd for the hosts.equiv
functionality. This file needs to be updated as well.

3. Check all OpenSSH user keys

The safest course of action is to regenerate all OpenSSH user keys,
except where it can be established to a high degree of certainty that
the key was generated on an unaffected system.

Check whether your key is affected by running the ssh-vulnkey tool,
included in the security update. By default, ssh-vulnkey will check
the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and
~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys
and ~/.ssh/authorized_keys2), and the system's host keys
(/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).

To check all your own keys, assuming they are in the standard
locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity) :

ssh-vulnkey

To check all keys on your system :

sudo ssh-vulnkey -a

To check a key in a non-standard location :

ssh-vulnkey /path/to/key

If ssh-vulnkey says 'Unknown (no blacklist information)', then it has
no information about whether that key is affected. In this case, you
can examine the modification time (mtime) of the file using 'ls -l'.
Keys generated before September 2006 are not affected. Keep in mind
that, although unlikely, backup procedures may have changed the file
date back in time (or the system clock may have been incorrectly set).
If in doubt, generate a new key and remove the old one from any
servers.

4. Regenerate any affected user keys

OpenSSH keys used for user authentication must be manually
regenerated, including those which may have since been transferred to
a different system after being generated.

New keys can be generated using ssh-keygen, e.g. :

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host

5. Update authorized_keys files (if necessary)

Once the user keys have been regenerated, the relevant public keys
must be propagated to any authorized_keys files (and authorized_keys2
files, if applicable) on remote systems. Be sure to delete the lines
containing old keys from those files.

In addition to countermeasures to mitigate the randomness
vulnerability, this OpenSSH update fixes several other
vulnerabilities :

CVE-2008-1483: Timo Juhani Lindfors discovered that, when using X11
forwarding, the SSH client selects an X11 forwarding port without
ensuring that it can be bound on all address families. If the system
is configured with IPv6 (even if it does not have working IPv6
connectivity), this could allow a local attacker on the remote server
to hijack X11 forwarding.

CVE-2007-4752: Jan Pechanec discovered that ssh falls back to creating
a trusted X11 cookie if creating an untrusted cookie fails,
potentially exposing the local display to a malicious remote server
when using X11 forwarding."
  );
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0166");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-1483");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-4752");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1576");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the openssh packages and take the measures indicated above.

For the stable distribution (etch), these problems have been fixed in
version 4.3p2-9etch1. Currently, only a subset of all supported
architectures have been built; further updates will be provided when
they become available."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(310);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/19");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"4.0", prefix:"openssh-blacklist", reference:"0.1.1")) flag++;
if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch1")) flag++;
if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch1")) flag++;
if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch1")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch1")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200804-03.NASL
description: The remote host is affected by the vulnerability described in GLSA-200804-03 (OpenSSH: Privilege escalation) Two issues have been discovered in OpenSSH: Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH sessions using X11 forwarding even when it cannot bind the X11 server to a local port in all address families (CVE-2008-1483). OpenSSH will execute the contents of the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 31834
published: 2008-04-11
reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/31834
title: GLSA-200804-03 : OpenSSH: Privilege escalation
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200804-03.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(31834);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2008-1483", "CVE-2008-1657");
  script_xref(name:"GLSA", value:"200804-03");

  script_name(english:"GLSA-200804-03 : OpenSSH: Privilege escalation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200804-03
(OpenSSH: Privilege escalation)

    Two issues have been discovered in OpenSSH: Timo Juhani Lindfors
    discovered that OpenSSH sets the DISPLAY variable in SSH sessions
    using X11 forwarding even when it cannot bind the X11 server to a
    local port in all address families (CVE-2008-1483). OpenSSH will
    execute the contents of the '.ssh/rc' file even when the
    'ForceCommand' directive is enabled in the global sshd_config
    (CVE-2008-1657).

