OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883

2015-10-17T01:17:00

Description

F5 Product Development has assigned ID 552898 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table: Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature ---|---|---|---|--- BIG-IP LTM | None | 12.0.0 11.0.0 - 11.6.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP AAM | None | 12.0.0 11.4.0 - 11.6.0 | Not vulnerable | None BIG-IP AFM | None | 12.0.0 11.3.0 - 11.6.0 | Not vulnerable | None BIG-IP Analytics | None | 12.0.0 11.0.0 - 11.6.0 | Not vulnerable | None BIG-IP APM | None | 12.0.0 11.0.0 - 11.6.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP ASM | None | 12.0.0 11.0.0 - 11.6.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP DNS | None | 12.0.0 | Not vulnerable | None BIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP GTM | None | 11.0.0 - 11.6.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP Link Controller | None | 12.0.0 11.0.0 - 11.6.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP PEM | None | 12.0.0 11.3.0 - 11.6.0 | Not vulnerable | None BIG-IP PSM | None | 11.0.0 - 11.4.1 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 10.1.0 - 10.2.4 | Not vulnerable | None BIG-IP WOM | None | 11.0.0 - 11.3.0 10.1.0 - 10.2.4 | Not vulnerable | None ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None Enterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None FirePass | None | 7.0.0 6.0.0 - 6.1.0 | Not vulnerable | None BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None F5 WebSafe | None | 1.0.0 | Not vulnerable | None Traffix SDC | None | 4.0.0 - 4.4.0 3.3.2 - 3.5.1 | Not vulnerable | None None * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>) * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>) * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>) * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)

{"id": "F5:K17452", "type": "f5", "bulletinFamily": "software", "title": "OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "description": "\nF5 Product Development has assigned ID 552898 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | \nNone \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| \n \nNone \n \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP DNS \n| None | 12.0.0 \n| Not vulnerable \n| None \n \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nARX | None | 6.0.0 - 6.4.0 \n| Not vulnerable \n| None \n \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n| Not vulnerable \n| None \n \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable \n| None \n \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ Device | None | 4.2.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ Security | None | 4.0.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ ADC | None | 4.5.0 \n| Not vulnerable \n| None \n \nLineRate | None | 2.5.0 - 2.6.1 \n| Not vulnerable \n| None \n \nF5 WebSafe | None | 1.0.0 \n| Not vulnerable \n| None \n \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable \n| None \n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2015-10-17T01:17:00", "modified": "2016-01-09T02:32:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "href": "https://support.f5.com/csp/article/K17452", "reporter": "f5", "references": [], "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "immutableFields": [], "lastseen": "2017-06-08T00:16:13", "viewCount": 486, "enchantments": {"dependencies": {"references": [{"type": "centos", "idList": ["CESA-2005:550", "CESA-2006:0044", "CESA-2006:0298", "CESA-2006:0698-01"]}, {"type": "cert", "idList": ["VU:161576"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2001-0002", "CPAI-2001-0003"]}, {"type": "cve", "idList": ["CVE-2001-0361", "CVE-2001-0572", "CVE-2004-2069", "CVE-2006-0225", "CVE-2006-0883", "CVE-2007-3717"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2004-2069", "DEBIANCVE:CVE-2006-0225", "DEBIANCVE:CVE-2006-0883"]}, {"type": "f5", "idList": ["SOL17452"]}, {"type": "freebsd", "idList": ["6A308E8E-B1B4-11DA-B2FB-000E0C2E438A"]}, {"type": "gentoo", "idList": ["GLSA-200602-11"]}, {"type": "nessus", "idList": ["1971.PRM", "3947.PRM", "701169.PRM", "CENTOS_RHSA-2005-550.NASL", "CENTOS_RHSA-2006-0044.NASL", "CENTOS_RHSA-2006-0298.NASL", "CISCO-SA-20010627-SSHHTTP.NASL", "CISCO_SSH_MULTIPLE_VULNS.NASL", "DEBIAN_DSA-023.NASL", "DEBIAN_DSA-027.NASL", "DEBIAN_DSA-086.NASL", "FEDORA_2006-056.NASL", "GENTOO_GLSA-200602-11.NASL", "JUNIPER_NSM_2012_1.NASL", "MACOSX_10_4_9.NASL", "MANDRAKE_MDKSA-2001-033.NASL", "MANDRAKE_MDKSA-2006-034.NASL", "NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL", "NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL", "OPENSSH_252.NASL", "OPENSSH_381P1.NASL", "OPENSSH_38P1.NASL", "OPENSSH_43.NASL", "REDHAT-RHSA-2005-550.NASL", "REDHAT-RHSA-2006-0044.NASL", "REDHAT-RHSA-2006-0298.NASL", "REDHAT-RHSA-2006-0698.NASL", "SLACKWARE_SSA_2006-045-06.NASL", "SOLARIS10_123324-03.NASL", "SOLARIS10_123324.NASL", "SOLARIS10_X86_123325-03.NASL", "SOLARIS10_X86_123325.NASL", "SOLARIS9_114356.NASL", "SOLARIS9_X86_114357.NASL", "SSH1_PROTO_ENABLED.NASL", "SUNSSH_PLAINTEXT_RECOVERY.NASL", "SUSE_SA_2006_008.NASL", "UBUNTU_USN-255-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103247", "OPENVAS:1361412562310103247", "OPENVAS:1361412562310105118", "OPENVAS:136141256231011342", "OPENVAS:136141256231056294", "OPENVAS:136141256231065019", "OPENVAS:1361412562310801993", "OPENVAS:1361412562310855023", "OPENVAS:1361412562310855030", "OPENVAS:1361412562310855205", "OPENVAS:1361412562310855516", "OPENVAS:1361412562310855742", "OPENVAS:1361412562310855771", "OPENVAS:1361412562310855835", "OPENVAS:1361412562310855853", "OPENVAS:53766", "OPENVAS:53786", "OPENVAS:56294", "OPENVAS:56330", "OPENVAS:56352", "OPENVAS:65019", "OPENVAS:855023", "OPENVAS:855030", "OPENVAS:855205", "OPENVAS:855516", "OPENVAS:855742", "OPENVAS:855771", "OPENVAS:855835", "OPENVAS:855853"]}, {"type": "redhat", "idList": ["RHSA-2005:550", "RHSA-2006:0044", "RHSA-2006:0298", "RHSA-2006:0698"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:11639", "SECURITYVULNS:DOC:15013", "SECURITYVULNS:DOC:15014", "SECURITYVULNS:DOC:15015"]}, {"type": "seebug", "idList": ["SSV:1979"]}, {"type": "slackware", "idList": ["SSA-2006-045-06"]}, {"type": "suse", "idList": ["SUSE-SA:2001:04", "SUSE-SA:2006:008"]}, {"type": "ubuntu", "idList": ["USN-255-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2006-0225", "UB:CVE-2006-0883"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "centos", "idList": ["CESA-2005:550", "CESA-2006:0044", "CESA-2006:0298", "CESA-2006:0698-01"]}, {"type": "cert", "idList": ["VU:161576"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2001-0002", "CPAI-2001-0003"]}, {"type": "cve", "idList": ["CVE-2001-0361", "CVE-2001-0572"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2006-0225"]}, {"type": "f5", "idList": ["SOL17452"]}, {"type": "freebsd", "idList": ["6A308E8E-B1B4-11DA-B2FB-000E0C2E438A"]}, {"type": "gentoo", "idList": ["GLSA-200602-11"]}, {"type": "nessus", "idList": ["MANDRAKE_MDKSA-2001-033.NASL", "NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310855516"]}, {"type": "redhat", "idList": ["RHSA-2005:550"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:11639"]}, {"type": "slackware", "idList": ["SSA-2006-045-06"]}, {"type": "suse", "idList": ["SUSE-SA:2001:04"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2006-0225"]}]}, "exploitation": null, "vulnersScore": 0.0}, "affectedSoftware": [], "_state": {"dependencies": 1659834152, "score": 1659834466}, "_internal": {"score_hash": "5cfe094dc095ea4d48554804e62f8803"}}

{"f5": [{"lastseen": "2016-09-26T17:23:22", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {}, "published": "2015-10-16T00:00:00", "type": "f5", "title": "SOL17452 - OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "modified": "2015-10-16T00:00:00", "id": "SOL17452", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17452.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-08-19T13:20:43", "description": "According to its version number, the remote host is a Cisco router or switch running a vulnerable SSH daemon.\n\nBy exploiting weaknesses in the SSH protocol, it is possible to insert arbitrary commands into an established SSH session, collect information that may help in brute-force key recovery, or brute-force a session key.", "cvss3": {"score": null, "vector": null}, "published": "2002-06-05T00:00:00", "type": "nessus", "title": "Cisco Devices Multiple SSH Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361", "CVE-2001-0572"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "CISCO_SSH_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/10972", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(10972);\n script_version(\"1.29\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\");\n script_bugtraq_id(2344);\n\n script_name(english:\"Cisco Devices Multiple SSH Information Disclosure Vulnerabilities\");\n script_summary(english:\"Uses SNMP to determine if a flaw is present\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote network device is running an SSH server with multiple\nvulnerabilities.\" );\n script_set_attribute( attribute:\"description\", value:\n\"According to its version number, the remote host is a Cisco router\nor switch running a vulnerable SSH daemon.\n\nBy exploiting weaknesses in the SSH protocol, it is possible to\ninsert arbitrary commands into an established SSH session, collect\ninformation that may help in brute-force key recovery, or brute-force\na session key.\" );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2001/Mar/262\"\n );\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010627-ssh\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fb584d2f\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Apply the fix referenced in the vendor's advisory.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/06/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2001/06/27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is (C) 2002-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"snmp_sysDesc.nasl\",\n\t\t\t \"snmp_cisco_type.nasl\",\n\t\t\t \"find_service1.nasl\");\n script_require_keys(\"SNMP/community\",\n\t\t\t \"SNMP/sysDesc\",\n\t\t\t \"CISCO/model\");\n exit(0);\n}\n\n\n# The code starts here\nok=0;\nos = get_kb_item(\"SNMP/sysDesc\"); if(!os)exit(0);\nhardware = get_kb_item(\"CISCO/model\"); if(!hardware)exit(0);\n\n\n# Make sure SSH is running first...\nssh = get_kb_item(\"Services/ssh\");\nif(!ssh)ssh = 22;\n\nif(!get_port_state(ssh))exit(0);\nsoc = open_sock_tcp(ssh);\nif(!soc)exit(0);\n\n\n# Check for the required operating system...\n#----------------------------------------------------------------\n# Is this IOS ?\nif(!egrep(pattern:\".*(Internetwork Operating|IOS).*\", string:os))exit(0);\n# 12.0S\nif(egrep(string:os, pattern:\"(12\\.0\$([0-9]|1[0-9])\$|12\\.0)S[0-9]*,\"))ok=1;\n\n# 12.1DB\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)DB[0-9]*,\"))ok=1;\n\n# 12.1DC\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)DC[0-9]*,\"))ok=1;\n\n# 12.1E\nif(egrep(string:os, pattern:\"(12\\.1\$[0-8]\$|12\\.1)E[0-9]*,\"))ok=1;\n\n# 12.1EC\nif(egrep(string:os, pattern:\"((12\\.1\$[0-6]\$|12\\.1)EC[0-9]*|12\\.1\$7\$EC[0-2]),\"))ok=1;\n\n# 12.1EX\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)EX[0-9]*,\"))ok=1;\n\n# 12.1EY\nif(egrep(string:os, pattern:\"(12\\.1\$[0-5]\$|12\\.1)EY[0-9]*,\"))ok=1;\n\n# 12.1EZ\nif(egrep(string:os, pattern:\"((12\\.1\$[0-5]\$|12\\.1)EZ[0-9]*|12\\.1\$6\$EZ[0-1]),\"))ok=1;\n\n# 12.1T\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)T[0-9]*,\"))ok=1;\n\n# 12.1XA\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XA[0-9]*,\"))ok=1;\n\n# 12.1XB\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XB[0-9]*,\"))ok=1;\n\n# 12.1XC\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XC[0-9]*,\"))ok=1;\n\n# 12.1XD\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XD[0-9]*,\"))ok=1;\n\n# 12.1XE\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XE[0-9]*,\"))ok=1;\n\n# 12.1XF\nif(egrep(string:os, pattern:\"((12\\.1\$[0-1]\$|12\\.1)XF[0-9]*|12\\.1\$2\$XF[0-3]),\"))ok=1;\n\n# 12.1XG\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XG[0-9]*|12\\.1\$5\$XG[0-4]),\"))ok=1;\n\n# 12.1XH\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XH[0-9]*,\"))ok=1;\n\n# 12.1XI\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XI[0-9]*,\"))ok=1;\n\n# 12.1XJ\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XJ[0-9]*,\"))ok=1;\n\n# 12.1XL\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XL[0-9]*,\"))ok=1;\n\n# 12.1XM\nif(egrep(string:os, pattern:\"((12\\.1\$[0-3]\$|12\\.1)XM[0-9]*|12\\.1\$4\$XM[0-3]),\"))ok=1;\n\n# 12.1XP\nif(egrep(string:os, pattern:\"((12\\.1\$[0-2]\$|12\\.1)XP[0-9]*|12\\.1\$3\$XP[0-3]),\"))ok=1;\n\n# 12.1XQ\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)XQ[0-9]*,\"))ok=1;\n\n# 12.1XR\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XR[0-9]*|12\\.1\$5\$XR[0-1]),\"))ok=1;\n\n# 12.1XS\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XS[0-9]*|12\\.1\$5\$XS[0-1]),\"))ok=1;\n\n# 12.1XT\nif(egrep(string:os, pattern:\"((12\\.1\$[0-2]\$|12\\.1)XT[0-9]*|12\\.1\$3\$XT[0-2]),\"))ok=1;\n\n# 12.1XU\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XU[0-9]*|12\\.1\$5\$XU[0-0]),\"))ok=1;\n\n# 12.1XV\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XV[0-9]*|12\\.1\$5\$XV[0-2]),\"))ok=1;\n\n# 12.1XY\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)XY[0-9]*|12\\.1\$5\$XY[0-5]),\"))ok=1;\n\n# 12.1YA\nif(egrep(string:os, pattern:\"(12\\.1\$[0-9]*\$|12\\.1)YA[0-9]*,\"))ok=1;\n\n# 12.1YB\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)YB[0-9]*|12\\.1\$5\$YB[0-3]),\"))ok=1;\n\n# 12.1YD\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)YD[0-9]*|12\\.1\$5\$YD[0-1]),\"))ok=1;\n\n# 12.1YF\nif(egrep(string:os, pattern:\"((12\\.1\$[0-4]\$|12\\.1)YF[0-9]*|12\\.1\$5\$YF[0-1]),\"))ok=1;\n\n# 12.2\nif(egrep(string:os, pattern:\"(12\\.2\$[0-2]\$|12\\.2),\"))ok=1;\n\n# 12.2T\nif(egrep(string:os, pattern:\"(12\\.2\$[0-2]\$|12\\.2)T[0-9]*,\"))ok=1;\n\n# 12.2XA\nif(egrep(string:os, pattern:\"(12\\.2\$[0-1]\$|12\\.2)XA[0-9]*,\"))ok=1;\n\n# 12.2XD\nif(egrep(string:os, pattern:\"((12\\.2\$[0-0]\$|12\\.2)XD[0-9]*|12\\.2\$1\$XD[0-0]),\"))ok=1;\n\n# 12.2XE\nif(egrep(string:os, pattern:\"(12\\.2\$[0-0]\$|12\\.2)XE[0-9]*,\"))ok=1;\n\n# 12.2XH\nif(egrep(string:os, pattern:\"(12\\.2\$[0-0]\$|12\\.2)XH[0-9]*,\"))ok=1;\n\n# 12.2XQ\nif(egrep(string:os, pattern:\"(12\\.2\$[0-0]\$|12\\.2)XQ[0-9]*,\"))ok=1;\n\n\n#----------------------------------------------\n\nif(ok)security_hole(port:161, proto:\"udp\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:59:49", "description": "According to its banner, the remote host appears to be running a version of OpenSSH earlier than 2.5.2 / 2.5.2p2. It, therefore, reportedly contains weaknesses in its implementation of the SSH protocol, both versions 1 and 2. These weaknesses could allow an attacker to sniff password lengths, and ranges of length (this could make brute-force password guessing easier), determine whether RSA or DSA authentication is being used, the number of authorized_keys in RSA authentication and/or the length of shell commands.", "cvss3": {"score": null, "vector": null}, "published": "2011-10-04T00:00:00", "type": "nessus", "title": "OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361", "CVE-2001-0572"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_252.NASL", "href": "https://www.tenable.com/plugins/nessus/44068", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44068);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\");\n script_bugtraq_id(2344, 49473);\n script_xref(name:\"CERT\", value:\"596827\");\n\n script_name(english:\"OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities\");\n script_summary(english:\"Checks the version reported in the SSH banner.