Vulnerabilities > CVE-2017-15906 - Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
LOW
Availability impact
NONE
network
low complexity
openbsd
oracle
debian
netapp
redhat
CWE-732
nessus

Summary

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Vulnerable Configurations

Part Description Count
Application
Openbsd
235
Application
Oracle
1
Application
Netapp
14
OS
Debian
1
OS
Netapp
1
OS
Redhat
9
Hardware
Netapp
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
  • Privilege Abuse
    An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Exploiting Incorrectly Configured Access Control Security Levels
    An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1018.NASL
    descriptionImproper write operations in readonly mode allow for zero-length file creation The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906)
    last seen2020-06-01
    modified2020-06-02
    plugin id109700
    published2018-05-11
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109700
    titleAmazon Linux AMI : openssh (ALAS-2018-1018)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1018.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109700);
      script_version("1.1");
      script_cvs_date("Date: 2018/05/11 12:23:24");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"ALAS", value:"2018-1018");
    
      script_name(english:"Amazon Linux AMI : openssh (ALAS-2018-1018)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Improper write operations in readonly mode allow for zero-length file
    creation
    
    The process_open function in sftp-server.c in OpenSSH before 7.6 does
    not properly prevent write operations in readonly mode, which allows
    attackers to create zero-length files.(CVE-2017-15906)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-1018.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update openssh' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"openssh-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-cavs-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-clients-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-debuginfo-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-keycat-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-ldap-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"openssh-server-7.4p1-16.69.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"pam_ssh_agent_auth-0.10.3-2.16.69.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-cavs / openssh-clients / openssh-debuginfo / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2275-1.NASL
    descriptionThis update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYSmessage (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111639
    published2018-08-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111639
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:2275-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111639);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2008-1483", "CVE-2016-10012", "CVE-2016-10708", "CVE-2017-15906");
      script_bugtraq_id(28444);
    
      script_name(english:"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for openssh fixes the following issues: Security issues
    fixed :
    
      - CVE-2016-10012: Fix pre-auth compression checks that
        could be optimized away (bsc#1016370).
    
      - CVE-2016-10708: Fix remote denial of service (NULL
        pointer dereference and daemon crash) via an
        out-of-sequence NEWKEYSmessage (bsc#1076957).
    
      - CVE-2017-15906: Fix r/o sftp-server zero byte file
        creation (bsc#1065000).
    
      - CVE-2008-1483: Fix accidental re-introduction of
        CVE-2008-1483 (bsc#1069509). Bug fixes :
    
      - bsc#1017099: Match conditions with uppercase hostnames
        fail (bsc#1017099)
    
      - bsc#1053972: supportedKeyExchanges
        diffie-hellman-group1-sha1 is duplicated (bsc#1053972)
    
      - bsc#1023275: Messages suppressed after upgrade from SLES
        11 SP3 to SP4 (bsc#1023275)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017099"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1053972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065000"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069509"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2008-1483/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10012/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10708/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15906/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20182275-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?26523b41"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-openssh-13719=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-openssh-13719=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-fips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:openssh-helpers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-askpass-gnome-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-fips-6.6p1-36.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"openssh-helpers-6.6p1-36.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1140.NASL
    descriptionAccording to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110144
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110144
    titleEulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1140)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110144);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-15906"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1140)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the openssh packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - The process_open function in sftp-server.c in OpenSSH
        before 7.6 does not properly prevent write operations
        in readonly mode, which allows attackers to create
        zero-length files.(CVE-2017-15906)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1140
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17c2ee8b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/29");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-6.6.1p1-28.h16",
            "openssh-askpass-6.6.1p1-28.h16",
            "openssh-clients-6.6.1p1-28.h16",
            "openssh-keycat-6.6.1p1-28.h16",
            "openssh-server-6.6.1p1-28.h16"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_OPENSSH_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - openssh: Improper write operations in readonly mode allow for zero- length file creation (CVE-2017-15906) Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109454
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109454
    titleScientific Linux Security Update : openssh on SL7.x x86_64 (20180410)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109454);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2017-15906");
    
      script_name(english:"Scientific Linux Security Update : openssh on SL7.x x86_64 (20180410)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - openssh: Improper write operations in readonly mode
        allow for zero- length file creation (CVE-2017-15906)
    
