The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.
{"ubuntucve": [{"lastseen": "2023-08-16T21:33:38", "description": "The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and\nwhen running in a Kerberos environment, allows remote authenticated users\nto log in as another user when they are listed in the .k5users file of that\nuser, which might bypass intended authentication requirements that would\nforce a local login.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | vulnerable patch not included in Debian/Ubuntu\n", "cvss3": {}, "published": "2014-12-06T00:00:00", "type": "ubuntucve", "title": "CVE-2014-9278", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278"], "modified": "2014-12-06T00:00:00", "id": "UB:CVE-2014-9278", "href": "https://ubuntu.com/security/CVE-2014-9278", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2023-08-16T17:05:44", "description": " \n\n\nThe OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login. ([CVE-2014-9278](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9278>)) \n\n\nImpact \n\n\nNone. F5 products are not affected by this vulnerability. 
\n\n", "cvss3": {}, "published": "2015-01-22T01:54:00", "type": "f5", "title": "OpenSSH vulnerability CVE-2014-9278", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278"], "modified": "2016-01-08T23:20:00", "id": "F5:K16009", "href": "https://support.f5.com/csp/article/K16009", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2016-09-26T17:22:55", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {}, "published": "2015-01-21T00:00:00", "type": "f5", "title": "SOL16009 - OpenSSH vulnerability CVE-2014-9278", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278"], "modified": "2015-01-21T00:00:00", "id": "SOL16009", "href": 
"http://support.f5.com/kb/en-us/solutions/public/16000/000/sol16009.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "debiancve": [{"lastseen": "2023-09-03T22:15:45", "description": "The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.", "cvss3": {}, "published": "2014-12-06T15:59:00", "type": "debiancve", "title": "CVE-2014-9278", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278"], "modified": "2014-12-06T15:59:00", "id": "DEBIANCVE:CVE-2014-9278", "href": "https://security-tracker.debian.org/tracker/CVE-2014-9278", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:37:06", "description": "Oracle Linux Local Security Checks ELSA-2015-0425", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-0425", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123172", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123172", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
ELSA-2015-0425.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123172\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:17 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0425\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0425 - openssh security, bug fix and enhancement update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0425\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0425.html\");\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-server\", 
rpm:\"openssh-server~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-server-sysvinit\", rpm:\"openssh-server-sysvinit~6.6.1p1~11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"pam_ssh_agent_auth\", rpm:\"pam_ssh_agent_auth~0.9.3~9.11.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:37:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-08-11T00:00:00", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2015-12054", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5600", "CVE-2014-9278"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310869834", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869834", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssh FEDORA-2015-12054\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869834\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-11 11:56:26 +0530 (Tue, 11 Aug 2015)\");\n script_cve_id(\"CVE-2015-5600\", \"CVE-2014-9278\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openssh FEDORA-2015-12054\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openssh on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-12054\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163045.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~15.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-05-29T18:36:08", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-07-11T00:00:00", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2015-11067", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5352", "CVE-2014-9278"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310869737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869737", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssh FEDORA-2015-11067\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869737\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-11 06:04:00 +0200 (Sat, 11 Jul 2015)\");\n script_cve_id(\"CVE-2014-9278\", \"CVE-2015-5352\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openssh FEDORA-2015-11067\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openssh on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-11067\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/161610.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease 
= rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~13.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:08", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2015-03-06T00:00:00", "type": "openvas", "title": "RedHat Update for openssh RHSA-2015:0425-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871328", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871328", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2015:0425-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871328\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-06 06:50:21 +0100 (Fri, 06 Mar 2015)\");\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2015:0425-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client and\nserver.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP\nrecords. A malicious server could use this flaw to force a connecting\nclient to skip the DNS SSHFP record check and require the user to perform\nmanual host verification of the DNS SSHFP record. (CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote\nauthenticated users were allowed to log in as a different user if they were\nlisted in the ~/.k5users file of that user, potentially bypassing intended\nauthentication restrictions. 
(CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1059667)\n\nBug fixes:\n\n * An existing /dev/log socket is needed when logging using the syslog\nutility, which is not possible for all chroot environments based on the\nuser's home directories. As a consequence, the sftp commands were not\nlogged in the chroot setup without /dev/log in the internal sftp subsystem.\nWith this update, openssh has been enhanced to detect whether /dev/log\nexists. If /dev/log does not exist, processes in the chroot environment use\ntheir master processes for logging. (BZ#1083482)\n\n * The buffer size for a host name was limited to 64 bytes. As a\nconsequence, when a host name was 64 bytes long or longer, the ssh-keygen\nutility failed. The buffer size has been increased to fix this bug, and\nssh-keygen no longer fails in the described situation. (BZ#1097665)\n\n * Non-ASCII characters have been replaced by their octal representations in\nbanner messages in order to prevent terminal re-programming attacks.\nConsequently, banners containing UTF-8 strings were not correctly displayed\nin a client. With this update, banner messages are processed according to\nRFC 3454, control characters have been removed, and banners containing\nUTF-8 strings are now displayed correctly. (BZ#1104662)\n\n * Red Hat Enterprise Linux uses persistent Kerberos credential caches,\nwhich are shared between sessions. Previously, the GSSAPICleanupCredentials\noption was set to 'yes' by default. Consequently, removing a Kerberos cache\non logout could remove unrelated credentials of other sessions, which could\nmake the system unusable. To fix this bug, GSSAPICleanupCredentials is set\nby default to 'no'. (BZ#1134447)\n\n * Access permissions for the /etc/ssh/moduli file were set to 0600, which\nwas unnecessarily strict. 
With this update, the permissions ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:0425-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-March/msg00014.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. ", "cvss3": {}, "published": "2015-08-03T04:31:13", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: openssh-6.6.1p1-15.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278", "CVE-2015-5600"], "modified": "2015-08-03T04:31:13", "id": "FEDORA:2E88760877A1", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BCKAJFAJ7TEVSIOUC7SPLOOSUIC45K45/", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. 
SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. ", "cvss3": {}, "published": "2015-07-10T19:09:25", "type": "fedora", "title": "[SECURITY] Fedora 21 Update: openssh-6.6.1p1-13.fc21", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-9278", "CVE-2015-5352"], "modified": "2015-07-10T19:09:25", "id": "FEDORA:0429D60C85D7", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DVDHXZL46VWS7ZOGKSBRAZ3MU5PEOQ4C/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-18T14:11:33", "description": "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. 
