Vulnerabilities > CVE-2016-10708 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
openbsd
debian
canonical
netapp
CWE-476
nessus

Summary

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

Vulnerable Configurations

Part Description Count
Application
Openbsd
229
Application
Netapp
9
OS
Debian
2
OS
Canonical
3
OS
Netapp
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2029.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102112
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102112
    titleRHEL 7 : openssh (RHSA-2017:2029)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2029. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102112);
      script_version("3.11");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");
    
      script_name(english:"RHEL 7 : openssh (RHSA-2017:2029)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    The following packages have been upgraded to a later upstream version:
    openssh (7.4p1). (BZ#1341754)
    
    Security Fix(es) :
    
    * A covert timing channel flaw was found in the way OpenSSH handled
    authentication of non-existent users. A remote unauthenticated
    attacker could possibly use this flaw to determine valid user names by
    measuring the timing of server responses. (CVE-2016-6210)
    
    * It was found that OpenSSH did not limit password lengths for
    password authentication. A remote unauthenticated attacker could use
    this flaw to temporarily trigger high CPU consumption in sshd by
    sending long passwords. (CVE-2016-6515)
    
    * It was found that ssh-agent could load PKCS#11 modules from
    arbitrary paths. An attacker having control of the forwarded
    agent-socket on the server, and the ability to write to the filesystem
    of the client host, could use this flaw to execute arbitrary code with
    the privileges of the user running ssh-agent. (CVE-2016-10009)
    
    * It was found that the host private key material could possibly leak
    to the privilege-separated child processes via re-allocated memory. An
    attacker able to compromise the privilege-separated process could
    therefore obtain the leaked key information. (CVE-2016-10011)
    
    * It was found that the boundary checks in the code implementing
    support for pre-authentication compression could have been optimized
    out by certain compilers. An attacker able to compromise the
    privilege-separated process could possibly use this flaw for further
    attacks against the privileged monitor process. (CVE-2016-10012)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2029"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6210"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6515"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10009"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10708"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2029";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2029.NASL
    descriptionFrom Red Hat Security Advisory 2017:2029 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102296
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102296
    titleOracle Linux 7 : openssh (ELSA-2017-2029)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2029 and 
    # Oracle Linux Security Advisory ELSA-2017-2029 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102296);
      script_version("3.4");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");
    
      script_name(english:"Oracle Linux 7 : openssh (ELSA-2017-2029)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:2029 :
    
    An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    The following packages have been upgraded to a later upstream version:
    openssh (7.4p1). (BZ#1341754)
    
    Security Fix(es) :
    
    * A covert timing channel flaw was found in the way OpenSSH handled
    authentication of non-existent users. A remote unauthenticated
    attacker could possibly use this flaw to determine valid user names by
    measuring the timing of server responses. (CVE-2016-6210)
    
    * It was found that OpenSSH did not limit password lengths for
    password authentication. A remote unauthenticated attacker could use
    this flaw to temporarily trigger high CPU consumption in sshd by
    sending long passwords. (CVE-2016-6515)
    
    * It was found that ssh-agent could load PKCS#11 modules from
    arbitrary paths. An attacker having control of the forwarded
    agent-socket on the server, and the ability to write to the filesystem
    of the client host, could use this flaw to execute arbitrary code with
    the privileges of the user running ssh-agent. (CVE-2016-10009)
    
    * It was found that the host private key material could possibly leak
    to the privilege-separated child processes via re-allocated memory. An
    attacker able to compromise the privilege-separated process could
    therefore obtain the leaked key information. (CVE-2016-10011)
    
    * It was found that the boundary checks in the code implementing
    support for pre-authentication compression could have been optimized
    out by certain compilers. An attacker able to compromise the
    privilege-separated process could possibly use this flaw for further
    attacks against the privileged monitor process. (CVE-2016-10012)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007091.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2275-1.NASL
    descriptionThis update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYSmessage (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111639
    published2018-08-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111639
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2275-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111639);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
      script_bugtraq_id(28444);
    
      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issues
    fixed :
    
      - CVE-2016-10012: Fix pre-auth compression checks that
        could be optimized away (bsc#1016370).
    