    Additional Changes :"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1804&L=scientific-linux-errata&F=&S=&P=5953
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6b8fe913"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-debuginfo-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-server-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-2.16.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0980.NASL
    descriptionFrom Red Hat Security Advisory 2018:0980 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109111
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109111
    titleOracle Linux 7 : openssh (ELSA-2018-0980)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:0980 and 
    # Oracle Linux Security Advisory ELSA-2018-0980 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109111);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"RHSA", value:"2018:0980");
    
      script_name(english:"Oracle Linux 7 : openssh (ELSA-2018-0980)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:0980 :
    
    An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Low. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link (s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    Security Fix(es) :
    
    * openssh: Improper write operations in readonly mode allow for
    zero-length file creation (CVE-2017-15906)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007617.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-clients-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-2.16.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-96D1995B70.NASL
    descriptionThis update provides new upstream release OpenSSH 7.6 with several bug fixes and new features, including CVE-2017-15906, compatibility with WinSCP, improvement for PAM stack, enablement for s390x sandbox, new GSSAPI key exchange methods and improvement of handling kerberos tickets. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105931
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105931
    titleFedora 27 : openssh (2017-96d1995b70)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-96d1995b70.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105931);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"FEDORA", value:"2017-96d1995b70");
    
      script_name(english:"Fedora 27 : openssh (2017-96d1995b70)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update provides new upstream release OpenSSH 7.6 with several bug
    fixes and new features, including CVE-2017-15906, compatibility with
    WinSCP, improvement for PAM stack, enablement for s390x sandbox, new
    GSSAPI key exchange methods and improvement of handling kerberos
    tickets.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-96d1995b70"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"openssh-7.6p1-2.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1426.NASL
    descriptionAccording to the versions of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906) - In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.(CVE-2018-20685) - An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.(CVE-2019-6109) - An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).(CVE-2019-6111) - OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.(CVE-2018-15473) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124929
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124929
    titleEulerOS Virtualization 3.0.1.0 : openssh (EulerOS-SA-2019-1426)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124929);
      script_version("1.5");
      script_cvs_date("Date: 2019/06/27 13:33:25");
    
      script_cve_id(
        "CVE-2017-15906",
        "CVE-2018-15473",
        "CVE-2018-20685",
        "CVE-2019-6109",
        "CVE-2019-6111"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.1.0 : openssh (EulerOS-SA-2019-1426)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the openssh packages installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - The process_open function in sftp-server.c in OpenSSH
        before 7.6 does not properly prevent write operations
        in readonly mode, which allows attackers to create
        zero-length files.(CVE-2017-15906)
    
      - In OpenSSH 7.9, scp.c in the scp client allows remote
        SSH servers to bypass intended access restrictions via
        the filename of . or an empty filename. The impact is
        modifying the permissions of the target directory on
        the client side.(CVE-2018-20685)
    
      - An issue was discovered in OpenSSH 7.9. Due to missing
        character encoding in the progress display, a malicious
        server (or Man-in-The-Middle attacker) can employ
        crafted object names to manipulate the client output,
        e.g., by using ANSI control codes to hide additional
        files being transferred. This affects
        refresh_progress_meter() in
        progressmeter.c.(CVE-2019-6109)
    
      - An issue was discovered in OpenSSH 7.9. Due to the scp
        implementation being derived from 1983 rcp, the server
        chooses which files/directories are sent to the client.
        However, the scp client only performs cursory
        validation of the object name returned (only directory
        traversal attacks are prevented). A malicious scp
        server (or Man-in-The-Middle attacker) can overwrite
        arbitrary files in the scp client target directory. If
        recursive operation (-r) is performed, the server can
        manipulate subdirectories as well (for example, to
        overwrite the .ssh/authorized_keys
        file).(CVE-2019-6111)
    