Impact :

    A local attacker could exploit the first vulnerability to hijack
    forwarded X11 sessions of other users and possibly execute code
    with their privileges, disclose sensitive data or cause a Denial of
    Service, by binding a local X11 server to a port using only one
    address family. The second vulnerability might allow local
    attackers to bypass intended security restrictions and execute
    commands other than those specified by 'ForceCommand' if they are
    able to write to their home directory.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/200804-03");
  script_set_attribute(
    attribute:"solution",
    value:
"All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.7_p1-r6'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.7_p1-r6"), vulnerable:make_list("lt 4.7_p1-r6"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
}
```
NASL family: SuSE Local Security Checks
NASL id: SUSE_OPENSSH-5148.NASL
description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users (CVE-2008-1483).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 31842
published: 2008-04-11
reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/31842
title: openSUSE 10 Security Update : openssh (openssh-5148)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openssh-5148.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(31842);
  script_version ("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:33");

  script_cve_id("CVE-2008-1483");

  script_name(english:"openSUSE 10 Security Update : openssh (openssh-5148)");
  script_summary(english:"Check for the openssh-5148 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A flaw in the X forwarding code of openssh allowed malicious users to
steal the X access credentials of other users (CVE-2008-1483)."
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.36") ) flag++;
if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.36") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass");
}
```
NASL family: SuSE Local Security Checks
NASL id: SUSE9_12122.NASL
description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users. (CVE-2008-1483)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 41205
published: 2009-09-24
reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/41205
title: SuSE9 Security Update : OpenSSH (YOU Patch Number 12122)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(41205);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/25 13:36:31");

  script_cve_id("CVE-2008-1483");

  script_name(english:"SuSE9 Security Update : OpenSSH (YOU Patch Number 12122)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A flaw in the X forwarding code of openssh allowed malicious users to
steal the X access credentials of other users. (CVE-2008-1483)"
  );
  script_set_attribute(attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2008-1483.html");
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12122.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", reference:"openssh-4.1p1-11.42")) flag++;
if (rpm_check(release:"SUSE9", reference:"openssh-askpass-4.1p1-11.42")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-1351.NASL
description: This update for openssh fixes the following issues : Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen: 2020-06-05
modified: 2017-12-14
plugin id: 105237
published: 2017-12-14
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/105237
title: openSUSE Security Update : openssh (openSUSE-2017-1351)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-1351.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(105237);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2008-1483", "CVE-2017-15906");

  script_name(english:"openSUSE Security Update : openssh (openSUSE-2017-1351)");
  script_summary(english:"Check for the openSUSE-2017-1351 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues :

Security issue fixed :

  - CVE-2017-15906: Stricter checking of operations in
    read-only mode in sftp server (bsc#1065000).

Bug fixes :

  - FIPS: Startup selfchecks (bsc#1068310).

  - FIPS: Silent complaints about unsupported key exchange
    methods (bsc#1006166).

  - Refine handling of sockets for X11 forwarding to remove
    reintroduced CVE-2008-1483 (bsc#1069509).

  - Test configuration before running daemon to prevent
    looping resulting in service shutdown (bsc#1048367)

This update was imported from the SUSE:SLE-12-SP2:Update update
project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1006166"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1048367"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1065000"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1068310"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1069509"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.2", reference:"openssh-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-cavs-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-cavs-debuginfo-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-debuginfo-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-debugsource-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-fips-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-debuginfo-7.2p2-11.6.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-debuginfo-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-debuginfo-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-debugsource-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-fips-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-7.2p2-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-debuginfo-7.2p2-15.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
}
```
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-597-1.NASL
description: Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 31784
published: 2008-04-04
reporter: Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/31784
title: Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-597-1)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-597-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(31784);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:33:02");

  script_cve_id("CVE-2008-1483");
  script_bugtraq_id(28444);
  script_xref(name:"USN", value:"597-1");

  script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-597-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Timo Juhani Lindfors discovered that the OpenSSH client, when port
forwarding was requested, would listen on any available address
family. A local attacker could exploit this flaw on systems with IPv6
enabled to hijack connections, including X11 forwards.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/597-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-krb5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(6\.06|6\.10|7\.04|7\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04 / 7.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"6.06", pkgname:"openssh-client", pkgver:"1:4.2p1-7ubuntu3.3")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"openssh-server", pkgver:"4.2p1-7ubuntu3.3")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"ssh", pkgver:"4.2p1-7ubuntu3.3")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"ssh-askpass-gnome", pkgver:"4.2p1-7ubuntu3.3")) flag++;
if (ubuntu_check(osver:"6.10", pkgname:"openssh-client", pkgver:"1:4.3p2-5ubuntu1.2")) flag++;
if (ubuntu_check(osver:"6.10", pkgname:"openssh-server", pkgver:"4.3p2-5ubuntu1.2")) flag++;
if (ubuntu_check(osver:"6.10", pkgname:"ssh", pkgver:"4.3p2-5ubuntu1.2")) flag++;
if (ubuntu_check(osver:"6.10", pkgname:"ssh-askpass-gnome", pkgver:"4.3p2-5ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.04", pkgname:"openssh-client", pkgver:"1:4.3p2-8ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.04", pkgname:"openssh-server", pkgver:"4.3p2-8ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.04", pkgname:"ssh", pkgver:"4.3p2-8ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.04", pkgname:"ssh-askpass-gnome", pkgver:"4.3p2-8ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.04", pkgname:"ssh-krb5", pkgver:"4.3p2-8ubuntu1.2")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"openssh-client", pkgver:"1:4.6p1-5ubuntu0.2")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"openssh-server", pkgver:"4.6p1-5ubuntu0.2")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"ssh", pkgver:"4.6p1-5ubuntu0.2")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"ssh-askpass-gnome", pkgver:"4.6p1-5ubuntu0.2")) flag++;
if (ubuntu_check(osver:"7.10", pkgname:"ssh-krb5", pkgver:"4.6p1-5ubuntu0.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-client / openssh-server / ssh / ssh-askpass-gnome / etc");
}
```
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-3230-1.NASL
description: This update for openssh fixes the following issues: Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 105093
published: 2017-12-08
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/105093
title: SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2017:3230-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(105093);
  script_version("3.7");
  script_cvs_date("Date: 2019/09/11 11:22:16");