      - CVE-2016-10708: Fix remote denial of service (NULL
        pointer dereference and daemon crash) via an
        out-of-sequence NEWKEYSmessage (bsc#1076957).
    
      - CVE-2017-15906: Fix r/o sftp-server zero byte file
        creation (bsc#1065000).
    
      - CVE-2008-1483: Fix accidental re-introduction of
        CVE-2008-1483 (bsc#1069509). Bug fixes :
    
      - bsc#1017099: Match conditions with uppercase hostnames
        fail (bsc#1017099)
    
      - bsc#1053972: supportedKeyExchanges
        diffie-hellman-group1-sha1 is duplicated (bsc#1053972)
    
      - bsc#1023275: Messages suppressed after upgrade from SLES
        11 SP3 to SP4 (bsc#1023275)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2008-1483/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182275-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?26523b41"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-openssh-13719=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-openssh-13719=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-36.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3809-1.NASL
    descriptionRobert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10708) It was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2018-15473). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118795
    published2018-11-07
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118795
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : openssh vulnerabilities (USN-3809-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3809-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118795);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2016-10708", "CVE-2018-15473");
      script_xref(name:"USN", value:"3809-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : openssh vulnerabilities (USN-3809-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Robert Swiecki discovered that OpenSSH incorrectly handled certain
    messages. An attacker could possibly use this issue to cause a denial
    of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04
    LTS. (CVE-2016-10708)
    
    It was discovered that OpenSSH incorrectly handled certain requests.
    An attacker could possibly use this issue to access sensitive
    information. (CVE-2018-15473).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3809-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh-server package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"openssh-server", pkgver:"1:6.6p1-2ubuntu2.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"openssh-server", pkgver:"1:7.2p2-4ubuntu2.6")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openssh-server", pkgver:"1:7.6p1-4ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-server");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2530-1.NASL
    descriptionThis update for openssh fixes the following issues: Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id112148
    published2018-08-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112148
    titleSUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2530-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(112148);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2016-10708");
    
      script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issue
    fixed :
    
      - CVE-2016-10708: Prevent DoS due to crashes caused by
        out-of-sequence NEWKEYS message (bsc#1076957).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182530-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6889ae1f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 7:zypper in -t patch
    SUSE-OpenStack-Cloud-7-2018-1766=1
    
    SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch
    SUSE-SLE-SAP-12-SP2-2018-1766=1
    
    SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-1766=1
    
    SUSE Enterprise Storage 4:zypper in -t patch
    SUSE-Storage-4-2018-1766=1
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1766=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debuginfo-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-debugsource-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-fips-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"openssh-helpers-debuginfo-7.2p2-74.25.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2029.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102751
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102751
    titleCentOS 7 : openssh (CESA-2017:2029)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2029 and 
    # CentOS Errata and Security Advisory 2017:2029 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102751);
      script_version("3.6");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");
    
      script_name(english:"CentOS 7 : openssh (CESA-2017:2029)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    The following packages have been upgraded to a later upstream version:
    openssh (7.4p1). (BZ#1341754)
    
    Security Fix(es) :
    
    * A covert timing channel flaw was found in the way OpenSSH handled
    authentication of non-existent users. A remote unauthenticated
    attacker could possibly use this flaw to determine valid user names by
    measuring the timing of server responses. (CVE-2016-6210)
    
    * It was found that OpenSSH did not limit password lengths for
    password authentication. A remote unauthenticated attacker could use
    this flaw to temporarily trigger high CPU consumption in sshd by
    sending long passwords. (CVE-2016-6515)
    
    * It was found that ssh-agent could load PKCS#11 modules from
    arbitrary paths. An attacker having control of the forwarded
    agent-socket on the server, and the ability to write to the filesystem
    of the client host, could use this flaw to execute arbitrary code with
    the privileges of the user running ssh-agent. (CVE-2016-10009)
    
    * It was found that the host private key material could possibly leak
    to the privilege-separated child processes via re-allocated memory. An
    attacker able to compromise the privilege-separated process could
    therefore obtain the leaked key information. (CVE-2016-10011)
    
