Vulnerabilities > CVE-2016-0787 - Information Exposure vulnerability in multiple products

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
fedoraproject
opensuse
libssh2
debian
CWE-200
nessus
NVD
Published: 2016-04-13
Updated: 2018-10-30

Summary

The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."

Vulnerable Configurations

Part Description Count
OS
Fedoraproject
2
OS
Opensuse
1
OS
Debian
2
Application
Libssh2
34

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-683.NASL
    descriptionA type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
    last seen2020-06-01
    modified2020-06-02
    plugin id90365
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90365
    titleAmazon Linux AMI : libssh2 (ALAS-2016-683)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2016-683.
#

include("compat.inc");

if (description)
{
  script_id(90365);
  script_version("2.4");
  script_cvs_date("Date: 2018/04/18 15:09:35");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"ALAS", value:"2016-683");

  script_name(english:"Amazon Linux AMI : libssh2 (ALAS-2016-683)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A type confusion issue was found in the way libssh2 generated
ephemeral secrets for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less secure random
parameters."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2016-683.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update libssh2' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libssh2-docs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"libssh2-1.4.2-2.13.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libssh2-debuginfo-1.4.2-2.13.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libssh2-devel-1.4.2-2.13.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"libssh2-docs-1.4.2-2.13.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs");
}
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-388.NASL
    descriptionThis update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2016-03-25
    plugin id90166
    published2016-03-25
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/90166
    titleopenSUSE Security Update : libssh2_org (openSUSE-2016-388)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-388.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(90166);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-0787");

  script_name(english:"openSUSE Security Update : libssh2_org (openSUSE-2016-388)");
  script_summary(english:"Check for the openSUSE-2016-388 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for libssh2_org fixes the following issues :

Security issue fixed :

  - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman
    secret key generation lead to much shorter DH groups
    then needed, which could be used to retrieve server
    keys.

A feature was added :

  - Support of SHA256 digests for DH group exchanges was
    added (fate#320343, bsc#961964)

Bug fixed :

  - Properly detect EVP_aes_128_ctr at configure time
    (bsc#933336)

This update was imported from the SUSE:SLE-12:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=933336"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=961964"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=967026"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2_org packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-1-debuginfo-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libssh2_org-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.1", reference:"libssh2-1-1.4.3-12.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libssh2-1-debuginfo-1.4.3-12.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libssh2-devel-1.4.3-12.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"libssh2_org-debugsource-1.4.3-12.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-12.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-12.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2-1 / libssh2-1-32bit / libssh2-1-debuginfo / etc");
}
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0718-1.NASL
    descriptionThis update for libssh2_org fixes the following issues : Security issue fixed : - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. A feature was added : - Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964) Bug fixed : - Properly detect EVP_aes_128_ctr at configure time (bsc#933336) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id89922
    published2016-03-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89922
    titleSUSE SLED12 / SLES12 Security Update : libssh2_org (SUSE-SU-2016:0718-1)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2016:0718-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(89922);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/11 11:22:13");

  script_cve_id("CVE-2016-0787");

  script_name(english:"SUSE SLED12 / SLES12 Security Update : libssh2_org (SUSE-SU-2016:0718-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for libssh2_org fixes the following issues :

Security issue fixed :

  - CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman
    secret key generation lead to much shorter DH groups
    then needed, which could be used to retrieve server
    keys.

A feature was added :

  - Support of SHA256 digests for DH group exchanges was
    added (fate#320343, bsc#961964)

Bug fixed :

  - Properly detect EVP_aes_128_ctr at configure time
    (bsc#933336)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=933336"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=961964"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=967026"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-0787/"
  );
  # https://www.suse.com/support/update/announcement/2016/suse-su-20160718-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?06984241"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP1 :

zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-413=1

SUSE Linux Enterprise Software Development Kit 12 :

zypper in -t patch SUSE-SLE-SDK-12-2016-413=1

SUSE Linux Enterprise Server 12-SP1 :