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Remote attackers may be able to infer information about traffic\ninside an SSH session.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the remote host appears to be running a\nversion of OpenSSH earlier than 2.5.2 / 2.5.2p2. It, therefore,\nreportedly contains weaknesses in its implementation of the SSH\nprotocol, both versions 1 and 2. These weaknesses could allow an\nattacker to sniff password lengths, and ranges of length (this could\nmake brute-force password guessing easier), determine whether RSA or\nDSA authentication is being used, the number of authorized_keys in RSA\nauthentication and/or the length of shell commands.\"\n );\n\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 2.5.2 / 2.5.2p2 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openwall.com/articles/SSH-Traffic-Analysis\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssh.com/txt/release-2.5.2p2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\nif (version !~ \"^[0-9.]+p[0-9]+\")\n{\n # Pull out numeric portion of version of the native OpenBSD version.\n matches = eregmatch(string:version, pattern:\"^([0-9.]+)\");\n if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\n fix = \"2.5.2\";\n if (ver_compare(ver:matches[1], fix:fix, strict:FALSE) >= 0)\n exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n}\nelse\n{\n # Pull out numeric portion of version of the portable version.\n matches = eregmatch(string:version, pattern:\"^([0-9.]+)p([0-9]+)\");\n if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\n fix = \"2.5.2p2\";\n if (\n (ver_compare(ver:matches[1], fix:\"2.5.2\", strict:FALSE) > 0) ||\n (matches[1] == \"2.5.2\" && int(matches[2]) >= 2)\n ) exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n}\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T13:20:46", "description": "The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. \n\nThese protocols are not completely cryptographically safe so they should not be used.", "cvss3": {"score": null, "vector": null}, "published": "2002-03-06T00:00:00", "type": "nessus", "title": "SSH Protocol Version 1 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361", "CVE-2001-0572", "CVE-2001-1473"], "modified": "2020-04-27T00:00:00", "cpe": [], "id": "SSH1_PROTO_ENABLED.NASL", "href": "https://www.tenable.com/plugins/nessus/10882", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10882);\n script_version (\"1.36\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\", \"CVE-2001-1473\");\n script_bugtraq_id(2344);\n \n\n script_name(english:\"SSH Protocol Version 1 Session Key Retrieval\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service offers an insecure cryptographic protocol.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote SSH daemon supports connections made using the version 1.33\nand/or 1.5 of the SSH protocol. \n\nThese protocols are not completely cryptographically safe so they\nshould not be used.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable compatibility with version 1 of the SSH protocol.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2001-1473\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/03/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/02/06\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/27\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Negotiate SSH connections\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2020 Tenable Network Security, Inc.\");\n script_family(english:\"General\");\n script_dependencie(\"ssh_proto_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n exit(0);\n}\n\n\nport = get_kb_item(\"Services/ssh\");\nif(!port)port = 22;\n\nif ( get_kb_item(\"SSH/\" + port + \"/v1_supported\" ) )\n\tsecurity_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:18:59", "description": "There are several weaknesses in various implementations of the SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions.\nThe information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su.\nVersions of OpenSSH 2.5.2 and later have been fixed to reduce the impact of these traffic analysis problems, and as such all Linux- Mandrake users are encouraged to upgrade their version of openssh immediately.\n\nUpdate :\n\nA problem was introduced with a patch applied to the OpenSSH packages released in the previous update. This problem was due to the keepalive patch included, and it broke interoperability with older versions of OpenSSH and SSH. This update removes the patch, and also provides the latest version of OpenSSH which provides a number of new features and enhancements.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-18T00:00:00", "type": "nessus", "title": "Mandrake Linux Security Advisory : openssh (MDKSA-2001:033-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:openssh", "p-cpe:/a:mandriva:linux:openssh-askpass", "p-cpe:/a:mandriva:linux:openssh-askpass-gnome", "p-cpe:/a:mandriva:linux:openssh-clients", "p-cpe:/a:mandriva:linux:openssh-server", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:7.2", "cpe:/o:mandrakesoft:mandrake_linux:8.0"], "id": "MANDRAKE_MDKSA-2001-033.NASL", "href": "https://www.tenable.com/plugins/nessus/14776", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2001:033. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14776);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-0572\");\n script_xref(name:\"MDKSA\", value:\"2001:033-2\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssh (MDKSA-2001:033-2)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There are several weaknesses in various implementations of the SSH\n(Secure Shell) protocols. When exploited, they let the attacker obtain\nsensitive information by passively monitoring encrypted SSH sessions.\nThe information can later be used to speed up brute-force attacks on\npasswords, including the initial login password and other passwords\nappearing in interactive SSH sessions, such as those used with su.\nVersions of OpenSSH 2.5.2 and later have been fixed to reduce the\nimpact of these traffic analysis problems, and as such all Linux-\nMandrake users are encouraged to upgrade their version of openssh\nimmediately.\n\nUpdate :\n\nA problem was introduced with a patch applied to the OpenSSH packages\nreleased in the previous update. This problem was due to the keepalive\npatch included, and it broke interoperability with older versions of\nOpenSSH and SSH. This update removes the patch, and also provides the\nlatest version of OpenSSH which provides a number of new features and\nenhancements.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-server-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-server-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-server-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-16T02:37:39", "description": "Four different Cisco product lines are susceptible to multiple vulnerabilities discovered in the Secure Shell (SSH) protocol version 1.5. These issues have been addressed, and fixes have been integrated into the Cisco products that support this protocol.\nBy exploiting the weakness in the SSH protocol, it is possible to insert arbitrary commands into an established SSH session, collect information that may help in brute-force key recovery, or brute force a session key.\nAffected product lines are:\nNo other Cisco products are vulnerable. It is possible to mitigate this vulnerability by preventing, or having control over, the interception of SSH traffic.\nCisco IOS is not vulnerable to any of known exploits that are currently used to compromise UNIX hosts. For the warning regarding increased scanning activity for hosts running SSH consult CERT/CC.", "cvss3": {"score": null, "vector": null}, "published": "2010-09-01T00:00:00", "type": "nessus", "title": "Multiple SSH Vulnerabilities - Cisco Systems", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20010627-SSHHTTP.NASL", "href": "https://www.tenable.com/plugins/nessus/48957", "sourceData": "#TRUSTED 134089c79ffa0d35d71016e7647f060cad6858c0642f2f316a02eb9c4220913f85a199d77553bad67b55ee5eeccf369cc49c4b7cbd84eb8481286cee2b9e2a98fdad77cf62756c0816c75e1e78878ebdb38741da1a65219159a05c42987892b4acca6f4f163b56368ed716865ec7b36a3ec40056d0078bf055c9b1ae8b02083a8776b413da4b6559aa1d9dabcd88985247471ad4a27a2865d50881097a6586348a8ed4972bcbabd060e5590571f7864ab376607e5c1e9add0705bed139e32412ab00b0d2db8b9d311c2ad8a7e3366fb00139ebf3a0bd6a765d9c6b2182eeb8758b53686ea5a3b2e26366f75d0d3bcdf215d0f92d9219487047bae27b223b53c1b2db7e92e0570cb7139b8908fa5d964b213f80c3fc699ecd3f90e2479be2e6cb77a22447c2ff55a06afaf9e180ad3b7dab84d56c0be19fb2b684d37a2417e736bac08265c699eb4667093daabe6259573d65cae39eb9fa8f24dfe70fac7fe5ddf170ffe8e39bce0736bf339ce8618a3561ef70f1c2bf242c77224e03c85e8e4007965cd99cccf6325de576ebd112107ac23f65ed06495d0cc11a2e0d54b36cab0691078711a80163dda147c9630b5052cb519b788188fdce6db328b1a70c69fc6a70894b2d9606698109365a843b4123edd52370aebfb5cebec6803e7d220266c09cb58bf5d6625ff3a0606e28c8e36f3ff3a04eeb12252d4844c23e3325fb34\n#\n# (C) Tenable Network Security, Inc.\n#\n# Security advisory is (C) CISCO, Inc.\n# See https://www.cisco.com/en/US/products/products_security_advisory09186a00800b168e.shtml\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48957);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/11/15\");\n\n script_cve_id(\"CVE-2001-0572\");\n script_xref(name:\"CERT\", value:\"596827\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt55357\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt57231\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt72996\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt73353\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt96253\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdu37371\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34668\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34676\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34679\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20010627-ssh\");\n\n script_name(english:\"Multiple SSH Vulnerabilities - Cisco Systems\");\n script_summary(english:\"Checks the IOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n'Four different Cisco product lines are susceptible to multiple\nvulnerabilities discovered in the Secure Shell (SSH) protocol version\n1.5. These issues have been addressed, and fixes have been integrated\ninto the Cisco products that support this protocol.\nBy exploiting the weakness in the SSH protocol, it is possible to\ninsert arbitrary commands into an established SSH session, collect\ninformation that may help in brute-force key recovery, or brute force a\nsession key.\nAffected product lines are:\nNo other Cisco products are vulnerable. It is possible to mitigate this\nvulnerability by preventing, or having control over, the interception\nof SSH traffic.\nCisco IOS is not vulnerable to any of known exploits that are currently\nused to compromise UNIX hosts. For the warning regarding increased\nscanning activity for hosts running SSH consult CERT/CC.');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openwall.com/articles/SSH-Traffic-Analysis\");\n script_set_attribute(attribute:\"see_also\", value: \"https://seclists.org/bugtraq/2001/Mar/262\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010627-ssh\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?fb584d2f\");\n # https://www.cisco.com/en/US/products/products_security_advisory09186a00800b168e.shtml\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?2ead856a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20010627-ssh.