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. 
Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP session, and a connection other than SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {}, "published": "2015-03-05T00:00:00", "type": "nessus", "title": "RHEL 7 : openssh (RHSA-2015:0425)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo", "p-cpe:/a:redhat:enterprise_linux:openssh-keycat", "p-cpe:/a:redhat:enterprise_linux:openssh-ldap", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit", "p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2015-0425.NASL", "href": "https://www.tenable.com/plugins/nessus/81635", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0425. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81635);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n script_xref(name:\"RHSA\", value:\"2015:0425\");\n\n script_name(english:\"RHEL 7 : openssh (RHSA-2015:0425)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix two security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS\nSSHFP records. A malicious server could use this flaw to force a\nconnecting client to skip the DNS SSHFP record check and require the\nuser to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment,\nremote authenticated users were allowed to log in as a different user\nif they were listed in the ~/.k5users file of that user, potentially\nbypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. 
(BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog\nutility, which is not possible for all chroot environments based on\nthe user's home directories. As a consequence, the sftp commands were\nnot logged in the chroot setup without /dev/log in the internal sftp\nsubsystem. With this update, openssh has been enhanced to detect\nwhether /dev/log exists. If /dev/log does not exist, processes in the\nchroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a\nconsequence, when a host name was 64 bytes long or longer, the\nssh-keygen utility failed. The buffer size has been increased to fix\nthis bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal\nrepresentations in banner messages in order to prevent terminal\nre-programming attacks. Consequently, banners containing UTF-8 strings\nwere not correctly displayed in a client. With this update, banner\nmessages are processed according to RFC 3454, control characters have\nbeen removed, and banners containing UTF-8 strings are now displayed\ncorrectly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches,\nwhich are shared between sessions. Previously, the\nGSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove\nunrelated credentials of other sessions, which could make the system\nunusable. To fix this bug, GSSAPICleanupCredentials is set by default\nto 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600,\nwhich was unnecessarily strict. With this update, the permissions for\n/etc/ssh/moduli have been changed to 0644 to make the access to the\nfile easier. 
(BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket\ncache was not found after login using a Kerberos-enabled SSH\nconnection. The underlying source code has been modified to fix this\nbug, and Kerberos authentication works as expected in the described\nsituation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP\nsession, a connection other then SFTP is used, the appropriate message\nis logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the\n'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit\nfile. With this update, the separate sshd-keygen.service unit file has\nbeen added, and sshd.service has been adjusted to require\nsshd-keygen.service. (BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-2653\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-9278\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0425\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-askpass-6.6.1p1-11.el7\")) 
flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-clients-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"openssh-debuginfo-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-keycat-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-ldap-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-sysvinit-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"pam_ssh_agent_auth-0.9.3-9.11.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:59", "description": "Updated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat 
Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. 
The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP session, and a connection other than SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {}, "published": "2015-03-18T00:00:00", "type": "nessus", "title": "CentOS 7 : openssh (CESA-2015:0425)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-keycat", "p-cpe:/a:centos:centos:openssh-ldap", "p-cpe:/a:centos:centos:openssh-server", "p-cpe:/a:centos:centos:openssh-server-sysvinit", "p-cpe:/a:centos:centos:pam_ssh_agent_auth", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2015-0425.NASL", "href": "https://www.tenable.com/plugins/nessus/81894", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0425 and \n# CentOS Errata and Security Advisory 2015:0425 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81894);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n script_xref(name:\"RHSA\", value:\"2015:0425\");\n\n script_name(english:\"CentOS 7 : openssh (CESA-2015:0425)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix two security issues, several bugs,\nand add various enhancements are now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having 
Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS\nSSHFP records. A malicious server could use this flaw to force a\nconnecting client to skip the DNS SSHFP record check and require the\nuser to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment,\nremote authenticated users were allowed to log in as a different user\nif they were listed in the ~/.k5users file of that user, potentially\nbypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog\nutility, which is not possible for all chroot environments based on\nthe user's home directories. As a consequence, the sftp commands were\nnot logged in the chroot setup without /dev/log in the internal sftp\nsubsystem. With this update, openssh has been enhanced to detect\nwhether /dev/log exists. If /dev/log does not exist, processes in the\nchroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a\nconsequence, when a host name was 64 bytes long or longer, the\nssh-keygen utility failed. 
The buffer size has been increased to fix\nthis bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal\nrepresentations in banner messages in order to prevent terminal\nre-programming attacks. Consequently, banners containing UTF-8 strings\nwere not correctly displayed in a client. With this update, banner\nmessages are processed according to RFC 3454, control characters have\nbeen removed, and banners containing UTF-8 strings are now displayed\ncorrectly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches,\nwhich are shared between sessions. Previously, the\nGSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove\nunrelated credentials of other sessions, which could make the system\nunusable. To fix this bug, GSSAPICleanupCredentials is set by default\nto 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600,\nwhich was unnecessarily strict. With this update, the permissions for\n/etc/ssh/moduli have been changed to 0644 to make the access to the\nfile easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket\ncache was not found after login using a Kerberos-enabled SSH\nconnection. The underlying source code has been modified to fix this\nbug, and Kerberos authentication works as expected in the described\nsituation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP\nsession, a connection other then SFTP is used, the appropriate message\nis logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the\n'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit\nfile. With this update, the separate sshd-keygen.service unit file has\nbeen added, and sshd.service has been adjusted to require\nsshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2015-March/001725.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9f2883d9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-2653\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/18\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", 
reference:\"openssh-server-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.11.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-keycat / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:21:37", "description": "From Red Hat Security Advisory 2015:0425 :\n\nUpdated openssh packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. 
A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. 