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-413=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2016-413=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-413=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-413=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2-1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2-1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libssh2_org-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP0/1", os_ver + " SP" + sp);


flag = 0;
if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-debuginfo-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2-1-debuginfo-32bit-1.4.3-16.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"libssh2_org-debugsource-1.4.3-16.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2_org");
}
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1005.NASL
    descriptionAccording to the version of the libssh2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99768
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99768
    titleEulerOS 2.0 SP1 : libssh2 (EulerOS-SA-2016-1005)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99768);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2016-0787"
  );

  script_name(english:"EulerOS 2.0 SP1 : libssh2 (EulerOS-SA-2016-1005)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the libssh2 package installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :

  - A type confusion issue was found in the way libssh2
    generated ephemeral secrets for the
    diffie-hellman-group1 and diffie-hellman-group14 key
    exchange methods. This would cause an SSHv2
    Diffie-Hellman handshake to use significantly less
    secure random parameters. (CVE-2016-0787)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1005
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7cb8949");
  script_set_attribute(attribute:"solution", value:
"Update the affected libssh2 package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libssh2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libssh2-1.4.3-10.1"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-7942EE2CC5.NASL
    descriptionDuring the SSHv2 handshake when libssh2 is to get a suitable value for
    last seen2020-06-05
    modified2016-03-10
    plugin id89802
    published2016-03-10
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89802
    titleFedora 22 : libssh2-1.5.0-2.fc22 (2016-7942ee2cc5)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2016-7942ee2cc5.
#

include("compat.inc");

if (description)
{
  script_id(89802);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"FEDORA", value:"2016-7942ee2cc5");

  script_name(english:"Fedora 22 : libssh2-1.5.0-2.fc22 (2016-7942ee2cc5)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"During the SSHv2 handshake when libssh2 is to get a suitable value for
'group order' in the Diffle Hellman negotiation, it would pass in
number of bytes to a function that expected number of bits. This would
result in the library generating numbers using only an 8th the number
of random bits than what were intended: 128 or 256 bits instead of
1023 or 2047 Using such drastically reduced amount of random bits for
Diffie Hellman weakened the handshake security significantly. The
Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2016-0787 to this issue.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1306021"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178573.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?567b4046"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libssh2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC22", reference:"libssh2-1.5.0-2.fc22")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2");
}
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-426.NASL
    descriptionAndreas Schneider reported that libssh2, an SSH2 protocol implementation used by many applications, did not generate sufficiently long Diffie-Hellman secrets. This vulnerability could be exploited by an eavesdropper to decrypt and to intercept SSH sessions. For the oldoldstable distribution (squeeze), this has been fixed in version 1.2.6-1+deb6u2. Although the changelog refers to
    last seen2020-03-17
    modified2016-02-24
    plugin id88914
    published2016-02-24
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/88914
    titleDebian DLA-426-1 : libssh2 security update
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-426-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(88914);
  script_version("2.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2016-0787");

  script_name(english:"Debian DLA-426-1 : libssh2 security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Andreas Schneider reported that libssh2, an SSH2 protocol
implementation used by many applications, did not generate
sufficiently long Diffie-Hellman secrets.

This vulnerability could be exploited by an eavesdropper to decrypt
and to intercept SSH sessions.

For the oldoldstable distribution (squeeze), this has been fixed in
version 1.2.6-1+deb6u2. Although the changelog refers to 'sha256',
this version only supports DH SHA-1 key exchange and it is that key
exchange method that has been fixed.

For the oldstable (wheezy) and stable (jessie) distributions, this
will be fixed soon.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2016/02/msg00018.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/libssh2"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libssh2-1-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"libssh2-1", reference:"1.2.6-1+deb6u2")) flag++;
if (deb_check(release:"6.0", prefix:"libssh2-1-dbg", reference:"1.2.6-1+deb6u2")) flag++;
if (deb_check(release:"6.0", prefix:"libssh2-1-dev", reference:"1.2.6-1+deb6u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-0428.NASL
    descriptionUpdated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id89849
    published2016-03-11
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89849
    titleCentOS 6 / 7 : libssh2 (CESA-2016:0428)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2016:0428 and 
# CentOS Errata and Security Advisory 2016:0428 respectively.
#

include("compat.inc");

if (description)
{
  script_id(89849);
  script_version("2.9");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"RHSA", value:"2016:0428");

  script_name(english:"CentOS 6 / 7 : libssh2 (CESA-2016:0428)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated libssh2 packages that fix one security issue are now available
for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The libssh2 packages provide a library that implements the SSHv2
protocol.