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/06/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/01\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n\n script_dependencie(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nflag = 0;\nreport_extra = \"\";\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS/Version\");\noverride = 0;\n\n# Affected: 12.0S\nif (check_release(version: version,\n patched: make_list(\"12.0(20)S\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1DB\nif (deprecated_version(version, \"12.1DB\")) {\n report_extra = '\\nNo updates are scheduled for 12.1DB. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1DC\nif (deprecated_version(version, \"12.1DC\")) {\n report_extra = '\\nNo updates are scheduled for 12.1DC. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1E\nif (check_release(version: version,\n patched: make_list(\"12.1(8a)E\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EC\nif (check_release(version: version,\n patched: make_list(\"12.1(6.5)EC3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EX\nif (deprecated_version(version, \"12.1EX\")) {\n report_extra = '\\nUpdate to 12.1(8a)E or later\\n'; flag++;\n}\n# Affected: 12.1EY\nif (check_release(version: version,\n patched: make_list(\"12.1(6)EY\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EZ\nif (check_release(version: version,\n patched: make_list(\"12.1(6)EZ2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1T\nif (deprecated_version(version, \"12.1T\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XA\nif (deprecated_version(version, \"12.1XA\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XB\nif (deprecated_version(version, \"12.1XB\")) {\n report_extra = '\\nNo updates are scheduled for 12.1XB. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1XC\nif (deprecated_version(version, \"12.1XC\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XD\nif (deprecated_version(version, \"12.1XD\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XE\nif (deprecated_version(version, \"12.1XE\")) {\n report_extra = '\\nNo updates are scheduled for 12.1XE. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1XF\nif (check_release(version: version,\n patched: make_list(\"12.1(2)XF4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XG\nif (deprecated_version(version, \"12.1XG\")) {\n report_extra = '\\nUpdate to 12.1(2)XF4 or later\\n'; flag++;\n}\n# Affected: 12.1XH\nif (deprecated_version(version, \"12.1XH\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XI\nif (deprecated_version(version, \"12.1XI\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XJ\nif (deprecated_version(version, \"12.1XJ\")) {\n report_extra = '\\nUpdate to 12.1(5)YB4 or later\\n'; flag++;\n}\n# Affected: 12.1XL\nif (deprecated_version(version, \"12.1XL\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XM\nif (check_release(version: version,\n patched: make_list(\"12.1(4)XM4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XP\nif (check_release(version: version,\n patched: make_list(\"12.1(3)XP4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XQ\nif (deprecated_version(version, \"12.1XQ\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XR\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XR2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XS\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XS2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XT\nif (check_release(version: version,\n patched: make_list(\"12.1(3)XT3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XU\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XU1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XV\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XV3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XY\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XY6\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YA\nif (deprecated_version(version, \"12.1YA\")) {\n report_extra = '\\nUpdate to 12.2(2)XB or later\\n'; flag++;\n}\n# Affected: 12.1YB\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YB4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YC\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YC1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YD\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YD2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YF\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YF2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2\nif (check_release(version: version,\n patched: make_list(\"12.2(1.1)\", \"12.2(1b)\", \"12.2(3)\"))) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2T\nif (check_release(version: version,\n patched: make_list(\"12.2(2.2)T\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XA\nif (check_release(version: version,\n patched: make_list(\"12.2(2)XA\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XD\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XD1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XE\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XE\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XH\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XH\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XQ\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XQ\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n\nif (get_kb_item(\"Host/local_checks_enabled\"))\n{\n if (flag)\n {\n flag = 0;\n buf = cisco_command_kb_item(\"Host/Cisco/Config/show_ip_ssh\", \"show ip ssh\");\n if (check_cisco_result(buf))\n {\n if (preg(pattern:\"version\\s+1\\.5\", multiline:TRUE, string:buf)) { flag = 1; }\n } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }\n }\n}\n\nif (flag)\n{\n security_hole(port:0, extra:report_extra + cisco_caveat(override));\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:19:28", "description": "The remote host is using version 1.5 of the SSH protocol. This version allows a remote attacker to decrypt and/or alter traffic via an attack against PKCS#1 version 1.5, called the 'Bleichenbacher' attack. OpenSSH up to version 2.3.0, AppGate and SSH Communications Security ssh1 update to version 1.2.31 are vulnerable to this attack. ", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2004-08-20T00:00:00", "type": "nessus", "title": "PKCS#1 Version 1.5 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2019-03-06T00:00:00", "cpe": [], "id": "1971.PRM", "href": "https://www.tenable.com/plugins/nnm/1971", "sourceData": "Binary data 1971.prm", "cvss": {"score": 4, "vector": "CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-08-19T13:18:38", "description": "- People at WireX have found several potential insecure uses of temporary files in programs provided by INN2.\n Some of them only lead to a vulnerability to symlink attacks if the temporary directory was set to /tmp or /var/tmp, which is the case in many installations, at least in Debian packages. An attacker could overwrite any file owned by the news system administrator, i.e.\n owned by news.news.\n - Michal Zalewski found an exploitable buffer overflow with regard to cancel messages and their verification.\n This bug did only show up if 'verifycancels' was enabled in inn.conf which is not the default and has been disrecommended by upstream.\n\n - Andi Kleen found a bug in INN2 that makes innd crash for two byte headers. There is a chance this can only be exploited with uucp.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-023-1 : inn2 - local tempfile vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:inn2", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-023.NASL", "href": "https://www.tenable.com/plugins/nessus/14860", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-023. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14860);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0361\");\n script_xref(name:\"DSA\", value:\"023\");\n\n script_name(english:\"Debian DSA-023-1 : inn2 - local tempfile vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- People at WireX have found several potential insecure\n uses of temporary files in programs provided by INN2.\n Some of them only lead to a vulnerability to symlink\n attacks if the temporary directory was set to /tmp or\n /var/tmp, which is the case in many installations, at\n least in Debian packages. An attacker could overwrite\n any file owned by the news system administrator, i.e.\n owned by news.news.\n - Michal Zalewski found an exploitable buffer overflow\n with regard to cancel messages and their verification.\n This bug did only show up if 'verifycancels' was enabled\n in inn.conf which is not the default and has been\n disrecommended by upstream.\n\n - Andi Kleen found a bug in INN2 that makes innd crash for\n two byte headers. There is a chance this can only be\n exploited with uucp.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-023\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the inn2 packages immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:inn2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"inn2\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"inn2-dev\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"inn2-inews\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-08-19T12:20:17", "description": "According to its banner, a version of OpenSSH earlier than 3.8p1 is running on the remote host and is affected by the following issues:\n\n - There is an issue in the handling of PAM modules in such versions of OpenSSH. As a result, OpenSSH may not correctly handle aborted conversations with PAM modules. Consequently, that memory may not be scrubbed of sensitive information such as credentials, which could lead to credentials leaking into swap space and core dumps. Other vulnerabilities in PAM modules could come to light because of unpredictable behavior.\n\n - Denial of service attacks are possible when privilege separation is in use. This version of OpenSSH does not properly signal non-privileged processes after session termination when 'LoginGraceTime' is exceeded. This can allow connections to remain open thereby allowing the denial of service when resources are exhausted. (CVE-2004-2069)", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-08-21T00:00:00", "type": "nessus", "title": "OpenSSH < 3.8p1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-2069"], "modified": "2019-08-21T00:00:00", "cpe": ["cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"], "id": "701169.PRM", "href": "https://www.tenable.com/plugins/nnm/701169", "sourceData": "Binary data 701169.prm", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:20:19", "description": "Updated openssh packages that fix a potential security vulnerability and various other bugs are now available.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This includes the core files necessary for both the OpenSSH client and server.\n\nA bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occuring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.\n\nAdditionally, the following issues are resolved with this update :\n\n - The -q option of the ssh client did not suppress the banner message sent by the server, which caused errors when used in scripts.\n\n - The sshd daemon failed to close the client connection if multiple X clients were forwarded over the connection and the client session exited.\n\n - The sftp client leaked memory if used for extended periods.\n\n - The sshd daemon called the PAM functions incorrectly if the user was unknown on the system.\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches and resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-07-03T00:00:00", "type": "nessus", "title": "CentOS 3 : openssh (CESA-2005:550)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-2069"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-askpass-gnome", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:3"], "id": "CENTOS_RHSA-2005-550.NASL", "href": "https://www.tenable.com/plugins/nessus/21839", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:550 and \n# CentOS Errata and Security Advisory 2005:550 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21839);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-2069\");\n script_xref(name:\"RHSA\", value:\"2005:550\");\n\n script_name(english:\"CentOS 3 : openssh (CESA-2005:550)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix a potential security vulnerability\nand various other bugs are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\nincludes the core files necessary for both the OpenSSH client and\nserver.\n\nA bug was found in the way the OpenSSH server handled the MaxStartups\nand LoginGraceTime configuration variables. A malicious user could\nconnect to the SSH daemon in such a way that it would prevent\nadditional logins from occuring until the malicious connections are\nclosed. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.\n\nAdditionally, the following issues are resolved with this update :\n\n - The -q option of the ssh client did not suppress the\n banner message sent by the server, which caused errors\n when used in scripts.\n\n - The sshd daemon failed to close the client connection if\n multiple X clients were forwarded over the connection\n and the client session exited.\n\n - The sftp client leaked memory if used for extended\n periods.\n\n - The sshd daemon called the PAM functions incorrectly if\n the user was unknown on the system.\n\nAll users of openssh should upgrade to these updated packages, which\ncontain backported patches and resolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-September/012216.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?24cdacc0\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-September/012229.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9da0c1da\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-September/012230.