Vulnerabilities > CVE-2016-6515 - Improper Input Validation vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
openbsd
fedoraproject
CWE-20
nessus
exploit available

Summary

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Exploit-Db

descriptionOpenSSH 7.2 - Denial of Service. CVE-2016-6515. Dos exploit for Linux platform
fileexploits/linux/dos/40888.py
idEDB-ID:40888
last seen2016-12-07
modified2016-12-07
platformlinux
port
published2016-12-07
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/40888/
titleOpenSSH 7.2 - Denial of Service
typedos

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2029.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102112
    published2017-08-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102112
    titleRHEL 7 : openssh (RHSA-2017:2029)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2029. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102112);
      script_version("3.11");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");
    
      script_name(english:"RHEL 7 : openssh (RHSA-2017:2029)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    The following packages have been upgraded to a later upstream version:
    openssh (7.4p1). (BZ#1341754)
    
    Security Fix(es) :
    
    * A covert timing channel flaw was found in the way OpenSSH handled
    authentication of non-existent users. A remote unauthenticated
    attacker could possibly use this flaw to determine valid user names by
    measuring the timing of server responses. (CVE-2016-6210)
    
    * It was found that OpenSSH did not limit password lengths for
    password authentication. A remote unauthenticated attacker could use
    this flaw to temporarily trigger high CPU consumption in sshd by
    sending long passwords. (CVE-2016-6515)
    
    * It was found that ssh-agent could load PKCS#11 modules from
    arbitrary paths. An attacker having control of the forwarded
    agent-socket on the server, and the ability to write to the filesystem
    of the client host, could use this flaw to execute arbitrary code with
    the privileges of the user running ssh-agent. (CVE-2016-10009)
    
    * It was found that the host private key material could possibly leak
    to the privilege-separated child processes via re-allocated memory. An
    attacker able to compromise the privilege-separated process could
    therefore obtain the leaked key information. (CVE-2016-10011)
    
    * It was found that the boundary checks in the code implementing
    support for pre-authentication compression could have been optimized
    out by certain compilers. An attacker able to compromise the
    privilege-separated process could possibly use this flaw for further
    attacks against the privileged monitor process. (CVE-2016-10012)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2029"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6210"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-6515"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10009"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-10708"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2029";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"openssh-debuginfo-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
      }
    }
    
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL31510510.NASL
    descriptionThe auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. (CVE-2016-6515)
    last seen2020-06-01
    modified2020-06-02
    plugin id94147
    published2016-10-20
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94147
    titleF5 Networks BIG-IP : OpenSSH vulnerability (K31510510)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from F5 Networks BIG-IP Solution K31510510.
    #
    # The text description of this plugin is (C) F5 Networks.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94147);
      script_version("2.11");
      script_cvs_date("Date: 2019/01/04 10:03:40");
    
      script_cve_id("CVE-2016-6515");
    
      script_name(english:"F5 Networks BIG-IP : OpenSSH vulnerability (K31510510)");
      script_summary(english:"Checks the BIG-IP version.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The auth_password function in auth-passwd.c in sshd in OpenSSH before
    7.3 does not limit password lengths for password authentication, which
    allows remote attackers to cause a denial of service (crypt CPU
    consumption) via a long string. (CVE-2016-6515)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://support.f5.com/csp/article/K31510510"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade to one of the non-vulnerable versions listed in the F5
    Solution K31510510."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_wan_optimization_manager");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"F5 Networks Local Security Checks");
    
      script_dependencies("f5_bigip_detect.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    
    include("f5_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    version = get_kb_item("Host/BIG-IP/version");
    if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
    if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
    if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");
    
    sol = "K31510510";
    vmatrix = make_array();
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # AFM
    vmatrix["AFM"] = make_array();
    vmatrix["AFM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5");
    vmatrix["AFM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # AM
    vmatrix["AM"] = make_array();
    vmatrix["AM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5");
    vmatrix["AM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # APM
    vmatrix["APM"] = make_array();
    vmatrix["APM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1","10.2.1-10.2.4");
    vmatrix["APM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # ASM
    vmatrix["ASM"] = make_array();
    vmatrix["ASM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1","10.2.1-10.2.4");
    vmatrix["ASM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # AVR
    vmatrix["AVR"] = make_array();
    vmatrix["AVR"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1");
    vmatrix["AVR"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # GTM
    vmatrix["GTM"] = make_array();
    vmatrix["GTM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1","10.2.1-10.2.4");
    vmatrix["GTM"]["unaffected"] = make_list("11.6.1HF2","11.5.6");
    