A type confusion issue was found in the way libssh2 generated
ephemeral secrets for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less secure random
parameters. (CVE-2016-0787)

Red Hat would like to thank Aris Adamantiadis for reporting this
issue.

All libssh2 users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After
installing these updated packages, all running applications using
libssh2 must be restarted for this update to take effect."
  );
  # https://lists.centos.org/pipermail/centos-announce/2016-March/021726.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?fa47b59d"
  );
  # https://lists.centos.org/pipermail/centos-announce/2016-March/021727.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d1ccf498"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0787");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libssh2-docs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x / 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"CentOS-6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;

if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-devel / libssh2-docs");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-215A2219B1.NASL
    descriptionDuring the SSHv2 handshake when libssh2 is to get a suitable value for
    last seen2020-06-05
    modified2016-03-04
    plugin id89491
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89491
    titleFedora 23 : libssh2-1.6.0-4.fc23 (2016-215a2219b1)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2016-215a2219b1.
#

include("compat.inc");

if (description)
{
  script_id(89491);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"FEDORA", value:"2016-215a2219b1");

  script_name(english:"Fedora 23 : libssh2-1.6.0-4.fc23 (2016-215a2219b1)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"During the SSHv2 handshake when libssh2 is to get a suitable value for
'group order' in the Diffle Hellman negotiation, it would pass in
number of bytes to a function that expected number of bits. This would
result in the library generating numbers using only an 8th the number
of random bits than what were intended: 128 or 256 bits instead of
1023 or 2047 Using such drastically reduced amount of random bits for
Diffie Hellman weakened the handshake security significantly. The
Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2016-0787 to this issue.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1306021"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177980.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?08d11e0e"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2 package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libssh2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC23", reference:"libssh2-1.6.0-4.fc23")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2");
}
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-0428.NASL
    descriptionFrom Red Hat Security Advisory 2016:0428 : Updated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id89858
    published2016-03-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89858
    titleOracle Linux 6 / 7 : libssh2 (ELSA-2016-0428)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0428 and 
# Oracle Linux Security Advisory ELSA-2016-0428 respectively.
#

include("compat.inc");

if (description)
{
  script_id(89858);
  script_version("2.7");
  script_cvs_date("Date: 2019/09/27 13:00:36");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"RHSA", value:"2016:0428");

  script_name(english:"Oracle Linux 6 / 7 : libssh2 (ELSA-2016-0428)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2016:0428 :

Updated libssh2 packages that fix one security issue are now available
for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The libssh2 packages provide a library that implements the SSHv2
protocol.

A type confusion issue was found in the way libssh2 generated
ephemeral secrets for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less secure random
parameters. (CVE-2016-0787)

Red Hat would like to thank Aris Adamantiadis for reporting this
issue.

All libssh2 users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After
installing these updated packages, all running applications using
libssh2 must be restarted for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005851.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005852.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected libssh2 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libssh2-docs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"EL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"EL6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;

if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-devel / libssh2-docs");
}
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20160310_LIBSSH2_ON_SL6_X.NASL
    descriptionA type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
    last seen2020-03-18
    modified2016-03-11
    plugin id89863
    published2016-03-11
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89863
    titleScientific Linux Security Update : libssh2 on SL6.x, SL7.x i386/x86_64 (20160310)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(89863);
  script_version("2.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");

  script_cve_id("CVE-2016-0787");

  script_name(english:"Scientific Linux Security Update : libssh2 on SL6.x, SL7.x i386/x86_64 (20160310)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A type confusion issue was found in the way libssh2 generated
ephemeral secrets for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less secure random
parameters. (CVE-2016-0787)

