Vulnerabilities > CVE-2016-0787 - Information Exposure vulnerability in multiple products

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

nessus

NVD

Published: 2016-04-13

Updated: 2018-10-30

Summary

The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

Vulnerable Configurations

Part	Description	Count
OS	Fedoraproject Fedoraproject Fedora 22 Fedoraproject Fedora 23	2
OS	Opensuse Opensuse Opensuse 13.2	1
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 7.0	2
Application	Libssh2 Libssh2 Libssh2 - Libssh2 Libssh2 0.1 Libssh2 Libssh2 0.3 Libssh2 Libssh2 0.5 Libssh2 Libssh2 0.6 Libssh2 Libssh2 0.7 Libssh2 Libssh2 0.8 Libssh2 Libssh2 0.10 Libssh2 Libssh2 0.11 Libssh2 Libssh2 0.12 Libssh2 Libssh2 0.13 Libssh2 Libssh2 0.14 Libssh2 Libssh2 0.15 Libssh2 Libssh2 0.16 Libssh2 Libssh2 0.17 Libssh2 Libssh2 0.18 Libssh2 Libssh2 1.0 Libssh2 Libssh2 1.1 Libssh2 Libssh2 1.2 Libssh2 Libssh2 1.2.1 Libssh2 Libssh2 1.2.2 Libssh2 Libssh2 1.2.3 Libssh2 Libssh2 1.2.4 Libssh2 Libssh2 1.2.5 Libssh2 Libssh2 1.2.6 Libssh2 Libssh2 1.2.7 Libssh2 Libssh2 1.2.8 Libssh2 Libssh2 1.2.9 Libssh2 Libssh2 1.3.0 Libssh2 Libssh2 1.4.0 Libssh2 Libssh2 1.4.1 Libssh2 Libssh2 1.4.2 Libssh2 Libssh2 1.4.3 Libssh2 Libssh2 1.5.0 Libssh2 Libssh2 1.6.0	35

Common Weakness Enumeration (CWE)

CWE-200 - Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Footprinting
An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
Exploiting Trust in Client (aka Make the Client Invisible)
An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
Browser Fingerprinting
An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2016-683.NASL
description	A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
last seen	2020-06-01
modified	2020-06-02
plugin id	90365
published	2016-04-07
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90365
title	Amazon Linux AMI : libssh2 (ALAS-2016-683)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2016-683. # include("compat.inc"); if (description) { script_id(90365); script_version("2.4"); script_cvs_date("Date: 2018/04/18 15:09:35"); script_cve_id("CVE-2016-0787"); script_xref(name:"ALAS", value:"2016-683"); script_name(english:"Amazon Linux AMI : libssh2 (ALAS-2016-683)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-683.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update libssh2' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-docs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) \|\| !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A\|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"libssh2-1.4.2-2.13.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"libssh2-debuginfo-1.4.2-2.13.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"libssh2-devel-1.4.2-2.13.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"libssh2-docs-1.4.2-2.13.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs"); }

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-388.NASL
description	This update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) This update was imported from the SUSE:SLE-12:Update update project.
last seen	2020-06-05
modified	2016-03-25
plugin id	90166
published	2016-03-25
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90166
title	openSUSE Security Update : libssh2_org (openSUSE-2016-388)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-388. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(90166); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-0787"); script_name(english:"openSUSE Security Update : libssh2_org (openSUSE-2016-388)"); script_summary(english:"Check for the openSUSE-2016-388 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=933336" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=961964" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=967026" ); script_set_attribute( attribute:"solution", value:"Update the affected libssh2_org packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2_org-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.1", reference:"libssh2-1-1.4.3-12.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libssh2-1-debuginfo-1.4.3-12.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libssh2-devel-1.4.3-12.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"libssh2_org-debugsource-1.4.3-12.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-12.1") ) flag++; if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-12.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2-1 / libssh2-1-32bit / libssh2-1-debuginfo / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-0718-1.NASL
description	This update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	89922
published	2016-03-14
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89922
title	SUSE SLED12 / SLES12 Security Update : libssh2_org (SUSE-SU-2016:0718-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:0718-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(89922); script_version("2.11"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2016-0787"); script_name(english:"SUSE SLED12 / SLES12 Security Update : libssh2_org (SUSE-SU-2016:0718-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=933336" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=961964" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=967026" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-0787/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20160718-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?06984241" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP1 : zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-413=1 SUSE Linux Enterprise Software Development Kit 12 : zypper in -t patch SUSE-SLE-SDK-12-2016-413=1 SUSE Linux Enterprise Server 12-SP1 : zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-413=1 SUSE Linux Enterprise Server 12 : zypper in -t patch SUSE-SLE-SERVER-12-2016-413=1 SUSE Linux Enterprise Desktop 12-SP1 : zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-413=1 SUSE Linux Enterprise Desktop 12 : zypper in -t patch SUSE-SLE-DESKTOP-12-2016-413=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2-1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2-1-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2_org-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12\|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0\|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(0\|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP0/1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2_org"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2016-1005.NASL
description	According to the version of the libssh2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2017-05-01
plugin id	99768
published	2017-05-01
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99768
title	EulerOS 2.0 SP1 : libssh2 (EulerOS-SA-2016-1005)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99768); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2016-0787" ); script_name(english:"EulerOS 2.0 SP1 : libssh2 (EulerOS-SA-2016-1005)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the libssh2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1005 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7cb8949"); script_set_attribute(attribute:"solution", value: "Update the affected libssh2 package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libssh2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["libssh2-1.4.3-10.1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-7942EE2CC5.NASL
description	During the SSHv2 handshake when libssh2 is to get a suitable value for
last seen	2020-06-05
modified	2016-03-10
plugin id	89802
published	2016-03-10
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/89802
title	Fedora 22 : libssh2-1.5.0-2.fc22 (2016-7942ee2cc5)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-7942ee2cc5. # include("compat.inc"); if (description) { script_id(89802); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-0787"); script_xref(name:"FEDORA", value:"2016-7942ee2cc5"); script_name(english:"Fedora 22 : libssh2-1.5.0-2.fc22 (2016-7942ee2cc5)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047 Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1306021" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178573.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?567b4046" ); script_set_attribute( attribute:"solution", value:"Update the affected libssh2 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libssh2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"libssh2-1.5.0-2.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-426.NASL
description	Andreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets. This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions. For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2. Although the changelog refers to
last seen	2020-03-17
modified	2016-02-24
plugin id	88914
published	2016-02-24
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/88914
title	Debian DLA-426-1 : libssh2 security update
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-426-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(88914); script_version("2.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-0787"); script_name(english:"Debian DLA-426-1 : libssh2 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Andreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets. This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions. For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2. Although the changelog refers to 'sha256', this version only supports DH SHA-1 key exchange and it is that key exchange method that has been fixed. For the oldstable (wheezy) and stable (jessie) distributions, this will be fixed soon. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/02/msg00018.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/libssh2" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1-dev"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/02/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"libssh2-1", reference:"1.2.6-1+deb6u2")) flag++; if (deb_check(release:"6.0", prefix:"libssh2-1-dbg", reference:"1.2.6-1+deb6u2")) flag++; if (deb_check(release:"6.0", prefix:"libssh2-1-dev", reference:"1.2.6-1+deb6u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2016-0428.NASL
description	Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	89849
published	2016-03-11
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89849
title	CentOS 6 / 7 : libssh2 (CESA-2016:0428)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0428 and # CentOS Errata and Security Advisory 2016:0428 respectively. # include("compat.inc"); if (description) { script_id(89849); script_version("2.9"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2016-0787"); script_xref(name:"RHSA", value:"2016:0428"); script_name(english:"CentOS 6 / 7 : libssh2 (CESA-2016:0428)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect." ); # https://lists.centos.org/pipermail/centos-announce/2016-March/021726.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?fa47b59d" ); # https://lists.centos.org/pipermail/centos-announce/2016-March/021727.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d1ccf498" ); script_set_attribute( attribute:"solution", value:"Update the affected libssh2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0787"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2-docs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(6\|7)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x / 7.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"CentOS-6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"CentOS-6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-devel / libssh2-docs"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-215A2219B1.NASL
description	During the SSHv2 handshake when libssh2 is to get a suitable value for
last seen	2020-06-05
modified	2016-03-04
plugin id	89491
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/89491
title	Fedora 23 : libssh2-1.6.0-4.fc23 (2016-215a2219b1)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-215a2219b1. # include("compat.inc"); if (description) { script_id(89491); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-0787"); script_xref(name:"FEDORA", value:"2016-215a2219b1"); script_name(english:"Fedora 23 : libssh2-1.6.0-4.fc23 (2016-215a2219b1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "During the SSHv2 handshake when libssh2 is to get a suitable value for 'group order' in the Diffle Hellman negotiation, it would pass in number of bytes to a function that expected number of bits. This would result in the library generating numbers using only an 8th the number of random bits than what were intended: 128 or 256 bits instead of 1023 or 2047 Using such drastically reduced amount of random bits for Diffie Hellman weakened the handshake security significantly. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-0787 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1306021" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177980.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?08d11e0e" ); script_set_attribute( attribute:"solution", value:"Update the affected libssh2 package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libssh2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23"); script_set_attribute(attribute:"patch_publication_date", value:"2016/02/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^23([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC23", reference:"libssh2-1.6.0-4.fc23")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2"); }