    # LC
    vmatrix["LC"] = make_array();
    vmatrix["LC"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1","10.2.1-10.2.4");
    vmatrix["LC"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # LTM
    vmatrix["LTM"] = make_array();
    vmatrix["LTM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5","11.2.1","10.2.1-10.2.4");
    vmatrix["LTM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    # PEM
    vmatrix["PEM"] = make_array();
    vmatrix["PEM"]["affected"  ] = make_list("11.6.0-11.6.1","11.4.0-11.5.5");
    vmatrix["PEM"]["unaffected"] = make_list("13.0.0","12.0.0-12.1.2","11.6.1HF2","11.5.6");
    
    
    if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
    {
      if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = bigip_get_tested_modules();
      audit_extra = "For BIG-IP module(s) " + tested + ",";
      if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
      else audit(AUDIT_HOST_NOT, "running any of the affected modules");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_SA-17-06_OPENSSH.NASL
    descriptionThe version of the FreeBSD kernel running on the remote host is prior to 10.3-RELEASE-p21, 11.0 prior to 11.0-RELEASE-p12, or 11.1 prior to 11.1-RELEASE-p1. It, therefore, affected by a flaw in built-in password authentication in OpenSSH. An unauthenticated, remote attacker can exploit this issue by sending very long passwords when PasswordAuthentication is enabled by the system administrator, resulting in a denial of service condition. Note that this issue only affects hosts with PasswordAuthentication enabled in /etc/ssh/sshd_config (the default FreeBSD configuration). You may workaround this issue by disabling PasswordAuthentication and restarting sshd.
    last seen2020-06-01
    modified2020-06-02
    plugin id102917
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102917
    titleFreeBSD < 10.3-RELEASE-p21 / 11.0 < 11.0-RELEASE-p12 / 11.1 < 11.1-RELEASE-p1 OpenSSH Password Length DoS (FreeBSD-SA-17:06.openssh)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102917);
      script_version("1.3");
      script_cvs_date("Date: 2019/04/10 16:10:17");
    
      script_cve_id("CVE-2016-6515");
      script_bugtraq_id(92212);
    
      script_name(english:"FreeBSD < 10.3-RELEASE-p21 / 11.0 < 11.0-RELEASE-p12 / 11.1 < 11.1-RELEASE-p1 OpenSSH Password Length DoS (FreeBSD-SA-17:06.openssh)");
      script_summary(english:"Checks for the version of the FreeBSD kernel.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote FreeBSD host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "The version of the FreeBSD kernel running on the remote host is prior
    to 10.3-RELEASE-p21, 11.0 prior to 11.0-RELEASE-p12, or 11.1 prior to
    11.1-RELEASE-p1. It, therefore, affected by a flaw in built-in
    password authentication in OpenSSH. An unauthenticated, remote
    attacker can exploit this issue by sending very long passwords when
    PasswordAuthentication is enabled by the system administrator,
    resulting in a denial of service condition.
    
    Note that this issue only affects hosts with PasswordAuthentication
    enabled in /etc/ssh/sshd_config (the default FreeBSD configuration).
    
    You may workaround this issue by disabling PasswordAuthentication and
    restarting sshd.");
      # https://www.freebsd.org/security/advisories/FreeBSD-SA-17:06.openssh.asc
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?beaa28e9");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to FreeBSD version 10.3-RELEASE-p21 / 11.0-RELEASE-p12 /
    11.1-RELEASE-p1 or later. Alternatively, apply the workaround
    referenced in the advisory to disable PasswordAuthentication.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"FreeBSD Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("freebsd_package.inc");
    include("misc_func.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/FreeBSD/release");
    if (!release) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Patches are available and ipfilter must be enabled with
    # "keep state" or "keep frags" rule options enabled
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fix = NULL;
    
    if (release =~ "^FreeBSD-([0-9]|10\.[0-3])($|[^0-9])")
      fix = "FreeBSD-10.3_21";
    else if (release =~ "^FreeBSD-11\.0($|[^0-9])")
      fix = "FreeBSD-11.0_12";
    else if (release =~ "^FreeBSD-11\.1($|[^0-9])")
      fix = "FreeBSD-11.1_1";
    
