Vulnerabilities > CVE-2014-2653 - Improper Input Validation vulnerability in Openbsd Openssh
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSSH-140607.NASL description This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653) last seen 2020-06-05 modified 2014-06-19 plugin id 76141 published 2014-06-19 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76141 title SuSE 11.3 Security Update : openssh (SAT Patch Number 9357) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(76141); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_name(english:"SuSE 11.3 Security Update : openssh (SAT Patch Number 9357)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=826427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=833605" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=847710" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=869101" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=870532" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2532.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2653.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9357."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2014-6569.NASL description - environment variables with embedded last seen 2020-03-17 modified 2014-06-10 plugin id 74384 published 2014-06-10 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74384 title Fedora 19 : openssh-6.2p2-8.fc19 (2014-6569) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2014-6569. # include("compat.inc"); if (description) { script_id(74384); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"FEDORA", value:"2014-6569"); script_name(english:"Fedora 19 : openssh-6.2p2-8.fc19 (2014-6569)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - environment variables with embedded '=' or '0' characters are now ignored - prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys - /etc/ssh/moduli is readable by all now - ssh-copy-id is run in so called legacy mode when SSH_COPY_ID_LEGACY variable is set Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1077843" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081338" ); # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5ea8f7ac" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19"); script_set_attribute(attribute:"patch_publication_date", value:"2014/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC19", reference:"openssh-6.2p2-8.fc19")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-0425.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 81894 published 2015-03-18 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81894 title CentOS 7 : openssh (CESA-2015:0425) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2015:0425 and # CentOS Errata and Security Advisory 2015:0425 respectively. # include("compat.inc"); if (description) { script_id(81894); script_version("1.8"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2014-2653", "CVE-2014-9278"); script_xref(name:"RHSA", value:"2015:0425"); script_name(english:"CentOS 7 : openssh (CESA-2015:0425)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667) Bug fixes : * An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482) * The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665) * Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662) * Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447) * Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448) * Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173) Enhancements : * When the sshd daemon is configured to force the internal SFTP session, a connection other then SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198) * The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997) Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements." ); # https://lists.centos.org/pipermail/centos-cr-announce/2015-March/001725.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9f2883d9" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2653"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server-sysvinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/27"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.9.3-9.11.el7")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-keycat / etc"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-0425.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 81635 published 2015-03-05 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81635 title RHEL 7 : openssh (RHSA-2015:0425) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2015:0425. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(81635); script_version("1.12"); script_cvs_date("Date: 2019/10/24 15:35:39"); script_cve_id("CVE-2014-2653", "CVE-2014-9278"); script_xref(name:"RHSA", value:"2015:0425"); script_name(english:"RHEL 7 : openssh (RHSA-2015:0425)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667) Bug fixes : * An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482) * The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665) * Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662) * Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447) * Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448) * Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173) Enhancements : * When the sshd daemon is configured to force the internal SFTP session, a connection other then SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198) * The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997) Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2015:0425" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-2653" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2014-9278" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/27"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2015:0425"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-11.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.9.3-9.11.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc"); } }