Previously, the GSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP session, and a connection other than SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "cvss3": {}, "published": "2015-03-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : openssh (ELSA-2015-0425)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:openssh", "p-cpe:/a:oracle:linux:openssh-askpass", "p-cpe:/a:oracle:linux:openssh-clients", "p-cpe:/a:oracle:linux:openssh-keycat", "p-cpe:/a:oracle:linux:openssh-ldap", "p-cpe:/a:oracle:linux:openssh-server", "p-cpe:/a:oracle:linux:openssh-server-sysvinit", "p-cpe:/a:oracle:linux:pam_ssh_agent_auth", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2015-0425.NASL", "href": "https://www.tenable.com/plugins/nessus/81725", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:0425 and \n# Oracle Linux Security Advisory ELSA-2015-0425 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81725);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n script_bugtraq_id(66459, 71420);\n script_xref(name:\"RHSA\", value:\"2015:0425\");\n\n script_name(english:\"Oracle Linux 7 : openssh (ELSA-2015-0425)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:0425 :\n\nUpdated openssh packages that fix two security issues, several bugs,\nand add various enhancements are now available 
for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS\nSSHFP records. A malicious server could use this flaw to force a\nconnecting client to skip the DNS SSHFP record check and require the\nuser to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment,\nremote authenticated users were allowed to log in as a different user\nif they were listed in the ~/.k5users file of that user, potentially\nbypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#1059667)\n\nBug fixes :\n\n* An existing /dev/log socket is needed when logging using the syslog\nutility, which is not possible for all chroot environments based on\nthe user's home directories. As a consequence, the sftp commands were\nnot logged in the chroot setup without /dev/log in the internal sftp\nsubsystem. With this update, openssh has been enhanced to detect\nwhether /dev/log exists. If /dev/log does not exist, processes in the\nchroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a\nconsequence, when a host name was 64 bytes long or longer, the\nssh-keygen utility failed. 
The buffer size has been increased to fix\nthis bug, and ssh-keygen no longer fails in the described situation.\n(BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal\nrepresentations in banner messages in order to prevent terminal\nre-programming attacks. Consequently, banners containing UTF-8 strings\nwere not correctly displayed in a client. With this update, banner\nmessages are processed according to RFC 3454, control characters have\nbeen removed, and banners containing UTF-8 strings are now displayed\ncorrectly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches,\nwhich are shared between sessions. Previously, the\nGSSAPICleanupCredentials option was set to 'yes' by default.\nConsequently, removing a Kerberos cache on logout could remove\nunrelated credentials of other sessions, which could make the system\nunusable. To fix this bug, GSSAPICleanupCredentials is set by default\nto 'no'. (BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600,\nwhich was unnecessarily strict. With this update, the permissions for\n/etc/ssh/moduli have been changed to 0644 to make the access to the\nfile easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket\ncache was not found after login using a Kerberos-enabled SSH\nconnection. The underlying source code has been modified to fix this\nbug, and Kerberos authentication works as expected in the described\nsituation. (BZ#1161173)\n\nEnhancements :\n\n* When the sshd daemon is configured to force the internal SFTP\nsession, and a connection other than SFTP is used, the appropriate message\nis logged to the /var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the\n'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit\nfile. With this update, the separate sshd-keygen.service unit file has\nbeen added, and sshd.service has been adjusted to require\nsshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-March/004875.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.11.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-keycat / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:11:08", "description": "It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. 
A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version.\n\nBug fixes :\n\n - An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging.\n\n - The buffer size for a host name was limited to 64 bytes.\n As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation.\n\n - Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly.\n\n - Scientific Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to 'yes' by default. 
Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to 'no'.\n\n - Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier.\n\n - Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation.\n\nEnhancements :\n\n - When the sshd daemon is configured to force the internal SFTP session, and a connection other than SFTP is used, the appropriate message is logged to the /var/log/secure file.\n\n - The sshd-keygen service was run using the 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the sshd.service unit file. 
With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service.", "cvss3": {}, "published": "2015-03-26T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : openssh on SL7.x x86_64 (20150305)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:openssh", "p-cpe:/a:fermilab:scientific_linux:openssh-askpass", "p-cpe:/a:fermilab:scientific_linux:openssh-clients", "p-cpe:/a:fermilab:scientific_linux:openssh-debuginfo", "p-cpe:/a:fermilab:scientific_linux:openssh-keycat", "p-cpe:/a:fermilab:scientific_linux:openssh-ldap", "p-cpe:/a:fermilab:scientific_linux:openssh-server", "p-cpe:/a:fermilab:scientific_linux:openssh-server-sysvinit", "p-cpe:/a:fermilab:scientific_linux:pam_ssh_agent_auth", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150305_OPENSSH_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/82258", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82258);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-2653\", \"CVE-2014-9278\");\n\n script_name(english:\"Scientific Linux Security Update : openssh on SL7.x x86_64 (20150305)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that OpenSSH clients did not correctly verify DNS\nSSHFP records. 
A malicious server could use this flaw to force a\nconnecting client to skip the DNS SSHFP record check and require the\nuser to perform manual host verification of the DNS SSHFP record.\n(CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment,\nremote authenticated users were allowed to log in as a different user\nif they were listed in the ~/.k5users file of that user, potentially\nbypassing intended authentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1,\nwhich provides a number of bug fixes and enhancements over the\nprevious version.\n\nBug fixes :\n\n - An existing /dev/log socket is needed when logging using\n the syslog utility, which is not possible for all chroot\n environments based on the user's home directories. As a\n consequence, the sftp commands were not logged in the\n chroot setup without /dev/log in the internal sftp\n subsystem. With this update, openssh has been enhanced\n to detect whether /dev/log exists. If /dev/log does not\n exist, processes in the chroot environment use their\n master processes for logging.\n\n - The buffer size for a host name was limited to 64 bytes.\n As a consequence, when a host name was 64 bytes long or\n longer, the ssh-keygen utility failed. The buffer size\n has been increased to fix this bug, and ssh-keygen no\n longer fails in the described situation.\n\n - Non-ASCII characters have been replaced by their octal\n representations in banner messages in order to prevent\n terminal re-programming attacks. Consequently, banners\n containing UTF-8 strings were not correctly displayed in\n a client. With this update, banner messages are\n processed according to RFC 3454, control characters have\n been removed, and banners containing UTF-8 strings are\n now displayed correctly.\n\n - Scientific Linux uses persistent Kerberos credential\n caches, which are shared between sessions. 