After installing these updated packages, all running applications
using libssh2 must be restarted for this update to take effect."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1603&L=scientific-linux-errata&F=&S=&P=4184
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?eae86def"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libssh2-docs");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"SL6", reference:"libssh2-debuginfo-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"SL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++;
if (rpm_check(release:"SL6", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;

if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-debuginfo-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++;
if (rpm_check(release:"SL7", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs");
}
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-0428.NASL
    descriptionUpdated libssh2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The libssh2 packages provide a library that implements the SSHv2 protocol. A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters. (CVE-2016-0787) Red Hat would like to thank Aris Adamantiadis for reporting this issue. All libssh2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing these updated packages, all running applications using libssh2 must be restarted for this update to take effect.
    last seen2020-06-01
    modified2020-06-02
    plugin id89820
    published2016-03-10
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89820
    titleRHEL 6 / 7 : libssh2 (RHSA-2016:0428)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2016:0428. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89820);
  script_version("2.13");
  script_cvs_date("Date: 2019/10/24 15:35:41");

  script_cve_id("CVE-2016-0787");
  script_xref(name:"RHSA", value:"2016:0428");

  script_name(english:"RHEL 6 / 7 : libssh2 (RHSA-2016:0428)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated libssh2 packages that fix one security issue are now available
for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

The libssh2 packages provide a library that implements the SSHv2
protocol.

A type confusion issue was found in the way libssh2 generated
ephemeral secrets for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less secure random
parameters. (CVE-2016-0787)

Red Hat would like to thank Aris Adamantiadis for reporting this
issue.

All libssh2 users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After
installing these updated packages, all running applications using
libssh2 must be restarted for this update to take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2016:0428"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-0787"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libssh2-docs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2016:0428";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", reference:"libssh2-1.4.2-2.el6_7.1")) flag++;

  if (rpm_check(release:"RHEL6", reference:"libssh2-debuginfo-1.4.2-2.el6_7.1")) flag++;

  if (rpm_check(release:"RHEL6", reference:"libssh2-devel-1.4.2-2.el6_7.1")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;

  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libssh2-docs-1.4.2-2.el6_7.1")) flag++;


  if (rpm_check(release:"RHEL7", reference:"libssh2-1.4.3-10.el7_2.1")) flag++;

  if (rpm_check(release:"RHEL7", reference:"libssh2-debuginfo-1.4.3-10.el7_2.1")) flag++;

  if (rpm_check(release:"RHEL7", reference:"libssh2-devel-1.4.3-10.el7_2.1")) flag++;

  if (rpm_check(release:"RHEL7", reference:"libssh2-docs-1.4.3-10.el7_2.1")) flag++;