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2016-0428.NASL
description	From Red Hat Security Advisory 2016:0428 : Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	89858
published	2016-03-11
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89858
title	Oracle Linux 6 / 7 : libssh2 (ELSA-2016-0428)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0428 and # Oracle Linux Security Advisory ELSA-2016-0428 respectively. # include("compat.inc"); if (description) { script_id(89858); script_version("2.7"); script_cvs_date("Date: 2019/09/27 13:00:36"); script_cve_id("CVE-2016-0787"); script_xref(name:"RHSA", value:"2016:0428"); script_name(english:"Oracle Linux 6 / 7 : libssh2 (ELSA-2016-0428)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2016:0428 : Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005851.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005852.html" ); script_set_attribute( attribute:"solution", value:"Update the affected libssh2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2-docs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| !pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(6\|7)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"EL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"EL6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-devel / libssh2-docs"); }

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20160310_LIBSSH2_ON_SL6_X.NASL
description	A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
last seen	2020-03-18
modified	2016-03-11
plugin id	89863
published	2016-03-11
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89863
title	Scientific Linux Security Update : libssh2 on SL6.x, SL7.x i386/x86_64 (20160310)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(89863); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2016-0787"); script_name(english:"Scientific Linux Security Update : libssh2 on SL6.x, SL7.x i386/x86_64 (20160310)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1603&L=scientific-linux-errata&F=&S=&P=4184 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?eae86def" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-docs"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"SL6", reference:"libssh2-debuginfo-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"SL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"SL6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-debuginfo-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"SL7", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2016-0428.NASL
description	Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	89820
published	2016-03-10
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89820
title	RHEL 6 / 7 : libssh2 (RHSA-2016:0428)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0428. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(89820); script_version("2.13"); script_cvs_date("Date: 2019/10/24 15:35:41"); script_cve_id("CVE-2016-0787"); script_xref(name:"RHSA", value:"2016:0428"); script_name(english:"RHEL 6 / 7 : libssh2 (RHSA-2016:0428)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2016:0428" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-0787" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-docs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(6\|7)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2016:0428"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL6", reference:"libssh2-debuginfo-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++; if (rpm_check(release:"RHEL7", reference:"libssh2-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"RHEL7", reference:"libssh2-debuginfo-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"RHEL7", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++; if (rpm_check(release:"RHEL7", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs"); } }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1393.NASL
description	According to the versions of the libssh2 package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.(CVE-2016-0787) - An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3856) - A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.(CVE-2019-3863) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3855) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3857) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	124896
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124896
title	EulerOS Virtualization for ARM 64 3.0.1.0 : libssh2 (EulerOS-SA-2019-1393)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1429.NASL
description	According to the versions of the libssh2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.(CVE-2016-0787) - A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client.(CVE-2015-1782) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3857) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3862) - An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3856) - A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.(CVE-2019-3863) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3855) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3858) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3859) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3860) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3861) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	124932
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124932
title	EulerOS Virtualization 3.0.1.0 : libssh2 (EulerOS-SA-2019-1429)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL21531693.NASL
description	The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a
last seen	2020-06-01
modified	2020-06-02
plugin id	92876
published	2016-08-12
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92876
title	F5 Networks BIG-IP : libssh2 vulnerability (K21531693)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201606-12.NASL
description	The remote host is affected by the vulnerability described in GLSA-201606-12 (libssh and libssh2: Multiple vulnerabilities) libssh and libssh2 both have a bits/bytes confusion bug and generate an abnormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Additionally, a double free on dangling pointers in initial key exchange packets within libssh could leave dangling pointers in the session crypto structures. It is possible to send a malicious kexinit package to eventually cause a server to do a double-free before this fix. This could be used for a Denial of Service attack. Impact : Remote attackers may gain access to confidential information due to the short keysize generated by libssh and libssh2, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	91843
published	2016-06-27
reporter	This script is Copyright (C) 2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/91843
title	GLSA-201606-12 : libssh and libssh2: Multiple vulnerabilities

