Vulnerabilities > CVE-2014-2532 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 4.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
network
high complexity
oracle
openbsd
CWE-264
nessus

Summary

sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

Vulnerable Configurations

Part Description Count
Application
Oracle
1
Application
Openbsd
204

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2014-086-06.NASL
    descriptionNew openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id73252
    published2014-03-31
    reporterThis script is Copyright (C) 2014-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73252
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2014-086-06)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2014-086-06. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73252);
      script_version("$Revision: 1.6 $");
      script_cvs_date("$Date: 2016/12/09 20:54:58 $");
    
      script_cve_id("CVE-2014-2532");
      script_bugtraq_id(66355);
      script_xref(name:"SSA", value:"2014-086-06");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2014-086-06)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New openssh packages are available for Slackware 13.0, 13.1, 13.37,
    14.0, 14.1, and -current to fix a security issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.523534
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ca896db4"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"i486", pkgnum:"3_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"openssh", pkgver:"5.9p1", pkgarch:"x86_64", pkgnum:"3_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"openssh", pkgver:"6.6p1", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_OPENSSH-140607.NASL
    descriptionThis update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)
    last seen2020-06-05
    modified2014-06-19
    plugin id76141
    published2014-06-19
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76141
    titleSuSE 11.3 Security Update : openssh (SAT Patch Number 9357)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76141);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-2532", "CVE-2014-2653");
    
      script_name(english:"SuSE 11.3 Security Update : openssh (SAT Patch Number 9357)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for OpenSSH fixes the following issues :
    
      - Exit sshd normally when port is already in use.
        (bnc#832628)
    
      - Use hardware crypto engines where available.
        (bnc#826427)
    
      - Use correct options for login when it is used.
        (bnc#833605)
    
      - Move FIPS messages to higher debug level. (bnc#862875)
    
      - Fix forwarding with IPv6 addresses in DISPLAY.
        (bnc#847710)
    
      - Do not link OpenSSH binaries with LDAP libraries.
        (bnc#826906)
    
      - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532)
    
      - Check SSHFP DNS records even for server certificates.
        (bnc#870532, CVE-2014-2653)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=826427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=833605"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=847710"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=869101"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=870532"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2014-2532.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2014-2653.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9357.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++;
    if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++;
    if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++;
    if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++;
    if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++;
    if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-6569.NASL
    description - environment variables with embedded
    last seen2020-03-17
    modified2014-06-10
    plugin id74384
    published2014-06-10
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74384
    titleFedora 19 : openssh-6.2p2-8.fc19 (2014-6569)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2014-6569.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(74384);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-2532", "CVE-2014-2653");
      script_bugtraq_id(66355, 66459);
      script_xref(name:"FEDORA", value:"2014-6569");
    
      script_name(english:"Fedora 19 : openssh-6.2p2-8.fc19 (2014-6569)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - environment variables with embedded '=' or '0'
        characters are now ignored
    
        - prevents a server from skipping SSHFP lookup and
          forcing a new-hostkey dialog by offering only
          certificate keys
    
        - /etc/ssh/moduli is readable by all now
    
        - ssh-copy-id is run in so called legacy mode when
          SSH_COPY_ID_LEGACY variable is set
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1077843"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081338"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5ea8f7ac"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC19", reference:"openssh-6.2p2-8.fc19")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyMisc.
    NASL idOPENSSH_66.NASL
    descriptionAccording to its banner, the version of OpenSSH running on the remote host is prior to 6.6. It is, therefore, affected by the following vulnerabilities : - A flaw exists due to a failure to initialize certain data structures when makefile.inc is modified to enable the J-PAKE protocol. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition and potentially the execution of arbitrary code. (CVE-2014-1692) - An error exists related to the
    last seen2020-06-01
    modified2020-06-02
    plugin id73079
    published2014-03-18
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/73079
    titleOpenSSH < 6.6 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73079);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2014-1692", "CVE-2014-2532");
      script_bugtraq_id(65230, 66355);
    
      script_name(english:"OpenSSH < 6.6 Multiple Vulnerabilities");
      script_summary(english:"Checks OpenSSH banner version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The SSH server on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH running on the remote
    host is prior to 6.6. It is, therefore, affected by the following
    vulnerabilities :
    
      - A flaw exists due to a failure to initialize certain
        data structures when makefile.inc is modified to enable
        the J-PAKE protocol. An unauthenticated, remote attacker
        can exploit this to corrupt memory, resulting in a
        denial of service condition and potentially the
        execution of arbitrary code. (CVE-2014-1692)
    