NASL family AIX Local Security Checks NASL id AIX_OPENSSH_ADVISORY4.NASL description The version of OpenSSH running on the remote host is affected by multiple security bypass vulnerabilities : - sshd in OpenSSH versions before 6.6 do not properly support wildcards on AcceptEnv lines in sshd_config, which allow a remote attacker to bypass intended environment restrictions by using a substring located before a wildcard character. (CVE-2014-2532) - The verify_host_key function in sshconnect.c in the OpenSSH client for versions 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS checking by presenting an unacceptable HostCertificate. (CVE-2014-2653) last seen 2020-06-01 modified 2020-06-02 plugin id 76168 published 2014-06-20 reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76168 title AIX OpenSSH Vulnerability : openssh_advisory4.asc code # # (C) Tenable Network Security, Inc. # # The text in the description was extracted from AIX Security # Advisory openssh_advisory4.asc. # include("compat.inc"); if (description) { script_id(76168); script_version("1.10"); script_cvs_date("Date: 2018/11/28 22:47:41"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_name(english:"AIX OpenSSH Vulnerability : openssh_advisory4.asc"); script_summary(english:"Checks the version of the openssh client and server packages"); script_set_attribute(attribute:"synopsis", value:"The remote AIX host has a vulnerable version of OpenSSH."); script_set_attribute(attribute:"description", value: "The version of OpenSSH running on the remote host is affected by multiple security bypass vulnerabilities : - sshd in OpenSSH versions before 6.6 do not properly support wildcards on AcceptEnv lines in sshd_config, which allow a remote attacker to bypass intended environment restrictions by using a substring located before a wildcard character. (CVE-2014-2532) - The verify_host_key function in sshconnect.c in the OpenSSH client for versions 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS checking by presenting an unacceptable HostCertificate. (CVE-2014-2653)"); script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc"); script_set_attribute(attribute:"see_also", value:"https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp"); script_set_attribute(attribute:"solution", value: "A fix is available and can be downloaded from the AIX website. To extract the fixes from the tar file : zcat OpenSSH_6.0.0.6107.tar.Z | tar xvf - IMPORTANT : If possible, it is recommended that an mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview the fix installation : installp -apYd . OpenSSH_6.0.0.6107 To install the fix package : installp -aXYd . OpenSSH_6.0.0.6107"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:5.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:7.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"AIX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version"); exit(0); } include("aix.inc"); include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); oslevel = get_kb_item_or_exit("Host/AIX/version"); if ( oslevel != "AIX-5.3" && oslevel != "AIX-6.1" && oslevel != "AIX-7.1" ) { oslevel = ereg_replace(string:oslevel, pattern:"-", replace:" "); audit(AUDIT_OS_NOT, "AIX 5.3 / 6.1 / 7.1", oslevel); } if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (aix_check_package(release:"5.3", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"6.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"7.1", package:"openssh.base.client", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"5.3", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"6.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (aix_check_package(release:"7.1", package:"openssh.base.server", minpackagever:"4.0.0.5200", maxpackagever:"6.0.0.6106", fixpackagever:"6.0.0.6107") > 0) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : aix_report_get() ); } else { tested = aix_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh.base.client / openssh.base.server"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-1552.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 79184 published 2014-11-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79184 title CentOS 6 : openssh (CESA-2014:1552) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2014:1552 and # CentOS Errata and Security Advisory 2014:1552 respectively. # include("compat.inc"); if (description) { script_id(79184); script_version("1.13"); script_cvs_date("Date: 2020/01/06"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"RHSA", value:"2014:1552"); script_name(english:"CentOS 6 : openssh (CESA-2014:1552)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : * Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. (BZ#993580) * Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. (BZ#1010429) * Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. (BZ#1020803) * When keys provided by the pkcs11 library were removed from the ssh agent using the 'ssh-add -e' command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN. (BZ#1042519) In addition, this update adds the following enhancements : * With this update, ControlPersist has been added to OpenSSH. The option in conjunction with the ControlMaster configuration directive specifies that the master connection remains open in the background after the initial client connection has been closed. (BZ#953088) * When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file. (BZ#997377) * Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953 (BZ#1028335) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements." ); # https://lists.centos.org/pipermail/centos-cr-announce/2014-October/001318.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cc014a58" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2532"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2014/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-6", reference:"openssh-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-askpass-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-clients-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-ldap-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-server-5.3p1-104.el6")) flag++; if (rpm_check(release:"CentOS-6", reference:"pam_ssh_agent_auth-0.9.3-104.el6")) flag++; if (flag) { cr_plugin_caveat = '\n' + 'NOTE: The security advisory associated with this vulnerability has a\n' + 'fixed package version that may only be available in the continuous\n' + 'release (CR) repository for CentOS, until it is present in the next\n' + 'point release of CentOS.