CVE-2016-10708 - NULL Pointer Dereference vulnerability in multiple products

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2017-2029.NASL
description:
An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.

The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)

Security Fix(es):

* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)
* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)
* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)
* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)
* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

last seen: 2020-06-01
modified: 2020-06-02
plugin id: 102112
published: 2017-08-02
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102112
title: RHEL 7 : openssh (RHSA-2017:2029)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2029. The text
    # itself is copyright (C) Red Hat, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(102112);
      script_version("3.11");
      script_cvs_date("Date: 2019/10/24 15:35:43");

      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");

      script_name(english:"RHEL 7 : openssh (RHSA-2017:2029)");
      script_summary(english:"Checks the rpm output for the updated packages");

      script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:"An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.");
      # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3395ff0b");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2017:2029");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-6210");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-6515");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-10009");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-10011");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-10012");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-10708");
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo))
    {
      rhsa = "RHSA-2017:2029";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : yum_report
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;

      if (flag)
      {
        security_report_v4(
          port     : 0,
          severity : SECURITY_HOLE,
          extra    : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
      }
    }

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2017-2029.NASL
description:
From Red Hat Security Advisory 2017:2029:

An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.

The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)

Security Fix(es):

* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)
* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)
* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)
* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)
* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

last seen: 2020-06-01
modified: 2020-06-02
plugin id: 102296
published: 2017-08-09
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/102296
title: Oracle Linux 7 : openssh (ELSA-2017-2029)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2029 and
    # Oracle Linux Security Advisory ELSA-2017-2029 respectively.
    #

    include("compat.inc");

    if (description)
    {
      script_id(102296);
      script_version("3.4");
      script_cvs_date("Date: 2019/09/27 13:00:38");

      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");

      script_name(english:"Oracle Linux 7 : openssh (ELSA-2017-2029)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:"From Red Hat Security Advisory 2017:2029 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.");
      script_set_attribute(attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007091.html");
      script_set_attribute(attribute:"solution", value:"Update the affected openssh packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-2275-1.NASL
description:
This update for openssh fixes the following issues:

Security issues fixed:

- CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370).
- CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message (bsc#1076957).
- CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000).
- CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509).

Bug fixes:

- bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099)
- bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972)
- bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

last seen: 2020-06-01
modified: 2020-06-02
plugin id: 111639
published: 2018-08-10
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/111639
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2275-1.
    # The text itself is copyright (C) SUSE.
    #

    include("compat.inc");

    if (description)
    {
      script_id(111639);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:48");

      script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
      script_bugtraq_id(28444);

      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:"This update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYSmessage (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2008-1483/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10012/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10708/");
      script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-15906/");
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182275-1/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?26523b41");
      script_set_attribute(attribute:"solution", value:"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-openssh-13719=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-openssh-13719=1");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);

    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-36.3.1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }

NASL family Ubuntu Local Security Checks
NASL id UBUNTU_USN-3809-1.NASL
description Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10708) It was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2018-15473). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 118795
published 2018-11-07
reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/118795
title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : openssh vulnerabilities (USN-3809-1)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3809-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118795);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2016-10708", "CVE-2018-15473");
  script_xref(name:"USN", value:"3809-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : openssh vulnerabilities (USN-3809-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10708)
It was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2018-15473).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3809-1/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh-server package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"openssh-server", pkgver:"1:6.6p1-2ubuntu2.11")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"openssh-server", pkgver:"1:7.2p2-4ubuntu2.6")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"openssh-server", pkgver:"1:7.6p1-4ubuntu0.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-server");
}
NASL family SuSE Local Security Checks
NASL id SUSE_SU-2018-2530-1.NASL
description This update for openssh fixes the following issues: Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 112148
published 2018-08-28
reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/112148
title SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-1)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:2530-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(112148);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/10 13:51:48");

  script_cve_id("CVE-2016-10708");

  script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues:
Security issue fixed :
- CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-10708/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20182530-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6889ae1f"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.
Alternatively you can run the command listed for your product :
SUSE OpenStack Cloud 7:zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1766=1
SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1766=1
SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1766=1
SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2018-1766=1
OpenStack Cloud Magnum Orchestration 7:zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1766=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/28");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debuginfo-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debugsource-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-fips-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-debuginfo-7.2p2-74.25.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family CentOS Local Security Checks
NASL id CENTOS_RHSA-2017-2029.NASL
description An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)
Security Fix(es) :
* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)
* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)
* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)
* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)
* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
last seen 2020-06-01
modified 2020-06-02
plugin id 102751
published 2017-08-25
reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/102751
title CentOS 7 : openssh (CESA-2017:2029)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2017:2029 and
# CentOS Errata and Security Advisory 2017:2029 respectively.
#

include("compat.inc");

if (description)
{
  script_id(102751);
  script_version("3.6");
  script_cvs_date("Date: 2019/12/31");

  script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
  script_xref(name:"RHSA", value:"2017:2029");