      - An error exists related to the 'AcceptEnv' configuration
        setting in sshd_config due to improper processing of
        wildcard characters. An unauthenticated, remote attacker
        can exploit this, via a specially crafted request, to
        bypass intended environment restrictions.
        (CVE-2014-2532)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-6.6");
      script_set_attribute(attribute:"see_also", value:"https://lists.gt.net/openssh/dev/57663#57663");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH version 6.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/18");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("audit.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) audit(AUDIT_NOT_LISTEN, "OpenSSH", port);
    if (backported) audit(code:0, AUDIT_BACKPORT_SERVICE, port, "OpenSSH");
    
    # Check the version in the backported banner.
    match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(match)) audit(AUDIT_SERVICE_VER_FAIL, "OpenSSH", port);
    version = match[1];
    
    # Does not affect all configurations
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Affected : < 6.6
    if (
      version =~ "^[0-5]\." ||
      version =~ "^6\.[0-5]($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 6.6\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "OpenSSH", port, version);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2155-1.NASL
    descriptionJann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to possibly bypass certain intended environment variable restrictions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2014-03-26
    plugin id73202
    published2014-03-26
    reporterUbuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73202
    titleUbuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2155-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-2155-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73202);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2014-2532");
      script_bugtraq_id(66355);
      script_xref(name:"USN", value:"2155-1");
    
      script_name(english:"Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2155-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Jann Horn discovered that OpenSSH incorrectly handled wildcards in
    AcceptEnv lines. A remote attacker could use this issue to possibly
    bypass certain intended environment variable restrictions.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/2155-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh-server package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:13.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(10\.04|12\.04|12\.10|13\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 12.04 / 12.10 / 13.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"10.04", pkgname:"openssh-server", pkgver:"1:5.3p1-3ubuntu7.1")) flag++;
    if (ubuntu_check(osver:"12.04", pkgname:"openssh-server", pkgver:"1:5.9p1-5ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"12.10", pkgname:"openssh-server", pkgver:"1:6.0p1-3ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"13.10", pkgname:"openssh-server", pkgver:"1:6.2p2-6ubuntu0.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-server");
    }
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_OPENSSH_ADVISORY4.NASL
    descriptionThe version of OpenSSH running on the remote host is affected by multiple security bypass vulnerabilities : - sshd in OpenSSH versions before 6.6 do not properly support wildcards on AcceptEnv lines in sshd_config, which allow a remote attacker to bypass intended environment restrictions by using a substring located before a wildcard character. (CVE-2014-2532) - The verify_host_key function in sshconnect.c in the OpenSSH client for versions 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS checking by presenting an unacceptable HostCertificate. (CVE-2014-2653)
    last seen2020-06-01
    modified2020-06-02
    plugin id76168
    published2014-06-20
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/76168
    titleAIX OpenSSH Vulnerability : openssh_advisory4.asc
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory openssh_advisory4.asc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76168);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/28 22:47:41");
    
      script_cve_id("CVE-2014-2532", "CVE-2014-2653");
      script_bugtraq_id(66355, 66459);
    
      script_name(english:"AIX OpenSSH Vulnerability : openssh_advisory4.asc");
      script_summary(english:"Checks the version of the openssh client and server packages");
    
      script_set_attribute(attribute:"synopsis", value:"The remote AIX host has a vulnerable version of OpenSSH.");
      script_set_attribute(attribute:"description", value:
    "The version of OpenSSH running on the remote host is affected by
    multiple security bypass vulnerabilities :
    
      - sshd in OpenSSH versions before 6.6 do not properly
        support wildcards on AcceptEnv lines in sshd_config,
        which allow a remote attacker to bypass intended
        environment restrictions by using a substring located
        before a wildcard character. (CVE-2014-2532)
    
      - The verify_host_key function in sshconnect.c in the
        OpenSSH client for versions 6.6 and earlier allows
        remote servers to trigger the skipping of SSHFP DNS
        checking by presenting an unacceptable HostCertificate.
        (CVE-2014-2653)");
      script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc");
      script_set_attribute(attribute:"see_also", value:"https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp");
      script_set_attribute(attribute:"solution", value:
    "A fix is available and can be downloaded from the AIX website.
    
    To extract the fixes from the tar file :
    
      zcat OpenSSH_6.0.0.6107.tar.Z | tar xvf -
    
    IMPORTANT : If possible, it is recommended that an mksysb backup of
    the system be created. Verify it is both bootable and readable before
    proceeding.
    