    * It was found that the boundary checks in the code implementing
    support for pre-authentication compression could have been optimized
    out by certain compilers. An attacker able to compromise the
    privilege-separated process could possibly use this flaw for further
    attacks against the privileged monitor process. (CVE-2016-10012)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5ff4711b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6515");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/25");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1254.NASL
    descriptionAccording to the version of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117563
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117563
    titleEulerOS Virtualization 2.5.0 : openssh (EulerOS-SA-2018-1254)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117563);
      script_version("1.5");
      script_cvs_date("Date: 2019/06/28 11:31:59");
    
      script_cve_id(
        "CVE-2016-10708"
      );
    
      script_name(english:"EulerOS Virtualization 2.5.0 : openssh (EulerOS-SA-2018-1254)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerability :
    
      - sshd in OpenSSH before 7.4 allows remote attackers to
        cause a denial of service (NULL pointer dereference and
        daemon crash) via an out-of-sequence NEWKEYS message,
        as demonstrated by Honggfuzz, related to kex.c and
        packet.c.(CVE-2016-10708)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1254
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45fca2ed");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.5.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "2.5.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.5.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-6.6.1p1-25.4.h6",
            "openssh-clients-6.6.1p1-25.4.h6",
            "openssh-keycat-6.6.1p1-25.4.h6",
            "openssh-server-6.6.1p1-25.4.h6"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2530-2.NASL
    descriptionThis update for openssh fixes the following issues : Security issue fixed : CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118285
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118285
    titleSUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2530-2.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118285);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2016-10708");
    
      script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2530-2)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues :
    
    Security issue fixed :
    
    CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence
    NEWKEYS message (bsc#1076957).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182530-2/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?560ab79c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-BCL-2018-1766=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-fips-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.25.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.25.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1068.NASL
    descriptionAccording to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-03-20
    plugin id108472
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108472
    titleEulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1068)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108472);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2016-10708"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1068)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - sshd in OpenSSH before 7.4 allows remote attackers to
        cause a denial of service (NULL pointer dereference and
        daemon crash) via an out-of-sequence NEWKEYS message,
        as demonstrated by Honggfuzz, related to kex.c and
        packet.c.(CVE-2016-10708)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1068
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db513eef");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-6.6.1p1-28.h15",
            "openssh-askpass-6.6.1p1-28.h15",
            "openssh-clients-6.6.1p1-28.h15",
            "openssh-keycat-6.6.1p1-28.h15",
            "openssh-server-6.6.1p1-28.h15"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2685-1.NASL
    descriptionThis update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client
    last seen2020-06-01
    modified2020-06-02
    plugin id117452
    published2018-09-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117452
    titleSUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2685-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117452);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:49");
    
      script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
      script_bugtraq_id(28444);
    
      script_name(english:"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh provides the following fixes :
    
    Security issues fixed :
    
    CVE-2017-15906: Stricter checking of operations in read-only mode in
    sftp server (bsc#1065000).
    
    CVE-2016-10012: Remove pre-auth compression support from the server to
    prevent possible cryptographic attacks (bsc#1016370).
    
    CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove
    reintroduced CVE-2008-1483 (bsc#1069509).
    
    CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence
    NEWKEYS message (bsc#1076957).
    
    Bug fixes: bsc#1017099: Enable case-insensitive hostname matching.
    
    bsc#1023275: Add a new switch for printing diagnostic messages in sftp
    client's batch mode.
    
    bsc#1048367: systemd integration to work around various race
    conditions.
    
    bsc#1053972: Remove duplicate KEX method.
    
    bsc#1092582: Add missing piece of systemd integration.
    