Previously,\n the GSSAPICleanupCredentials option was set to 'yes' by\n default. Consequently, removing a Kerberos cache on\n logout could remove unrelated credentials of other\n sessions, which could make the system unusable. To fix\n this bug, GSSAPICleanupCredentials is set by default to\n 'no'.\n\n - Access permissions for the /etc/ssh/moduli file were set\n to 0600, which was unnecessarily strict. With this\n update, the permissions for /etc/ssh/moduli have been\n changed to 0644 to make the access to the file easier.\n\n - Due to the KRB5CCNAME variable being truncated, the\n Kerberos ticket cache was not found after login using a\n Kerberos-enabled SSH connection. The underlying source\n code has been modified to fix this bug, and Kerberos\n authentication works as expected in the described\n situation.\n\nEnhancements :\n\n - When the sshd daemon is configured to force the internal\n SFTP session, and a connection other than SFTP is used, the\n appropriate message is logged to the /var/log/secure\n file.\n\n - The sshd-keygen service was run using the\n 'ExecStartPre=-/usr/sbin/sshd-keygen' option in the\n sshd.service unit file. 
With this update, the separate\n sshd-keygen.service unit file has been added, and\n sshd.service has been adjusted to require\n sshd-keygen.service.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1503&L=scientific-linux-errata&T=0&P=3247\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?55568abc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-debuginfo-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-11.el7\")) flag++;\nif 
(rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-11.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.11.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:42", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. 
(CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\n - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. 
A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n (CVE-2014-2653)\n\n - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\n - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600)\n\n - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325)\n\n - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.\n (CVE-2016-0777)\n\n - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\n\n - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. 
(CVE-2016-6210)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5794", "CVE-2007-3102", "CVE-2010-2632", "CVE-2010-4755", "CVE-2010-5107", "CVE-2014-2532", "CVE-2014-2653", "CVE-2014-9278", "CVE-2015-5600", "CVE-2015-8325", "CVE-2016-0777", "CVE-2016-1908", "CVE-2016-6210"], "modified": "2022-05-19T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL", "href": "https://www.tenable.com/plugins/nessus/127415", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0146. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127415);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-5051\",\n \"CVE-2006-5794\",\n \"CVE-2007-3102\",\n \"CVE-2010-4755\",\n \"CVE-2010-5107\",\n \"CVE-2014-2532\",\n \"CVE-2014-2653\",\n \"CVE-2014-9278\",\n \"CVE-2015-5600\",\n \"CVE-2015-8325\",\n \"CVE-2016-0777\",\n \"CVE-2016-1908\",\n \"CVE-2016-6210\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that 
are affected by\nmultiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute\n arbitrary commands via filenames that contain shell\n metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH\n protocol, allows remote attackers to cause a denial of\n service (CPU consumption) via an SSH packet that\n contains duplicate blocks, which is not properly handled\n by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4\n allows remote attackers to cause a denial of service\n (crash), and possibly execute arbitrary code if GSSAPI\n authentication is enabled, via unspecified vectors that\n lead to a double-free. (CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege\n Separation Monitor in OpenSSH before 4.5 causes weaker\n verification that authentication has been successful,\n which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is\n only exploitable by leveraging vulnerabilities in the\n unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the\n linux_audit_record_event function in OpenSSH 4.3p2, as\n used on Fedora Core 6 and possibly other systems, allows\n remote attackers to write arbitrary characters to an\n audit log via a crafted username. 
NOTE: some of these\n details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2)\n process_put function in sftp.c in OpenSSH 5.8 and\n earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,\n OpenBSD 4.7, and other products, allow remote\n authenticated users to cause a denial of service (CPU\n and memory consumption) via crafted glob expressions\n that do not match any pathnames, as demonstrated by glob\n expressions in SSH_FXP_STAT requests to an sftp daemon,\n a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1\n enforces a fixed time limit between establishing a TCP\n connection and completing a login, which makes it easier\n for remote attackers to cause a denial of service\n (connection-slot exhaustion) by periodically making many\n new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle\n certain AcceptEnv parameter values with wildcard\n characters. A remote attacker could use this flaw to\n bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\n - It was discovered that OpenSSH clients did not correctly\n verify DNS SSHFP records. A malicious server could use\n this flaw to force a connecting client to skip the DNS\n SSHFP record check and require the user to perform\n manual host verification of the DNS SSHFP record.\n (CVE-2014-2653)\n\n - It was found that when OpenSSH was used in a Kerberos\n environment, remote authenticated users were allowed to\n log in as a different user if they were listed in the\n ~/.k5users file of that user, potentially bypassing\n intended authentication restrictions. (CVE-2014-9278)\n\n - It was discovered that the OpenSSH sshd daemon did not\n check the list of keyboard-interactive authentication\n methods for duplicates. 
A remote attacker could use this\n flaw to bypass the MaxAuthTries limit, making it easier\n to perform password guessing attacks. (CVE-2015-5600)\n\n - It was discovered that the OpenSSH sshd daemon fetched\n PAM environment settings before running the login\n program. In configurations with UseLogin=yes and the\n pam_env PAM module configured to read user environment\n settings, a local user could use this flaw to execute\n arbitrary code as root. (CVE-2015-8325)\n\n - An information leak flaw was found in the way the\n OpenSSH client roaming feature was implemented. A\n malicious server could potentially use this flaw to leak\n portions of memory (possibly including private SSH keys)\n of a successfully authenticated OpenSSH client.\n (CVE-2016-0777)\n\n - An access flaw was discovered in OpenSSH; the OpenSSH\n client did not correctly handle failures to generate\n authentication cookies for untrusted X11 forwarding. A\n malicious or compromised remote X application could\n possibly use this flaw to establish a trusted connection\n to the local X server, even if only untrusted X11\n forwarding was requested. (CVE-2016-1908)\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0146\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. 
Please contact\nZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-5051\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2016-1908\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(362, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.05\": [\n \"openssh-latest-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-askpass-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-cavs-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-clients-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-keycat-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-ldap-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-server-7.9p1-1.el6.cgsl7741\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-latest\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2023-05-26T12:21:26", "description": "OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. 
These packages\ninclude the core files necessary for both the OpenSSH client and server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP\nrecords. A malicious server could use this flaw to force a connecting client to\nskip the DNS SSHFP record check and require the user to perform manual host\nverification of the DNS SSHFP record. (CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote\nauthenticated users were allowed to log in as a different user if they were\nlisted in the ~/.k5users file of that user, potentially bypassing intended\nauthentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1059667)\n\nBug fixes:\n\n* An existing /dev/log socket is needed when logging using the syslog utility,\nwhich is not possible for all chroot environments based on the user's home\ndirectories. As a consequence, the sftp commands were not logged in the chroot\nsetup without /dev/log in the internal sftp subsystem. With this update, openssh\nhas been enhanced to detect whether /dev/log exists. If /dev/log does not exist,\nprocesses in the chroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a consequence,\nwhen a host name was 64 bytes long or longer, the ssh-keygen utility failed. The\nbuffer size has been increased to fix this bug, and ssh-keygen no longer fails\nin the described situation. (BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal representations in\nbanner messages in order to prevent terminal re-programming attacks.\nConsequently, banners containing UTF-8 strings were not correctly displayed in a\nclient. 