      - OpenSSH through 7.7 is prone to a user enumeration
        vulnerability due to not delaying bailout for an
        invalid authenticating user until after the packet
        containing the request has been fully parsed, related
        to auth2-gss.c, auth2-hostbased.c, and
        auth2-pubkey.c.(CVE-2018-15473)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1426
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?18436e35");
      script_set_attribute(attribute:"solution", value:
    "Update the affected openssh packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["openssh-7.4p1-16.h8",
            "openssh-clients-7.4p1-16.h8",
            "openssh-keycat-7.4p1-16.h8",
            "openssh-server-7.4p1-16.h8",
            "pam_ssh_agent_auth-0.10.3-2.16"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0980.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109378
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109378
    titleCentOS 7 : openssh (CESA-2018:0980)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:0980 and 
    # CentOS Errata and Security Advisory 2018:0980 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109378);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"RHSA", value:"2018:0980");
    
      script_name(english:"CentOS 7 : openssh (CESA-2018:0980)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for openssh is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Low. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link (s) in the References section.
    
    OpenSSH is an SSH protocol implementation supported by a number of
    Linux, UNIX, and similar operating systems. It includes the core files
    necessary for both the OpenSSH client and server.
    
    Security Fix(es) :
    
    * openssh: Improper write operations in readonly mode allow for
    zero-length file creation (CVE-2017-15906)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2018-April/005029.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c64b1751"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-15906");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-askpass-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-cavs-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-clients-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-keycat-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-ldap-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-16.el7")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-2.16.el7")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-067-01.NASL
    descriptionNew openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and 14.2 to fix a security issue.
    last seen2020-03-17
    modified2018-03-09
    plugin id107233
    published2018-03-09
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/107233
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2018-067-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2018-067-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(107233);
      script_version("1.1");
      script_cvs_date("2018/03/09 11:17:04");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"SSA", value:"2018-067-01");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2018-067-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New openssh packages are available for Slackware 13.0, 13.1, 13.37,
    14.0, 14.1, and 14.2 to fix a security issue."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.554315
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?037c691b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i486", pkgnum:"2_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i486", pkgnum:"2_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i486", pkgnum:"2_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i486", pkgnum:"2_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i486", pkgnum:"2_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack14.1")) flag++;
    
    if (slackware_check(osver:"14.2", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"i586", pkgnum:"2_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"openssh", pkgver:"7.4p1", pkgarch:"x86_64", pkgnum:"2_slack14.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"openssh", pkgver:"7.6p1", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"openssh", pkgver:"7.6p1", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1042.NASL
    descriptionThe process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906)
    last seen2020-06-01
    modified2020-06-02
    plugin id110781
    published2018-06-29
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110781
    titleAmazon Linux 2 : openssh (ALAS-2018-1042)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1042.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110781);
      script_version("1.1");
      script_cvs_date("Date: 2018/06/29 12:00:54");
    
      script_cve_id("CVE-2017-15906");
      script_xref(name:"ALAS", value:"2018-1042");
    
      script_name(english:"Amazon Linux 2 : openssh (ALAS-2018-1042)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The process_open function in sftp-server.c in OpenSSH before 7.6 does
    not properly prevent write operations in readonly mode, which allows
    attackers to create zero-length files.(CVE-2017-15906)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1042.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update openssh' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-cavs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-keycat");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:openssh-server-sysvinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:pam_ssh_agent_auth");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-askpass-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-cavs-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-clients-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-debuginfo-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-keycat-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-ldap-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-server-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"openssh-server-sysvinit-7.4p1-16.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"pam_ssh_agent_auth-0.10.3-2.16.amzn2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-cavs / openssh-clients / etc");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0052.NASL
    descriptionAn update of [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc] packages for photonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111901
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111901
    titlePhoton OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2017-0052. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111901);
      script_version("1.2");
      script_cvs_date("Date: 2019/02/07 18:59:50");
    
      script_cve_id(
        "CVE-2016-5417",
        "CVE-2017-15115",
        "CVE-2017-15535",
        "CVE-2017-15906",
        "CVE-2017-16548",
        "CVE-2017-16826",
        "CVE-2017-16827",
        "CVE-2017-16828",
        "CVE-2017-16829",
        "CVE-2017-16830",
        "CVE-2017-16831",
        "CVE-2017-16832",
        "CVE-2017-16844",
        "CVE-2017-1000158",
        "CVE-2017-1000256"
      );
    
