CVE-2016-8858 - Resource Management Errors vulnerability in OpenBSD OpenSSH

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | HIGH |

Summary
The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 6 |
Common Weakness Enumeration (CWE)
Nessus
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-184.NASL
description: This update for openssh fixes several issues. These security issues were fixed :
  - CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480).
  - CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might have allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370).
  - CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366).
  - CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have been created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected.
  - CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might have allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369).
last seen: 2020-06-05
modified: 2017-02-01
plugin id: 96919
published: 2017-02-01
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96919
title: openSUSE Security Update : openssh (openSUSE-2017-184)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-184.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(96919);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-8858");

  script_name(english:"openSUSE Security Update : openssh (openSUSE-2017-184)");
  script_summary(english:"Check for the openSUSE-2017-184 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes several issues.

These security issues were fixed :

  - CVE-2016-8858: The kex_input_kexinit function in kex.c
    allowed remote attackers to cause a denial of service
    (memory consumption) by sending many duplicate KEXINIT
    requests (bsc#1005480).

  - CVE-2016-10012: The shared memory manager (associated
    with pre-authentication compression) did not ensure that
    a bounds check is enforced by all compilers, which might
    allowed local users to gain privileges by leveraging
    access to a sandboxed privilege-separation process,
    related to the m_zback and m_zlib data structures
    (bsc#1016370).

  - CVE-2016-10009: Untrusted search path vulnerability in
    ssh-agent.c allowed remote attackers to execute arbitrary
    local PKCS#11 modules by leveraging control over a
    forwarded agent-socket (bsc#1016366).

  - CVE-2016-10010: When forwarding unix domain sockets with
    privilege separation disabled, the resulting sockets have
    be created as 'root' instead of the authenticated user.
    Forwarding unix domain sockets without privilege
    separation enabled is now rejected.

  - CVE-2016-10011: authfile.c in sshd did not properly
    consider the effects of realloc on buffer contents, which
    might allowed local users to obtain sensitive private-key
    information by leveraging access to a privilege-separated
    child process (bsc#1016369).

These non-security issues were fixed :

  - Adjusted suggested command for removing conflicting
    server keys from the known_hosts file (bsc#1006221)

  - Properly verify CIDR masks in configuration (bsc#1005893
    bsc#1021626)

This update was imported from the SUSE:SLE-12-SP2:Update update
project."
  );
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1005480");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1005893");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1006221");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016366");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016368");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016369");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016370");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021626");
  script_set_attribute(attribute:"solution", value:"Update the affected openssh packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-cavs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-fips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks must be enabled and the target must be openSUSE 42.2 on a supported arch.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Compare each installed openssh package against the fixed version.
flag = 0;

if ( rpm_check(release:"SUSE42.2", reference:"openssh-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-askpass-gnome-debuginfo-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-cavs-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-debuginfo-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-debugsource-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-fips-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-7.2p2-9.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"openssh-helpers-debuginfo-7.2p2-9.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc");
}
```
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0606-1.NASL
description: This update for openssh fixes the following issues: Security issues fixed :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  Non security issues fixed :
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97570
published: 2017-03-07
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97570
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2017:0606-1)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2017:0606-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(97570);
  script_version("3.5");
  script_cvs_date("Date: 2019/09/11 11:22:15");

  script_cve_id("CVE-2016-10009", "CVE-2016-10011", "CVE-2016-8858");

  script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2017:0606-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for openssh fixes the following issues:

Security issues fixed :

  - CVE-2016-8858: prevent resource depletion during key
    exchange (bsc#1005480)

  - CVE-2016-10009: limit directories for loading PKCS11
    modules to avoid privilege escalation (bsc#1016366)

  - CVE-2016-10011: Prevent possible leaks of host private
    keys to low-privilege process handling authentication
    (bsc#1016369)

Non security issues fixed :

  - Properly verify CIDR masks in the AllowUsers and
    DenyUsers configuration lists (bsc#1005893)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1005480");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1005893");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1016366");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1016369");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10009/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10011/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-8858/");
  # https://www.suse.com/support/update/announcement/2017/suse-su-20170606-1/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?67b25b28");
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE OpenStack Cloud 5:zypper in -t patch sleclo50sp3-openssh-13005=1

SUSE Manager Proxy 2.1:zypper in -t patch slemap21-openssh-13005=1

SUSE Manager 2.1:zypper in -t patch sleman21-openssh-13005=1

SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
slessp3-openssh-13005=1

SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
sleposp3-openssh-13005=1

SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
dbgsp3-openssh-13005=1

To bring your system up-to-date, use 'zypper patch'."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Restrict the check to SLES11 SP3 on i386/x86_64/s390x.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);

# Compare the installed openssh packages against the fixed versions.
flag = 0;
if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-6.2p2-0.40.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-6.2p2-0.40.1")) flag++;
if (rpm_check(release:"SLES11", sp:"3", reference:"openssh-askpass-gnome-6.2p2-0.40.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
}
```
NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0264-1.NASL
description: This update for openssh fixes several issues. These security issues were fixed :
  - CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480).
  - CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might have allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370).
  - CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366).
  - CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have been created as
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96718
published: 2017-01-24
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96718
title: SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:0264-1)