  script_cve_id("CVE-2008-1483", "CVE-2017-15906");
  script_bugtraq_id(28444);

  script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues:

Security issue fixed :

  - CVE-2017-15906: Stricter checking of operations in
    read-only mode in sftp server (bsc#1065000).

Bug fixes :

  - FIPS: Startup selfchecks (bsc#1068310).

  - FIPS: Silent complaints about unsupported key exchange
    methods (bsc#1006166).

  - Refine handling of sockets for X11 forwarding to remove
    reintroduced CVE-2008-1483 (bsc#1069509).

  - Test configuration before running daemon to prevent
    looping resulting in service shutdown (bsc#1048367)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1006166"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1048367"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1068310"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2008-1483/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15906/"
  );
  # https://www.suse.com/support/update/announcement/2017/suse-su-20173230-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4b96b981"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
patch SUSE-SLE-RPI-12-SP2-2017-2009=1

SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
SUSE-SLE-SERVER-12-SP3-2017-2009=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
SUSE-SLE-SERVER-12-SP2-2017-2009=1

SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP3-2017-2009=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP2-2017-2009=1

SUSE Container as a Service Platform ALL:zypper in -t patch
SUSE-CAASP-ALL-2017-2009=1

OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-2009=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2/3", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2/3", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-fips-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-fips-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
```
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-527.NASL
description: Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19990
published: 2005-10-11
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/19990
title: RHEL 4 : openssh (RHSA-2005:527)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:527. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(19990);
  script_version ("1.23");
  script_cvs_date("Date: 2019/10/25 13:36:11");

  script_cve_id("CVE-2005-2798", "CVE-2008-1483");
  script_xref(name:"RHSA", value:"2005:527");

  script_name(english:"RHEL 4 : openssh (RHSA-2005:527)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated openssh packages that fix a security issue, bugs, and add
support for recording login user IDs for audit are now available for
Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.

An error in the way OpenSSH handled GSSAPI credential delegation was
discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4
contains support for GSSAPI user authentication, typically used for
supporting Kerberos. On OpenSSH installations which have GSSAPI
enabled, this flaw could allow a user who successfully authenticates
using a method other than GSSAPI to be delegated with GSSAPI
credentials. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-2798 to this issue.

Additionally, the following bugs have been addressed :

The ssh command incorrectly failed when it was issued by the root user
with a non-default group set.

The sshd daemon could fail to properly close the client connection if
multiple X clients were forwarded over the connection and the client
session exited.

The sshd daemon could bind only on the IPv6 address family for X
forwarding if the port on IPv4 address family was already bound. The X
forwarding did not work in such cases.

This update also adds support for recording login user IDs for the
auditing service. The user ID is attached to the audit records
generated from the user's session.

All users of openssh should upgrade to these updated packages, which
contain backported patches to resolve these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-2798"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2008-1483"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:527"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:527";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL4", reference:"openssh-3.9p1-8.RHEL4.9")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-askpass-3.9p1-8.RHEL4.9")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.9")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-clients-3.9p1-8.RHEL4.9")) flag++;
  if (rpm_check(release:"RHEL4", reference:"openssh-server-3.9p1-8.RHEL4.9")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
  }
}
```
NASL family | SuSE Local Security Checks |
NASL id | SUSE_OPENSSH-5122.NASL |
description | A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users. (CVE-2008-1483) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31841 |
published | 2008-04-11 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31841 |
title | SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 5122) |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2008-095-01.NASL |
description | New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix a security issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31801 |
published | 2008-04-11 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31801 |
title | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2008-095-01) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2018-2685-1.NASL |
description | This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 117452 |
published | 2018-09-12 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/117452 |
title | SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2008-078.NASL |
description | OpenSSH allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port. The updated packages have been patched to prevent this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 36879 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/36879 |
title | Mandriva Linux Security Advisory : openssh (MDVSA-2008:078) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SECUPD2008-006.NASL |
description | The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. This update contains security fixes for a number of programs. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34210 |
published | 2008-09-16 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34210 |
title | Mac OS X Multiple Vulnerabilities (Security Update 2008-006) |