\n\n' + 'If an equal or higher package level does not exist in the baseline\n' + 'repository for your major version of CentOS, then updates from the CR\n' + 'repository will need to be applied in order to address the\n' + 'vulnerability.\n'; security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + cr_plugin_caveat ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1552.NASL description From Red Hat Security Advisory 2014:1552 : Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 78526 published 2014-10-17 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78526 title Oracle Linux 6 : openssh (ELSA-2014-1552) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2014:1552 and # Oracle Linux Security Advisory ELSA-2014-1552 respectively. # include("compat.inc"); if (description) { script_id(78526); script_version("1.13"); script_cvs_date("Date: 2019/09/30 10:58:19"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"RHSA", value:"2014:1552"); script_name(english:"Oracle Linux 6 : openssh (ELSA-2014-1552)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2014:1552 : Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : * Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. (BZ#993580) * Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. (BZ#1010429) * Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. (BZ#1020803) * When keys provided by the pkcs11 library were removed from the ssh agent using the 'ssh-add -e' command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN. (BZ#1042519) In addition, this update adds the following enhancements : * With this update, ControlPersist has been added to OpenSSH. The option in conjunction with the ControlMaster configuration directive specifies that the master connection remains open in the background after the initial client connection has been closed. (BZ#953088) * When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file. (BZ#997377) * Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953 (BZ#1028335) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2014-October/004529.html" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2014/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"openssh-5.3p1-104.el6")) flag++; if (rpm_check(release:"EL6", reference:"openssh-askpass-5.3p1-104.el6")) flag++; if (rpm_check(release:"EL6", reference:"openssh-clients-5.3p1-104.el6")) flag++; if (rpm_check(release:"EL6", reference:"openssh-ldap-5.3p1-104.el6")) flag++; if (rpm_check(release:"EL6", reference:"openssh-server-5.3p1-104.el6")) flag++; if (rpm_check(release:"EL6", reference:"pam_ssh_agent_auth-0.9.3-104.el6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-068.NASL description Updated openssh packages fixes security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-06-01 modified 2020-06-02 plugin id 73444 published 2014-04-10 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73444 title Mandriva Linux Security Advisory : openssh (MDVSA-2014:068) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2014:068. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(73444); script_version("1.7"); script_cvs_date("Date: 2019/08/02 13:32:55"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"MDVSA", value:"2014:068"); script_name(english:"Mandriva Linux Security Advisory : openssh (MDVSA-2014:068)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages fixes security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate (CVE-2014-2653)." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0143.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0166.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-5.9p1-6.3.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-askpass-5.9p1-6.3.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-askpass-common-5.9p1-6.3.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-askpass-gnome-5.9p1-6.3.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-clients-5.9p1-6.3.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"openssh-server-5.9p1-6.3.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSSH-140606.NASL description This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653) last seen 2020-06-05 modified 2014-06-19 plugin id 76140 published 2014-06-19 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76140 title SuSE 11.3 Security Update : openssh (SAT Patch Number 9357) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(76140); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_name(english:"SuSE 11.3 Security Update : openssh (SAT Patch Number 9357)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for OpenSSH fixes the following issues : - Exit sshd normally when port is already in use. (bnc#832628) - Use hardware crypto engines where available. (bnc#826427) - Use correct options for login when it is used. (bnc#833605) - Move FIPS messages to higher debug level. (bnc#862875) - Fix forwarding with IPv6 addresses in DISPLAY. (bnc#847710) - Do not link OpenSSH binaries with LDAP libraries. (bnc#826906) - Parse AcceptEnv properly. (bnc#869101, CVE-2014-2532) - Check SSHFP DNS records even for server certificates. (bnc#870532, CVE-2014-2653)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=826427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=833605" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=847710" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=869101" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=870532" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2532.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2653.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9357."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"openssh-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"openssh-askpass-6.2p2-0.13.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"openssh-askpass-gnome-6.2p2-0.13.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127415 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127415 title NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0146. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127415); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5794", "CVE-2007-3102", "CVE-2010-4755", "CVE-2010-5107", "CVE-2014-2532", "CVE-2014-2653", "CVE-2014-9278", "CVE-2015-5600", "CVE-2015-8325", "CVE-2016-0777", "CVE-2016-1908", "CVE-2016-6210" ); script_name(english:"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities: - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2006-0225) - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924) - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794) - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. (CVE-2007-3102) - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755) - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107) - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325) - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. (CVE-2016-0777) - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0146"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-5051"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(362, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL MAIN 4.05") audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL MAIN 4.05": [ "openssh-latest-7.9p1-1.el6.cgsl7741", "openssh-latest-askpass-7.9p1-1.el6.cgsl7741", "openssh-latest-cavs-7.9p1-1.el6.cgsl7741", "openssh-latest-clients-7.9p1-1.el6.cgsl7741", "openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741", "openssh-latest-keycat-7.9p1-1.el6.cgsl7741", "openssh-latest-ldap-7.9p1-1.el6.cgsl7741", "openssh-latest-server-7.9p1-1.el6.cgsl7741" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-latest"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2164-1.NASL description Matthew Vernon discovered that OpenSSH did not correctly check SSHFP DNS records if a server presented an unacceptable host certificate. A malicious server could use this issue to disable SSHFP checking. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2014-04-08 plugin id 73401 published 2014-04-08 reporter Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73401 title Ubuntu 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2164-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2164-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(73401); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2653"); script_bugtraq_id(66459); script_xref(name:"USN", value:"2164-1"); script_name(english:"Ubuntu 12.04 LTS / 12.10 / 13.10 : openssh vulnerability (USN-2164-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Matthew Vernon discovered that OpenSSH did not correctly check SSHFP DNS records if a server presented an unacceptable host certificate. A malicious server could use this issue to disable SSHFP checking. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2164-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh-client package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:13.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/27"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|12\.10|13\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 12.10 / 13.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"openssh-client", pkgver:"1:5.9p1-5ubuntu1.3")) flag++; if (ubuntu_check(osver:"12.10", pkgname:"openssh-client", pkgver:"1:6.0p1-3ubuntu1.2")) flag++; if (ubuntu_check(osver:"13.10", pkgname:"openssh-client", pkgver:"1:6.2p2-6ubuntu0.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-client"); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-369.NASL description sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. last seen 2020-06-01 modified 2020-06-02 plugin id 78312 published 2014-10-12 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78312 title Amazon Linux AMI : openssh (ALAS-2014-369) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2014-369. # include("compat.inc"); if (description) { script_id(78312); script_version("1.6"); script_cvs_date("Date: 2018/04/18 15:09:35"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_xref(name:"ALAS", value:"2014-369"); script_name(english:"Amazon Linux AMI : openssh (ALAS-2014-369)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2014-369.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update openssh' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2014/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"openssh-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-clients-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-debuginfo-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-keycat-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-ldap-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-server-6.2p2-8.41.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"pam_ssh_agent_auth-0.9.3-5.8.41.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-clients / openssh-debuginfo / openssh-keycat / etc"); }
NASL family Firewalls NASL id PFSENSE_SA-15_08.NASL description According to its self-reported version number, the remote pfSense install is prior to 2.2.5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories. last seen 2020-06-01 modified 2020-06-02 plugin id 106497 published 2018-01-31 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106497 title pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106497); script_version("1.6"); script_cvs_date("Date: 2018/07/24 18:56:11"); script_cve_id( "CVE-2014-2653", "CVE-2015-1283", "CVE-2015-1416", "CVE-2015-1418", "CVE-2015-5600", "CVE-2015-5675", "CVE-2015-6563", "CVE-2015-6564", "CVE-2015-6565", "CVE-2015-7691", "CVE-2015-7692", "CVE-2015-7701", "CVE-2015-7702", "CVE-2015-7703", "CVE-2015-7704", "CVE-2015-7705", "CVE-2015-7803", "CVE-2015-7804", "CVE-2015-7848", "CVE-2015-7849", "CVE-2015-7850", "CVE-2015-7851", "CVE-2015-7852", "CVE-2015-7853", "CVE-2015-7854", "CVE-2015-7855", "CVE-2015-7871" ); script_bugtraq_id( 66459, 75990, 76116, 76236, 76317, 76485, 76497, 77273, 77274, 77275, 77276, 77277, 77278, 77279, 77280, 77281, 77282, 77283, 77284, 77285, 77286, 77287, 77288 ); script_xref(name:"FreeBSD", value:"SA-15:14.bsdpatch"); script_xref(name:"FreeBSD", value:"SA-15:16.openssh"); script_xref(name:"FreeBSD", value:"SA-15:18.bsdpatch"); script_xref(name:"FreeBSD", value:"SA-15:20.expat"); script_xref(name:"FreeBSD", value:"SA-15:21.amd64"); script_xref(name:"FreeBSD", value:"SA-15:22.openssh"); script_xref(name:"FreeBSD", value:"SA-15:25.ntp"); script_xref(name:"TRA", value:"TRA-2015-04"); script_name(english:"pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)"); script_summary(english:"Checks the version of pfSense."); script_set_attribute(attribute:"synopsis", value: "The remote firewall host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the remote pfSense install is prior to 2.2.5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories."); script_set_attribute(attribute:"see_also", value:"https://doc.pfsense.org/index.php/2.2.5_New_Features_and_Changes"); # https://www.pfsense.org/security/advisories/pfSense-SA-15_08.webgui.asc script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ec9ba339"); script_set_attribute(attribute:"solution", value: "Upgrade to pfSense version 2.2.