      script_name(english:"Photon OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "An update of
    [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc]
    packages for photonOS has been released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-91
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a72c45fb");
      script_set_attribute(attribute:"solution", value:"n/a.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16844");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:binutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mongodb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:procmail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:python2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:rsync");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    pkgs = [
      "binutils-2.29.1-2.ph1",
      "binutils-debuginfo-2.29.1-2.ph1",
      "binutils-devel-2.29.1-2.ph1",
      "glibc-2.22-17.ph1",
      "glibc-devel-2.22-17.ph1",
      "glibc-lang-2.22-17.ph1",
      "linux-4.4.103-1.ph1",
      "linux-api-headers-4.4.103-1.ph1",
      "linux-debuginfo-4.4.103-1.ph1",
      "linux-dev-4.4.103-1.ph1",
      "linux-docs-4.4.103-1.ph1",
      "linux-drivers-gpu-4.4.103-1.ph1",
      "linux-esx-4.4.103-1.ph1",
      "linux-esx-debuginfo-4.4.103-1.ph1",
      "linux-esx-devel-4.4.103-1.ph1",
      "linux-esx-docs-4.4.103-1.ph1",
      "linux-oprofile-4.4.103-1.ph1",
      "linux-sound-4.4.103-1.ph1",
      "linux-tools-4.4.103-1.ph1",
      "mongodb-3.4.10-1.ph1",
      "mongodb-debuginfo-3.4.10-1.ph1",
      "openssh-7.4p1-7.ph1",
      "openssh-debuginfo-7.4p1-7.ph1",
      "procmail-3.22-4.ph1",
      "python2-2.7.13-4.ph1",
      "python2-debuginfo-2.7.13-4.ph1",
      "python2-devel-2.7.13-4.ph1",
      "python2-libs-2.7.13-4.ph1",
      "python2-tools-2.7.13-4.ph1",
      "rsync-3.1.2-3.ph1",
      "rsync-debuginfo-3.1.2-3.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "binutils / glibc / linux / mongodb / openssh / procmail / python2 / rsync");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-78F0991378.NASL
    descriptionSecurity fix for CVE-2017-15906: Improper write operations in readonly mode (#1506630) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-12-13
    plugin id105202
    published2017-12-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105202
    titleFedora 25 : openssh (2017-78f0991378)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1351.NASL
    descriptionThis update for openssh fixes the following issues : Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-12-14
    plugin id105237
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/105237
    titleopenSUSE Security Update : openssh (openSUSE-2017-1351)
  • NASL familyAIX Local Security Checks
    NASL idAIX_OPENSSH_ADVISORY11.NASL
    descriptionThe version of OpenSSH installed on the remote AIX host is affected by a vulnerability in the process_open function of sftp-server.c in OpenSSH in that it does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
    last seen2020-06-01
    modified2020-06-02
    plugin id136323
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136323
    titleAIX OpenSSH Advisory : openssh_advisory11.asc
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_SPACE_JSA10880.NASL
    descriptionAccording to its self-reported version number, the version of Junos Space running on the remote device is < 18.2R1, and is therefore affected by multiple vulnerabilities: - Due to untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4, unauthenticated, remote attacker can execute execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. (CVE-2016-10009) - In OpenSSH before 7.4, an authenticated local attacker can escalate privileges via unspecified vectors, related to serverloop.c. (CVE-2016-10010) - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents. an authenticated local attacker can obtain sensitive private-key information by leveraging access to a privilege-separated child process. (CVE-2016-10011) - In sshd in OpenSSH before 7.4, a local attacker can gain privileges by leveraging access to a sandboxed privilege-separation process due to a bounds check that
    last seen2020-06-01
    modified2020-06-02
    plugin id126510
    published2019-07-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126510
    titleJuniper Junos Space < 18.2R1 Multiple Vulnerabilities (JSA10880)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3230-1.NASL
    descriptionThis update for openssh fixes the following issues: Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105093
    published2017-12-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105093
    titleSUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)
  • NASL familyMisc.
    NASL idOPENSSH_76.NASL
    descriptionAccording to its banner, the version of OpenSSH running on the remote host is prior to 7.6. It is, therefore, affected by a file creation restriction bypass vulnerability related to the
    last seen2020-06-01
    modified2020-06-02
    plugin id103781
    published2017-10-11
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103781
    titleOpenSSH < 7.6
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2685-1.NASL
    descriptionThis update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client
    last seen2020-06-01
    modified2020-06-02
    plugin id117452
    published2018-09-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117452
    titleSUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1141.NASL
    descriptionAccording to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-05-29
    plugin id110145
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110145
    titleEulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1141)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201801-05.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201801-05 (OpenSSH: Permission issue) The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode. Impact : A remote attacker could cause the creation of zero-length files. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id105631
    published2018-01-08
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/105631
    titleGLSA-201801-05 : OpenSSH: Permission issue
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0051_OPENSSH.NASL
    descriptionAn update of the openssh package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121772
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121772
    titlePhoton OS 2.0: Openssh PHSA-2017-0051
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0051.NASL
    descriptionAn update of [rsync,linux,openssh,procmail,python2,libvirt] packages for PhotonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111900
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111900
    titlePhoton OS 2.0: Libvirt / Linux / Openssh / Procmail / Python2 / Rsync PHSA-2017-0051 (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-4862A3BFB1.NASL
    descriptionSecurity fix for CVE-2017-15906: Improper write operations in readonly mode Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-29
    plugin id104824
    published2017-11-29
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104824
    titleFedora 26 : openssh (2017-4862a3bfb1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3540-1.NASL
    descriptionThis update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or
    last seen2020-06-01
    modified2020-06-02
    plugin id118498
    published2018-10-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118498
    titleSUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0980.NASL
    descriptionAn update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108992
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108992
    titleRHEL 7 : openssh (RHSA-2018:0980)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3538-1.NASL
    descriptionJann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009) Jann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10010) Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10011) Guido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use issue to gain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10012) Michal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service. (CVE-2017-15906). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106266
    published2018-01-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106266
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)