  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2 / libssh2-debuginfo / libssh2-devel / libssh2-docs");
  }
}
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1393.NASL
    descriptionAccording to the versions of the libssh2 package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.(CVE-2016-0787) - An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3856) - A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.(CVE-2019-3863) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3855) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3857) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124896
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124896
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : libssh2 (EulerOS-SA-2019-1393)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1429.NASL
    descriptionAccording to the versions of the libssh2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.(CVE-2016-0787) - A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client.(CVE-2015-1782) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3857) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3862) - An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3856) - A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.(CVE-2019-3863) - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3855) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3858) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3859) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3860) - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3861) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124932
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124932
    titleEulerOS Virtualization 3.0.1.0 : libssh2 (EulerOS-SA-2019-1429)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL21531693.NASL
    descriptionThe diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id92876
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92876
    titleF5 Networks BIG-IP : libssh2 vulnerability (K21531693)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201606-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201606-12 (libssh and libssh2: Multiple vulnerabilities) libssh and libssh2 both have a bits/bytes confusion bug and generate an abnormaly short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. Additionally, a double free on dangling pointers in initial key exchange packets within libssh could leave dangling pointers in the session crypto structures. It is possible to send a malicious kexinit package to eventually cause a server to do a double-free before this fix. This could be used for a Denial of Service attack. Impact : Remote attackers may gain access to confidential information due to the short keysize generated by libssh and libssh2, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id91843
    published2016-06-27
    reporterThis script is Copyright (C) 2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91843
    titleGLSA-201606-12 : libssh and libssh2: Multiple vulnerabilities
  • NASL familyMisc.
    NASL idSECURITYCENTER_5_4.NASL
    descriptionAccording to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.0. It is, therefore, affected by multiple vulnerabilities : - An arbitrary code execution vulnerability exists in the bundled version of libcurl due to using an insecure path to look for specific libraries, including the current working directory, which may not be under user control. A remote attacker can exploit this to inject and execute arbitrary code in the context of the current user. (CVE-2016-4802) - Multiple flaws exist in the bundled version of libssh due to a failure to securely generate Diffie-Hellman secret keys. A man-in-the-middle attacker can exploit these flaws to intercept and decrypt SSH sessions. (CVE-2016-0739, CVE-2016-0787) - An integer overflow condition exists in the bundled version of libcurl due to improper validation of user-supplied input when handling
    last seen2020-06-01
    modified2020-06-02
    plugin id92558
    published2016-07-26
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92558
    titleTenable SecurityCenter < 5.4.0 Multiple Vulnerabilities (TNS-2016-12)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-295.NASL
    descriptionThis update for libssh2_org fixes the following issues : - fix CVE-2016-0787 (boo#967026) - Weakness in diffie-hellman secret key generation - add CVE-2016-0787.patch
    last seen2020-06-05
    modified2016-03-04
    plugin id89652
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89652
    titleopenSUSE Security Update : libssh2_org (openSUSE-2016-295)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3487.NASL
    descriptionAndreas Schneider reported that libssh2, a SSH2 client-side library, passes the number of bytes to a function that expects number of bits during the SSHv2 handshake when libssh2 is to get a suitable value for
    last seen2020-06-01
    modified2020-06-02
    plugin id88915
    published2016-02-24
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88915
    titleDebian DSA-3487-1 : libssh2 - security update
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0035.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787) - fix basic functionality of libssh2 in FIPS mode (#968575)
    last seen2020-06-01
    modified2020-06-02
    plugin id89860
    published2016-03-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89860
    titleOracleVM 3.3 / 3.4 : libssh2 (OVMSA-2016-0035)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-0723-1.NASL
    descriptionThis update for libssh2_org fixes the following issues : - Add SHA256 support for DH group exchange (fate#320343, bsc#961964) - fix CVE-2016-0787 (bsc#967026) - Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id89923
    published2016-03-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89923
    titleSUSE SLED11 / SLES11 Security Update : libssh2_org (SUSE-SU-2016:0723-1)

Redhat

advisories
bugzilla
id1306021
titleCVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentlibssh2 is earlier than 0:1.4.2-2.el6_7.1
          ovaloval:com.redhat.rhsa:tst:20160428001
        • commentlibssh2 is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140006
      • AND
        • commentlibssh2-devel is earlier than 0:1.4.2-2.el6_7.1
          ovaloval:com.redhat.rhsa:tst:20160428003
        • commentlibssh2-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140004
      • AND
        • commentlibssh2-docs is earlier than 0:1.4.2-2.el6_7.1
          ovaloval:com.redhat.rhsa:tst:20160428005
        • commentlibssh2-docs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140002
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentlibssh2-docs is earlier than 0:1.4.3-10.el7_2.1
          ovaloval:com.redhat.rhsa:tst:20160428008
        • commentlibssh2-docs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140002
      • AND
        • commentlibssh2-devel is earlier than 0:1.4.3-10.el7_2.1
          ovaloval:com.redhat.rhsa:tst:20160428009
        • commentlibssh2-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140004
      • AND
        • commentlibssh2 is earlier than 0:1.4.3-10.el7_2.1
          ovaloval:com.redhat.rhsa:tst:20160428010
        • commentlibssh2 is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152140006
rhsa
idRHSA-2016:0428
released2016-03-10
severityModerate
titleRHSA-2016:0428: libssh2 security update (Moderate)
rpms
  • libssh2-0:1.4.2-2.el6_7.1
  • libssh2-0:1.4.3-10.el7_2.1
  • libssh2-debuginfo-0:1.4.2-2.el6_7.1
  • libssh2-debuginfo-0:1.4.3-10.el7_2.1
  • libssh2-devel-0:1.4.2-2.el6_7.1
  • libssh2-devel-0:1.4.3-10.el7_2.1
  • libssh2-docs-0:1.4.2-2.el6_7.1
  • libssh2-docs-0:1.4.3-10.el7_2.1

References