With this update, banner messages are processed according to RFC 3454,\ncontrol characters have been removed, and banners containing UTF-8 strings are\nnow displayed correctly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are\nshared between sessions. Previously, the GSSAPICleanupCredentials option was set\nto \"yes\" by default. Consequently, removing a Kerberos cache on logout could\nremove unrelated credentials of other sessions, which could make the system\nunusable. To fix this bug, GSSAPICleanupCredentials is set by default to \"no\".\n(BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600, which was\nunnecessarily strict. With this update, the permissions for /etc/ssh/moduli have\nbeen changed to 0644 to make the access to the file easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was\nnot found after login using a Kerberos-enabled SSH connection. The underlying\nsource code has been modified to fix this bug, and Kerberos authentication works\nas expected in the described situation. (BZ#1161173)\n\nEnhancements:\n\n* When the sshd daemon is configured to force the internal SFTP session and a\nconnection other than SFTP is used, the appropriate message is logged to the\n/var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the\n\"ExecStartPre=-/usr/sbin/sshd-keygen\" option in the sshd.service unit file. With\nthis update, the separate sshd-keygen.service unit file has been added, and\nsshd.service has been adjusted to require sshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages, which correct\nthese issues and add these enhancements.\n", "cvss3": {}, "published": "2015-03-05T00:00:00", "type": "redhat", "title": "(RHSA-2015:0425) Moderate: openssh security, bug fix and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2018-04-11T23:33:36", "id": "RHSA-2015:0425", "href": "https://access.redhat.com/errata/RHSA-2015:0425", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:02", "description": "[6.6.1p1-11 + 0.9.3-9]\n- fix direction in CRYPTO_SESSION audit message (#1171248)\n[6.6.1p1-10 + 0.9.3-9]\n- add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278\n (#1169843)\n[6.6.1p1-9 + 0.9.3-9]\n- log via monitor in chroots without /dev/log (#1083482)\n[6.6.1p1-8 + 0.9.3-9]\n- increase size of AUDIT_LOG_SIZE to 256 (#1171163)\n- record pfs= field in CRYPTO_SESSION audit event (#1171248)\n[6.6.1p1-7 + 0.9.3-9]\n- fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005)\n[6.6.1p1-6 + 0.9.3-9]\n- correct the calculation of bytes for authctxt->krb5_ccname \n (#1161073)\n[6.6.1p1-5 + 0.9.3-9]\n- change audit trail for unknown users (#1158521)\n[6.6.1p1-4 + 0.9.3-9]\n- revert the default of KerberosUseKuserok back to yes\n- fix kuserok patch which checked for the existence of .k5login unconditionally\n and hence prevented other 
mechanisms to be used properly\n[6.6.1p1-3 + 0.9.3-9]\n- fix parsing empty options in sshd_conf\n- ignore SIGXFSZ in postauth monitor\n[6.6.1p1-2 + 0.9.3-9]\n- slightly change systemd units logic - use sshd-keygen.service (#1066615)\n- log when a client requests an interactive session and only sftp is allowed (#1130198)\n- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode (#1143867)\n[6.6.1p1-1 + 0.9.3-9]\n- new upstream release (#1059667)\n- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)\n- make /etc/ssh/moduli file public (#1134448)\n- test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service\n- don't clean up gssapi credentials by default (#1134447)\n- ssh-agent - try CLOCK_BOOTTIME with fallback (#1134449)\n- disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6\n- add support for ED25519 keys to sshd-keygen and sshd.sysconfig\n- standardise on NI_MAXHOST for gethostname() string lengths (#1097665)\n- set a client's address right after a connection is set (mindrot#2257) (#912792)\n- apply RFC3454 stringprep to banners when possible (mindrot#2058) (#1104662)\n- don't consider a partial success as a failure (mindrot#2270) (#1112972)", "cvss3": {}, "published": "2015-03-09T00:00:00", "type": "oraclelinux", "title": "openssh security, bug fix and enhancement update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2015-03-09T00:00:00", "id": "ELSA-2015-0425", "href": "http://linux.oracle.com/errata/ELSA-2015-0425.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2023-08-23T21:23:50", "description": "**CentOS Errata and Security Advisory** CESA-2015:0425\n\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages\ninclude the core files necessary for both the OpenSSH client and server.\n\nIt was discovered that OpenSSH clients did not correctly verify DNS SSHFP\nrecords. 
A malicious server could use this flaw to force a connecting client to\nskip the DNS SSHFP record check and require the user to perform manual host\nverification of the DNS SSHFP record. (CVE-2014-2653)\n\nIt was found that when OpenSSH was used in a Kerberos environment, remote\nauthenticated users were allowed to log in as a different user if they were\nlisted in the ~/.k5users file of that user, potentially bypassing intended\nauthentication restrictions. (CVE-2014-9278)\n\nThe openssh packages have been upgraded to upstream version 6.6.1, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1059667)\n\nBug fixes:\n\n* An existing /dev/log socket is needed when logging using the syslog utility,\nwhich is not possible for all chroot environments based on the user's home\ndirectories. As a consequence, the sftp commands were not logged in the chroot\nsetup without /dev/log in the internal sftp subsystem. With this update, openssh\nhas been enhanced to detect whether /dev/log exists. If /dev/log does not exist,\nprocesses in the chroot environment use their master processes for logging.\n(BZ#1083482)\n\n* The buffer size for a host name was limited to 64 bytes. As a consequence,\nwhen a host name was 64 bytes long or longer, the ssh-keygen utility failed. The\nbuffer size has been increased to fix this bug, and ssh-keygen no longer fails\nin the described situation. (BZ#1097665)\n\n* Non-ASCII characters have been replaced by their octal representations in\nbanner messages in order to prevent terminal re-programming attacks.\nConsequently, banners containing UTF-8 strings were not correctly displayed in a\nclient. With this update, banner messages are processed according to RFC 3454,\ncontrol characters have been removed, and banners containing UTF-8 strings are\nnow displayed correctly. (BZ#1104662)\n\n* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are\nshared between sessions. 