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?237aa73b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/12/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-3.6.1p2-33.30.6\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-askpass-3.6.1p2-33.30.6\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-askpass-gnome-3.6.1p2-33.30.6\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-clients-3.6.1p2-33.30.6\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-server-3.6.1p2-33.30.6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:59:52", "description": "According to its banner, a version of OpenSSH earlier than 3.8p1 is running on the remote host and is affected by the following issues:\n\n - There is an issue in the handling of PAM modules in such versions of OpenSSH. As a result, OpenSSH may not correctly handle aborted conversations with PAM modules. Consequently, that memory may not be scrubbed of sensitive information such as credentials, which could lead to credentials leaking into swap space and core dumps. Other vulnerabilities in PAM modules could come to light because of unpredictable behavior.\n\n - Denial of service attacks are possible when privilege separation is in use. This version of OpenSSH does not properly signal non-privileged processes after session termination when 'LoginGraceTime' is exceeded. This can allow connections to remain open thereby allowing the denial of service when resources are exhausted. (CVE-2004-2069)", "cvss3": {"score": null, "vector": null}, "published": "2011-10-04T00:00:00", "type": "nessus", "title": "Portable OpenSSH < 3.8p1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-2069"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_38P1.NASL", "href": "https://www.tenable.com/plugins/nessus/44074", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44074);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2004-2069\");\n script_bugtraq_id(9040, 14963);\n\n script_name(english:\"Portable OpenSSH < 3.8p1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version reported in the SSH banner.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Remote attackers may be able to cause information to leak from\naborted sessions.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, a version of OpenSSH earlier than 3.8p1 is\nrunning on the remote host and is affected by the following issues:\n\n - There is an issue in the handling of PAM modules in \n such versions of OpenSSH. As a result, OpenSSH may not\n correctly handle aborted conversations with PAM modules. \n Consequently, that memory may not be scrubbed of \n sensitive information such as credentials, which could \n lead to credentials leaking into swap space and core \n dumps. Other vulnerabilities in PAM modules could come\n to light because of unpredictable behavior.\n\n - Denial of service attacks are possible when privilege\n separation is in use. This version of OpenSSH does not\n properly signal non-privileged processes after session\n termination when 'LoginGraceTime' is exceeded. This can\n allow connections to remain open thereby allowing the \n denial of service when resources are exhausted. \n (CVE-2004-2069)\n\n\");\n\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 3.8p1 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cl.cam.ac.uk/~mgk25/otpw.html#opensshbug\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.mindrot.org/show_bug.cgi?id=632\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e86aec66\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bbd79dfd\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d2f25e5c\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\n# OpenBSD does not use PAM, so this vulnerability only exists in the\n# portable version of OpenSSH.\nif (version !~ \"^[0-9.]+p[0-9]+\")\n exit(0, \"OpenSSH version \"+version+\" on port \"+port+\" is not affected.\");\n\n# Pull out numeric portion of version.\nmatches = eregmatch(string:version, pattern:\"^([0-9.]+)\");\nif (isnull(matches))\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\nif (ver_compare(ver:matches[0], fix:\"3.8\", strict:FALSE) >= 0)\n exit(0, \"The Portable OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 3.8p1' +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-19T13:16:42", "description": "Updated openssh packages that fix a potential security vulnerability and various other bugs are now available.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This includes the core files necessary for both the OpenSSH client and server.\n\nA bug was found in the way the OpenSSH server handled the MaxStartups and LoginGraceTime configuration variables. A malicious user could connect to the SSH daemon in such a way that it would prevent additional logins from occuring until the malicious connections are closed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.\n\nAdditionally, the following issues are resolved with this update :\n\n - The -q option of the ssh client did not suppress the banner message sent by the server, which caused errors when used in scripts.\n\n - The sshd daemon failed to close the client connection if multiple X clients were forwarded over the connection and the client session exited.\n\n - The sftp client leaked memory if used for extended periods.\n\n - The sshd daemon called the PAM functions incorrectly if the user was unknown on the system.\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches and resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2005-10-05T00:00:00", "type": "nessus", "title": "RHEL 3 : openssh (RHSA-2005:550)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-2069"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:3"], "id": "REDHAT-RHSA-2005-550.NASL", "href": "https://www.tenable.com/plugins/nessus/19830", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:550. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19830);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-2069\");\n script_xref(name:\"RHSA\", value:\"2005:550\");\n\n script_name(english:\"RHEL 3 : openssh (RHSA-2005:550)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix a potential security vulnerability\nand various other bugs are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\nincludes the core files necessary for both the OpenSSH client and\nserver.\n\nA bug was found in the way the OpenSSH server handled the MaxStartups\nand LoginGraceTime configuration variables. A malicious user could\nconnect to the SSH daemon in such a way that it would prevent\nadditional logins from occuring until the malicious connections are\nclosed. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.\n\nAdditionally, the following issues are resolved with this update :\n\n - The -q option of the ssh client did not suppress the\n banner message sent by the server, which caused errors\n when used in scripts.\n\n - The sshd daemon failed to close the client connection if\n multiple X clients were forwarded over the connection\n and the client session exited.\n\n - The sftp client leaked memory if used for extended\n periods.\n\n - The sshd daemon called the PAM functions incorrectly if\n the user was unknown on the system.\n\nAll users of openssh should upgrade to these updated packages, which\ncontain backported patches and resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-2069\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2005:550\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/12/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2005:550\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-3.6.1p2-33.30.6\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-askpass-3.6.1p2-33.30.6\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-askpass-gnome-3.6.1p2-33.30.6\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-clients-3.6.1p2-33.30.6\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-server-3.6.1p2-33.30.6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-03-27T14:44:02", "description": "The remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh).\n\n\nA problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration.\n\nThis requires doing a remote-remote scp and a hostile server. (CVE-2006-0225)\n\nOn SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too.\n\nThe security fix changes the handling of quoting filenames which might break automated scripts using this functionality.\n\nPlease check that your automated scp scripts still work after the update.", "cvss3": {}, "published": "2006-02-15T00:00:00", "type": "nessus", "title": "SUSE-SA:2006:008: openssh", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "SUSE_SA_2006_008.NASL", "href": "https://www.tenable.com/plugins/nessus/20923", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:008\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(20923);\n script_version(\"1.9\");\n \n name[\"english\"] = \"SUSE-SA:2006:008: openssh\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh).\n\n\nA problem in the handling of scp in openssh could be used to execute\ncommands on remote hosts even using a scp-only configuration.\n\nThis requires doing a remote-remote scp and a hostile server. (CVE-2006-0225)\n\nOn SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too.\n\nThe security fix changes the handling of quoting filenames which might\nbreak automated scripts using this functionality.\n\nPlease check that your automated scp scripts still work after the\nupdate.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/advisories/2006_08_openssh.html\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\" );\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/02/15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the openssh package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"openssh-4.1p1-10.4\", release:\"SUSE10.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-4.1p1-10.4\", release:\"SUSE10.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-4.1p1-11.16\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-4.1p1-11.16\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-3.9p1-3.6\", release:\"SUSE9.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-3.9p1-3.6\", release:\"SUSE9.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-3.9p1-12.4\", release:\"SUSE9.3\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-3.9p1-12.4\", release:\"SUSE9.3\") )\n{\n security_hole(0);\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-08-19T13:13:46", "description": "SunOS 5.9: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09", "cvss3": {"score": null, "vector": null}, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 9 (sparc) : 114356-19", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2011-09-18T00:00:00", "cpe": [], "id": "SOLARIS9_114356.NASL", "href": "https://www.tenable.com/plugins/nessus/25653", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(25653);\n script_version(\"1.23\");\n\n script_name(english: \"Solaris 9 (sparc) : 114356-19\");\n script_cve_id(\"CVE-2006-0225\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 114356-19\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/114356-19\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 114356-19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", obsoleted_by:\"122300-47 \", package:\"SUNWsshcu\", version:\"11.9.0,REV=2002.04.06.15.27\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", obsoleted_by:\"122300-47 \", package:\"SUNWsshu\", version:\"11.9.0,REV=2002.04.06.15.27\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:16:05", "description": "A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp'ing a specially crafted filename.\n\nThe provided updates bump the OpenSSH version to the latest release version of 4.3p1. A number of differences exist, primarily dealing with PAM authentication over the version included in Corporate 3.0 and MNF2. In particular, the default sshd_config now only accepts protocol 2 connections and UsePAM is now disabled by default.\n\nOn systems using alternate authentication methods (ie. LDAP) that use the PAM stack for authentication, you will need to enable UsePAM. Note that the default /etc/pam.d/sshd file has also been modified to use the pam_listfile.so module which will deny access to any users listed in /etc/ssh/denyusers (by default, this is only the root user). This is required to preserve the expected behaviour when using 'PermitRootLogin without-password'; otherwise it would still be possible to obtain a login prompt and login without using keys.\n\nMandriva Linux 10.1 and newer already have these changes in their shipped versions. There are new features in OpenSSH and users are encouraged to review the new sshd_config and ssh_config files when upgrading.", "cvss3": {"score": null, "vector": null}, "published": "2006-02-10T00:00:00", "type": "nessus", "title": "Mandrake Linux Security Advisory : openssh (MDKSA-2006:034)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:openssh", "p-cpe:/a:mandriva:linux:openssh-askpass", "p-cpe:/a:mandriva:linux:openssh-askpass-gnome", "p-cpe:/a:mandriva:linux:openssh-clients", "p-cpe:/a:mandriva:linux:openssh-server", "cpe:/o:mandrakesoft:mandrake_linux:10.1", "cpe:/o:mandriva:linux:2006", "x-cpe:/o:mandrakesoft:mandrake_linux:le2005"], "id": "MANDRAKE_MDKSA-2006-034.NASL", "href": "https://www.tenable.com/plugins/nessus/20875", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2006:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20875);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"MDKSA\", value:\"2006:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssh (MDKSA-2006:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was discovered in the scp local-to-local copy implementation\nwhere filenames that contain shell metacharacters or spaces are\nexpanded twice, which could lead to the execution of arbitrary\ncommands if a local user could be tricked into a scp'ing a specially\ncrafted filename.