    To preview the fix installation :
    
      installp -apYd . OpenSSH_6.0.0.6107
    
    To install the fix package :
    
      installp -aXYd . OpenSSH_6.0.0.6107");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:5.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:7.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/20");
    
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    
    include("aix.inc");
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    oslevel = get_kb_item_or_exit("Host/AIX/version");
    if ( oslevel != "AIX-5.3" && oslevel != "AIX-6.1" && oslevel != "AIX-7.1" )
    {
      oslevel = ereg_replace(string:oslevel, pattern:"-", replace:" ");
      audit(AUDIT_OS_NOT, "AIX 5.3 / 6.1 / 7.1", oslevel);
    }
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    flag = 0;
    
    if (aix_check_package(release:"5.3", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    if (aix_check_package(release:"6.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    if (aix_check_package(release:"7.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    if (aix_check_package(release:"5.3", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    if (aix_check_package(release:"6.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    if (aix_check_package(release:"7.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : aix_report_get()
      );
    }
    else
    {
      tested = aix_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh.base.client / openssh.base.server");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2014-1552.NASL
    descriptionUpdated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id79184
    published2014-11-12
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79184
    titleCentOS 6 : openssh (CESA-2014:1552)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2014:1552 and 
    # CentOS Errata and Security Advisory 2014:1552 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79184);
      script_version("1.13");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2014-2532", "CVE-2014-2653");
      script_bugtraq_id(66355, 66459);
      script_xref(name:"RHSA", value:"2014:1552");
    
      script_name(english:"CentOS 6 : openssh (CESA-2014:1552)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages that fix two security issues, several bugs,
    and add various enhancements are now available for Red Hat Enterprise
    Linux 6.
    
    Red Hat Product Security has rated this update as having Moderate
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
    packages include the core files necessary for both the OpenSSH client
    and server.
    
    It was discovered that OpenSSH clients did not correctly verify DNS
    SSHFP records. A malicious server could use this flaw to force a
    connecting client to skip the DNS SSHFP record check and require the
    user to perform manual host verification of the DNS SSHFP record.
    (CVE-2014-2653)
    
    It was found that OpenSSH did not properly handle certain AcceptEnv
    parameter values with wildcard characters. A remote attacker could use
    this flaw to bypass intended environment variable restrictions.
    (CVE-2014-2532)
    
    This update also fixes the following bugs :
    
    * Based on the SP800-131A information security standard, the
    generation of a digital signature using the Digital Signature
    Algorithm (DSA) with the key size of 1024 bits and RSA with the key
    size of less than 2048 bits is disallowed after the year 2013. After
    this update, ssh-keygen no longer generates keys with less than 2048
    bits in FIPS mode. However, the sshd service accepts keys of size 1024
    bits as well as larger keys for compatibility reasons. (BZ#993580)
    
    * Previously, the openssh utility incorrectly set the oom_adj value to
    -17 for all of its children processes. This behavior was incorrect
    because the children processes were supposed to have this value set to
    0. This update applies a patch to fix this bug and oom_adj is now
    properly set to 0 for all children processes as expected. (BZ#1010429)
    
    * Previously, if the sshd service failed to verify the checksum of an
    installed FIPS module using the fipscheck library, the information
    about this failure was only provided at the standard error output of
    sshd. As a consequence, the user could not notice this message and be
    uninformed when a system had not been properly configured for FIPS
    mode. To fix this bug, this behavior has been changed and sshd now
    sends such messages via the syslog service. (BZ#1020803)
    
    * When keys provided by the pkcs11 library were removed from the ssh
    agent using the 'ssh-add -e' command, the user was prompted to enter a
    PIN. With this update, a patch has been applied to allow the user to
    remove the keys provided by pkcs11 without the PIN. (BZ#1042519)
    
    In addition, this update adds the following enhancements :
    
    * With this update, ControlPersist has been added to OpenSSH. The
    option in conjunction with the ControlMaster configuration directive
    specifies that the master connection remains open in the background
    after the initial client connection has been closed. (BZ#953088)
    
    * When the sshd daemon is configured to force the internal SFTP
    session, and the user attempts to use a connection other than SFTP,
    the appropriate message is logged to the /var/log/secure file.
    (BZ#997377)
    
    * Support for Elliptic Curve Cryptography modes for key exchange
    (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been
    added to the openssh packages. However, they are not enabled by
    default and the user has to enable them manually. For more information
    on how to configure ECDSA and ECDH with OpenSSH, see:
    https://access.redhat.com/solutions/711953 (BZ#1028335)
    