  script_name(english:"CentOS 7 : openssh (CESA-2017:2029)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)
Security Fix(es) :
* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)
* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)
* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)
* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)
* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section."
  );
  # https://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?5ff4711b"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6515");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-cavs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server-sysvinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;

if (flag)
{
  cr_plugin_caveat = '\n' +
    'NOTE: The security advisory associated with this vulnerability has a\n' +
    'fixed package version that may only be available in the continuous\n' +
    'release (CR) repository for CentOS, until it is present in the next\n' +
    'point release of CentOS.\n\n' +
    'If an equal or higher package level does not exist in the baseline\n' +
    'repository for your major version of CentOS, then updates from the CR\n' +
    'repository will need to be applied in order to address the\n' +
    'vulnerability.\n';
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get() + cr_plugin_caveat
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
}
NASL family Huawei Local Security Checks
NASL id EULEROS_SA-2018-1254.NASL
description According to the version of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 117563
published 2018-09-18
reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/117563
title EulerOS Virtualization 2.5.0 : openssh (EulerOS-SA-2018-1254)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(117563);
  script_version("1.5");
  script_cvs_date("Date: 2019/06/28 11:31:59");

  script_cve_id(
    "CVE-2016-10708"
  );

  script_name(english:"EulerOS Virtualization 2.5.0 : openssh (EulerOS-SA-2018-1254)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :
- sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1254
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45fca2ed");
  script_set_attribute(attribute:"solution", value:
"Update the affected openssh package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.5.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.5.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.5.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["openssh-6.6.1p1-25.4.h6",
        "openssh-clients-6.6.1p1-25.4.h6",
        "openssh-keycat-6.6.1p1-25.4.h6",
        "openssh-server-6.6.1p1-25.4.h6"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family SuSE Local Security Checks
NASL id SUSE_SU-2018-2530-2.NASL
description This update for openssh fixes the following issues : Security issue fixed : CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 118285
published 2018-10-22
reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/118285
title SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-2)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:2530-2.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(118285);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/10 13:51:48");

  script_cve_id("CVE-2016-10708");

  script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-2)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues :
Security issue fixed :
CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957).
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-10708/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20182530-2/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?560ab79c"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.
Alternatively you can run the command listed for your product :
SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-1766=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-fips-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.25.1")) flag++;
if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.25.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family Huawei Local Security Checks
NASL id EULEROS_SA-2018-1068.NASL
description According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-05-06
modified 2018-03-20
plugin id 108472
published 2018-03-20
reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/108472
title EulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1068)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(108472);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id( "CVE-2016-10708" );

  script_name(english:"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1068)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value: "According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1068
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db513eef");
  script_set_attribute(attribute:"solution", value: "Update the affected openssh package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["openssh-6.6.1p1-28.h15",
        "openssh-askpass-6.6.1p1-28.h15",
        "openssh-clients-6.6.1p1-28.h15",
        "openssh-keycat-6.6.1p1-28.h15",
        "openssh-server-6.6.1p1-28.h15"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port : 0,
    severity : SECURITY_WARNING,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family SuSE Local Security Checks
NASL id SUSE_SU-2018-2685-1.NASL
description This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client
last seen 2020-06-01
modified 2020-06-02
plugin id 117452
published 2018-09-12
reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/117452
title SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:2685-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(117452);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/10 13:51:49");

  script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
  script_bugtraq_id(28444);

  script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value: "This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client's batch mode. bsc#1048367: systemd integration to work around various race conditions. bsc#1053972: Remove duplicate KEX method. bsc#1092582: Add missing piece of systemd integration. Remove the limit on the amount of tasks sshd can run. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1048367"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1092582"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2008-1483/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-10012/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-10708/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2017-15906/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20182685-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7a57860a"
  );
  script_set_attribute(
    attribute:"solution",
    value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1876=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1876=1 SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-1876=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-6.6p1-54.15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-54.15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debuginfo-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debugsource-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-fips-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-debuginfo-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-6.6p1-54.15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-debuginfo-6.6p1-54.15.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debuginfo-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debugsource-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-fips-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-6.6p1-54.15.2")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-debuginfo-6.6p1-54.15.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family SuSE Local Security Checks
NASL id SUSE_SU-2018-1989-1.NASL
description This update for openssh fixes the following issues: Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 111200
published 2018-07-20
reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/111200
title SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2018:1989-1)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:1989-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(111200);
  script_version("1.6");
  script_cvs_date("Date: 2019/09/10 13:51:48");

  script_cve_id("CVE-2016-10708");

  script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2018:1989-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value: "This update for openssh fixes the following issues: Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-10708/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20181989-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?c3f32754"
  );
  script_set_attribute(
    attribute:"solution",
    value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1352=1 SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1352=1 SUSE CaaS Platform ALL : To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. OpenStack Cloud Magnum Orchestration 7:zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1352=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debuginfo-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debugsource-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-fips-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-debuginfo-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.19.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.19.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family SuSE Local Security Checks
NASL id OPENSUSE-2018-765.NASL
description This update for openssh fixes the following issues : Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen 2020-06-05
modified 2018-07-30
plugin id 111417
published 2018-07-30
reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/111417
title openSUSE Security Update : openssh (openSUSE-2018-765)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-765.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(111417);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-10708");