\n\nThe provided updates bump the OpenSSH version to the latest release\nversion of 4.3p1. A number of differences exist, primarily dealing\nwith PAM authentication over the version included in Corporate 3.0 and\nMNF2. In particular, the default sshd_config now only accepts protocol\n2 connections and UsePAM is now disabled by default.\n\nOn systems using alternate authentication methods (ie. LDAP) that use\nthe PAM stack for authentication, you will need to enable UsePAM. Note\nthat the default /etc/pam.d/sshd file has also been modified to use\nthe pam_listfile.so module which will deny access to any users listed\nin /etc/ssh/denyusers (by default, this is only the root user). This\nis required to preserve the expected behaviour when using\n'PermitRootLogin without-password'; otherwise it would still be\npossible to obtain a login prompt and login without using keys.\n\nMandriva Linux 10.1 and newer already have these changes in their\nshipped versions. There are new features in OpenSSH and users are\nencouraged to review the new sshd_config and ssh_config files when\nupgrading.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-askpass-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-askpass-gnome-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-clients-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-server-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-askpass-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-askpass-gnome-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-clients-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-server-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-askpass-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-askpass-gnome-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-clients-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-server-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:16:04", "description": "Updated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nAn arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through the system audit service.\n\nAll users of openssh should upgrade to these updated packages, which resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-03-08T00:00:00", "type": "nessus", "title": "RHEL 4 : openssh (RHSA-2006:0044)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:4"], "id": "REDHAT-RHSA-2006-0044.NASL", "href": "https://www.tenable.com/plugins/nessus/21030", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0044. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21030);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0044\");\n\n script_name(english:\"RHEL 4 : openssh (RHSA-2006:0044)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-0225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0044\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0044\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-gnome-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-clients-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-server-3.9p1-8.RHEL4.12\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:16:12", "description": "This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-01-24T00:00:00", "type": "nessus", "title": "Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssh", "p-cpe:/a:fedoraproject:fedora:openssh-askpass", "p-cpe:/a:fedoraproject:fedora:openssh-askpass-gnome", "p-cpe:/a:fedoraproject:fedora:openssh-clients", "p-cpe:/a:fedoraproject:fedora:openssh-debuginfo", "p-cpe:/a:fedoraproject:fedora:openssh-server", "cpe:/o:fedoraproject:fedora_core:4"], "id": "FEDORA_2006-056.NASL", "href": "https://www.tenable.com/plugins/nessus/20802", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2006-056.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20802);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"FEDORA\", value:\"2006-056\");\n\n script_name(english:\"Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a minor security update which fixes double shell expansion in\nlocal to local and remote to remote copy with scp. It also fixes a few\nother minor non-security issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2006-January/001767.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3d25dcd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 4.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC4\", reference:\"openssh-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-askpass-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-askpass-gnome-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-clients-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-debuginfo-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-server-4.2p1-fc4.10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:35", "description": "Updated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nAn arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through the system audit service.\n\nAll users of openssh should upgrade to these updated packages, which resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-07-05T00:00:00", "type": "nessus", "title": "CentOS 4 : openssh (CESA-2006:0044)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-askpass-gnome", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:4"], "id": "CENTOS_RHSA-2006-0044.NASL", "href": "https://www.tenable.com/plugins/nessus/21975", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0044 and \n# CentOS Errata and Security Advisory 2006:0044 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21975);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0044\");\n\n script_name(english:\"CentOS 4 : openssh (CESA-2006:0044)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012702.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a20391fc\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012731.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5093f768\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012738.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?23f5115f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-askpass-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-askpass-gnome-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-clients-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-server-3.9p1-8.RHEL4.12\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:49", "description": "SunOS 5.9_x86: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09", "cvss3": {"score": null, "vector": null}, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 9 (x86) : 114357-18", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2011-09-18T00:00:00", "cpe": [], "id": "SOLARIS9_X86_114357.NASL", "href": "https://www.tenable.com/plugins/nessus/25654", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(25654);\n script_version(\"1.23\");\n\n script_name(english: \"Solaris 9 (x86) : 114357-18\");\n script_cve_id(\"CVE-2006-0225\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 114357-18\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9_x86: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/114357-18\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 114357-18\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"114357-18\", obsoleted_by:\"122301-47 \", package:\"SUNWsshcu\", version:\"11.9.0,REV=2002.11.04.02.51\");\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"114357-18\", obsoleted_by:\"122301-47 \", package:\"SUNWsshu\", version:\"11.9.0,REV=2002.11.04.02.51\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:16:02", "description": "The remote host is affected by the vulnerability described in GLSA-200602-11 (OpenSSH, Dropbear: Insecure use of system() call)\n\n To copy from a local filesystem to another local filesystem, scp constructs a command line using 'cp' which is then executed via system(). Josh Bressers discovered that special characters are not escaped by scp, but are simply passed to the shell.\n Impact :\n\n By tricking other users or applications to use scp on maliciously crafted filenames, a local attacker user can execute arbitrary commands with the rights of the user running scp.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": null, "vector": null}, "published": "2006-02-21T00:00:00", "type": "nessus", "title": "GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:dropbear", "p-cpe:/a:gentoo:linux:openssh", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200602-11.NASL", "href": "https://www.tenable.com/plugins/nessus/20953", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200602-11.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20953);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"GLSA\", value:\"200602-11\");\n\n script_name(english:\"GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200602-11\n(OpenSSH, Dropbear: Insecure use of system() call)\n\n To copy from a local filesystem to another local filesystem, scp\n constructs a command line using 'cp' which is then executed via\n system(). Josh Bressers discovered that special characters are not\n escaped by scp, but are simply passed to the shell.\n \nImpact :\n\n By tricking other users or applications to use scp on maliciously\n crafted filenames, a local attacker user can execute arbitrary commands\n with the rights of the user running scp.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200602-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All OpenSSH users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.2_p1-r1'\n All Dropbear users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dropbear-0.47-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/dropbear\", unaffected:make_list(\"ge 0.47-r1\"), vulnerable:make_list(\"lt 0.47-r1\"))) flag++;\nif (qpkg_check(package:\"net-misc/openssh\", unaffected:make_list(\"ge 4.2_p1-r1\"), vulnerable:make_list(\"lt 4.2_p1-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSH / Dropbear\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:56", "description": "Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like '*'), an attacker could exploit this to execute arbitrary shell commands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on untrusted file names, since it needs to stay compatible with rcp.\nPlease use sftp for automated systems and potentially untrusted file names.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-03-13T00:00:00", "type": "nessus", "title": "Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:openssh-client", "p-cpe:/a:canonical:ubuntu_linux:openssh-server", "p-cpe:/a:canonical:ubuntu_linux:ssh", "p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome", "cpe:/o:canonical:ubuntu_linux:4.10", "cpe:/o:canonical:ubuntu_linux:5.04", "cpe:/o:canonical:ubuntu_linux:5.10"], "id": "UBUNTU_USN-255-1.NASL", "href": "https://www.tenable.com/plugins/nessus/21063", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-255-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21063);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"USN\", value:\"255-1\");\n\n script_name(english:\"Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tomas Mraz discovered a shell code injection flaw in scp. When doing\nlocal-to-local or remote-to-remote copying, scp expanded shell escape\ncharacters. By tricking an user into using scp on a specially crafted\nfile name (which could also be caught by using an innocuous wild card\nlike '*'), an attacker could exploit this to execute arbitrary shell\ncommands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on\nuntrusted file names, since it needs to stay compatible with rcp.\nPlease use sftp for automated systems and potentially untrusted file\nnames.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/03/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10|5\\.04|5\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10 / 5.04 / 5.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"openssh-client\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"openssh-server\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"ssh\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"openssh-client\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"openssh-server\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"ssh\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"ssh-askpass-gnome\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"openssh-client\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"openssh-server\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"ssh\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-client / openssh-server / ssh / ssh-askpass-gnome\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:16:04", "description": "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.", "cvss3": {"score": null, "vector": null}, "published": "2006-02-15T00:00:00", "type": "nessus", "title": "Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:openssh", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux:10.1", "cpe:/o:slackware:slackware_linux:10.2", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1"], "id": "SLACKWARE_SSA_2006-045-06.NASL", "href": "https://www.tenable.com/plugins/nessus/20917", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2006-045-06. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20917);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"SSA\", value:\"2006-045-06\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, and -current to fix a security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?61b1c8fc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssh\", pkgver:\"4.3p1\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:59:49", "description": "According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability. The scp utility does not properly sanitize user-supplied input prior to using a system() function call. A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.", "cvss3": {"score": null, "vector": null}, "published": "2011-10-04T00:00:00", "type": "nessus", "title": "OpenSSH < 4.3 scp Command Line Filename Processing Command Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2018-07-16T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_43.NASL", "href": "https://www.tenable.com/plugins/nessus/44076", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44076);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_bugtraq_id(16369);\n\n script_name(english:\"OpenSSH < 4.3 scp Command Line Filename Processing Command Injection\");\n script_summary(english:\"Checks SSH banner\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of SSH running on the remote host has a command injection\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of OpenSSH running on the remote\nhost is potentially affected by an arbitrary command execution\nvulnerability. The scp utility does not properly sanitize\nuser-supplied input prior to using a system() function call. A local\nattacker could exploit this by creating filenames with shell\nmetacharacters, which could cause arbitrary code to be executed if\ncopied by a user running scp.\"\n );\n script_set_attribute(attribute:\"see_also\",value:\"https://bugzilla.mindrot.org/show_bug.cgi?id=1094\");\n script_set_attribute(attribute:\"see_also\",value:\"http://www.openssh.com/txt/release-4.3\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 4.3 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\nmatch = eregmatch(string:version, pattern:'^([0-9.]+)');\nif (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\nver = match[1];\nfix = '4.3';\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:59:53", "description": "According to its banner, the version of OpenSSH running on the remote host is affected by a remote denial of service vulnerability. When used with OpenPAM, OpenSSH does not properly handle when a forked child process ends during PAM authentication. This could allow a remote attacker to cause a denial of service by connecting several times to the SSH server, waiting for the password prompt and then disconnecting.", "cvss3": {"score": null, "vector": null}, "published": "2011-10-04T00:00:00", "type": "nessus", "title": "OpenSSH With OpenPAM DoS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0883"], "modified": "2018-07-16T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_381P1.NASL", "href": "https://www.tenable.com/plugins/nessus/44073", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44073);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2006-0883\");\n script_bugtraq_id(16892);\n\n script_name(english:\"OpenSSH With OpenPAM DoS\");\n script_summary(english:\"Checks SSH banner\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The SSH server running on the remote host has a denial of service\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of OpenSSH running on the remote\nhost is affected by a remote denial of service vulnerability. When\nused with OpenPAM, OpenSSH does not properly handle when a forked\nchild process ends during PAM authentication. This could allow a\nremote attacker to cause a denial of service by connecting several\ntimes to the SSH server, waiting for the password prompt and then\ndisconnecting.\"\n );\n script_set_attribute(attribute:\"see_also\",value:\"https://bugzilla.mindrot.org/show_bug.cgi?id=839\");\n # ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:09.openssh.asc\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?170f19e3\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 3.8.1p1 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Denial of Service\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\n# there was no 3.8.1, so we don't need to worry about checking anything after the 'p'\nmatch = eregmatch(string:version, pattern:'^([0-9.]+)');\nif (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Error parsing version: ' + version);\n\nver = split(match[1], sep:'.', keep:FALSE);\nfor (i = 0; i < max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n ver[0] < 3 ||\n (ver[0] == 3 && ver[1] < 8) ||\n (ver[0] == 3 && ver[1] == 8 && ver[2] < 1)\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 3.8.1p1\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:18:35", "description": "- Versions of OpenSSH prior to 2.3.0 are vulnerable to a remote arbitrary memory overwrite attack which may lead to a root exploit.\n - CORE-SDI has described a problem with regards to RSA key exchange and a Bleichenbacher attack to gather the session key from an ssh session.\n\nBoth of these issues have been corrected in our ssh package 1.2.3-9.2.\nWe recommend you upgrade your openssh package immediately.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-027-1 : OpenSSH - remote exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0144", "CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ssh", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-027.NASL", "href": "https://www.tenable.com/plugins/nessus/14864", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-027. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14864);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0144\", \"CVE-2001-0361\");\n script_bugtraq_id(2344);\n script_xref(name:\"DSA\", value:\"027\");\n\n script_name(english:\"Debian DSA-027-1 : OpenSSH - remote exploit\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- Versions of OpenSSH prior to 2.3.0 are vulnerable to a\n remote arbitrary memory overwrite attack which may lead\n to a root exploit.\n - CORE-SDI has described a problem with regards to RSA key\n exchange and a Bleichenbacher attack to gather the\n session key from an ssh session.\n\nBoth of these issues have been corrected in our ssh package 1.2.3-9.2.\nWe recommend you upgrade your openssh package immediately.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-027\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected ssh package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/02/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"ssh\", reference:\"1.2.3-9.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-askpass-gnome\", reference:\"1.2.3-9.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:18:40", "description": "We have received reports that the 'SSH CRC-32 compensation attack detector vulnerability' is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not officially supported by the Debian project, we are taking the unusual step of releasing updated ssh-nonfree/ssh-socks packages for those users who have not yet migrated to OpenSSH. However, we do recommend that our users migrate to the regularly supported, DFSG-free 'ssh' package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package available in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version 1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for use with the Debian unstable/testing distribution. Note that the new ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh binary, disabling rhosts-rsa authentication. If you need this functionality, run\n\nchmod u+s /usr/bin/ssh1\n\nafter installing the new package.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-086-1 : ssh-nonfree - remote root exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0144", "CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ssh-nonfree", "p-cpe:/a:debian:debian_linux:ssh-socks", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-086.NASL", "href": "https://www.tenable.com/plugins/nessus/14923", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-086. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14923);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0144\", \"CVE-2001-0361\");\n script_xref(name:\"DSA\", value:\"086\");\n\n script_name(english:\"Debian DSA-086-1 : ssh-nonfree - remote root exploit\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"We have received reports that the 'SSH CRC-32 compensation attack\ndetector vulnerability' is being actively exploited. This is the same\ninteger type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but\nssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not\nofficially supported by the Debian project, we are taking the unusual\nstep of releasing updated ssh-nonfree/ssh-socks packages for those\nusers who have not yet migrated to OpenSSH. However, we do recommend\nthat our users migrate to the regularly supported, DFSG-free 'ssh'\npackage as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package\navailable in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version\n1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for\nuse with the Debian unstable/testing distribution. Note that the new\nssh-nonfree/ssh-socks packages remove the setuid bit from the ssh\nbinary, disabling rhosts-rsa authentication. If you need this\nfunctionality, run\n\nchmod u+s /usr/bin/ssh1\n\nafter installing the new package.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-086\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected ssh-nonfree, and ssh-socks packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-nonfree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-socks\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/02/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"ssh-askpass-nonfree\", reference:\"1.2.27-6.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-nonfree\", reference:\"1.2.27-6.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-socks\", reference:\"1.2.27-6.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:13:46", "description": "SunOS 5.10: sshd patch.\nDate this patch was last updated by Sun : Jun/20/07", "cvss3": {"score": null, "vector": null}, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 10 (sparc) : 123324-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "SOLARIS10_123324.NASL", "href": "https://www.tenable.com/plugins/nessus/25642", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/10/24.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(25642);\n script_version(\"1.25\");\n\n script_name(english: \"Solaris 10 (sparc) : 123324-03\");\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-4924\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 123324-03\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10: sshd patch.\nDate this patch was last updated by Sun : Jun/20/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"http://download.oracle.com/sunalerts/1000947.1.html\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_cwe_id(399);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 123324-03\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T13:15:26", "description": "Updated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nAn arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386)\n\nThe following issues have also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.\n\n* When privilege separation was enabled, the last login message was printed only for the root user.\n\n* The sshd daemon was sending messages to the system log from a signal handler when debug logging was enabled. This could cause a deadlock of the user's connection.\n\nAll users of openssh should upgrade to these updated packages, which resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-08-04T00:00:00", "type": "nessus", "title": "CentOS 3 : openssh (CESA-2006:0298)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-askpass-gnome", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:3"], "id": "CENTOS_RHSA-2006-0298.NASL", "href": "https://www.tenable.com/plugins/nessus/22134", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0298 and \n# CentOS Errata and Security Advisory 2006:0298 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22134);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2003-0386\", \"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0298\");\n\n script_name(english:\"CentOS 3 : openssh (CESA-2006:0298)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd are now available for\nRed Hat Enterprise Linux 3.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses\nand with VerifyReverseMapping disabled, allows remote attackers to\nbypass 'from=' and 'user@host' address restrictions by connecting to a\nhost from a system whose reverse DNS hostname contains the numeric IP\naddress. (CVE-2003-0386)\n\nThe following issues have also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\n* When privilege separation was enabled, the last login message was\nprinted only for the root user.\n\n* The sshd daemon was sending messages to the system log from a signal\nhandler when debug logging was enabled. This could cause a deadlock of\nthe user's connection.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013093.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b4d59e30\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013094.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f1bdec32\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-July/013050.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?92a3f2dd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-3.6.1p2-33.30.9\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-askpass-3.6.1p2-33.30.9\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-askpass-gnome-3.6.1p2-33.30.9\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-clients-3.6.1p2-33.30.9\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"openssh-server-3.6.1p2-33.30.9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:15:24", "description": "Updated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3.