Previously, the GSSAPICleanupCredentials option was set\nto \"yes\" by default. Consequently, removing a Kerberos cache on logout could\nremove unrelated credentials of other sessions, which could make the system\nunusable. To fix this bug, GSSAPICleanupCredentials is set by default to \"no\".\n(BZ#1134447)\n\n* Access permissions for the /etc/ssh/moduli file were set to 0600, which was\nunnecessarily strict. With this update, the permissions for /etc/ssh/moduli have\nbeen changed to 0644 to make the access to the file easier. (BZ#1134448)\n\n* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was\nnot found after login using a Kerberos-enabled SSH connection. The underlying\nsource code has been modified to fix this bug, and Kerberos authentication works\nas expected in the described situation. (BZ#1161173)\n\nEnhancements:\n\n* When the sshd daemon is configured to force the internal SFTP session and a\nconnection other than SFTP is used, the appropriate message is logged to the\n/var/log/secure file. (BZ#1130198)\n\n* The sshd-keygen service was run using the\n\"ExecStartPre=-/usr/sbin/sshd-keygen\" option in the sshd.service unit file. With\nthis update, the separate sshd-keygen.service unit file has been added, and\nsshd.service has been adjusted to require sshd-keygen.service. 
(BZ#1134997)\n\nUsers of openssh are advised to upgrade to these updated packages, which correct\nthese issues and add these enhancements.\n\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2015-March/021305.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-keycat\nopenssh-ldap\nopenssh-server\nopenssh-server-sysvinit\npam_ssh_agent_auth\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2015:0425", "cvss3": {}, "published": "2015-03-17T13:29:24", "type": "centos", "title": "openssh, pam_ssh_agent_auth security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2653", "CVE-2014-9278"], "modified": "2015-03-17T13:29:24", "id": "CESA-2015:0425", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2015-March/021305.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "symantec": [{"lastseen": "2021-11-07T10:51:00", "description": "### SUMMARY\n\nBlue Coat products using affected versions of OpenSSH are susceptible to multiple vulnerabilities. An attacker, with access to the management interface, may exploit these vulnerabilities to conduct brute-force password guessing attacks, bypass access restrictions, log in as a different user, achieve privilege escalation, execute arbitrary code, and force SSH clients to skip security checks. The attacker can also cause denial of service due to memory corruption and illegal memory accesses. 
\n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \nCVE-2014-2653 | 6.6 | Upgrade to 6.6.3.1. \nCVE-2014-2532 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.3.1. \nCVE-2015-5600, CVE-2015-6563, \nCVE-2015-6564 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.1. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \nCVE-2014-2532, CVE-2014-2653 | 1.3 | Upgrade to 1.3.6.1. \n1.1, 1.2 | Upgrade to later release with fixes. \nCVE-2015-6563, CVE-2015-6564 | 1.3 | Upgrade to 1.3.7.1. \n1.1, 1.2 | Upgrade to later release with fixes. \nCVE-2015-5352, CVE-2015-5600 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1. \n1.1, 1.2 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532, CVE-2014-2653, \nCVE-2015-5600, CVE-2015-6563, \nCVE-2015-6564 | 6.1 | Upgrade to 6.1.22.1. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-6563, CVE-2015-6564 | 1.1 | Not available at this time \nCVE-2015-5600 | 1.1 (not vulnerable to known vectors of attack) | Upgrade to 1.1.2.1. \nCVE-2015-5352 | 1.1 (not vulnerable to known vectors of attack) | Not available at this time \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532, CVE-2014-2653, \nCVE-2015-5600, CVE-2015-6563, \nCVE-2015-6564 | 4.2 | Upgrade to 4.2.8. 
\n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532, CVE-2014-2653 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1 \n1.4 | Upgrade to later release with fixes. \nCVE-2015-6563, CVE-2015-6564 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 \n1.4, 1.5 | Upgrade to later release with fixes. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5352, CVE-2015-5600, \nCVE-2015-6563, CVE-2015-6564 | 5.4 | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5352, CVE-2015-5600, \nCVE-2015-6563, CVE-2015-6564 | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5352, CVE-2015-5600, \nCVE-2015-6563, CVE-2015-6564 | 5.3 | Upgrade to 5.3.6. \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1 \nCVE-2014-2532, CVE-2015-5600 | 11.5 | Upgrade to 11.5.2.1. \n11.2, 11.3, 11.4 | Upgrade to later release with fixes. \nCVE-2015-6563, CVE-2015-6564 | 11.5 | Upgrade to 11.5.3.2. \n11.2, 11.3, 11.4 | Upgrade to later release with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-6563, CVE-2015-6564 | 1.1 | Upgrade to 1.1.2.2. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532, CVE-2014-2653 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.3.1. 
\nCVE-2014-9278 | 10.1 and later | Not vulnerable \nCVE-2015-5352, CVE-2015-5600 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.4.2. \nCVE-2015-6563, CVE-2015-6564 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.4.2. \nAll CVEs | 9.4, 9.5 | Not vulnerable \n \n \n\n**Security Analytics (SA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532 | 7.2 and later | Not vulnerable, fixed in 7.2.1 \n7.1 | Upgrade to 7.1.11. \n7.0 | Upgrade to later release with fixes. \n6.6 | Upgrade to 6.6.12. \nCVE-2014-2653, \nCVE-2015-5600, CVE-2015-6563, \nCVE-2015-6564 | 7.2 and later | Not vulnerable, fixed in 7.2.1 \n7.1 | Upgrade to 7.1.11. \n7.0 | Upgrade to later release with fixes. \n6.6 | Upgrade to 6.6.12. \nCVE-2015-5352 | 7.2 and later | Not vulnerable, fixed in 7.2.1 \n7.1 (not vulnerable to known vectors of attack) | Apply patch RPM available from customer support. \n7.0 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n6.6 (not vulnerable to known vectors of attack) | Apply patch RPM available from customer support. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-6563, CVE-2015-6564 | 3.10 and later | Fixed in 3.10.1.1 \n3.9 | Upgrade to 3.9.3.6. \n3.8.4FC | Upgrade to 3.8.4FC-55. \n3.8 | Upgrade to later release with fixes. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2014-2532, CVE-2014-2653, \nCVE-2015-5600, CVE-2015-6563, \nCVE-2015-6564 | 11.0 | Not available at this time \n10.0 | Not available at this time \n9.7 | Not available at this time \n \n \n\n### ADDITIONAL PRODUCT INFORMATION\n\nIn SSL Visibility, the OpenSSH vulnerabilities can be exploited only through the product's management interfaces (web UI, CLD). 