NASL family | Misc. |
NASL id | OPENSSH_50.NASL |
description | According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31737 |
published | 2008-04-03 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31737 |
title | OpenSSH X11 Forwarding Session Hijacking |

NASL family | Misc. |
NASL id | SUNSSH_PLAINTEXT_RECOVERY.NASL |
description | The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 55992 |
published | 2011-08-29 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/55992 |
title | SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_OPENSSH-5149.NASL |
description | A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users (CVE-2008-1483). Due to another flaw users could bypass the option |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31843 |
published | 2008-04-11 |
reporter | This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31843 |
title | openSUSE 10 Security Update : openssh (openssh-5149) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2005-527.NASL |
description | Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67028 |
published | 2013-06-29 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/67028 |
title | CentOS 4 : openssh (CESA-2005:527) |

NASL family | Misc. |
NASL id | ATTACHMATE_REFLECTION_70_SP1.NASL |
description | The version of Attachmate Reflection for Secure IT UNIX server installed on the remote host is less than 7.0 SP1 and thus reportedly affected by several issues : - There is an inherited vulnerability in OpenSSL when parsing malformed ASN.1 structures leading to a denial of service vulnerability (CVE-2006-2937). - There is an inherited vulnerability in OpenSSL when parsing parasitic public keys leading to a denial of service vulnerability (CVE-2006-2940). - There is an inherited vulnerability in OpenSSL when performing Montgomery multiplication, leading to a side-channel attack vulnerability (CVE-2007-3108). - There is an inherited vulnerability in OpenSSH with the execution of the ~/.ssh2/rc session file (CVE-2008-1657). - There is an issue with the security of forwarded X11 connections, leading to possible hijacking. (CVE-2008-1483) - There are multiple unspecified other vulnerabilities. (CVE-2008-6021) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 33948 |
published | 2008-08-20 |
reporter | This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/33948 |
title | Attachmate Reflection for Secure IT UNIX server < 7.0 SP1 Multiple Vulnerabilities |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_5_5.NASL |
description | The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. Mac OS X 10.5.5 contains security fixes for a number of programs. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 34211 |
published | 2008-09-16 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/34211 |
title | Mac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities |

NASL family | AIX Local Security Checks |
NASL id | AIX_SSH_ADVISORY.NASL |
description | The version of OpenSSH running on the remote host is affected by the following vulnerabilities : - OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. (CVE-2008-1483) - OpenSSH before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. (CVE-2008-1657) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 73565 |
published | 2014-04-16 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/73565 |
title | AIX OpenSSH Advisory : ssh_advisory.asc |
Oval
accepted | 2008-10-06T04:00:20.232-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. |
family | unix |
id | oval:org.mitre.oval:def:6085 |
status | accepted |
submitted | 2008-08-25T11:33:40.000-04:00 |
title | Security Vulnerability in Solaris SSH May Allow Unauthorized Access to X11 Sessions |
version | 35 |
Redhat
rpms | |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 28444
CVE(CAN) ID: CVE-2008-1483

OpenSSH is an open-source implementation of the SSH protocol. It was originally written for the OpenBSD platform and has since been ported to many Unix/Linux operating systems.

When a user logs in over SSH with X11 forwarding enabled, sshd(8) does not correctly handle the case where it fails to bind the IPv4 port but succeeds in binding the IPv6 port. In that situation, X11 clients connect to the IPv4 port even though sshd(8) has not bound it, so the connection cannot be forwarded securely.