\n\nThis update has been rated as having low security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nAn arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386)\n\nThe following issues have also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.\n\n* When privilege separation was enabled, the last login message was printed only for the root user.\n\n* The sshd daemon was sending messages to the system log from a signal handler when debug logging was enabled. This could cause a deadlock of the user's connection.\n\nAll users of openssh should upgrade to these updated packages, which resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-07-21T00:00:00", "type": "nessus", "title": "RHEL 3 : openssh (RHSA-2006:0298)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:3"], "id": "REDHAT-RHSA-2006-0298.NASL", "href": "https://www.tenable.com/plugins/nessus/22084", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0298. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22084);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0386\", \"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0298\");\n\n script_name(english:\"RHEL 3 : openssh (RHSA-2006:0298)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd are now available for\nRed Hat Enterprise Linux 3.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses\nand with VerifyReverseMapping disabled, allows remote attackers to\nbypass 'from=' and 'user@host' address restrictions by connecting to a\nhost from a system whose reverse DNS hostname contains the numeric IP\naddress. (CVE-2003-0386)\n\nThe following issues have also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\n* When privilege separation was enabled, the last login message was\nprinted only for the root user.\n\n* The sshd daemon was sending messages to the system log from a signal\nhandler when debug logging was enabled. This could cause a deadlock of\nthe user's connection.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-0225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0298\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0298\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-3.6.1p2-33.30.9\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-askpass-3.6.1p2-33.30.9\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-askpass-gnome-3.6.1p2-33.30.9\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-clients-3.6.1p2-33.30.9\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssh-server-3.6.1p2-33.30.9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:13:48", "description": "SunOS 5.10_x86: sshd patch.\nDate this patch was last updated by Sun : Jun/21/07", "cvss3": {"score": null, "vector": null}, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 10 (x86) : 123325-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "SOLARIS10_X86_123325.NASL", "href": "https://www.tenable.com/plugins/nessus/25645", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/10/24.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(25645);\n script_version(\"1.23\");\n\n script_name(english: \"Solaris 10 (x86) : 123325-03\");\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-4924\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 123325-03\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10_x86: sshd patch.\nDate this patch was last updated by Sun : Jun/21/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"http://download.oracle.com/sunalerts/1000947.1.html\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_cwe_id(399);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 123325-03\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T12:33:38", "description": "SunOS 5.10_x86: sshd patch.\nDate this patch was last updated by Sun : Jun/21/07", "cvss3": {"score": null, "vector": null}, "published": "2018-03-12T00:00:00", "type": "nessus", "title": "Solaris 10 (x86) : 123325-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:123325", "p-cpe:/a:oracle:solaris:10:124443", "p-cpe:/a:oracle:solaris:10:125431", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_X86_123325-03.NASL", "href": "https://www.tenable.com/plugins/nessus/107891", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107891);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-4924\");\n\n script_name(english:\"Solaris 10 (x86) : 123325-03\");\n script_summary(english:\"Check for patch 123325-03\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 123325-03\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SunOS 5.10_x86: sshd patch.\nDate this patch was last updated by Sun : Jun/21/07\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://download.oracle.com/sunalerts/1000947.1.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 123325-03\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:123325\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:124443\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:125431\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"i386\") audit(AUDIT_ARCH_NOT, \"i386\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"123325-03\", obsoleted_by:\"120012-14 \", package:\"SUNWcslr\", version:\"11.10.0,REV=2005.01.21.16.34\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"123325-03\", obsoleted_by:\"120012-14 \", package:\"SUNWhea\", version:\"11.10.0,REV=2005.01.21.16.34\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"123325-03\", obsoleted_by:\"120012-14 \", package:\"SUNWsshcu\", version:\"11.10.0,REV=2005.01.21.16.34\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"123325-03\", obsoleted_by:\"120012-14 \", package:\"SUNWsshdu\", version:\"11.10.0,REV=2005.01.21.16.34\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"123325-03\", obsoleted_by:\"120012-14 \", package:\"SUNWsshu\", version:\"11.10.0,REV=2005.01.21.16.34\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWcslr / SUNWhea / SUNWsshcu / SUNWsshdu / SUNWsshu\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T12:33:11", "description": "SunOS 5.10: sshd patch.\nDate this patch was last updated by Sun : Jun/20/07", "cvss3": {"score": null, "vector": null}, "published": "2018-03-12T00:00:00", "type": "nessus", "title": "Solaris 10 (sparc) : 123324-03", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:123324", "p-cpe:/a:oracle:solaris:10:124442", "p-cpe:/a:oracle:solaris:10:125430", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_123324-03.NASL", "href": "https://www.tenable.com/plugins/nessus/107389", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107389);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-4924\");\n\n script_name(english:\"Solaris 10 (sparc) : 123324-03\");\n script_summary(english:\"Check for patch 123324-03\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 123324-03\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"SunOS 5.10: sshd patch.\nDate this patch was last updated by Sun : Jun/20/07\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://download.oracle.com/sunalerts/1000947.1.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 123324-03\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:123324\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:124442\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:125430\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"sparc\") audit(AUDIT_ARCH_NOT, \"sparc\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"123324-03\", obsoleted_by:\"120011-14 \", package:\"SUNWcslr\", version:\"11.10.0,REV=2005.01.21.15.53\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"123324-03\", obsoleted_by:\"120011-14 \", package:\"SUNWhea\", version:\"11.10.0,REV=2005.01.21.15.53\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"123324-03\", obsoleted_by:\"120011-14 \", package:\"SUNWsshcu\", version:\"11.10.0,REV=2005.01.21.15.53\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"123324-03\", obsoleted_by:\"120011-14 \", package:\"SUNWsshdu\", version:\"11.10.0,REV=2005.01.21.15.53\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"123324-03\", obsoleted_by:\"120011-14 \", package:\"SUNWsshu\", version:\"11.10.0,REV=2005.01.21.15.53\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWcslr / SUNWhea / SUNWsshcu / SUNWsshdu / SUNWsshu\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-03-27T14:51:20", "description": "Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.\n\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable.\n\nTavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924)\n\nAn arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386)\n\nAll users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.", "cvss3": {"score": null, "vector": null}, "published": "2006-09-29T00:00:00", "type": "nessus", "title": "RHEL 2.1 : openssh (RHSA-2006:0698)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:2.1"], "id": "REDHAT-RHSA-2006-0698.NASL", "href": "https://www.tenable.com/plugins/nessus/22474", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0698. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22474);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0386\", \"CVE-2006-0225\", \"CVE-2006-4924\", \"CVE-2006-5051\");\n script_xref(name:\"RHSA\", value:\"2006:0698\");\n\n script_name(english:\"RHEL 2.1 : openssh (RHSA-2006:0698)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix several security issues in sshd are\nnow available for Red Hat Enterprise Linux 2.1.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nMark Dowd discovered a signal handler race condition in the OpenSSH\nsshd server. A remote attacker could possibly leverage this flaw to\ncause a denial of service (crash). (CVE-2006-5051) The OpenSSH project\nbelieves the likelihood of successful exploitation leading to\narbitrary code execution appears remote. However, the Red Hat Security\nResponse Team have not yet been able to verify this claim due to lack\nof upstream vulnerability information. We are therefore including a\nfix for this flaw and have rated it important security severity in the\nevent our continued investigation finds this issue to be exploitable.\n\nTavis Ormandy of the Google Security Team discovered a denial of\nservice bug in the OpenSSH sshd server. A remote attacker can send a\nspecially crafted SSH-1 request to the server causing sshd to consume\na large quantity of CPU resources. (CVE-2006-4924)\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally.\n(CVE-2006-0225)\n\nThe SSH daemon, when restricting host access by numeric IP addresses\nand with VerifyReverseMapping disabled, allows remote attackers to\nbypass 'from=' and 'user@host' address restrictions by connecting to a\nhost from a system whose reverse DNS hostname contains the numeric IP\naddress. (CVE-2003-0386)\n\nAll users of openssh should upgrade to these updated packages, which\ncontain backported patches that resolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-0225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-4924\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-5051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0698\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(362, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/09/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/09/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0698\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"openssh-3.1p1-21\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"openssh-askpass-3.1p1-21\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"openssh-askpass-gnome-3.1p1-21\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"openssh-clients-3.1p1-21\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"openssh-server-3.1p1-21\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:59:58", "description": "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.\n\nNote that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.", "cvss3": {"score": null, "vector": null}, "published": "2011-08-29T00:00:00", "type": "nessus", "title": "SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161"], "modified": "2020-09-21T00:00:00", "cpe": ["cpe:/o:oracle:solaris"], "id": "SUNSSH_PLAINTEXT_RECOVERY.NASL", "href": "https://www.tenable.com/plugins/nessus/55992", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(55992);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\n \"CVE-2000-0525\",\n \"CVE-2000-1169\",\n \"CVE-2001-0361\",\n \"CVE-2001-0529\",\n \"CVE-2001-0572\",\n \"CVE-2001-0816\",\n \"CVE-2001-0872\",\n \"CVE-2001-1380\",\n \"CVE-2001-1382\",\n \"CVE-2001-1459\",\n \"CVE-2001-1507\",\n \"CVE-2001-1585\",\n \"CVE-2002-0083\",\n \"CVE-2002-0575\",\n \"CVE-2002-0639\",\n \"CVE-2002-0640\",\n \"CVE-2002-0765\",\n \"CVE-2003-0190\",\n \"CVE-2003-0386\",\n \"CVE-2003-0682\",\n \"CVE-2003-0693\",\n \"CVE-2003-0695\",\n \"CVE-2003-0786\",\n \"CVE-2003-0787\",\n \"CVE-2003-1562\",\n \"CVE-2004-0175\",\n \"CVE-2004-1653\",\n \"CVE-2004-2069\",\n \"CVE-2004-2760\",\n \"CVE-2005-2666\",\n \"CVE-2005-2797\",\n \"CVE-2005-2798\",\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-4925\",\n \"CVE-2006-5051\",\n \"CVE-2006-5052\",\n \"CVE-2006-5229\",\n \"CVE-2006-5794\",\n \"CVE-2007-2243\",\n \"CVE-2007-2768\",\n \"CVE-2007-3102\",\n \"CVE-2007-4752\",\n \"CVE-2008-1483\",\n \"CVE-2008-1657\",\n \"CVE-2008-3259\",\n \"CVE-2008-4109\",\n \"CVE-2008-5161\"\n );\n script_bugtraq_id(32319);\n script_xref(name:\"CERT\", value:\"958563\");\n\n script_name(english:\"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure\");\n script_summary(english:\"Checks SSH banner\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The SSH service running on the remote host has an information\ndisclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of SunSSH running on the remote host has an information\ndisclosure vulnerability. A design flaw in the SSH specification\ncould allow a man-in-the-middle attacker to recover up to 32 bits of\nplaintext from an SSH-protected connection in the standard\nconfiguration. An attacker could exploit this to gain access to\nsensitive information.