Vulnerabilities > CVE-2014-2532 - Permissions, Privileges, and Access Controls vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2014-086-06.NASL description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 73252 published 2014-03-31 reporter This script is Copyright (C) 2014-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73252 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2014-086-06) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2014-086-06. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(73252); script_version("$Revision: 1.6 $"); script_cvs_date("$Date: 2016/12/09 20:54:58 $"); script_cve_id("CVE-2014-2532"); script_bugtraq_id(66355); script_xref(name:"SSA", value:"2014-086-06"); script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2014-086-06)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.523534 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ca896db4" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"patch_publication_date", value:"2014/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2016 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"13.0", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++; if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++; if (slackware_check(osver:"13.1", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++; if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++; if (slackware_check(osver:"13.37", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"3_slack13.37")) flag++; if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"3_slack13.37")) flag++; if (slackware_check(osver:"14.0", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"current", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSSH-140607.NASL description This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653) last seen 2020-06-05 modified 2014-06-19 plugin id 76141 published 2014-06-19 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76141 title SuSE 11.3 Security Update : openssh (SAT Patch Number 9357) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(76141); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_name(english:"SuSE 11.3 Security Update : openssh (SAT Patch Number 9357)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=826427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=833605" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=847710" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=869101" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=870532" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2532.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2653.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9357."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2014-6569.NASL description - environment variables with embedded last seen 2020-03-17 modified 2014-06-10 plugin id 74384 published 2014-06-10 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74384 title Fedora 19 : openssh-6.2p2-8.fc19 (2014-6569) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2014-6569. # include("compat.inc"); if (description) { script_id(74384); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"FEDORA", value:"2014-6569"); script_name(english:"Fedora 19 : openssh-6.2p2-8.fc19 (2014-6569)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - environment variables with embedded '=' or '0' characters are now ignored - prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys - /etc/ssh/moduli is readable by all now - ssh-copy-id is run in so called legacy mode when SSH_COPY_ID_LEGACY variable is set Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1077843" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081338" ); # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5ea8f7ac" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19"); script_set_attribute(attribute:"patch_publication_date", value:"2014/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC19", reference:"openssh-6.2p2-8.fc19")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }NASL family Misc. NASL id OPENSSH_66.NASL description According to its banner, the version of OpenSSH running on the remote host is prior to 6.6. It is, therefore, affected by the following vulnerabilities : - A flaw exists due to a failure to initialize certain data structures when makefile.inc is modified to enable the J-PAKE protocol. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition and potentially the execution of arbitrary code. (CVE-2014-1692) - An error exists related to the last seen 2020-06-01 modified 2020-06-02 plugin id 73079 published 2014-03-18 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73079 title OpenSSH < 6.6 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(73079); script_version("1.10"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2014-1692", "CVE-2014-2532"); script_bugtraq_id(65230, 66355); script_name(english:"OpenSSH < 6.6 Multiple Vulnerabilities"); script_summary(english:"Checks OpenSSH banner version."); script_set_attribute(attribute:"synopsis", value: "The SSH server on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of OpenSSH running on the remote host is prior to 6.6. It is, therefore, affected by the following vulnerabilities : - A flaw exists due to a failure to initialize certain data structures when makefile.inc is modified to enable the J-PAKE protocol. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition and potentially the execution of arbitrary code. (CVE-2014-1692) - An error exists related to the 'AcceptEnv' configuration setting in sshd_config due to improper processing of wildcard characters. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to bypass intended environment restrictions. (CVE-2014-2532) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-6.6"); script_set_attribute(attribute:"see_also", value:"https://lists.gt.net/openssh/dev/57663#57663"); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH version 6.6 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2014/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/18"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/ssh"); exit(0); } include("audit.inc"); include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) audit(AUDIT_NOT_LISTEN, "OpenSSH", port); if (backported) audit(code:0, AUDIT_BACKPORT_SERVICE, port, "OpenSSH"); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (isnull(match)) audit(AUDIT_SERVICE_VER_FAIL, "OpenSSH", port); version = match[1]; # Does not affect all configurations if (report_paranoia < 2) audit(AUDIT_PARANOID); # Affected : < 6.6 if ( version =~ "^[0-5]\." || version =~ "^6\.[0-5]($|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 6.6\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "OpenSSH", port, version);NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2155-1.NASL description Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to possibly bypass certain intended environment variable restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2014-03-26 plugin id 73202 published 2014-03-26 reporter Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73202 title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2155-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2155-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(73202); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2532"); script_bugtraq_id(66355); script_xref(name:"USN", value:"2155-1"); script_name(english:"Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2155-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to possibly bypass certain intended environment variable restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2155-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh-server package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:13.