NASL family	Misc.
NASL id	SECURITYCENTER_5_4.NASL
description	According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.0. It is, therefore, affected by multiple vulnerabilities : - An arbitrary code execution vulnerability exists in the bundled version of libcurl due to using an insecure path to look for specific libraries, including the current working directory, which may not be under user control. A remote attacker can exploit this to inject and execute arbitrary code in the context of the current user. (CVE-2016-4802) - Multiple flaws exist in the bundled version of libssh due to a failure to securely generate Diffie-Hellman secret keys. A man-in-the-middle attacker can exploit these flaws to intercept and decrypt SSH sessions. (CVE-2016-0739, CVE-2016-0787) - An integer overflow condition exists in the bundled version of libcurl due to improper validation of user-supplied input when handling
last seen	2020-06-01
modified	2020-06-02
plugin id	92558
published	2016-07-26
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92558
title	Tenable SecurityCenter < 5.4.0 Multiple Vulnerabilities (TNS-2016-12)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-295.NASL
description	This update for libssh2_org fixes the following issues : - fix CVE-2016-0787 (boo#967026) - Weakness in diffie-hellman secret key generation - add CVE-2016-0787.patch
last seen	2020-06-05
modified	2016-03-04
plugin id	89652
published	2016-03-04
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/89652
title	openSUSE Security Update : libssh2_org (openSUSE-2016-295)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3487.NASL
description	Andreas Schneider reported that libssh2, a SSH2 client-side library, passes the number of bytes to a function that expects number of bits during the SSHv2 handshake when libssh2 is to get a suitable value for
last seen	2020-06-01
modified	2020-06-02
plugin id	88915
published	2016-02-24
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/88915
title	Debian DSA-3487-1 : libssh2 - security update

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2016-0035.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) - fix basic functionality of libssh2 in FIPS mode (#968575)
last seen	2020-06-01
modified	2020-06-02
plugin id	89860
published	2016-03-11
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89860
title	OracleVM 3.3 / 3.4 : libssh2 (OVMSA-2016-0035)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-0723-1.NASL
description	This update for libssh2_org fixes the following issues : - Add SHA256 support for DH group exchange (fate#320343, bsc#961964) - fix CVE-2016-0787 (bsc#967026) - Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	89923
published	2016-03-14
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/89923
title	SUSE SLED11 / SLES11 Security Update : libssh2_org (SUSE-SU-2016:0723-1)

Redhat

advisories

bugzilla

id	1306021
title	CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND
comment libssh2 is earlier than 0:1.4.2-2.el6_7.1
oval oval:com.redhat.rhsa:tst:20160428001
comment libssh2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140006
AND
comment libssh2-devel is earlier than 0:1.4.2-2.el6_7.1
oval oval:com.redhat.rhsa:tst:20160428003
comment libssh2-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140004
AND
comment libssh2-docs is earlier than 0:1.4.2-2.el6_7.1
oval oval:com.redhat.rhsa:tst:20160428005
comment libssh2-docs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140002

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment libssh2-docs is earlier than 0:1.4.3-10.el7_2.1
oval oval:com.redhat.rhsa:tst:20160428008
comment libssh2-docs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140002
AND
comment libssh2-devel is earlier than 0:1.4.3-10.el7_2.1
oval oval:com.redhat.rhsa:tst:20160428009
comment libssh2-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140004
AND
comment libssh2 is earlier than 0:1.4.3-10.el7_2.1
oval oval:com.redhat.rhsa:tst:20160428010
comment libssh2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20152140006

rhsa

id	RHSA-2016:0428
released	2016-03-10
severity	Moderate
title	RHSA-2016:0428: libssh2 security update (Moderate)

rpms

libssh2-0:1.4.2-2.el6_7.1
libssh2-0:1.4.3-10.el7_2.1
libssh2-debuginfo-0:1.4.2-2.el6_7.1
libssh2-debuginfo-0:1.4.3-10.el7_2.1
libssh2-devel-0:1.4.2-2.el6_7.1
libssh2-devel-0:1.4.3-10.el7_2.1
libssh2-docs-0:1.4.2-2.el6_7.1
libssh2-docs-0:1.4.3-10.el7_2.1

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References