Redhat

advisories
bugzilla
id1506630
titleCVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentopenssh is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980001
        • commentopenssh is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884004
      • AND
        • commentopenssh-clients is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980003
        • commentopenssh-clients is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884002
      • AND
        • commentopenssh-keycat is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980005
        • commentopenssh-keycat is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20150425016
      • AND
        • commentopenssh-server is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980007
        • commentopenssh-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884006
      • AND
        • commentopenssh-askpass is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980009
        • commentopenssh-askpass is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884008
      • AND
        • commentopenssh-server-sysvinit is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980011
        • commentopenssh-server-sysvinit is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20150425002
      • AND
        • commentpam_ssh_agent_auth is earlier than 0:0.10.3-2.16.el7
          ovaloval:com.redhat.rhsa:tst:20180980013
        • commentpam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884012
      • AND
        • commentopenssh-cavs is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980015
        • commentopenssh-cavs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20172029008
      • AND
        • commentopenssh-ldap is earlier than 0:7.4p1-16.el7
          ovaloval:com.redhat.rhsa:tst:20180980017
        • commentopenssh-ldap is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20120884010
rhsa
idRHSA-2018:0980
released2018-04-10
severityLow
titleRHSA-2018:0980: openssh security, bug fix, and enhancement update (Low)
rpms
  • openssh-0:7.4p1-16.el7
  • openssh-askpass-0:7.4p1-16.el7
  • openssh-cavs-0:7.4p1-16.el7
  • openssh-clients-0:7.4p1-16.el7
  • openssh-debuginfo-0:7.4p1-16.el7
  • openssh-keycat-0:7.4p1-16.el7
  • openssh-ldap-0:7.4p1-16.el7
  • openssh-server-0:7.4p1-16.el7
  • openssh-server-sysvinit-0:7.4p1-16.el7
  • pam_ssh_agent_auth-0:0.10.3-2.16.el7