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2014/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(10\.04|12\.04|12\.10|13\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 12.04 / 12.10 / 13.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"10.04", pkgname:"openssh-server", pkgver:"1:5.3p1-3ubuntu7.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"openssh-server", pkgver:"1:5.9p1-5ubuntu1.2")) flag++; if (ubuntu_check(osver:"12.10", pkgname:"openssh-server", pkgver:"1:6.0p1-3ubuntu1.1")) flag++; if (ubuntu_check(osver:"13.10", pkgname:"openssh-server", pkgver:"1:6.2p2-6ubuntu0.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-server"); }NASL family AIX Local Security Checks NASL id AIX_OPENSSH_ADVISORY4.NASL description The version of OpenSSH running on the remote host is affected by multiple security bypass vulnerabilities : - sshd in OpenSSH versions before 6.6 do not properly support wildcards on AcceptEnv lines in sshd_config, which allow a remote attacker to bypass intended environment restrictions by using a substring located before a wildcard character. (CVE-2014-2532) - The verify_host_key function in sshconnect.c in the OpenSSH client for versions 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS checking by presenting an unacceptable HostCertificate. (CVE-2014-2653) last seen 2020-06-01 modified 2020-06-02 plugin id 76168 published 2014-06-20 reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76168 title AIX OpenSSH Vulnerability : openssh_advisory4.asc code # # (C) Tenable Network Security, Inc. # # The text in the description was extracted from AIX Security # Advisory openssh_advisory4.asc. # include("compat.inc"); if (description) { script_id(76168); script_version("1.10"); script_cvs_date("Date: 2018/11/28 22:47:41"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_name(english:"AIX OpenSSH Vulnerability : openssh_advisory4.asc"); script_summary(english:"Checks the version of the openssh client and server packages"); script_set_attribute(attribute:"synopsis", value:"The remote AIX host has a vulnerable version of OpenSSH."); script_set_attribute(attribute:"description", value: "The version of OpenSSH running on the remote host is affected by multiple security bypass vulnerabilities : - sshd in OpenSSH versions before 6.6 do not properly support wildcards on AcceptEnv lines in sshd_config, which allow a remote attacker to bypass intended environment restrictions by using a substring located before a wildcard character. (CVE-2014-2532) - The verify_host_key function in sshconnect.c in the OpenSSH client for versions 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS checking by presenting an unacceptable HostCertificate. (CVE-2014-2653)"); script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc"); script_set_attribute(attribute:"see_also", value:"https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp"); script_set_attribute(attribute:"solution", value: "A fix is available and can be downloaded from the AIX website. To extract the fixes from the tar file : zcat OpenSSH_6.0.0.6107.tar.Z | tar xvf - IMPORTANT : If possible, it is recommended that an mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview the fix installation : installp -apYd . OpenSSH_6.0.0.6107 To install the fix package : installp -aXYd . OpenSSH_6.0.0.6107"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:5.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:7.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"AIX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version"); exit(0); } include("aix.inc"); include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); oslevel = get_kb_item_or_exit("Host/AIX/version"); if ( oslevel != "AIX-5.3" && oslevel != "AIX-6.1" && oslevel != "AIX-7.1" ) { oslevel = ereg_replace(string:oslevel, pattern:"-", replace:" "); audit(AUDIT_OS_NOT, "AIX 5.3 / 6.1 / 7.1", oslevel); } if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (aix_check_package(release:"5.3", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"6.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"7.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"5.3", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"6.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"7.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : aix_report_get() ); } else { tested = aix_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh.base.client / openssh.base.server"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-1552.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 79184 published 2014-11-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79184 title CentOS 6 : openssh (CESA-2014:1552) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2014:1552 and # CentOS Errata and Security Advisory 2014:1552 respectively. # include("compat.inc"); if (description) { script_id(79184); script_version("1.13"); script_cvs_date("Date: 2020/01/06"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"RHSA", value:"2014:1552"); script_name(english:"CentOS 6 : openssh (CESA-2014:1552)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : * Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. (BZ#993580) * Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. (BZ#1010429) * Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. (BZ#1020803) * When keys provided by the pkcs11 library were removed from the ssh agent using the 'ssh-add -e' command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN. (BZ#1042519) In addition, this update adds the following enhancements : * With this update, ControlPersist has been added to OpenSSH. The option in conjunction with the ControlMaster configuration directive specifies that the master connection remains open in the background after the initial client connection has been closed. (BZ#953088) * When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file. (BZ#997377) * Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953 (BZ#1028335) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements." ); # https://lists.centos.org/pipermail/centos-cr-announce/2014-October/001318.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cc014a58" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2532"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2014/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-6", reference:"openssh-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-askpass-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-clients-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-ldap-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-server-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"pam_ssh_agent_auth-0.9.3-104.el6")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }NASL family MacOS X Local Security Checks NASL id MACOSX_10_11.NASL description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 86270 published 2015-10-05 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86270 title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1552.NASL description From Red Hat Security Advisory 2014:1552 : Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 78526 published 2014-10-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78526 title Oracle Linux 6 : openssh (ELSA-2014-1552) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-068.NASL description Updated openssh packages fixes security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-06-01 modified 2020-06-02 plugin id 73444 published 2014-04-10 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73444 title Mandriva Linux Security Advisory : openssh (MDVSA-2014:068) NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSSH-140606.NASL description This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653) last seen 2020-06-05 modified 2014-06-19 plugin id 76140 published 2014-06-19 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76140 title SuSE 11.3 Security Update : openssh (SAT Patch Number 9357) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127415 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127415 title NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-369.NASL description sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. last seen 2020-06-01 modified 2020-06-02 plugin id 78312 published 2014-10-12 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78312 title Amazon Linux AMI : openssh (ALAS-2014-369) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127206 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127206 title NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201405-06.NASL description The remote host is affected by the vulnerability described in GLSA-201405-06 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, or bypass environment restrictions. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 73958 published 2014-05-12 reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73958 title GLSA-201405-06 : OpenSSH: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2894.NASL description Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-2532 Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. - CVE-2014-2653 Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-03-17 modified 2014-04-07 plugin id 73350 published 2014-04-07 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73350 title Debian DSA-2894-1 : openssh - security update NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-095.NASL description Updated openssh packages fix security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-06-01 modified 2020-06-02 plugin id 82348 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82348 title Mandriva Linux Security Advisory : openssh (MDVSA-2015:095) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0038.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969) - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816) - SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500) - Add missing dot in ssh manual page (#1197763) - Fix minor problems found by covscan/gcc (#1196063) - Add missing options in man ssh (#1197763) - Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251) - Correct freeing newkeys structure when privileged monitor exits (#1208584) - Fix problems with failing persistent connections (#1131585) - Fix memory leaks in auditing patch (#1208584) - Better approach to logging sftp commands in chroot - Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251) - Add missing ControlPersist option to man ssh (#1197763) - Add sftp option to force mode of created files (#1191055) - Do not load RSA1 keys in FIPS mode (#1197072) - Add missing support for ECDSA in ssh-keyscan (#1196331) - Fix coverity/gcc issues (#1196063) - Backport wildcard functionality for PermitOpen in sshd_config file (#1159055) - Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506) - Fix ControlPersist option with ProxyCommand (#1160487) - Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454) - Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449) - Fix printing of extensions in v01 certificates (#1093869) - Fix confusing audit trail for unsuccessful logins (#1127312) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 90076 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90076 title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038) NASL family Fedora Local Security Checks NASL id FEDORA_2014-6380.NASL description - environment variables with embedded last seen 2020-03-17 modified 2014-05-22 plugin id 74133 published 2014-05-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74133 title Fedora 20 : openssh-6.4p1-4.fc20 (2014-6380) NASL family Scientific Linux Local Security Checks NASL id SL_20141014_OPENSSH_ON_SL6_X.NASL description It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : - Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. - Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. - Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. - When keys provided by the pkcs11 library were removed from the ssh agent using the last seen 2020-03-18 modified 2014-10-23 plugin id 78641 published 2014-10-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78641 title Scientific Linux Security Update : openssh on SL6.x i386/x86_64 (20141014) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL15780.NASL description CVE-2014-2653 The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. CVE-2014-2532 sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. last seen 2020-06-01 modified 2020-06-02 plugin id 91617 published 2016-06-15 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91617 title F5 Networks BIG-IP : OpenSSH vulnerabilities (K15780) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1552.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 78413 published 2014-10-14 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78413 title RHEL 6 : openssh (RHSA-2014:1552)
Redhat
| advisories |
| ||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | Bugtraq ID:66355 CVE ID:CVE-2014-2532 OpenSSH是一种开放源码的SSH协议的实现。 OpenSSH "child_set_env()"函数(usr.bin/ssh/session.c)存在错误,允许恶意本地用户在通配符之前使用子串来绕过环境限制。 0 OpenSSH 6.x OpenSSH 6.6已经修复该漏洞,建议用户下载更新: http://www.openssh.com |
| id | SSV:61911 |
| last seen | 2017-11-19 |
| modified | 2014-03-25 |
| published | 2014-03-25 |
| reporter | Root |
| title | OpenSSH 'child_set_env()'函数安全绕过漏洞 |
References
- http://advisories.mageia.org/MGASA-2014-0143.html
- http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html
- http://marc.info/?l=bugtraq&m=141576985122836&w=2
- http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2
- http://rhn.redhat.com/errata/RHSA-2014-1552.html
- http://secunia.com/advisories/57488
- http://secunia.com/advisories/57574
- http://secunia.com/advisories/59313
- http://secunia.com/advisories/59855
- http://www.debian.org/security/2014/dsa-2894
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:068
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:095
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/66355
- http://www.securitytracker.com/id/1029925
- http://www.ubuntu.com/usn/USN-2155-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/91986
- https://support.apple.com/HT205267