    if (isnull(fix) || pkg_cmp(pkg:release, reference:fix) >= 0)
      audit(AUDIT_HOST_NOT, "affected");
    
    report =
      '\n  Installed version : ' + release +
      '\n  Fixed version     : ' + fix +
      '\n';
    security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3061-1.NASL
    descriptionEddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could perform a timing attack and enumerate valid users. (CVE-2016-6210) Tomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did not limit password lengths. A remote attacker could use this issue to cause OpenSSH to consume resources, leading to a denial of service. (CVE-2016-6515). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id92985
    published2016-08-16
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92985
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : openssh vulnerabilities (USN-3061-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3061-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92985);
      script_version("2.7");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"USN", value:"3061-1");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : openssh vulnerabilities (USN-3061-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Eddie Harari discovered that OpenSSH incorrectly handled password
    hashing when authenticating non-existing users. A remote attacker
    could perform a timing attack and enumerate valid users.
    (CVE-2016-6210)
    
    Tomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH
    did not limit password lengths. A remote attacker could use this issue
    to cause OpenSSH to consume resources, leading to a denial of service.
    (CVE-2016-6515).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3061-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh-server package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"openssh-server", pkgver:"1:5.9p1-5ubuntu1.10")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"openssh-server", pkgver:"1:6.6p1-2ubuntu2.8")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"openssh-server", pkgver:"1:7.2p2-4ubuntu2.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-server");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2029.NASL
    descriptionFrom Red Hat Security Advisory 2017:2029 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102296
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102296
    titleOracle Linux 7 : openssh (ELSA-2017-2029)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2029 and 
    # Oracle Linux Security Advisory ELSA-2017-2029 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102296);
      script_version("3.4");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515");
      script_xref(name:"RHSA", value:"2017:2029");
    
      script_name(english:"Oracle Linux 7 : openssh (ELSA-2017-2029)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:2029 :
    
    An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    The following packages have been upgraded to a later upstream version:
    openssh (7.4p1). (BZ#1341754)
    
    Security Fix(es) :
    
    * A covert timing channel flaw was found in the way OpenSSH handled
    authentication of non-existent users. A remote unauthenticated
    attacker could possibly use this flaw to determine valid user names by
    measuring the timing of server responses. (CVE-2016-6210)
    
    * It was found that OpenSSH did not limit password lengths for
    password authentication. A remote unauthenticated attacker could use
    this flaw to temporarily trigger high CPU consumption in sshd by
    sending long passwords. (CVE-2016-6515)
    
    * It was found that ssh-agent could load PKCS#11 modules from
    arbitrary paths. An attacker having control of the forwarded
    agent-socket on the server, and the ability to write to the filesystem
    of the client host, could use this flaw to execute arbitrary code with
    the privileges of the user running ssh-agent. (CVE-2016-10009)
    
    * It was found that the host private key material could possibly leak
    to the privilege-separated child processes via re-allocated memory. An
    attacker able to compromise the privilege-separated process could
    therefore obtain the leaked key information. (CVE-2016-10011)
    
