CVE-2008-1483 - Permissions, Privileges, and Access Controls vulnerability in OpenBSD OpenSSH 4.3p2

CVSS 6.9 - MEDIUM
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, openbsd, CWE-264, nessus

Summary

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
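The advisories quoted below describe the defect as the ssh client selecting an X11 forwarding port without ensuring it can be bound on all address families. The following is an added example (not OpenSSH's own code) of a display chooser that applies the fixed rule: a display is accepted only when its port can be held on every address family the host supports, so a port already owned by another local process in either family is skipped. The function names, the two-entry family list and the display range are assumptions.

```c
/* Added example (not OpenSSH's own code). X11 display N listens on TCP port
 * 6000 + N. CVE-2008-1483: the client accepted a display whose port bound on
 * only one address family, so a local user already listening on that port in
 * the other family received the forwarded X connections. require_all = 1 is
 * the fixed rule (every supported family must bind); require_all = 0 keeps
 * the pre-fix rule for comparison. Names and the family list are assumed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define X11_BASE_PORT 6000
#define X11_MAX_FAMILIES 2

struct x11_listener {
    int fds[X11_MAX_FAMILIES];   /* bound listening sockets, one per family */
    int nfds;
};

static void x11_close_listeners(struct x11_listener *l)
{
    for (int i = 0; i < l->nfds; i++)
        close(l->fds[i]);
    l->nfds = 0;
}

static int close_keep_errno(int s)
{
    int saved = errno;
    close(s);
    errno = saved;
    return -1;
}

/* Bind and listen on the wildcard address of `family` for `port`.
 * Returns the socket, or -1 with errno saying why this family failed. */
static int bind_listener(int family, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int on = 1;
    int s = socket(family, SOCK_STREAM, 0);
    if (s < 0)
        return -1;                       /* EAFNOSUPPORT: host lacks the family */
    memset(&ss, 0, sizeof ss);
    if (family == AF_INET6) {
        struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
        /* v6-only, so this socket does not also claim the v4 port and both probes can be held */
        if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on) < 0)
            return close_keep_errno(s);
        a6->sin6_family = AF_INET6;
        a6->sin6_addr = in6addr_any;
        a6->sin6_port = htons(port);
        len = sizeof *a6;
    } else {
        struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
        a4->sin_family = AF_INET;
        a4->sin_addr.s_addr = htonl(INADDR_ANY);
        a4->sin_port = htons(port);
        len = sizeof *a4;
    }
    if (bind(s, (struct sockaddr *)&ss, len) < 0 || listen(s, 5) < 0)
        return close_keep_errno(s);
    return s;
}

/* Try to hold port 6000+display on every family. With require_all, a family
 * that exists but whose port is already taken makes the whole display
 * unusable (the fix); without it, one bound family is enough (the bug). */
static int x11_open_display(int display, int require_all, struct x11_listener *out)
{
    static const int families[X11_MAX_FAMILIES] = { AF_INET, AF_INET6 };
    unsigned short port = (unsigned short)(X11_BASE_PORT + display);
    out->nfds = 0;
    for (int i = 0; i < X11_MAX_FAMILIES; i++) {
        int fd = bind_listener(families[i], port);
        if (fd >= 0) {
            out->fds[out->nfds++] = fd;
            continue;
        }
        if (errno == EAFNOSUPPORT || errno == EADDRNOTAVAIL)
            continue;                    /* nobody can listen on this family here */
        if (require_all) {               /* another process owns the port here */
            x11_close_listeners(out);
            return -1;
        }
    }
    return out->nfds > 0 ? 0 : -1;
}

/* First display in [first, first + count) that could be opened; its listeners
 * stay open in *out for the caller. Returns -1 when none qualifies. */
int x11_choose_display(int first, int count, int require_all, struct x11_listener *out)
{
    for (int d = first; d < first + count; d++)
        if (x11_open_display(d, require_all, out) == 0)
            return d;
    return -1;
}
```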

Vulnerable Configurations

Part         Description   Count
Application  Openbsd       1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker either to access an executable file directly, for example through shell access, or, in the worst case, to upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems, which have many integration points, are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, such as causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF, as in http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here (see http://www.gnucitizen.org/blog/danger-danger-danger/). The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal, which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded their telco infrastructure and so are vulnerable to blue boxing. Blue boxing is a result of a failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different from current standard applications like web applications, there are historical lessons to be learned for upgrading the access control of administrative functions.
  • Restful Privilege Elevation
    REST uses the standard HTTP methods (GET, PUT, DELETE) as its permission model, but these are not necessarily correlated with the back-end programs. A strict interpretation of HTTP GET means that GET services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation follows these guidelines, an HTTP request can easily execute a delete or update on the server side. The attacker identifies an HTTP GET URL such as http://victimsite/updateOrder, which calls out to a program to update orders in a database or other resource. The URL is not idempotent, so the request can be submitted multiple times by the attacker; additionally, the attacker may be able to exploit a URL published as a GET method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker tries to leverage a bug in the running program to get arbitrary code to execute with elevated privileges. For instance, an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield a lot of power when they break. The malicious user tries to execute their code at the same level as a privileged system call.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-2275-1.NASL
    description: This update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111639
    published: 2018-08-10
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111639
    title: SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2275-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111639);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
      script_bugtraq_id(28444);
    
      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issues
    fixed :
    
      - CVE-2016-10012: Fix pre-auth compression checks that
        could be optimized away (bsc#1016370).
    
      - CVE-2016-10708: Fix remote denial of service (NULL
        pointer dereference and daemon crash) via an
        out-of-sequence NEWKEYSmessage (bsc#1076957).
    
      - CVE-2017-15906: Fix r/o sftp-server zero byte file
        creation (bsc#1065000).
    
      - CVE-2008-1483: Fix accidental re-introduction of
        CVE-2008-1483 (bsc#1069509). Bug fixes :
    
      - bsc#1017099: Match conditions with uppercase hostnames
        fail (bsc#1017099)
    
      - bsc#1053972: supportedKeyExchanges
        diffie-hellman-group1-sha1 is duplicated (bsc#1053972)
    
      - bsc#1023275: Messages suppressed after upgrade from SLES
        11 SP3 to SP4 (bsc#1023275)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2008-1483/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182275-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?26523b41"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-openssh-13719=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-openssh-13719=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-36.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1576.NASL
    description: The recently announced vulnerability in Debian
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32377
    published: 2008-05-19
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32377
    title: Debian DSA-1576-1 : openssh - predictable random number generator
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1576. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(32377);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2008-0166");
      script_bugtraq_id(29179);
      script_xref(name:"DSA", value:"1576");
    
      script_name(english:"Debian DSA-1576-1 : openssh - predictable random number generator");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The recently announced vulnerability in Debian's openssl package (
    DSA-1571-1, CVE-2008-0166 ) indirectly affects OpenSSH. As a result,
    all user and host keys generated using broken versions of the openssl
    package must be considered untrustworthy, even after the openssl
    update has been applied.
    
    1. Install the security updates
    
    This update contains a dependency on the openssl update and will
    automatically install a corrected version of the libssl0.9.8 package,
    and a new package openssh-blacklist.
    
    Once the update is applied, weak user keys will be automatically
    rejected where possible (though they cannot be detected in all cases).
    If you are using such keys for user authentication, they will
    immediately stop working and will need to be replaced (see step 3).
    
    OpenSSH host keys can be automatically regenerated when the OpenSSH
    security update is applied. The update will prompt for confirmation
    before taking this step.
    
    2. Update OpenSSH known_hosts files
    
    The regeneration of host keys will cause a warning to be displayed
    when connecting to the system using SSH until the host key is updated
    in the known_hosts file. The warning will look like this :
    
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING:
    REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS
    POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be
    eavesdropping on you right now (man-in-the-middle attack)! It is also
    possible that the RSA host key has just been changed.
    
    In this case, the host key has simply been changed, and you should
    update the relevant known_hosts file as indicated in the error
    message. It is recommended that you use a trustworthy channel to
    exchange the server key. It is found in the file
    /etc/ssh/ssh_host_rsa_key.pub on the server; it's fingerprint can be
    printed using the command :
    
    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    
    In addition to user-specific known_hosts files, there may be a
    system-wide known hosts file /etc/ssh/ssh_known_hosts. This is file is
    used both by the ssh client and by sshd for the hosts.equiv
    functionality. This file needs to be updated as well.
    
    3. Check all OpenSSH user keys
    
    The safest course of action is to regenerate all OpenSSH user keys,
    except where it can be established to a high degree of certainty that
    the key was generated on an unaffected system.
    
    Check whether your key is affected by running the ssh-vulnkey tool,
    included in the security update. By default, ssh-vulnkey will check
    the standard location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and
    ~/.ssh/identity), your authorized_keys file (~/.ssh/authorized_keys
    and ~/.ssh/authorized_keys2), and the system's host keys
    (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).
    
    To check all your own keys, assuming they are in the standard
    locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity) :
    
    ssh-vulnkey
    
    To check all keys on your system :
    
    sudo ssh-vulnkey -a
    
    To check a key in a non-standard location :
    
    ssh-vulnkey /path/to/key
    
    If ssh-vulnkey says 'Unknown (no blacklist information)', then it has
    no information about whether that key is affected. In this case, you
    can examine the modification time (mtime) of the file using 'ls -l'.
    Keys generated before September 2006 are not affected. Keep in mind
    that, although unlikely, backup procedures may have changed the file
    date back in time (or the system clock may have been incorrectly set).
    If in doubt, generate a new key and remove the old one from any
    servers.
    
    4. Regenerate any affected user keys
    
    OpenSSH keys used for user authentication must be manually
    regenerated, including those which may have since been transferred to
    a different system after being generated.
    
    New keys can be generated using ssh-keygen, e.g. :
    
        $ ssh-keygen Generating public/private rsa key pair. Enter file in
        which to save the key (/home/user/.ssh/id_rsa): Enter passphrase
        (empty for no passphrase): Enter same passphrase again: Your
        identification has been saved in /home/user/.ssh/id_rsa. Your
        public key has been saved in /home/user/.ssh/id_rsa.pub. The key
        fingerprint is: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
        user@host
    
    5. Update authorized_keys files (if necessary)
    
    Once the user keys have been regenerated, the relevant public keys
    must be propagated to any authorized_keys files (and authorized_keys2
    files, if applicable) on remote systems. Be sure to delete the lines
    containing old keys from those files.
    
    In addition to countermeasures to mitigate the randomness
    vulnerability, this OpenSSH update fixes several other vulnerabilities
    :
    
     CVE-2008-1483: Timo Juhani Lindfors discovered that, when using X11
     forwarding, the SSH client selects an X11 forwarding port without
     ensuring that it can be bound on all address families. If the system
     is configured with IPv6 (even if it does not have working IPv6
     connectivity), this could allow a local attacker on the remote server
     to hijack X11 forwarding.
    
     CVE-2007-4752: Jan Pechanec discovered that ssh falls back to
     creating a trusted X11 cookie if creating an untrusted cookie fails,
     potentially exposing the local display to a malicious remote server
     when using X11 forwarding."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1483"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-4752"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1576"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the openssh packages and take the measures indicated above.
    
    For the stable distribution (etch), these problems have been fixed in
    version 4.3p2-9etch1. Currently, only a subset of all supported
    architectures have been built; further updates will be provided when
    they become available."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/19");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"openssh-blacklist", reference:"0.1.1")) flag++;
    if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200804-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200804-03 (OpenSSH: Privilege escalation) Two issues have been discovered in OpenSSH: Timo Juhani Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH sessions using X11 forwarding even when it cannot bind the X11 server to a local port in all address families (CVE-2008-1483). OpenSSH will execute the contents of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31834
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31834
    title: GLSA-200804-03 : OpenSSH: Privilege escalation
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200804-03.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31834);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2008-1483", "CVE-2008-1657");
      script_xref(name:"GLSA", value:"200804-03");
    
      script_name(english:"GLSA-200804-03 : OpenSSH: Privilege escalation");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200804-03
    (OpenSSH: Privilege escalation)
    
        Two issues have been discovered in OpenSSH:
        Timo Juhani
        Lindfors discovered that OpenSSH sets the DISPLAY variable in SSH
        sessions using X11 forwarding even when it cannot bind the X11 server
        to a local port in all address families (CVE-2008-1483).
        OpenSSH will execute the contents of the '.ssh/rc' file even when
        the 'ForceCommand' directive is enabled in the global sshd_config
        (CVE-2008-1657).
      
    Impact :
    
        A local attacker could exploit the first vulnerability to hijack
        forwarded X11 sessions of other users and possibly execute code with
        their privileges, disclose sensitive data or cause a Denial of Service,
        by binding a local X11 server to a port using only one address family.
        The second vulnerability might allow local attackers to bypass intended
        security restrictions and execute commands other than those specified
        by 'ForceCommand' if they are able to write to their home directory.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200804-03"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenSSH users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.7_p1-r6'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 4.7_p1-r6"), vulnerable:make_list("lt 4.7_p1-r6"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENSSH-5148.NASL
    description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users (CVE-2008-1483).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31842
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31842
    title: openSUSE 10 Security Update : openssh (openssh-5148)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openssh-5148.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31842);
      script_version ("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2008-1483");
    
      script_name(english:"openSUSE 10 Security Update : openssh (openssh-5148)");
      script_summary(english:"Check for the openssh-5148 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw in the X forwarding code of openssh allowed malicious users to
    steal the X access credentials of other users (CVE-2008-1483)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"openssh-4.2p1-18.36") ) flag++;
    if ( rpm_check(release:"SUSE10.1", reference:"openssh-askpass-4.2p1-18.36") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_12122.NASL
    description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users. (CVE-2008-1483)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41205
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41205
    title: SuSE9 Security Update : OpenSSH (YOU Patch Number 12122)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41205);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:31");
    
      script_cve_id("CVE-2008-1483");
    
      script_name(english:"SuSE9 Security Update : OpenSSH (YOU Patch Number 12122)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw in the X forwarding code of openssh allowed malicious users to
    steal the X access credentials of other users. (CVE-2008-1483)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1483.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12122.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"openssh-4.1p1-11.42")) flag++;
    if (rpm_check(release:"SUSE9", reference:"openssh-askpass-4.1p1-11.42")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1351.NASL
    description: This update for openssh fixes the following issues : Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2017-12-14
    plugin id: 105237
    published: 2017-12-14
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/105237
    title: openSUSE Security Update : openssh (openSUSE-2017-1351)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1351.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105237);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2008-1483", "CVE-2017-15906");
    
      script_name(english:"openSUSE Security Update : openssh (openSUSE-2017-1351)");
      script_summary(english:"Check for the openSUSE-2017-1351 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues :
    
    Security issue fixed :
    
      - CVE-2017-15906: Stricter checking of operations in
        read-only mode in sftp server (bsc#1065000).
    
    Bug fixes :
    
      - FIPS: Startup selfchecks (bsc#1068310).
    
      - FIPS: Silent complaints about unsupported key exchange
        methods (bsc#1006166).
    
      - Refine handling of sockets for X11 forwarding to remove
        reintroduced CVE-2008-1483 (bsc#1069509).
    
      - Test configuration before running daemon to prevent
        looping resulting in service shutdown (bsc#1048367)
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1006166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1048367"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1068310"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-cavs-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-cavs-debuginfo-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-debuginfo-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-debugsource-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-fips-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-debuginfo-7.2p2-11.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-debuginfo-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-debuginfo-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-debugsource-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-fips-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-7.2p2-15.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-debuginfo-7.2p2-15.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-597-1.NASL
    description: Timo Juhani Lindfors discovered that the OpenSSH client, when port forwarding was requested, would listen on any available address family. A local attacker could exploit this flaw on systems with IPv6 enabled to hijack connections, including X11 forwards. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31784
    published: 2008-04-04
    reporter: Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31784
    title: Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-597-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-597-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31784);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:33:02");
    
      script_cve_id("CVE-2008-1483");
      script_bugtraq_id(28444);
      script_xref(name:"USN", value:"597-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-597-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Timo Juhani Lindfors discovered that the OpenSSH client, when port
    forwarding was requested, would listen on any available address
    family. A local attacker could exploit this flaw on systems with IPv6
    enabled to hijack connections, including X11 forwards.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/597-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:7.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|6\.10|7\.04|7\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10 / 7.04 / 7.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"openssh-client", pkgver:"1:4.2p1-7ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"openssh-server", pkgver:"4.2p1-7ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"ssh", pkgver:"4.2p1-7ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"ssh-askpass-gnome", pkgver:"4.2p1-7ubuntu3.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"openssh-client", pkgver:"1:4.3p2-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"openssh-server", pkgver:"4.3p2-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"ssh", pkgver:"4.3p2-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"ssh-askpass-gnome", pkgver:"4.3p2-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"openssh-client", pkgver:"1:4.3p2-8ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"openssh-server", pkgver:"4.3p2-8ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"ssh", pkgver:"4.3p2-8ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"ssh-askpass-gnome", pkgver:"4.3p2-8ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.04", pkgname:"ssh-krb5", pkgver:"4.3p2-8ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"openssh-client", pkgver:"1:4.6p1-5ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"openssh-server", pkgver:"4.6p1-5ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"ssh", pkgver:"4.6p1-5ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"ssh-askpass-gnome", pkgver:"4.6p1-5ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"7.10", pkgname:"ssh-krb5", pkgver:"4.6p1-5ubuntu0.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-client / openssh-server / ssh / ssh-askpass-gnome / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-3230-1.NASL
    description: This update for openssh fixes the following issues: Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105093
    published: 2017-12-08
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105093
    title: SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:3230-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105093);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2008-1483", "CVE-2017-15906");
      script_bugtraq_id(28444);
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issue
    fixed :
    
      - CVE-2017-15906: Stricter checking of operations in
        read-only mode in sftp server (bsc#1065000). Bug fixes :
    
      - FIPS: Startup selfchecks (bsc#1068310).
    
      - FIPS: Silent complaints about unsupported key exchange
        methods (bsc#1006166).
    
      - Refine handling of sockets for X11 forwarding to remove
        reintroduced CVE-2008-1483 (bsc#1069509).
    
      - Test configuration before running daemon to prevent
        looping resulting in service shutdown (bsc#1048367)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048367"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068310"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2008-1483/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20173230-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4b96b981"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-2009=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2017-2009=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-2009=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2017-2009=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-2009=1
    
    SUSE Container as a Service Platform ALL:zypper in -t patch
    SUSE-CAASP-ALL-2017-2009=1
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-2009=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2/3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2/3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-fips-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-fips-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.11.3")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.11.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.11.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-527.NASL
    description: Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19990
    published: 2005-10-11
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19990
    title: RHEL 4 : openssh (RHSA-2005:527)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:527. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19990);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-2798", "CVE-2008-1483");
      script_xref(name:"RHSA", value:"2005:527");
    
      script_name(english:"RHEL 4 : openssh (RHSA-2005:527)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages that fix a security issue, bugs, and add
    support for recording login user IDs for audit are now available for
    Red Hat Enterprise Linux 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.
    
    An error in the way OpenSSH handled GSSAPI credential delegation was
    discovered. OpenSSH as distributed with Red Hat Enterprise Linux 4
    contains support for GSSAPI user authentication, typically used for
    supporting Kerberos. On OpenSSH installations which have GSSAPI
    enabled, this flaw could allow a user who successfully authenticates
    using a method other than GSSAPI to be delegated with GSSAPI
    credentials. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-2798 to this issue.
    
    Additionally, the following bugs have been addressed :
    
    The ssh command incorrectly failed when it was issued by the root user
    with a non-default group set.
    
    The sshd daemon could fail to properly close the client connection if
    multiple X clients were forwarded over the connection and the client
    session exited.
    
    The sshd daemon could bind only on the IPv6 address family for X
    forwarding if the port on IPv4 address family was already bound. The X
    forwarding did not work in such cases.
    
    This update also adds support for recording login user IDs for the
    auditing service. The user ID is attached to the audit records
    generated from the user's session.
    
    All users of openssh should upgrade to these updated packages, which
    contain backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2008-1483"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:527"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:527";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"openssh-3.9p1-8.RHEL4.9")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openssh-askpass-3.9p1-8.RHEL4.9")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.9")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openssh-clients-3.9p1-8.RHEL4.9")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openssh-server-3.9p1-8.RHEL4.9")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENSSH-5122.NASL
    description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users. (CVE-2008-1483)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31841
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31841
    title: SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 5122)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2008-095-01.NASL
    description: New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix a security issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31801
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31801
    title: Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2008-095-01)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-2685-1.NASL
    description: This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117452
    published: 2018-09-12
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117452
    title: SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-078.NASL
    description: OpenSSH allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port. The updated packages have been patched to prevent this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36879
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/36879
    title: Mandriva Linux Security Advisory : openssh (MDVSA-2008:078)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2008-006.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have the security update 2008-006 applied. This update contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34210
    published: 2008-09-16
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34210
    title: Mac OS X Multiple Vulnerabilities (Security Update 2008-006)
  • NASL family: Misc.
    NASL id: OPENSSH_50.NASL
    description: According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the corresponding ports on the IPv4 interface are in use.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31737
    published: 2008-04-03
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31737
    title: OpenSSH X11 Forwarding Session Hijacking
  • NASL family: Misc.
    NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
    description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55992
    published: 2011-08-29
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55992
    title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENSSH-5149.NASL
    description: A flaw in the X forwarding code of openssh allowed malicious users to steal the X access credentials of other users (CVE-2008-1483). Due to another flaw users could bypass the option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31843
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31843
    title: openSUSE 10 Security Update : openssh (openssh-5149)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-527.NASL
    description: Updated openssh packages that fix a security issue, bugs, and add support for recording login user IDs for audit are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67028
    published: 2013-06-29
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67028
    title: CentOS 4 : openssh (CESA-2005:527)
  • NASL family: Misc.
    NASL id: ATTACHMATE_REFLECTION_70_SP1.NASL
    description: The version of Attachmate Reflection for Secure IT UNIX server installed on the remote host is less than 7.0 SP1 and thus reportedly affected by several issues : - There is an inherited vulnerability in OpenSSL when parsing malformed ASN.1 structures leading to a denial of service vulnerability (CVE-2006-2937). - There is an inherited vulnerability in OpenSSL when parsing parasitic public keys leading to a denial of service vulnerability (CVE-2006-2940). - There is an inherited vulnerability in OpenSSL when performing Montgomery multiplication, leading to a side-channel attack vulnerability (CVE-2007-3108). - There is an inherited vulnerability in OpenSSH with the execution of the ~/.ssh2/rc session file (CVE-2008-1657). - There is an issue with the security of forwarded X11 connections, leading to possible hijacking. (CVE-2008-1483) - There are multiple unspecified other vulnerabilities. (CVE-2008-6021)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33948
    published: 2008-08-20
    reporter: This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33948
    title: Attachmate Reflection for Secure IT UNIX server < 7.0 SP1 Multiple Vulnerabilities
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_5.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.5. Mac OS X 10.5.5 contains security fixes for a number of programs.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34211
    published: 2008-09-16
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34211
    title: Mac OS X 10.5.x < 10.5.5 Multiple Vulnerabilities
  • NASL family: AIX Local Security Checks
    NASL id: AIX_SSH_ADVISORY.NASL
    description: The version of OpenSSH running on the remote host is affected by the following vulnerabilities : - OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. (CVE-2008-1483) - OpenSSH before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. (CVE-2008-1657)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73565
    published: 2014-04-16
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73565
    title: AIX OpenSSH Advisory : ssh_advisory.asc

Oval

accepted: 2008-10-06T04:00:20.232-04:00
class: vulnerability
contributors
name: Nicholas Hansen
organization: Hewlett-Packard
definition_extensions
  • comment: Solaris 9 (SPARC) is installed
    oval: oval:org.mitre.oval:def:1457
  • comment: Solaris 9 (x86) is installed
    oval: oval:org.mitre.oval:def:1683
  • comment: Solaris 10 (SPARC) is installed
    oval: oval:org.mitre.oval:def:1440
  • comment: Solaris 10 (x86) is installed
    oval: oval:org.mitre.oval:def:1926
description: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
family: unix
id: oval:org.mitre.oval:def:6085
status: accepted
submitted: 2008-08-25T11:33:40.000-04:00
title: Security Vulnerability in Solaris SSH May Allow Unauthorized Access to X11 Sessions
version: 35

Redhat

rpms
  • openssh-0:3.9p1-8.RHEL4.9
  • openssh-askpass-0:3.9p1-8.RHEL4.9
  • openssh-askpass-gnome-0:3.9p1-8.RHEL4.9
  • openssh-clients-0:3.9p1-8.RHEL4.9
  • openssh-debuginfo-0:3.9p1-8.RHEL4.9
  • openssh-server-0:3.9p1-8.RHEL4.9

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 28444
CVE(CAN) ID: CVE-2008-1483

OpenSSH is an open-source implementation of the SSH protocol; it was originally written for the OpenBSD platform and has since been ported to many Unix/Linux-like operating systems.

When a user logs in over SSH with X11 forwarding enabled, sshd(8) did not correctly handle the case where it could not bind the IPv4 port but did succeed in binding the IPv6 port. In that situation X11 clients still connect to the IPv4 port, which sshd(8) has not bound, so the forwarding cannot be carried out securely.

A malicious user can listen for X11 connections on the unused IPv4 port (for example TCP port 6010). When an unsuspecting user logs in and an X11 forwarding is set up, the malicious user can capture all X11 data sent through that port, which may disclose sensitive information or allow commands to be executed with the privileges of the user whose X11 session is forwarded.

OpenSSH <= 4.3p2

Workarounds:
* Disable IPv6 support in the sshd(8) daemon by setting the AddressFamily inet option in /etc/ssh/sshd_config.
* Disable X11 forwarding support in the sshd(8) daemon by setting the X11Forwarding no option in /etc/ssh/sshd_config.

Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-08:05) and a corresponding patch for this issue:
FreeBSD-SA-08:05: OpenSSH X11-forwarding privilege escalation
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-08:05.openssh.asc

Patch download:
Perform one of the following steps:
1) Upgrade the vulnerable system to 5-STABLE, 6-STABLE or 7-STABLE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1 or RELENG_5_5 security branch dated after the correction date.
2) Patch the current system:
The following patch has been verified to apply to FreeBSD 5.5, 6.1, 6.2, 6.3 and 7.0 systems.
a) Download the relevant patch from the location below and verify the detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.

OpenSSH
-------
The vendor has released an updated patch to fix this security issue; download it from the vendor's home page:
http://www.openbsd.org/errata41.html
http://www.openbsd.org/errata42.html
http://www.openbsd.org/errata43.html

Gentoo
------
Gentoo has released a security advisory (GLSA-200804-03) and a corresponding patch for this issue:
GLSA-200804-03: OpenSSH: Privilege escalation
Link: http://security.gentoo.org/glsa/glsa-200804-03.xml
All OpenSSH users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/openssh-4.7_p1-r6"
id: SSV:3188
last seen: 2017-11-19
modified: 2008-04-18
published: 2008-04-18
reporter: Root
title: OpenSSH X Connection Session Hijacking Vulnerability
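Added example (not code from this page's plugins or from OpenSSH itself): the two defender-side checks the entries above describe, the banner test used by OPENSSH_50.NASL (an OpenSSH banner older than 5.0) and a check for the sshd_config workarounds named in the Seebug entry (AddressFamily inet or X11Forwarding no). It assumes sshd_config's first-value-wins semantics and stops at the first Match block; every banner and config text in it is constructed.

```python
"""Defender-side checks for CVE-2008-1483 (OpenSSH X11 forwarding hijack).

Added example; not code from this page's plugins or from OpenSSH.
  * banner_vulnerable(): the OPENSSH_50.NASL logic, OpenSSH banner < 5.0.
    A banner cannot show backported fixes, so for distro builds such as
    openssh-3.9p1-8.RHEL4.9 rely on the package checks instead.
  * sshd_config_mitigated(): is one of the documented workarounds in effect,
    AddressFamily inet or X11Forwarding no?
All banners and config text below are constructed for this example.
"""
import re

_OPENSSH_BANNER = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def banner_vulnerable(banner):
    """True if the banner advertises OpenSSH < 5.0, False if 5.0 or newer,
    None when it is not an OpenSSH banner (nothing to decide)."""
    m = _OPENSSH_BANNER.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))) < (5, 0)


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    sshd keeps the first value it sees for each keyword, keywords are
    case-insensitive, and everything after the first Match line is
    conditional, so parsing stops there. 'key value' and 'key=value' are
    both accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def sshd_config_mitigated(text):
    """Report whether the config carries a workaround for this issue.

    Defaults follow sshd: X11Forwarding no, AddressFamily any.
    """
    s = parse_sshd_config(text)
    x11_on = s.get("x11forwarding", "no").lower() == "yes"
    ipv4_only = s.get("addressfamily", "any").lower() == "inet"
    return {
        "x11_forwarding_enabled": x11_on,
        "ipv4_only": ipv4_only,
        # The hijack needs an X11 listener that sshd bound on IPv6 only;
        # either workaround removes that precondition.
        "mitigated": (not x11_on) or ipv4_only,
    }


# Constructed samples (not captured from any real host).
SAMPLE_BANNERS = {
    "SSH-2.0-OpenSSH_4.3p2 Debian-9": True,
    "SSH-2.0-OpenSSH_5.0": False,
    "SSH-2.0-OpenSSH_7.2p2": False,
    "SSH-2.0-SunSSH_1.1": None,
}
WEAK_CONFIG = "X11Forwarding yes\nAddressFamily any\n"
FIXED_CONFIG = ("# global section\nX11Forwarding yes\nAddressFamily inet\n"
                "Match User alice\n    AddressFamily any\n")  # Match: ignored

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", banner_vulnerable(banner))
    print("weak :", sshd_config_mitigated(WEAK_CONFIG))
    print("fixed:", sshd_config_mitigated(FIXED_CONFIG))
```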

Statements

contributor: Mark J Cox
lastmodified: 2010-03-19
organization: Red Hat
statement: All openssh versions shipped in Red Hat Enterprise Linux 5 include the patch for this issue. This issue was fixed in Red Hat Enterprise Linux 4 via: https://rhn.redhat.com/errata/RHSA-2005-527.html Red Hat Enterprise Linux 3 is affected by this issue. The Red Hat Security Response Team has rated this issue as having low security impact. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1483

References