    Remove the limit on the amount of tasks sshd can run.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048367"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092582"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2008-1483/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182685-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7a57860a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-1876=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-1876=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2018-1876=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-6.6p1-54.15.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-54.15.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debuginfo-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debugsource-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-fips-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-debuginfo-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-6.6p1-54.15.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-debuginfo-6.6p1-54.15.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debuginfo-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debugsource-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-fips-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-6.6p1-54.15.2")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-debuginfo-6.6p1-54.15.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1989-1.NASL
    descriptionThis update for openssh fixes the following issues: Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111200
    published2018-07-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111200
    titleSUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2018:1989-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1989-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111200);
      script_version("1.6");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2016-10708");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2018:1989-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issue
    fixed :
    
      - CVE-2016-10708: Prevent DoS due to crashes caused by
        out-of-sequence NEWKEYS message (bsc#1076957).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181989-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c3f32754"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-1352=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-1352=1
    
    SUSE CaaS Platform ALL :
    
    To install this update, use the SUSE CaaS Platform Velum dashboard. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way.
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-1352=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debuginfo-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-debugsource-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-fips-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"openssh-helpers-debuginfo-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debuginfo-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-debugsource-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-7.2p2-74.19.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"openssh-helpers-debuginfo-7.2p2-74.19.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-765.NASL
    descriptionThis update for openssh fixes the following issues : Security issue fixed : - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-07-30
    plugin id111417
    published2018-07-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111417
    titleopenSUSE Security Update : openssh (openSUSE-2018-765)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-765.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111417);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10708");
    
      script_name(english:"openSUSE Security Update : openssh (openSUSE-2018-765)");
      script_summary(english:"Check for the openSUSE-2018-765 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues :
    
    Security issue fixed :
    
      - CVE-2016-10708: Prevent DoS due to crashes caused by
        out-of-sequence NEWKEYS message (bsc#1076957).
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-askpass-gnome-debuginfo-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-cavs-debuginfo-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-debuginfo-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-debugsource-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-fips-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-7.2p2-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"openssh-helpers-debuginfo-7.2p2-21.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
    }
    
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL32485746.NASL
    descriptionsshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (CVE-2016-10708) Impact This vulnerability allows a remote attacker to disrupt service.
    last seen2020-03-17
    modified2019-12-31
    plugin id132548
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132548
    titleF5 Networks BIG-IP : OpenSSH vulnerability (K32485746)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from F5 Networks BIG-IP Solution K32485746.
    #
    # The text description of this plugin is (C) F5 Networks.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132548);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09");
    
      script_cve_id("CVE-2016-10708");
    
      script_name(english:"F5 Networks BIG-IP : OpenSSH vulnerability (K32485746)");
      script_summary(english:"Checks the BIG-IP version.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial
    of service (NULL pointer dereference and daemon crash) via an
    out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related
    to kex.c and packet.c. (CVE-2016-10708)
    
    Impact
    
    This vulnerability allows a remote attacker to disrupt service."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K32485746"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade to one of the non-vulnerable versions listed in the F5
    Solution K32485746."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"F5 Networks Local Security Checks");
    
      script_dependencies("f5_bigip_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version");
    
      exit(0);
    }
    
    
    include("f5_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    version = get_kb_item("Host/BIG-IP/version");
    if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
    if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
    if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
    
    sol = "K32485746";
    vmatrix = make_array();
    
    # AFM
    vmatrix["AFM"] = make_array();
    vmatrix["AFM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["AFM"]["unaffected"] = make_list("14.1.0");
    
    # AM
    vmatrix["AM"] = make_array();
    vmatrix["AM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["AM"]["unaffected"] = make_list("14.1.0");
    
    # APM
    vmatrix["APM"] = make_array();
    vmatrix["APM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["APM"]["unaffected"] = make_list("14.1.0");
    
    # ASM
    vmatrix["ASM"] = make_array();
    vmatrix["ASM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["ASM"]["unaffected"] = make_list("14.1.0");
    
    # AVR
    vmatrix["AVR"] = make_array();
    vmatrix["AVR"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["AVR"]["unaffected"] = make_list("14.1.0");
    
    # GTM
    vmatrix["GTM"] = make_array();
    vmatrix["GTM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["GTM"]["unaffected"] = make_list("14.1.0");
    
    # LC
    vmatrix["LC"] = make_array();
    vmatrix["LC"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["LC"]["unaffected"] = make_list("14.1.0");
    
    # LTM
    vmatrix["LTM"] = make_array();
    vmatrix["LTM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["LTM"]["unaffected"] = make_list("14.1.0");
    
    # PEM
    vmatrix["PEM"] = make_array();
    vmatrix["PEM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["PEM"]["unaffected"] = make_list("14.1.0");
    