    * It was found that the boundary checks in the code implementing
    support for pre-authentication compression could have been optimized
    out by certain compilers. An attacker able to compromise the
    privilege-separated process could possibly use this flaw for further
    attacks against the privileged monitor process. (CVE-2016-10012)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.4 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-August/007091.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-11.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-1.11.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-4A3DEBC3A6.NASL
    descriptionSecurity fix for CVE-2016-6515 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-08-11
    plugin id92849
    published2016-08-11
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92849
    titleFedora 24 : openssh (2016-4a3debc3a6)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2029.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754) Security Fix(es) : * A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) * It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) * It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) * It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id102751
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102751
    titleCentOS 7 : openssh (CESA-2017:2029)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-898.NASL
    descriptionA covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
    last seen2020-06-01
    modified2020-06-02
    plugin id103650
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103650
    titleAmazon Linux AMI : openssh (ALAS-2017-898)
  • NASL familyMisc.
    NASL idOPENSSH_73.NASL
    descriptionAccording to its banner, the version of OpenSSH running on the remote host is prior to 7.3. It is, therefore, affected by multiple vulnerabilities : - A local privilege escalation when the UseLogin feature is enabled and PAM is configured to read .pam_environment files from home directories. (CVE-2015-8325) - A flaw exists that is due to the program returning shorter response times for authentication requests with overly long passwords for invalid users than for valid users. This may allow a remote attacker to conduct a timing attack and enumerate valid usernames. (CVE-2016-6210) - A denial of service vulnerability exists in the auth_password() function in auth-passwd.c due to a failure to limit password lengths for password authentication. An unauthenticated, remote attacker can exploit this, via a long string, to consume excessive CPU resources, resulting in a denial of service condition. (CVE-2016-6515) - An unspecified flaw exists in the CBC padding oracle countermeasures that allows an unauthenticated, remote attacker to conduct a timing attack. - A flaw exists due to improper operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms when verifying the MAC before decrypting any ciphertext. An unauthenticated, remote attacker can exploit this, via a timing attack, to disclose sensitive information. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-04-30
    modified2016-08-29
    plugin id93194
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93194
    titleOpenSSH < 7.3 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6ED5C5E3A84011E7B5AFA4BADB2F4699.NASL
    descriptionThere is no limit on the password length. Impact : A remote attacker may be able to cause an affected SSH server to use excessive amount of CPU by sending very long passwords, when PasswordAuthentication is enabled by the system administrator.
    last seen2020-06-01
    modified2020-06-02
    plugin id103657
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103657
    titleFreeBSD : FreeBSD -- OpenSSH Denial of Service vulnerability (6ed5c5e3-a840-11e7-b5af-a4badb2f4699)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2280-1.NASL
    descriptionThis update for openssh fixes the following issues : - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) [-prevent_timing_user_enumeration] - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used (bsc#948902) - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) Bug fixes : - avoid complaining about unset DISPLAY variable (bsc#981654) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93455
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93455
    titleSUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:2280-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-594.NASL
    descriptionOpenSSH secure shell client and server had a denial of service vulnerability reported. CVE-2016-6515 The password authentication function in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. For Debian 7
    last seen2020-03-17
    modified2016-08-15
    plugin id92953
    published2016-08-15
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92953
    titleDebian DLA-594-1 : openssh security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2281-1.NASL
    descriptionThis update for openssh fixes the following issues : - CVE-2016-6210: Prevent user enumeration through the timing of password processing (bsc#989363) [-prevent_timing_user_enumeration] - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used (bsc#948902) - CVE-2016-6515: Limiting the accepted password length to prevent possible DoS (bsc#992533) Bug fixes : - avoid complaining about unset DISPLAY variable (bsc#981654) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93456
    published2016-09-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93456
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2016:2281-1)
  • NASL familyAIX Local Security Checks
    NASL idAIX_OPENSSH_ADVISORY9.NASL
    descriptionThe remote AIX host has a version of OpenSSH installed that is affected by the following vulnerabilities : - An elevation of privilege vulnerability exists in the do_setup_env() function within file session.c when handling user-supplied environmental variables. A local attacker can exploit this to gain elevated privileges by triggering a crafted environment for the /bin/login program. This vulnerability requires that the UseLogin feature is enabled and that PAM is configured to read .pam_environment files in user home directories. (CVE-2015-8325) - A flaw exists when handling authentication requests that involve overly long passwords due to returning shorter response times for requests for invalid users than for valid users. An unauthenticated, remote attacker can exploit this to enumerate valid usernames by conducting a timing attack. (CVE-2016-6210) - A denial of service vulnerability exists in the auth_password() function within auth-passwd.c due to a a failure to limit password lengths. An unauthenticated, remote attacker can exploit this, via overly long passwords, to cause the excessive consumption of CPU resources. (CVE-2016-6515)
    last seen2020-06-01
    modified2020-06-02
    plugin id95477
    published2016-12-02
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/95477
    titleAIX OpenSSH Advisory : openssh_advisory9.asc
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1096.NASL
    descriptionThis update for openssh fixes the following issues : - Prevent user enumeration through the timing of password processing (bsc#989363, CVE-2016-6210) - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used (bsc#948902) - limit accepted password length (prevents possible DoS) (bsc#992533, CVE-2016-6515) Bug fixes : - avoid complaining about unset DISPLAY variable (bsc#981654) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2016-09-20
    plugin id93598
    published2016-09-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93598
    titleopenSUSE Security Update : openssh (openSUSE-2016-1096)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170801_OPENSSH_ON_SL7_X.NASL
    descriptionThe following packages have been upgraded to a later upstream version: openssh (7.4p1). Security Fix(es) : - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210) - It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515) - It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009) - It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011) - It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)
    last seen2020-03-18
    modified2017-08-22
    plugin id102650
    published2017-08-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102650
    titleScientific Linux Security Update : openssh on SL7.x x86_64 (20170801)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2388-1.NASL
    descriptionThis update for OpenSSH fixes the following issues : - Prevent user enumeration through the timing of password processing. (bsc#989363, CVE-2016-6210) - Allow lowering the DH groups parameter limit in server as well as when GSSAPI key exchange is used. (bsc#948902) - Sanitize input for xauth(1). (bsc#970632, CVE-2016-3115) - Prevent X11 SECURITY circumvention when forwarding X11 connections. (bsc#962313, CVE-2016-1908) - Disable DH parameters under 2048 bits by default and allow lowering the limit back to the RFC 4419 specified minimum through an option. (bsc#932483, bsc#948902) - Ignore PAM environment when using login. (bsc#975865, CVE-2015-8325) - Limit the accepted password length (prevents a possible denial of service). (bsc#992533, CVE-2016-6515) - Relax version requires for the openssh-askpass sub-package. (bsc#962794) - Avoid complaining about unset DISPLAY variable. (bsc#981654) - Initialize message id to prevent connection breakups in some cases. (bsc#959096) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93735
    published2016-09-27
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93735
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2016:2388-1)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10940.NASL
    descriptionThe version of Junos OS installed on the remote host is prior to 12.3X48-D55, 12.3R12-S13, 15.1X49-D100, 15.1F6-S12, 16.1R3-S4, 16.2R1-S4, 17.1R1-S2, or 17.2R1. It is, therefore, affected by a vulnerability as referenced in the JSA10940 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id130514
    published2019-11-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130514
    titleJuniper JSA10940