NASL family: Junos Local Security Checks
NASL id: JUNIPER_JSA10837.NASL
description: According to its self-reported version number, the remote Junos device is affected by a denial of service vulnerability.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106394
published: 2018-01-26
reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/106394
title: Juniper Junos Key Exchange Initialization Handling Memory Exhaustion Remote DoS (JSA10837)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0607-1.NASL
description: This update for openssh fixes the following issues :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  - Fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97571
published: 2017-03-07
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97571
title: SUSE SLES12 Security Update : openssh (SUSE-SU-2017:0607-1)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2016-0014.NASL
description: An update of [ openssh , linux ] packages for PhotonOS has been released.
last seen: 2019-02-21
modified: 2019-02-07
plugin id: 111848
published: 2018-08-17
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=111848
title: Photon OS 1.0: Linux / Openssh PHSA-2016-0014 (deprecated)

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201612-18.NASL
description: The remote host is affected by the vulnerability described in GLSA-201612-18 (OpenSSH: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause Denial of Service and conduct user enumeration. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 95604
published: 2016-12-07
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/95604
title: GLSA-201612-18 : OpenSSH: Multiple vulnerabilities

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-339.NASL
description: This update for openssh fixes the following issues :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  - Fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  This update was imported from the SUSE:SLE-12:Update update project.
last seen: 2020-06-05
modified: 2017-03-14
plugin id: 97716
published: 2017-03-14
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97716
title: openSUSE Security Update : openssh (openSUSE-2017-339)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2016-0014_OPENSSH.NASL
description: An update of the openssh package has been released.
last seen: 2020-03-17
modified: 2019-02-07
plugin id: 121659
published: 2019-02-07
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/121659
title: Photon OS 1.0: Openssh PHSA-2016-0014

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0607-3.NASL
description: This update for openssh fixes the following issues :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  - Fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97653
published: 2017-03-10
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97653
title: SUSE SLES12 Security Update : openssh (SUSE-SU-2017:0607-3)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2017-1006.NASL
description: According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :
  - The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."
last seen: 2020-05-06
modified: 2017-05-01
plugin id: 99852
published: 2017-05-01
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99852
title: EulerOS 2.0 SP1 : openssh (EulerOS-SA-2017-1006)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0607-2.NASL
description: This update for openssh fixes the following issues :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  - Fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97652
published: 2017-03-10
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97652
title: SUSE SLED12 Security Update : openssh (SUSE-SU-2017:0607-2)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_6A2CFCDC9DEA11E6A29814DAE9D210B8.NASL
description: When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place. Impact : A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 94418
published: 2016-10-31
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/94418
title: FreeBSD : FreeBSD -- OpenSSH Remote Denial of Service vulnerability (6a2cfcdc-9dea-11e6-a298-14dae9d210b8)

NASL family: Firewalls
NASL id: PFSENSE_SA-17_03.NASL
description: According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106503
published: 2018-01-31
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/106503
title: pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2017-0603-1.NASL
description: This update for openssh fixes the following issues: Security issues fixed :
  - CVE-2016-8858: prevent resource depletion during key exchange (bsc#1005480)
  - CVE-2016-10009: limit directories for loading PKCS11 modules to avoid privilege escalation (bsc#1016366)
  - CVE-2016-10011: Prevent possible leaks of host private keys to low-privilege process handling authentication (bsc#1016369)
  Non security issues fixed :
  - Properly verify CIDR masks in the AllowUsers and DenyUsers configuration lists (bsc#1005893)
  - fix suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97549
published: 2017-03-06
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97549
title: SUSE SLES11 Security Update : openssh (SUSE-SU-2017:0603-1)

NASL family: AIX Local Security Checks
NASL id: AIX_OPENSSH_ADVISORY10.NASL
description: The remote AIX host has a version of OpenSSH installed that is affected by the following vulnerabilities :
  - OpenSSH is vulnerable to a denial of service, caused by an error in the kex_input_kexinit() function. By sending specially crafted data during the key exchange process, a remote attacker could exploit this vulnerability to consume all available memory resources. (CVE-2016-8858)
  - OpenSSH could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the loading of a specially crafted PKCS#11 module across a forwarded agent channel. An attacker could exploit this vulnerability to write files or execute arbitrary code on the system. (CVE-2016-10009)
  - OpenSSH could allow a local authenticated attacker to obtain sensitive information, caused by a privilege separation flaw. An attacker could exploit this vulnerability to obtain host private key material and other sensitive information. (CVE-2016-10011)
  - OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by improper bounds checking in the shared memory manager. An attacker could exploit this vulnerability to gain elevated privileges on the system. (CVE-2016-10012)
last seen: 2020-05-06
modified: 2020-05-05
plugin id: 136324
published: 2020-05-05
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136324
title: AIX OpenSSH Advisory : openssh_advisory10.asc
References
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.126&r2=1.127&f=h
- http://www.openwall.com/lists/oss-security/2016/10/20/1
- http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup
- http://www.openwall.com/lists/oss-security/2016/10/19/3
- https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad
- http://www.securityfocus.com/bid/93776
- https://bugzilla.redhat.com/show_bug.cgi?id=1384860
- https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/013_ssh_kexinit.patch.sig
- https://security.gentoo.org/glsa/201612-18
- http://www.securitytracker.com/id/1037057
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:33.openssh.asc
- https://security.netapp.com/advisory/ntap-20180201-0001/
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf