Vulnerabilities > CVE-2008-4109 - Unspecified vulnerability in Openbsd Openssh

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) 
{
  script_id(22466);
  script_version("1.30");
  script_cvs_date("Date: 2018/07/16 14:09:13");

  script_cve_id("CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2007-3102", "CVE-2008-4109");
  script_bugtraq_id(20216, 20241, 20245);

  script_name(english:"OpenSSH < 4.4 Multiple Vulnerabilities");
  script_summary(english:"Checks version number of OpenSSH");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote SSH server is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH installed on the
remote host is affected by multiple vulnerabilities :

  - A race condition exists that may allow an
    unauthenticated, remote attacker to crash the service 
    or, on portable OpenSSH, possibly execute code on the 
    affected host.  Note that successful exploitation 
    requires that GSSAPI authentication be enabled.
    
  - A flaw exists that may allow an attacker to determine 
    the validity of usernames on some platforms. Note that 
    this issue requires that GSSAPI authentication be 
    enabled.

  - When SSH version 1 is used, an issue can be triggered 
    via an SSH packet that contains duplicate blocks that 
    could result in a loss of availability for the service.

  - On Fedora Core 6 (and possibly other systems), an
    unspecified vulnerability in the
    linux_audit_record_event() function allows remote
    attackers to inject incorrect information into
    audit logs.");

  script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.4" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 4.4 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264, 362, 399);
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/28");
  script_set_attribute(attribute:"plugin_type", value: "remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);
  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/"+port);

bp_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

if (!get_kb_item("Settings/PCI_DSS"))
{
  auth = get_kb_item_or_exit("SSH/supportedauth/" + port);
  if ("gssapi" >!< auth) exit(0, "The SSH service on port "+port+" doesn't support GSSAPI.");
}

if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[0-3]([^0-9]|$))")
  security_hole(port);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1638. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34223);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2006-5051", "CVE-2008-4109");
  script_bugtraq_id(20241);
  script_xref(name:"DSA", value:"1638");

  script_name(english:"Debian DSA-1638-1 : openssh - denial of service");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It has been discovered that the signal handler implementing the login
timeout in Debian's version of the OpenSSH server uses functions which
are not async-signal-safe, leading to a denial of service
vulnerability (CVE-2008-4109 ).

The problem was originally corrected in OpenSSH 4.4p1 (CVE-2006-5051
), but the patch backported to the version released with etch was
incorrect.

Systems affected by this issue suffer from lots of zombie sshd
processes. Processes stuck with a '[net]' process title have also been
observed. Over time, a sufficient number of processes may accumulate
such that further login attempts are impossible. Presence of these
processes does not indicate active exploitation of this vulnerability.
It is possible to trigger this denial of service condition by
accident."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498678"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-4109"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2006-5051"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2008/dsa-1638"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the openssh packages.

For the stable distribution (etch), this problem has been fixed in
version 4.3p2-9etch3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264, 362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"openssh-client", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"openssh-server", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-askpass-gnome", reference:"4.3p2-9etch3")) flag++;
if (deb_check(release:"4.0", prefix:"ssh-krb5", reference:"4.3p2-9etch3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34321);
  script_version ("1.17");
  script_cvs_date("Date: 2019/10/25 13:36:33");

  script_cve_id("CVE-2008-4109");

  script_name(english:"SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 5627)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Due to a faulty signal handler repeated login attempts could exhaust
the maximum allowed connections and prevent further logins.
(CVE-2008-4109)

A problem where utmp entries where not deleted when users logged out
was also fixed."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-4109.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5627.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


flag = 0;
if (rpm_check(release:"SLED10", sp:1, reference:"openssh-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLED10", sp:1, reference:"openssh-askpass-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLED10", sp:2, reference:"openssh-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLED10", sp:2, reference:"openssh-askpass-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLES10", sp:1, reference:"openssh-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLES10", sp:1, reference:"openssh-askpass-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLES10", sp:2, reference:"openssh-4.2p1-18.38.3")) flag++;
if (rpm_check(release:"SLES10", sp:2, reference:"openssh-askpass-4.2p1-18.38.3")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");