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/140070/openssh72-dos.txt
idPACKETSTORM:140070
last seen2016-12-08
published2016-12-08
reporterKashinath T
sourcehttps://packetstormsecurity.com/files/140070/OpenSSH-7.2-Denial-Of-Service.html
titleOpenSSH 7.2 Denial Of Service

Redhat

advisories
bugzilla
id1450361
titlepam_ssh_agent_auth i686 and x86_64 can't be installed side by side
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentpam_ssh_agent_auth is earlier than 0:0.10.3-1.11.el7
          ovaloval:com.redhat.rhsa:tst:20172029001
        • commentpam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884012
      • AND
        • commentopenssh-server-sysvinit is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029003
        • commentopenssh-server-sysvinit is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20150425002
      • AND
        • commentopenssh-ldap is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029005
        • commentopenssh-ldap is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884010
      • AND
        • commentopenssh-cavs is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029007
        • commentopenssh-cavs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172029008
      • AND
        • commentopenssh-askpass is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029009
        • commentopenssh-askpass is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884008
      • AND
        • commentopenssh-keycat is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029011
        • commentopenssh-keycat is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20150425016
      • AND
        • commentopenssh-clients is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029013
        • commentopenssh-clients is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884002
      • AND
        • commentopenssh-server is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029015
        • commentopenssh-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884006
      • AND
        • commentopenssh is earlier than 0:7.4p1-11.el7
          ovaloval:com.redhat.rhsa:tst:20172029017
        • commentopenssh is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884004
rhsa
idRHSA-2017:2029
released2017-08-01
severityModerate
titleRHSA-2017:2029: openssh security, bug fix, and enhancement update (Moderate)
rpms
  • openssh-0:7.4p1-11.el7
  • openssh-askpass-0:7.4p1-11.el7
  • openssh-cavs-0:7.4p1-11.el7
  • openssh-clients-0:7.4p1-11.el7
  • openssh-debuginfo-0:7.4p1-11.el7
  • openssh-keycat-0:7.4p1-11.el7
  • openssh-ldap-0:7.4p1-11.el7
  • openssh-server-0:7.4p1-11.el7
  • openssh-server-sysvinit-0:7.4p1-11.el7
  • pam_ssh_agent_auth-0:0.10.3-1.11.el7

References