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/04"); script_set_attribute(attribute:"patch_publication_date", value:"2015/09/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/31"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:pfsense:pfsense"); script_set_attribute(attribute:"cpe", value:"cpe:/a:bsdperimeter:pfsense"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Firewalls"); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("pfsense_detect.nbin"); script_require_keys("Host/pfSense"); exit(0); } include("vcf.inc"); include("vcf_extras.inc"); if (!get_kb_item("Host/pfSense")) audit(AUDIT_HOST_NOT, "pfSense"); app_info = vcf::pfsense::get_app_info(); constraints = [ { "fixed_version" : "2.2.5" } ]; vcf::pfsense::check_version_and_report( app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE} );
NASL family Misc. NASL id OPENSSH_SSHFP_VERIFICATION_WEAKNESS.NASL description According to its banner, the version of OpenSSH running on the remote host is 6.1 through 6.6. It is, therefore, affected by a host verification bypass vulnerability related to SSHFP and certificates that could allow a malicious SSH server to cause the supplied client to inappropriately trust the server. last seen 2020-04-30 modified 2014-10-23 plugin id 78655 published 2014-10-23 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78655 title OpenSSH SSHFP Record Verification Weakness code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(78655); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27"); script_cve_id("CVE-2014-2653"); script_bugtraq_id(66459); script_name(english:"OpenSSH SSHFP Record Verification Weakness"); script_summary(english:"Checks the version reported in the SSH banner."); script_set_attribute(attribute:"synopsis", value: "A secure shell client on the remote host could be used to bypass host verification methods."); script_set_attribute(attribute:"description", value: "According to its banner, the version of OpenSSH running on the remote host is 6.1 through 6.6. It is, therefore, affected by a host verification bypass vulnerability related to SSHFP and certificates that could allow a malicious SSH server to cause the supplied client to inappropriately trust the server."); # Vendor patch and note script_set_attribute(attribute:"see_also", value:"http://thread.gmane.org/gmane.network.openssh.devel/20679"); # SSHFP RFC "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints" script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/rfc4255"); # CVE assignment script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2014/q1/663"); script_set_attribute(attribute:"solution", value:"Update to OpenSSH version 6.7 or later or apply the vendor patch."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2653"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/24"); script_set_attribute(attribute:"patch_publication_date", value:"2014/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/23"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); script_require_keys("Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) audit(AUDIT_NOT_LISTEN, "OpenSSH", port); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (empty_or_null(match)) audit(AUDIT_SERVICE_VER_FAIL, "OpenSSH", port); version = match[1]; if (report_paranoia < 2) audit(AUDIT_PARANOID); # Affected : 6.1 through 6.6 if (version =~ "^6\.[1-6]($|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 6.7' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_LISTEN_NOT_VULN, "OpenSSH", port, version);
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2894.NASL description Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-2532 Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. - CVE-2014-2653 Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-03-17 modified 2014-04-07 plugin id 73350 published 2014-04-07 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73350 title Debian DSA-2894-1 : openssh - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2894. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(73350); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2532", "CVE-2014-2653"); script_bugtraq_id(66355, 66459); script_xref(name:"DSA", value:"2894"); script_name(english:"Debian DSA-2894-1 : openssh - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-2532 Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. - CVE-2014-2653 Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate. Note that a host verification prompt is still displayed before connecting." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2532" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-2653" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze/openssh" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/openssh" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-2894" ); script_set_attribute( attribute:"solution", value: "Upgrade the openssh packages. For the oldstable distribution (squeeze), these problems have been fixed in version 1:5.5p1-6+squeeze5. For the stable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"openssh-client", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"openssh-client-udeb", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"openssh-server", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"openssh-server-udeb", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"ssh", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"ssh-askpass-gnome", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"6.0", prefix:"ssh-krb5", reference:"1:5.5p1-6+squeeze5")) flag++; if (deb_check(release:"7.0", prefix:"openssh-client", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openssh-client-udeb", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openssh-server", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"openssh-server-udeb", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"ssh", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"ssh-askpass-gnome", reference:"1:6.0p1-4+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"ssh-krb5", reference:"1:6.0p1-4+deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-095.NASL description Updated openssh packages fix security vulnerabilities : sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character (CVE-2014-2532). Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn last seen 2020-06-01 modified 2020-06-02 plugin id 82348 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82348 title Mandriva Linux Security Advisory : openssh (MDVSA-2015:095) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0038.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969) - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816) - SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500) - Add missing dot in ssh manual page (#1197763) - Fix minor problems found by covscan/gcc (#1196063) - Add missing options in man ssh (#1197763) - Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251) - Correct freeing newkeys structure when privileged monitor exits (#1208584) - Fix problems with failing persistent connections (#1131585) - Fix memory leaks in auditing patch (#1208584) - Better approach to logging sftp commands in chroot - Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251) - Add missing ControlPersist option to man ssh (#1197763) - Add sftp option to force mode of created files (#1191055) - Do not load RSA1 keys in FIPS mode (#1197072) - Add missing support for ECDSA in ssh-keyscan (#1196331) - Fix coverity/gcc issues (#1196063) - Backport wildcard functionality for PermitOpen in sshd_config file (#1159055) - Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506) - Fix ControlPersist option with ProxyCommand (#1160487) - Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454) - Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449) - Fix printing of extensions in v01 certificates (#1093869) - Fix confusing audit trail for unsuccessful logins (#1127312) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 90076 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90076 title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-0425.NASL description From Red Hat Security Advisory 2015:0425 : Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 81725 published 2015-03-10 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81725 title Oracle Linux 7 : openssh (ELSA-2015-0425) NASL family Scientific Linux Local Security Checks NASL id SL_20150305_OPENSSH_ON_SL7_X.NASL description It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278) The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. Bug fixes : - An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user last seen 2020-03-18 modified 2015-03-26 plugin id 82258 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82258 title Scientific Linux Security Update : openssh on SL7.x x86_64 (20150305) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2014-293-01.NASL description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 78588 published 2014-10-21 reporter This script is Copyright (C) 2014 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78588 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2014-293-01) NASL family Fedora Local Security Checks NASL id FEDORA_2014-6380.NASL description - environment variables with embedded last seen 2020-03-17 modified 2014-05-22 plugin id 74133 published 2014-05-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74133 title Fedora 20 : openssh-6.4p1-4.fc20 (2014-6380) NASL family Scientific Linux Local Security Checks NASL id SL_20141014_OPENSSH_ON_SL6_X.NASL description It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653) It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions. (CVE-2014-2532) This update also fixes the following bugs : - Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons. - Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected. - Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service. - When keys provided by the pkcs11 library were removed from the ssh agent using the last seen 2020-03-18 modified 2014-10-23 plugin id 78641 published 2014-10-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78641 title Scientific Linux Security Update : openssh on SL6.x i386/x86_64 (20141014) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL15780.NASL description CVE-2014-2653 The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. CVE-2014-2532 sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. last seen 2020-06-01 modified 2020-06-02 plugin id 91617 published 2016-06-15 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91617 title F5 Networks BIG-IP : OpenSSH vulnerabilities (K15780) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1552.NASL description Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 78413 published 2014-10-14 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78413 title RHEL 6 : openssh (RHSA-2014:1552)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://advisories.mageia.org/MGASA-2014-0166.html
- http://aix.software.ibm.com/aix/efixes/security/openssh_advisory4.asc
- http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134026.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133537.html
- http://marc.info/?l=bugtraq&m=141576985122836&w=2
- http://openwall.com/lists/oss-security/2014/03/26/7
- http://rhn.redhat.com/errata/RHSA-2014-1552.html
- http://rhn.redhat.com/errata/RHSA-2015-0425.html
- http://secunia.com/advisories/59855
- http://www.debian.org/security/2014/dsa-2894
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:068
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:095
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/66459
- http://www.ubuntu.com/usn/USN-2164-1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742513