    All openssh users are advised to upgrade to these updated packages,
    which contain backported patches to correct these issues and add these
    enhancements."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2014-October/001318.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cc014a58"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2532");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/10/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"openssh-5.3p1-104.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"openssh-askpass-5.3p1-104.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"openssh-clients-5.3p1-104.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"openssh-ldap-5.3p1-104.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"openssh-server-5.3p1-104.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"pam_ssh_agent_auth-0.9.3-104.el6")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_11.NASL
    descriptionThe remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id86270
    published2015-10-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86270
    titleMac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2014-1552.NASL
    descriptionFrom Red Hat Security Advisory 2014:1552 : Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id78526
    published2014-10-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78526
    titleOracle Linux 6 : openssh (ELSA-2014-1552)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2014-068.NASL
    descriptionUpdated openssh packages fixes security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id73444
    published2014-04-10
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73444
    titleMandriva Linux Security Advisory : openssh (MDVSA-2014:068)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_OPENSSH-140606.NASL
    descriptionThis update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)
    last seen2020-06-05
    modified2014-06-19
    plugin id76140
    published2014-06-19
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/76140
    titleSuSE 11.3 Security Update : openssh (SAT Patch Number 9357)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127415
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127415
    titleNewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2014-369.NASL
    descriptionsshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
    last seen2020-06-01
    modified2020-06-02
    plugin id78312
    published2014-10-12
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/78312
    titleAmazon Linux AMI : openssh (ALAS-2014-369)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127206
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127206
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201405-06.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201405-06 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, or bypass environment restrictions. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id73958
    published2014-05-12
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73958
    titleGLSA-201405-06 : OpenSSH: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2894.NASL
    descriptionTwo vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-2532 Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. - CVE-2014-2653 Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn
    last seen2020-03-17
    modified2014-04-07
    plugin id73350
    published2014-04-07
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73350
    titleDebian DSA-2894-1 : openssh - security update
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-095.NASL
    descriptionUpdated openssh packages fix security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id82348
    published2015-03-30
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82348
    titleMandriva Linux Security Advisory : openssh (MDVSA-2015:095)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0038.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969) - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816) - SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500) - Add missing dot in ssh manual page (#1197763) - Fix minor problems found by covscan/gcc (#1196063) - Add missing options in man ssh (#1197763) - Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251) - Correct freeing newkeys structure when privileged monitor exits (#1208584) - Fix problems with failing persistent connections (#1131585) - Fix memory leaks in auditing patch (#1208584) - Better approach to logging sftp commands in chroot - Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251) - Add missing ControlPersist option to man ssh (#1197763) - Add sftp option to force mode of created files (#1191055) - Do not load RSA1 keys in FIPS mode (#1197072) - Add missing support for ECDSA in ssh-keyscan (#1196331) - Fix coverity/gcc issues (#1196063) - Backport wildcard functionality for PermitOpen in sshd_config file (#1159055) - Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506) - Fix ControlPersist option with ProxyCommand (#1160487) - Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454) - Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449) - Fix printing of extensions in v01 certificates (#1093869) - Fix confusing audit trail for unsuccessful logins (#1127312) - Don
    last seen2020-06-01
    modified2020-06-02
    plugin id90076
    published2016-03-22
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90076
    titleOracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2014-6380.NASL
    description - environment variables with embedded
    last seen2020-03-17
    modified2014-05-22
    plugin id74133
    published2014-05-22
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74133
    titleFedora 20 : openssh-6.4p1-4.fc20 (2014-6380)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20141014_OPENSSH_ON_SL6_X.NASL
    descriptionIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : - Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. - Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. - Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. - When keys provided by the pkcs11 library were removed from the ssh agent using the
    last seen2020-03-18
    modified2014-10-23
    plugin id78641
    published2014-10-23
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78641
    titleScientific Linux Security Update : openssh on SL6.x i386/x86_64 (20141014)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL15780.NASL
    descriptionCVE-2014-2653 The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. CVE-2014-2532 sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
    last seen2020-06-01
    modified2020-06-02
    plugin id91617
    published2016-06-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91617
    titleF5 Networks BIG-IP : OpenSSH vulnerabilities (K15780)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2014-1552.NASL
    descriptionUpdated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD
    last seen2020-06-01
    modified2020-06-02
    plugin id78413
    published2014-10-14
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78413
    titleRHEL 6 : openssh (RHSA-2014:1552)

Redhat

advisories
rhsa
idRHSA-2014:1552
rpms
  • openssh-0:5.3p1-104.el6
  • openssh-askpass-0:5.3p1-104.el6
  • openssh-clients-0:5.3p1-104.el6
  • openssh-debuginfo-0:5.3p1-104.el6
  • openssh-ldap-0:5.3p1-104.el6
  • openssh-server-0:5.3p1-104.el6
  • pam_ssh_agent_auth-0:0.9.3-104.el6

Seebug

bulletinFamilyexploit
descriptionBugtraq ID:66355 CVE ID:CVE-2014-2532 OpenSSH是一种开放源码的SSH协议的实现。 OpenSSH &quot;child_set_env()&quot;函数(usr.bin/ssh/session.c)存在错误,允许恶意本地用户在通配符之前使用子串来绕过环境限制。 0 OpenSSH 6.x OpenSSH 6.6已经修复该漏洞,建议用户下载更新: http://www.openssh.com
idSSV:61911
last seen2017-11-19
modified2014-03-25
published2014-03-25
reporterRoot
titleOpenSSH 'child_set_env()'函数安全绕过漏洞

References