    # WAM
    vmatrix["WAM"] = make_array();
    vmatrix["WAM"]["affected"  ] = make_list("14.0.0-14.0.1","13.1.0-13.1.3","12.1.0-12.1.5","11.2.1-11.6.5");
    vmatrix["WAM"]["unaffected"] = make_list("14.1.0");
    
    
    if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
    {
      if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = bigip_get_tested_modules();
      audit_extra = "For BIG-IP module(s) " + tested + ",";
      if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
      else audit(AUDIT_HOST_NOT, "running any of the affected modules");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1069.NASL
    descriptionAccording to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-03-20
    plugin id108473
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108473
    titleEulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1069)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108473);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2016-10708"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1069)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - sshd in OpenSSH before 7.4 allows remote attackers to
        cause a denial of service (NULL pointer dereference and
        daemon crash) via an out-of-sequence NEWKEYS message,
        as demonstrated by Honggfuzz, related to kex.c and
        packet.c.(CVE-2016-10708)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1069
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a5ed3e8");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-6.6.1p1-28.h15",
            "openssh-askpass-6.6.1p1-28.h15",
            "openssh-clients-6.6.1p1-28.h15",
            "openssh-keycat-6.6.1p1-28.h15",
            "openssh-server-6.6.1p1-28.h15"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3540-1.NASL
    descriptionThis update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or
    last seen2020-06-01
    modified2020-06-02
    plugin id118498
    published2018-10-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118498
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:3540-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118498);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:49");
    
      script_cve_id("CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906", "CVE-2018-15473", "CVE-2018-15919");
    
      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues :
    
    Security issues fixed :
    
    CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in
    OpenSSH could be used by remote attackers to detect existence of users
    on a target system when GSS2 is in use. OpenSSH developers do not want
    to treat such a username enumeration (or 'oracle') as a vulnerability.
    (bsc#1106163)
    
    CVE-2017-15906: The process_open function in sftp-server.c in OpenSSH
    did not properly prevent write operations in readonly mode, which
    allowed attackers to create zero-length files. (bsc#1065000,
    bsc#1106726)
    
    CVE-2016-10708: sshd allowed remote attackers to cause a denial of
    service (NULL pointer dereference and daemon crash) via an
    out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related
    to kex.c and packet.c. (bsc#1076957)
    
    CVE-2018-15473: OpenSSH was prone to a user existance oracle
    vulnerability due to not delaying bailout for an invalid
    authenticating user until after the packet containing the request has
    been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and
    auth2-pubkey.c. (bsc#1105010)
    
    CVE-2016-10012: Removed pre-auth compression support from the server
    to prevent possible cryptographic attacks. (bsc#1016370)
    
    Bugs fixed: Fixed failing 'AuthorizedKeysCommand' within a 'Match
    User' block in sshd_config (bsc#1105180)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105010"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105180"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1106163"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1106726"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15473/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15919/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20183540-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bf4c0b95"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
    slessp3-openssh-13848=1
    
    SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
    sleposp3-openssh-13848=1
    
    SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
    dbgsp3-openssh-13848=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-6.2p2-0.41.5.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-6.2p2-0.41.5.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-gnome-6.2p2-0.41.5.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1257.NASL
    descriptionOpenSSH was found to be vulnerable to out of order NEWKEYS messages which could crash the daemon, resulting in a denial of service attack. For Debian 7
    last seen2020-03-17
    modified2018-01-29
    plugin id106407
    published2018-01-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106407
    titleDebian DLA-1257-1 : openssh security update

Redhat

rpms
  • openssh-0:7.4p1-11.el7
  • openssh-askpass-0:7.4p1-11.el7
  • openssh-cavs-0:7.4p1-11.el7
  • openssh-clients-0:7.4p1-11.el7
  • openssh-debuginfo-0:7.4p1-11.el7
  • openssh-keycat-0:7.4p1-11.el7
  • openssh-ldap-0:7.4p1-11.el7
  • openssh-server-0:7.4p1-11.el7
  • openssh-server-sysvinit-0:7.4p1-11.el7
  • pam_ssh_agent_auth-0:0.10.3-1.11.el7