A malicious user can listen for X11 connections on an unused IPv4 port (such as TCP port 6010). When an unsuspecting user logs in and creates an X11 forward, the malicious user can capture all X11 data sent through that port, which may disclose sensitive information or allow commands to be executed with the privileges of the user who is using X11 forwarding.

OpenSSH <= 4.3p2

Temporary workarounds:
* Disable IPv6 support in the sshd(8) daemon by setting the AddressFamily inet option in /etc/ssh/sshd_config.
* Disable X11 forwarding support in the sshd(8) daemon by setting the X11Forwarding no option in /etc/ssh/sshd_config.

Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-08:05) and the corresponding patch:

FreeBSD-SA-08:05: OpenSSH X11-forwarding privilege escalation
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-08:05.openssh.asc

Patch download:
Perform one of the following steps:

1) Upgrade the vulnerable system to 5-STABLE, 6-STABLE or 7-STABLE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1 or RELENG_5_5 security branch dated after the correction date.

2) Patch the current system:
The following patch has been verified to apply to FreeBSD 5.5, 6.1, 6.2, 6.3 and 7.0 systems.

a) Download the relevant patch from the location below and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.

OpenSSH
-------
The vendor has released an updated patch to fix this security issue; download it from the vendor's home page:
http://www.openbsd.org/errata41.html
http://www.openbsd.org/errata42.html
http://www.openbsd.org/errata43.html

Gentoo
------
Gentoo has released a security advisory (GLSA-200804-03) and the corresponding patch:

GLSA-200804-03: OpenSSH: Privilege escalation
Link: http://security.gentoo.org/glsa/glsa-200804-03.xml

All OpenSSH users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6" |
id | SSV:3188 |
last seen | 2017-11-19 |
modified | 2008-04-18 |
published | 2008-04-18 |
reporter | Root |
title | OpenSSH X Connection Session Hijacking Vulnerability |
Statements
contributor | Mark J Cox |
lastmodified | 2010-03-19 |
organization | Red Hat |
statement | All openssh versions shipped in Red Hat Enterprise Linux 5 include the patch for this issue. This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2005-527.html Red Hat Enterprise Linux 3 is affected by this issue. The Red Hat Security Response Team has rated this issue as having low security impact. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1483 |
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-005.txt.asc
- http://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01462841
- http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00007.html
- http://secunia.com/advisories/29522
- http://secunia.com/advisories/29537
- http://secunia.com/advisories/29554
- http://secunia.com/advisories/29626
- http://secunia.com/advisories/29676
- http://secunia.com/advisories/29683
- http://secunia.com/advisories/29686
- http://secunia.com/advisories/29721
- http://secunia.com/advisories/29735
- http://secunia.com/advisories/29873
- http://secunia.com/advisories/29939
- http://secunia.com/advisories/30086
- http://secunia.com/advisories/30230
- http://secunia.com/advisories/30249
- http://secunia.com/advisories/30347
- http://secunia.com/advisories/30361
- http://secunia.com/advisories/31531
- http://secunia.com/advisories/31882
- http://security.FreeBSD.org/advisories/FreeBSD-SA-08:05.openssh.asc
- http://sourceforge.net/project/shownotes.php?release_id=590180&group_id=69227
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-237444-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1019235.1-1
- http://support.attachmate.com/techdocs/2374.html
- http://support.avaya.com/elmodocs2/security/ASA-2008-205.htm
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2008-1483
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0120
- http://www.debian.org/security/2008/dsa-1576
- http://www.gentoo.org/security/en/glsa/glsa-200804-03.xml
- http://www.globus.org/mail_archive/security-announce/2008/04/msg00000.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:078
- http://www.securityfocus.com/archive/1/490054/100/0/threaded
- http://www.securityfocus.com/bid/28444
- http://www.securitytracker.com/id?1019707
- http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.540188
- http://www.us-cert.gov/cas/techalerts/TA08-260A.html
- http://www.vupen.com/english/advisories/2008/0994/references
- http://www.vupen.com/english/advisories/2008/1123/references
- http://www.vupen.com/english/advisories/2008/1124/references
- http://www.vupen.com/english/advisories/2008/1448/references
- http://www.vupen.com/english/advisories/2008/1526/references
- http://www.vupen.com/english/advisories/2008/1624/references
- http://www.vupen.com/english/advisories/2008/1630/references
- http://www.vupen.com/english/advisories/2008/2396
- http://www.vupen.com/english/advisories/2008/2584
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41438
- https://issues.rpath.com/browse/RPL-2397
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6085
- https://usn.ubuntu.com/597-1/