Limiting the machines, IP addresses and subnets able to reach this physical network port reduces the threat. This reduces the CVSS v2 scores for multiple CVEs. The adjusted CVSS v2 base scores and severity are:\n\n * CVE-2014-2532 - 4.3 (MEDIUM) (AV:A/AC:M/Au:N/C:P/I:P/A:N)\n * CVE-2014-2653 - 4.3 (MEDIUM) (AV:A/AC:M/Au:N/C:P/I:P/A:N)\n * CVE-2015-5352 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)\n * CVE-2015-5600 - 6.8 (MEDIUM) (AV:A/AC:L/Au:N/C:P/I:N/A:C)\n\nBlue Coat products do not enable or use all functionality within OpenSSH. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSH, but do not use the functionality described in the CVEs and are not known to be vulnerable.\n\n * **ASG:** CVE-2014-2532, CVE-2015-5600, CVE-2015-6563, and CVE-2015-6564\n * **CAS:** CVE-2015-5352 and CVE-2015-5600\n * **Director:** CVE-2015-5352\n * **MAA:** CVE-2015-5352\n * **MTD:** CVE-2015-5352 and CVE-2015-5600\n * **MC:** CVE-2015-5352 and CVE-2015-5600\n * **PS S-Series:** CVE-2014-2653 and CVE-2015-5352\n * **PC S-Series:** CVE-2015-5352\n * **Reporter 10.1:** CVE-2014-2532, CVE-2014-2653, CVE-2015-5352, and CVE-2015-5600\n * **Security Analytics:** CVE-2015-5352\n * **SSLV:** CVE-2014-2653, CVE-2015-5352, and CVE-2015-5600\n * **XOS:** CVE-2015-5352\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data 
Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPacketShaper \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES\n\n**CVE-2014-1692** \n--- \n**Severity / CVSSv2** | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 65230](<https://www.securityfocus.com/bid/65230>) / NVD: [CVE-2014-1692](<https://nvd.nist.gov/vuln/detail/CVE-2014-1692>) \n**Impact** | Denial of service, unspecified other impact \n**Description** | A flaw allows an attacker to cause memory corruption, resulting in a denial of service or unspecified other impact. \n \n \n\n**CVE-2014-2532** \n--- \n**Severity / CVSSv2** | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n**References** | SecurityFocus: [BID 66355](<https://www.securityfocus.com/bid/66355>) / NVD: [CVE-2014-2532](<https://nvd.nist.gov/vuln/detail/CVE-2014-2532>) \n**Impact** | Security control bypass \n**Description** | A flaw allows an attacker to pass environment variables to a server SSH session and bypass intended environment variable restrictions. \n \n \n\n**CVE-2014-2653** \n--- \n**Severity / CVSSv2** | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n**References** | SecurityFocus: [BID 66459](<https://www.securityfocus.com/bid/66459>) / NVD: [CVE-2014-2653](<https://nvd.nist.gov/vuln/detail/CVE-2014-2653>) \n**Impact** | Security control bypass \n**Description** | A flaw allows an attacker to cause SSH clients to skip SSHFP DNS record checks when establishing SSH connections. 
\n \n \n\n**CVE-2014-9278** \n--- \n**Severity / CVSSv2** | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 71420](<https://www.securityfocus.com/bid/71420>) / NVD: [CVE-2014-9278](<https://nvd.nist.gov/vuln/detail/CVE-2014-9278>) \n**Impact** | Security control bypass \n**Description** | A flaw allows a remote attacker in a Kerberos environment to log in as a different user if changing users is allowed only after local authentication. \n \n \n\n**CVE-2015-5352** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 75525](<https://www.securityfocus.com/bid/75525>) / NVD: [CVE-2015-5352](<https://nvd.nist.gov/vuln/detail/CVE-2015-5352>) \n**Impact** | Security control bypass \n**Description** | A flaw allows an attacker to bypass intended time window access restrictions when establishing X11 connections to SSH clients. \n \n \n\n**CVE-2015-5600** \n--- \n**Severity / CVSSv2** | High / 8.5 (AV:N/AC:L/Au:N/C:P/I:N/A:C) \n**References** | SecurityFocus: [BID 75990](<https://www.securityfocus.com/bid/75990>) / NVD: [CVE-2015-5600](<https://nvd.nist.gov/vuln/detail/CVE-2015-5600>) \n**Impact** | Information disclosure \n**Description** | A flaw allows an attacker to conduct brute-force password guessing attacks or cause denial of service in SSH servers that use keyboard interactive authentication. \n \n \n\n**CVE-2015-6563** \n--- \n**Severity / CVSSv2** | Low / 1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 76317](<https://www.securityfocus.com/bid/76317>) / NVD: [CVE-2015-6563](<https://nvd.nist.gov/vuln/detail/CVE-2015-6563>) \n**Impact** | Privilege escalation \n**Description** | A flaw allows a local attacker with valid user credentials to achieve privilege escalation if the attacker has already compromised a local non-privileged pre-authentication process. 
\n \n \n\n**CVE-2015-6564** \n--- \n**Severity / CVSSv2** | Medium / 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 76317](<https://www.securityfocus.com/bid/76317>) / NVD: [CVE-2015-6564](<https://nvd.nist.gov/vuln/detail/CVE-2015-6564>) \n**Impact** | Denial of service, privilege escalation \n**Description** | A flaw allows a local attacker to cause the SSH daemon to crash or execute arbitrary code with root privileges if the attacker has already compromised a local non-privileged pre-authentication process. \n \n \n\n**CVE-2015-6565** \n--- \n**Severity / CVSSv2** | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 76497](<https://www.securityfocus.com/bid/76497>) / NVD: [CVE-2015-6565](<https://nvd.nist.gov/vuln/detail/CVE-2015-6565>) \n**Impact** | Denial of service, unspecified other impact \n**Description** | A flaw allows a local attacker to cause denial-of-service or have unspecified other impact through writing to TTY device files. \n \n \n\n### MITIGATION\n\nThese vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against Director using CVE-2014-2532 and CVE-2015-5600.\n\nBy default, MAA does not use SSH as a client, does not use SSH in a Kerberos environment, and does not configure its OpenSSH software to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against MAA using CVE-2014-2653 and CVE-2015-5600.\n\nBy default, Security Analytics does not use SSH in a Kerberos environment. 