  script_name(english:"openSUSE Security Update : openssh (openSUSE-2018-765)");
  script_summary(english:"Check for the openSUSE-2018-765 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value: "This update for openssh fixes the following issues : Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). This update was imported from the SUSE:SLE-12-SP2:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1076957"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"openssh-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-debuginfo-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-debuginfo-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-debugsource-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-fips-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-7.2p2-21.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-debuginfo-7.2p2-21.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
}
NASL family F5 Networks Local Security Checks
NASL id F5_BIGIP_SOL32485746.NASL
description sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (CVE-2016-10708) Impact This vulnerability allows a remote attacker to disrupt service.
last seen 2020-03-17
modified 2019-12-31
plugin id 132548
published 2019-12-31
reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/132548
title F5 Networks BIG-IP : OpenSSH vulnerability (K32485746)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K32485746.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(132548);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");

  script_cve_id("CVE-2016-10708");

  script_name(english:"F5 Networks BIG-IP : OpenSSH vulnerability (K32485746)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description",
    value: "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (CVE-2016-10708) Impact This vulnerability allows a remote attacker to disrupt service."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K32485746"
  );
  script_set_attribute(
    attribute:"solution",
    value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K32485746."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");

  exit(0);
}

include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K32485746";
vmatrix = make_array();

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["AFM"]["unaffected"] = make_list("14.1.0");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["AM"]["unaffected"] = make_list("14.1.0");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["APM"]["unaffected"] = make_list("14.1.0");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["ASM"]["unaffected"] = make_list("14.1.0");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["AVR"]["unaffected"] = make_list("14.1.0");

# GTM
vmatrix["GTM"] = make_array();
vmatrix["GTM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["GTM"]["unaffected"] = make_list("14.1.0");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["LC"]["unaffected"] = make_list("14.1.0");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["LTM"]["unaffected"] = make_list("14.1.0");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["PEM"]["unaffected"] = make_list("14.1.0");

# WAM
vmatrix["WAM"] = make_array();
vmatrix["WAM"]["affected" ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
vmatrix["WAM"]["unaffected"] = make_list("14.1.0");

if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2018-1069.NASL
description: According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2018-03-20
plugin id: 108473
published: 2018-03-20
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/108473
title: EulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1069)
code:

    #
    # (C) Tenable Network Security, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(108473);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

      script_cve_id(
        "CVE-2016-10708"
      );

      script_name(english:"EulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1069)");
      script_summary(english:"Checks the rpm output for the updated package.");

      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1069
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a5ed3e8");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");

      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");

      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

    flag = 0;

    pkgs = ["openssh-6.6.1p1-28.h15",
            "openssh-askpass-6.6.1p1-28.h15",
            "openssh-clients-6.6.1p1-28.h15",
            "openssh-keycat-6.6.1p1-28.h15",
            "openssh-server-6.6.1p1-28.h15"];

    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-3540-1.NASL
description: This update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 118498
published: 2018-10-30
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118498
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)
code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:3540-1.
    # The text itself is copyright (C) SUSE.
    #

    include("compat.inc");

    if (description)
    {
      script_id(118498);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:49");

      script_cve_id("CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906", "CVE-2018-15473", "CVE-2018-15919");

      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)");
      script_summary(english:"Checks rpm output for the updated packages.");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability. (bsc#1106163) CVE-2017-15906: The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode, which allowed attackers to create zero-length files. (bsc#1065000, bsc#1106726) CVE-2016-10708: sshd allowed remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (bsc#1076957) CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010) CVE-2016-10012: Removed pre-auth compression support from the server to prevent possible cryptographic attacks. (bsc#1016370) Bugs fixed: Fixed failing 'AuthorizedKeysCommand' within a 'Match User' block in sshd_config (bsc#1105180) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105010"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1106163"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1106726"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15473/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15919/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20183540-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bf4c0b95"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-openssh-13848=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-openssh-13848=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-openssh-13848=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);

    flag = 0;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-6.2p2-0.41.5.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-6.2p2-0.41.5.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-gnome-6.2p2-0.41.5.1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-1257.NASL
description: OpenSSH was found to be vulnerable to out of order NEWKEYS messages which could crash the daemon, resulting in a denial of service attack. For Debian 7
last seen: 2020-03-17
modified: 2018-01-29
plugin id: 106407
published: 2018-01-29
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106407
title: Debian DLA-1257-1 : openssh security update
References
- https://www.openssh.com/releasenotes.html
- https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
- http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html
- http://www.securityfocus.com/bid/102780
- https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html
- https://security.netapp.com/advisory/ntap-20180423-0003/
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://usn.ubuntu.com/3809-1/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10284
- https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf
- https://support.f5.com/csp/article/K32485746?utm_source=f5support&utm_medium=RSS