CVE-2010-4755 - Resource Management Errors vulnerability in multiple products

CVSS 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
network
low complexity
openbsd
freebsd
netbsd
CWE-399
nessus

Summary

The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.

Vulnerable Configurations

Part         Description   Count
Application  Openbsd       179
OS           Freebsd       2
OS           Netbsd        1
OS           Openbsd       1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL
    description: The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127415
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127415
    title: NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0146. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127415);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-5051",
        "CVE-2006-5794",
        "CVE-2007-3102",
        "CVE-2010-4755",
        "CVE-2010-5107",
        "CVE-2014-2532",
        "CVE-2014-2653",
        "CVE-2014-9278",
        "CVE-2015-5600",
        "CVE-2015-8325",
        "CVE-2016-0777",
        "CVE-2016-1908",
        "CVE-2016-6210"
      );
    
      script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by
    multiple vulnerabilities:
    
      - scp in OpenSSH 4.2p1 allows attackers to execute
        arbitrary commands via filenames that contain shell
        metacharacters or spaces, which are expanded twice.
        (CVE-2006-0225)
    
      - sshd in OpenSSH before 4.4, when using the version 1 SSH
        protocol, allows remote attackers to cause a denial of
        service (CPU consumption) via an SSH packet that
        contains duplicate blocks, which is not properly handled
        by the CRC compensation attack detector. (CVE-2006-4924)
    
      - Signal handler race condition in OpenSSH before 4.4
        allows remote attackers to cause a denial of service
        (crash), and possibly execute arbitrary code if GSSAPI
        authentication is enabled, via unspecified vectors that
        lead to a double-free. (CVE-2006-5051)
    
      - Unspecified vulnerability in the sshd Privilege
        Separation Monitor in OpenSSH before 4.5 causes weaker
        verification that authentication has been successful,
        which might allow attackers to bypass authentication.
        NOTE: as of 20061108, it is believed that this issue is
        only exploitable by leveraging vulnerabilities in the
        unprivileged process, which are not known to exist.
        (CVE-2006-5794)
    
      - Unspecified vulnerability in the
        linux_audit_record_event function in OpenSSH 4.3p2, as
        used on Fedora Core 6 and possibly other systems, allows
        remote attackers to write arbitrary characters to an
        audit log via a crafted username. NOTE: some of these
        details are obtained from third party information.
        (CVE-2007-3102)
    
      - The (1) remote_glob function in sftp-glob.c and the (2)
        process_put function in sftp.c in OpenSSH 5.8 and
        earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
        OpenBSD 4.7, and other products, allow remote
        authenticated users to cause a denial of service (CPU
        and memory consumption) via crafted glob expressions
        that do not match any pathnames, as demonstrated by glob
        expressions in SSH_FXP_STAT requests to an sftp daemon,
        a different vulnerability than CVE-2010-2632.
        (CVE-2010-4755)
    
      - The default configuration of OpenSSH through 6.1
        enforces a fixed time limit between establishing a TCP
        connection and completing a login, which makes it easier
        for remote attackers to cause a denial of service
        (connection-slot exhaustion) by periodically making many
        new TCP connections. (CVE-2010-5107)
    
      - It was found that OpenSSH did not properly handle
        certain AcceptEnv parameter values with wildcard
        characters. A remote attacker could use this flaw to
        bypass intended environment variable restrictions.
        (CVE-2014-2532)
    
      - It was discovered that OpenSSH clients did not correctly
        verify DNS SSHFP records. A malicious server could use
        this flaw to force a connecting client to skip the DNS
        SSHFP record check and require the user to perform
        manual host verification of the DNS SSHFP record.
        (CVE-2014-2653)
    
      - It was found that when OpenSSH was used in a Kerberos
        environment, remote authenticated users were allowed to
        log in as a different user if they were listed in the
        ~/.k5users file of that user, potentially bypassing
        intended authentication restrictions. (CVE-2014-9278)
    
      - It was discovered that the OpenSSH sshd daemon did not
        check the list of keyboard-interactive authentication
        methods for duplicates. A remote attacker could use this
        flaw to bypass the MaxAuthTries limit, making it easier
        to perform password guessing attacks. (CVE-2015-5600)
    
      - It was discovered that the OpenSSH sshd daemon fetched
        PAM environment settings before running the login
        program. In configurations with UseLogin=yes and the
        pam_env PAM module configured to read user environment
        settings, a local user could use this flaw to execute
        arbitrary code as root. (CVE-2015-8325)
    
      - An information leak flaw was found in the way the
        OpenSSH client roaming feature was implemented. A
        malicious server could potentially use this flaw to leak
        portions of memory (possibly including private SSH keys)
        of a successfully authenticated OpenSSH client.
        (CVE-2016-0777)
    
      - An access flaw was discovered in OpenSSH; the OpenSSH
        client did not correctly handle failures to generate
        authentication cookies for untrusted X11 forwarding. A
        malicious or compromised remote X application could
        possibly use this flaw to establish a trusted connection
        to the local X server, even if only untrusted X11
        forwarding was requested. (CVE-2016-1908)
    
      - A covert timing channel flaw was found in the way
        OpenSSH handled authentication of non-existent users. A
        remote unauthenticated attacker could possibly use this
        flaw to determine valid user names by measuring the
        timing of server responses. (CVE-2016-6210)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact
    ZTE for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(362, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 4.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 4.05": [
        "openssh-latest-7.9p1-1.el6.cgsl7741",
        "openssh-latest-askpass-7.9p1-1.el6.cgsl7741",
        "openssh-latest-cavs-7.9p1-1.el6.cgsl7741",
        "openssh-latest-clients-7.9p1-1.el6.cgsl7741",
        "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741",
        "openssh-latest-keycat-7.9p1-1.el6.cgsl7741",
        "openssh-latest-ldap-7.9p1-1.el6.cgsl7741",
        "openssh-latest-server-7.9p1-1.el6.cgsl7741"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest");
    }
    
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127206
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127206
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0036. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127206);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-5051",
        "CVE-2006-5794",
        "CVE-2007-3102",
        "CVE-2010-4755",
        "CVE-2010-5107",
        "CVE-2014-2532"
      );
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected
    by multiple vulnerabilities:
    
      - scp in OpenSSH 4.2p1 allows attackers to execute
        arbitrary commands via filenames that contain shell
        metacharacters or spaces, which are expanded twice.
        (CVE-2006-0225)
    
      - sshd in OpenSSH before 4.4, when using the version 1 SSH
        protocol, allows remote attackers to cause a denial of
        service (CPU consumption) via an SSH packet that
        contains duplicate blocks, which is not properly handled
        by the CRC compensation attack detector. (CVE-2006-4924)
    
      - Signal handler race condition in OpenSSH before 4.4
        allows remote attackers to cause a denial of service
        (crash), and possibly execute arbitrary code if GSSAPI
        authentication is enabled, via unspecified vectors that
        lead to a double-free. (CVE-2006-5051)
    
      - Unspecified vulnerability in the sshd Privilege
        Separation Monitor in OpenSSH before 4.5 causes weaker
        verification that authentication has been successful,
        which might allow attackers to bypass authentication.
        NOTE: as of 20061108, it is believed that this issue is
        only exploitable by leveraging vulnerabilities in the
        unprivileged process, which are not known to exist.
        (CVE-2006-5794)
    
      - Unspecified vulnerability in the
        linux_audit_record_event function in OpenSSH 4.3p2, as
        used on Fedora Core 6 and possibly other systems, allows
        remote attackers to write arbitrary characters to an
        audit log via a crafted username. NOTE: some of these
        details are obtained from third party information.
        (CVE-2007-3102)
    
      - The (1) remote_glob function in sftp-glob.c and the (2)
        process_put function in sftp.c in OpenSSH 5.8 and
        earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,
        OpenBSD 4.7, and other products, allow remote
        authenticated users to cause a denial of service (CPU
        and memory consumption) via crafted glob expressions
        that do not match any pathnames, as demonstrated by glob
        expressions in SSH_FXP_STAT requests to an sftp daemon,
        a different vulnerability than CVE-2010-2632.
        (CVE-2010-4755)
    
      - The default configuration of OpenSSH through 6.1
        enforces a fixed time limit between establishing a TCP
        connection and completing a login, which makes it easier
        for remote attackers to cause a denial of service
        (connection-slot exhaustion) by periodically making many
        new TCP connections. (CVE-2010-5107)
    
      - It was found that OpenSSH did not properly handle
        certain AcceptEnv parameter values with wildcard
        characters. A remote attacker could use this flaw to
        bypass intended environment variable restrictions.
        (CVE-2014-2532)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0036");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL openssh packages. Note that updated packages may not be available yet. Please contact ZTE
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(362, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6"
      ],
      "CGSL MAIN 5.04": [
        "openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6",
        "pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201405-06.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201405-06 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, or bypass environment restrictions. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73958
    published: 2014-05-12
    reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73958
    title: GLSA-201405-06 : OpenSSH: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201405-06.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73958);
      script_version("1.12");
      script_cvs_date("Date: 2018/07/13 15:08:46");
    
      script_cve_id("CVE-2008-5161", "CVE-2010-4478", "CVE-2010-4755", "CVE-2010-5107", "CVE-2011-5000", "CVE-2012-0814", "CVE-2014-2532");
      script_bugtraq_id(32319, 45304, 51702, 54114, 58162, 66355);
      script_xref(name:"GLSA", value:"201405-06");
    
      script_name(english:"GLSA-201405-06 : OpenSSH: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201405-06
    (OpenSSH: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in OpenSSH. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could execute arbitrary code, cause a Denial of
          Service condition, obtain sensitive information, or bypass environment
          restrictions.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201405-06"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenSSH users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-misc/openssh-6.6_p1-r1'
        NOTE: One or more of the issues described in this advisory have been
          fixed in previous updates. They are included in this advisory for the
          sake of completeness. It is likely that your system is already no longer
          affected by them."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 6.6_p1-r1"), vulnerable:make_list("lt 6.6_p1-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
    }
    
  • NASL family: Denial of Service
    NASL id: OPENSSH_59.NASL
    description: According to its banner, the version of OpenSSH running on the remote host is prior to version 5.9. Such versions are affected by multiple denial of service vulnerabilities : - A denial of service vulnerability exists in the gss-serv.c
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17703
    published: 2011-11-18
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/17703
    title: OpenSSH < 5.9 Multiple DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17703);
      script_version("1.7");
      script_cvs_date("Date: 2018/07/16 14:09:13");
    
      script_cve_id("CVE-2010-4755","CVE-2011-5000");
      script_bugtraq_id(54114, 68757);
    
      script_name(english:"OpenSSH < 5.9 Multiple DoS");
      script_summary(english:"Checks OpenSSH banner version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The SSH server on the remote host has multiple denial of service
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH running on the remote
    host is prior to version 5.9. Such versions are affected by multiple
    denial of service vulnerabilities :
    
      - A denial of service vulnerability exists in the
        gss-serv.c 'ssh_gssapi_parse_ename' function. If
        gssapi-with-mic authentication is enabled, a remote
        attacker may be able to trigger a denial of service
        condition via a large value in a certain length field.
        (CVE-2011-5000)

      - On FreeBSD, NetBSD, OpenBSD, and other products, a
        remote, authenticated attacker could exploit the
        remote_glob() and process_put() functions with crafted
        glob expressions that match no pathnames (for example in
        SSH_FXP_STAT requests to the sftp daemon) to cause a
        denial of service (CPU and memory consumption).
        (CVE-2010-4755)");
      script_set_attribute(attribute:"see_also", value:"http://cxsecurity.com/research/89");
      script_set_attribute(attribute:"see_also", value:"http://site.pi3.com.pl/adv/ssh_1.txt");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 5.9 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/07/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Denial of Service");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_keys("Settings/PCI_DSS");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # OpenSSH is only affected on certain OSes, and the banner alone cannot tell
    # which OS the server runs on. To avoid false positives the check is therefore
    # restricted to PCI-DSS compliance scans, where banner-based findings are reported regardless.
    if (!get_kb_item("Settings/PCI_DSS")) exit(0, "PCI-DSS compliance checking is not enabled.");
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    
    # Check the version in the backported banner.
    match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+".");
    version = match[1];
    
    
    if (
      version =~ "^[0-4]\." ||
      version =~ "^5\.[0-8]($|[^0-9])")
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 5.9\n';
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else exit(0, "The OpenSSH version "+version+" server listening on port "+port+" is not affected.");
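
The plugin above reaches its verdict purely from the SSH identification banner, and it deliberately gives up (exit(1)) when the banner looks like a distribution build, because vendors backport fixes without changing the upstream version string. As an added example (not Tenable's plugin code), the Python below makes the same three-way decision over constructed banners: vulnerable, not affected, or undecidable because of a probable backport. The vendor-tag list used to detect backports is an illustrative assumption and does not reproduce what the plugin's backport.inc does.

```python
"""Banner-based OpenSSH < 5.9 check (added example, not Tenable's plugin code)."""
import re

# First upstream release carrying the fixes the plugin above checks for.
FIXED_VERSION = (5, 9)

# Matches "OpenSSH_5.8p1", "OpenSSH-5.9", "OpenSSH_6.6.1p1". Major.minor is all the
# < 5.9 comparison needs; the portable "pN" suffix is captured only for reporting.
_VERSION_RE = re.compile(r"openssh[-_](\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?", re.IGNORECASE)

# Assumption: vendor tags that usually mean a distribution build whose fixes may
# have been backported without bumping the upstream version. Illustrative only;
# the plugin's backport.inc uses its own rules.
_BACKPORT_HINTS = ("debian", "ubuntu", "freebsd", "netbsd")


def parse_banner(banner: str) -> dict:
    """Extract the OpenSSH version and trailing vendor string from an SSH banner."""
    text = banner.strip()
    m = _VERSION_RE.search(text)
    if m is None:
        return {"is_openssh": False}
    major, minor, patch = int(m.group(1)), int(m.group(2)), m.group(3)
    return {
        "is_openssh": True,
        "version": f"{major}.{minor}" + (f"p{patch}" if patch else ""),
        "tuple": (major, minor),
        "vendor": text[m.end():].strip(),
    }


def assess_banner(banner: str) -> dict:
    """Classify a banner: not_openssh, backported (undecidable), vulnerable, not_affected."""
    info = parse_banner(banner)
    if not info["is_openssh"]:
        return {"verdict": "not_openssh", "banner": banner}
    vendor = info["vendor"].lower()
    if any(hint in vendor for hint in _BACKPORT_HINTS):
        # Same reasoning as the plugin's exit(1): the version string cannot be
        # trusted, so report "undecidable" instead of a likely false positive.
        return {"verdict": "backported", "installed": info["version"], "vendor": info["vendor"]}
    if info["tuple"] < FIXED_VERSION:
        return {"verdict": "vulnerable", "installed": info["version"], "fixed": "5.9"}
    return {"verdict": "not_affected", "installed": info["version"], "fixed": "5.9"}


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for b in ("SSH-2.0-OpenSSH_5.8p1", "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7",
              "SSH-2.0-OpenSSH_6.6.1p1", "SSH-2.0-dropbear_2012.55"):
        print(f"{b:45} -> {assess_banner(b)['verdict']}")
```

A "backported" verdict is the honest answer for a banner-only check; confirming such a host needs a local package check like the Gentoo plugin above, not a stricter regex.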
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/101052/libcglob3-exhaust.txt
id: PACKETSTORM:101052
last seen: 2016-12-05
published: 2011-05-03
reporter: Maksymilian Arciemowicz
source: https://packetstormsecurity.com/files/101052/Multiple-Vendors-libc-glob-3-GLOB_BRACE-GLOB_LIMIT-Memory-Exhaustion.html
title: Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT Memory Exhaustion
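
The Packetstorm advisory above and the CVE summary describe the same failure mode: brace and wildcard expansion that grows faster than anything bounds it, so a glob expression that ends up matching no pathname still costs CPU and memory proportional to its expansion. As an added illustration (not OpenSSH's sftp-glob.c, sftp.c, or any libc's glob(3)), the Python below implements csh-style {a,b} brace expansion with an explicit cap in the spirit of GLOB_LIMIT, and shows that a bounded expander refuses a chained {a,b} pattern after a fixed amount of work instead of after exhausting memory. The limit values, the directory listing and the patterns are constructed for the example.

```python
"""Bounded glob brace expansion (added example; not OpenSSH or libc code)."""
from fnmatch import fnmatch
from typing import List, Optional


class GlobLimitExceeded(Exception):
    """The pattern would expand into more alternatives than the caller allows."""


def _first_group(pattern: str):
    """Return (start, end) indices of the first top-level {...} group, or None."""
    depth, start = 0, -1
    for i, ch in enumerate(pattern):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                return start, i
    return None


def _split_alternatives(body: str) -> List[str]:
    """Split 'a,{b,c},d' on top-level commas only, keeping nested groups intact."""
    parts, current, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def expand_braces(pattern: str, limit: int, _out: Optional[List[str]] = None) -> List[str]:
    """Expand {a,b} alternatives, raising as soon as more than `limit` results exist.

    The check runs on every append, so the work done before refusing is bounded
    by `limit` however many groups the pattern chains. Simplification: a group
    without a comma ({x}) is expanded as one alternative; real glob(3)
    implementations keep such braces literally.
    """
    out = [] if _out is None else _out
    group = _first_group(pattern)
    if group is None:
        out.append(pattern)
        if len(out) > limit:
            raise GlobLimitExceeded(f"expansion exceeds {limit} patterns")
        return out
    start, end = group
    prefix, body, suffix = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    for alternative in _split_alternatives(body):
        expand_braces(prefix + alternative + suffix, limit, out)
    return out


def bounded_expansion_count(pattern: str, limit: int) -> Optional[int]:
    """Number of expansions, or None when the limit stopped the expansion early."""
    try:
        return len(expand_braces(pattern, limit))
    except GlobLimitExceeded:
        return None


def glob_match(pattern: str, names: List[str], limit: int) -> List[str]:
    """Expand, then match every alternative against `names` (a stand-in for a
    directory listing). A pattern that matches nothing still pays for its full
    expansion, which is why the bound must apply before matching, not after."""
    expansions = expand_braces(pattern, limit)
    return sorted({n for n in names for e in expansions if fnmatch(n, e)})


if __name__ == "__main__":
    # Constructed directory listing, not taken from a real host.
    listing = ["README", "notes.txt", "server.log", "id_rsa.pub"]
    print(glob_match("*.{txt,log,md}", listing, limit=1000))
    # Each chained {a,b} doubles the expansion: 2**20 alternatives for 20 groups.
    for groups in (5, 10, 20):
        print(groups, bounded_expansion_count("{a,b}" * groups, limit=4096))
```

The design point is where the counter sits: it is incremented as each concrete pattern is produced, before any filesystem lookup, so an authenticated client cannot make the server allocate the whole exponential list and only then discover that nothing matched.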