Also, it does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against Security Analytics using CVE-2014-2532 and CVE-2015-5600.\n\nBy default, XOS does not use SSH as a client and does not configure its OpenSSH software to accept environment variables from clients or to use keyboard interactive authentication. Customers who leave this default behavior unchanged prevent attacks against XOS using CVE-2014-2532, CVE-2014-2653, CVE-2015-5600. \n \n\n\n### REFERENCES\n\nOpenSSH security announcements - <https://www.openssh.com/security.html> \n \n\n\n### REVISION\n\n2020-04-20 Security Analytics 7.3, 8.0, and 8.1 are not vulnerable to CVE-2014-2532. Industrial Control System Protection (ICSP) 5.4 is not vulnerable because a fix is available in 5.4.1. Advisory status moved to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2019-08-29 Reporter 10.3 and 10.4 have vulnerable versions of OpenSSH for CVE-2014-2532, but are not vulnerable to known vectors of attack. \n2019-01-20 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2014-2532. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-22 PacketShaper S-Series 11.10 is not vulnerable. \n2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-07-24 PacketShaper S-Series 11.9 is not vulnerable. \n2017-07-20 MC 1.10 is not vulnerable. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-05 PacketShaper S-Series 11.8 is not vulnerable. \n2017-05-17 CAS 2.1 is not vulnerable. \n2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. 
\n2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2014-2653 because it does not act as an SSH client. Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to CVE-2014-2653 by default. \n2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-08 A fix for all CVEs in ASG is available in 6.6.5.1. \n2016-11-07 SSLV 3.10 is not vulnerable \n2016-09-22 A fix for all CVEs in Reporter 10.1 is available in 10.1.4.2. MC 1.6 and 1.7 are not vulnerable because they have the vulnerability fixes. Further vulnerability fixes for MC 1.4 and 1.5 will not be provided. Please upgrade to the latest MC version with the vulnerability fixes. \n2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55. \n2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable. \n2016-06-30 PacketShaper S-Series is not vulnerable. \n2016-06-28 Fixed typos in Affected Products, Advisory Details, and Patches sections. \n2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes. \n2016-06-24 A fix for CVE-2014-2653 in PS S-Series is available in 11.5.2.1. A fix for all CVEs in PS S-Series is available in 11.5.3.2. A fix for PC S-Series is available in 1.1.2.2. \n2016-06-22 A fix for CVE-2014-2532 is available in ASG 6.6.3.1. \n2016-06-22 Previously, it was reported that ASG 6.6 is not vulnerable to CVE-2014-2532, CVE-2015-5600, CVE-2015-6563, and CVE-2015-6564. Further investigation has shown that ASG 6.6 has a vulnerable version of OpenSSH for multiple CVEs, but is not vulnerable to known vectors of attack. \n2016-06-16 PC S-Series is vulnerable to CVE-2015-6563 and CVE-2015-6564. 
It also has vulnerable code for CVE-2015-5352, but is not vulnerable to known vectors of attack. A fix is not available at this time. \n2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6. \n2016-05-26 Fixes for CVE-2015-5352 in Security Analytics 6.6 and 7.1 are available through patch RPMs from Blue Coat Support. \n2016-05-19 Fixes for all CVEs except CVE-2015-5352 are available in Security Analytics 6.6.12 and 7.1.11. \n2016-05-11 No Cloud Data Protection products are vulnerable. \n2016-04-27 A fix for CVE-2015-5600 in MTD 1.1 is available in 1.1.2.1. \n2016-04-24 MTD 1.1 is vulnerable to CVE-2015-6563 and CVE-2015-6564. It also has vulnerable code for CVE-2015-5352 and CVE-2015-5600, but is not vulnerable to known vectors of attack. \n2016-04-22 It was previously reported that Security Analytics 6.6, 7.0, and 7.1 are vulnerable to CVE-2014-9278, and that Reporter 10.1 has vulnerable code for CVE-2014-9278. New information indicates that SA and Reporter are not vulnerable to this CVE. \n2016-04-19 Fixes for CVE-2014-2532 and CVE-2015-5600 in PS S-Series 11.5 are available in 11.5.2.1. \n2016-04-15 Fixes will not be provided for CAS 1.1 and 1.2. Please upgrade to a later version with the vulnerability fixes. \n2016-03-14 A fix for CVE-2014-2532 and CVE-2014-2653 in CAS 1.3 is available in 1.3.6.1. \n2016-03-10 A fix for MAA 4.2 is available in 4.2.8. It was previously reported that MAA 4.2 is vulnerable to CVE-2014-9278, but further investigation has shown that it is not vulnerable to that CVE. \n2016-03-04 A fix for CVE-2014-2532 and CVE-2014-2653 is available in Reporter 10.1.3.1. \n2016-01-21 A fix for SSLV 3.9 is available. \n2016-01-15 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2015-12-22 MC 1.5 contains fixes for CVE-2014-2532 and CVE-2014-2653. 
It is vulnerable to or has vulnerable code for other CVEs, and fixes are pending. \n2015-12-21 CAS, Director, MAA, MC, PacketShaper, Reporter 10.1, Security Analytics, SSLV, and XOS have vulnerable OpenSSH software, but do not use the vulnerable functionality and are not known to be vulnerable. The vulnerable software will be patched in future releases. \n2015-12-10 Security Analytics 6.6, 7.0, and 7.1 are vulnerable. \n2015-12-09 initial public release\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2015-12-08T08:00:00", "type": "symantec", "title": "SA104 : OpenSSH Vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 7.8, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1692", "CVE-2014-2532", "CVE-2014-2653", "CVE-2014-9278", "CVE-2015-5352", "CVE-2015-5600", "CVE-2015-6563", "CVE-2015-6564", "CVE-2015-6565"], "modified": "2021-05-04T22:27:28", "id": "SMNTC-1337", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}]}