\n\nNote that this version of SunSSH is also prone to several additional\nissues but Nessus did not test for them.\" );\n\n # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?4984aeb9\");\n # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?b679208a\");\n script_set_attribute(attribute:\"see_also\",value:\"http://blogs.oracle.com/janp/entry/on_sunssh_versioning\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to SunSSH 1.1.1 / 1.3 or later\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris\");\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2008/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2008/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2011/08/29\");\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", default:22, exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\" + port);\n\n# Check that we're using SunSSH.\nif ('sun_ssh' >!< tolower(banner))\n exit(0, \"The SSH service on port \" + port + \" is not SunSSH.\");\n\n# Check the version in the banner.\nmatch = eregmatch(string:banner, pattern:\"sun_ssh[-_]([0-9.]+)$\", icase:TRUE);\nif (isnull(match))\n exit(1, \"Could not parse the version string from the banner on port \" + port + \".\");\nelse\n version = match[1];\n\n# the Oracle (Sun) blog above explains how the versioning works. we could\n# probably explicitly check for each vulnerable version if it came down to it\nif (\n ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||\n version == '1.2'\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.1.1 / 1.3\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, \"The SunSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-20T15:05:43", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 4.9, "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5794", "CVE-2007-3102", "CVE-2010-2632", "CVE-2010-4755", "CVE-2010-5107", "CVE-2014-2532"], "modified": "2022-05-19T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0036_OPENSSH.NASL", "href": "https://www.tenable.com/plugins/nessus/127206", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0036. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127206);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-5051\",\n \"CVE-2006-5794\",\n \"CVE-2007-3102\",\n \"CVE-2010-4755\",\n \"CVE-2010-5107\",\n \"CVE-2014-2532\"\n );\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected\nby multiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute\n arbitrary commands via filenames that contain shell\n metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH\n protocol, allows remote attackers to cause a denial of\n service (CPU consumption) via an SSH packet that\n contains duplicate blocks, which is not properly handled\n by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4\n allows remote attackers to cause a denial of service\n (crash), and possibly execute arbitrary code if GSSAPI\n authentication is enabled, via unspecified vectors that\n lead to a double-free. (CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege\n Separation Monitor in OpenSSH before 4.5 causes weaker\n verification that authentication has been successful,\n which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is\n only exploitable by leveraging vulnerabilities in the\n unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the\n linux_audit_record_event function in OpenSSH 4.3p2, as\n used on Fedora Core 6 and possibly other systems, allows\n remote attackers to write arbitrary characters to an\n audit log via a crafted username. NOTE: some of these\n details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2)\n process_put function in sftp.c in OpenSSH 5.8 and\n earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,\n OpenBSD 4.7, and other products, allow remote\n authenticated users to cause a denial of service (CPU\n and memory consumption) via crafted glob expressions\n that do not match any pathnames, as demonstrated by glob\n expressions in SSH_FXP_STAT requests to an sftp daemon,\n a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1\n enforces a fixed time limit between establishing a TCP\n connection and completing a login, which makes it easier\n for remote attackers to cause a denial of service\n (connection-slot exhaustion) by periodically making many\n new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle\n certain AcceptEnv parameter values with wildcard\n characters. A remote attacker could use this flaw to\n bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0036\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL openssh packages. Note that updated packages may not be available yet. Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-5051\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2014-2532\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(362, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6\"\n ],\n \"CGSL MAIN 5.04\": [\n \"openssh-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-askpass-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-cavs-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-clients-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-debuginfo-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-keycat-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-ldap-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"openssh-server-7.9p1-1.el7.cgslv5.0.2.gc747ef6\",\n \"pam_ssh_agent_auth-0.10.3-6.1.el7.cgslv5.0.2.gc747ef6\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T15:51:47", "description": "According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.", "cvss3": {"score": null, "vector": null}, "published": "2013-09-13T00:00:00", "type": "nessus", "title": "Juniper NSM Servers < 2012.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0230", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2010-1169", "CVE-2010-1170", "CVE-2010-1447", "CVE-2010-3433", "CVE-2010-4015"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:juniper:netscreen-security_manager"], "id": "JUNIPER_NSM_2012_1.NASL", "href": "https://www.tenable.com/plugins/nessus/69872", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69872);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2004-0230\",\n \"CVE-2005-2798\",\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-5051\",\n \"CVE-2010-1169\",\n \"CVE-2010-1170\",\n \"CVE-2010-1447\",\n \"CVE-2010-3433\",\n \"CVE-2010-4015\"\n );\n script_bugtraq_id(\n 10183,\n 14729,\n 16369,\n 20216,\n 20241,\n 40215,\n 40305,\n 43747,\n 46084\n );\n\n script_name(english:\"Juniper NSM Servers < 2012.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of one or more Juniper NSM servers running on\nthe remote host, it is potentially vulnerable to multiple\nvulnerabilities, the worst of which may allow an authenticated user to\ntrigger a denial of service condition or execute arbitrary code.\");\n # https://kb.juniper.net/InfoCenter/index?page=content&legacyid=PSN-2012-08-686\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d9e06c1c\");\n # https://kb.juniper.net/InfoCenter/index?page=content&legacyid=PSN-2012-08-687\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a46c4019\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to NSM version 2012.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(362, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:netscreen-security_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"juniper_nsm_gui_svr_detect.nasl\", \"juniper_nsm_servers_installed.nasl\");\n script_require_keys(\"Juniper_NSM_VerDetected\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\nkb_base = \"Host/NSM/\";\n\nget_kb_item_or_exit(\"Juniper_NSM_VerDetected\");\n\nkb_list = make_list();\n\ntemp = get_kb_list(\"Juniper_NSM_GuiSvr/*/build\");\n\nif (!isnull(temp) && max_index(keys(temp)) > 0)\n kb_list = make_list(kb_list, keys(temp));\n\ntemp = get_kb_list(\"Host/NSM/*/build\");\nif (!isnull(temp) && max_index(keys(temp)) > 0)\n kb_list = make_list(kb_list, keys(temp));\n\nif (isnull(kb_list)) audit(AUDIT_NOT_INST, \"Juniper NSM Servers\");\n\nreport = '';\n\nentry = branch(kb_list);\n\nport = 0;\nkb_base = '';\n\nif (\"Juniper_NSM_GuiSvr\" >< entry)\n{\n port = entry - \"Juniper_NSM_GuiSvr/\" - \"/build\";\n kb_base = \"Juniper_NSM_GuiSvr/\" + port + \"/\";\n\n report_str1 = \"Remote GUI server version : \";\n report_str2 = \"Fixed Version : \";\n}\nelse\n{\n kb_base = entry - \"build\";\n if (\"guiSvr\" >< kb_base)\n {\n report_str1 = \"Local GUI server version : \";\n report_str2 = \"Fixed version : \";\n }\n else\n {\n report_str1 = \"Local device server version : \";\n report_str2 = \"Fixed version : \";\n }\n}\n\nbuild = get_kb_item_or_exit(entry);\nversion = get_kb_item_or_exit(kb_base + 'version');\n\ndisp_version = version + \" (\" + build + \")\";\n\n# fix : NSM version 2012.1 or later\nitem = eregmatch(pattern:\"^([0-9.]+)\", string:version);\nif (!isnull(item))\n{\n fix = '2012.1';\n if (ver_compare(ver:item[1], fix:fix, strict:FALSE) == -1)\n {\n report += '\\n ' + report_str1 + disp_version +\n '\\n ' + report_str2 + '2012.1' + '\\n';\n }\n}\n\nif (report == '') audit(AUDIT_INST_VER_NOT_VULN, \"Juniper NSM GUI Server or Device Server\");\n\nif (report_verbosity > 0) security_hole(extra:report, port:port);\nelse security_hole(port);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T18:48:50", "description": "The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\n - It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.\n (CVE-2014-2653)\n\n - It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)\n\n - It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. (CVE-2015-5600)\n\n - It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. (CVE-2015-8325)\n\n - An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.\n (CVE-2016-0777)\n\n - An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\n\n - A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5794", "CVE-2007-3102", "CVE-2010-2632", "CVE-2010-4755", "CVE-2010-5107", "CVE-2014-2532", "CVE-2014-2653", "CVE-2014-9278", "CVE-2015-5600", "CVE-2015-8325", "CVE-2016-0777", "CVE-2016-1908", "CVE-2016-6210"], "modified": "2022-05-19T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0146_OPENSSH-LATEST.NASL", "href": "https://www.tenable.com/plugins/nessus/127415", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0146. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127415);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-5051\",\n \"CVE-2006-5794\",\n \"CVE-2007-3102\",\n \"CVE-2010-4755\",\n \"CVE-2010-5107\",\n \"CVE-2014-2532\",\n \"CVE-2014-2653\",\n \"CVE-2014-9278\",\n \"CVE-2015-5600\",\n \"CVE-2015-8325\",\n \"CVE-2016-0777\",\n \"CVE-2016-1908\",\n \"CVE-2016-6210\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by\nmultiple vulnerabilities:\n\n - scp in OpenSSH 4.2p1 allows attackers to execute\n arbitrary commands via filenames that contain shell\n metacharacters or spaces, which are expanded twice.\n (CVE-2006-0225)\n\n - sshd in OpenSSH before 4.4, when using the version 1 SSH\n protocol, allows remote attackers to cause a denial of\n service (CPU consumption) via an SSH packet that\n contains duplicate blocks, which is not properly handled\n by the CRC compensation attack detector. (CVE-2006-4924)\n\n - Signal handler race condition in OpenSSH before 4.4\n allows remote attackers to cause a denial of service\n (crash), and possibly execute arbitrary code if GSSAPI\n authentication is enabled, via unspecified vectors that\n lead to a double-free. (CVE-2006-5051)\n\n - Unspecified vulnerability in the sshd Privilege\n Separation Monitor in OpenSSH before 4.5 causes weaker\n verification that authentication has been successful,\n which might allow attackers to bypass authentication.\n NOTE: as of 20061108, it is believed that this issue is\n only exploitable by leveraging vulnerabilities in the\n unprivileged process, which are not known to exist.\n (CVE-2006-5794)\n\n - Unspecified vulnerability in the\n linux_audit_record_event function in OpenSSH 4.3p2, as\n used on Fedora Core 6 and possibly other systems, allows\n remote attackers to write arbitrary characters to an\n audit log via a crafted username. NOTE: some of these\n details are obtained from third party information.\n (CVE-2007-3102)\n\n - The (1) remote_glob function in sftp-glob.c and the (2)\n process_put function in sftp.c in OpenSSH 5.8 and\n earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,\n OpenBSD 4.7, and other products, allow remote\n authenticated users to cause a denial of service (CPU\n and memory consumption) via crafted glob expressions\n that do not match any pathnames, as demonstrated by glob\n expressions in SSH_FXP_STAT requests to an sftp daemon,\n a different vulnerability than CVE-2010-2632.\n (CVE-2010-4755)\n\n - The default configuration of OpenSSH through 6.1\n enforces a fixed time limit between establishing a TCP\n connection and completing a login, which makes it easier\n for remote attackers to cause a denial of service\n (connection-slot exhaustion) by periodically making many\n new TCP connections. (CVE-2010-5107)\n\n - It was found that OpenSSH did not properly handle\n certain AcceptEnv parameter values with wildcard\n characters. A remote attacker could use this flaw to\n bypass intended environment variable restrictions.\n (CVE-2014-2532)\n\n - It was discovered that OpenSSH clients did not correctly\n verify DNS SSHFP records. A malicious server could use\n this flaw to force a connecting client to skip the DNS\n SSHFP record check and require the user to perform\n manual host verification of the DNS SSHFP record.\n (CVE-2014-2653)\n\n - It was found that when OpenSSH was used in a Kerberos\n environment, remote authenticated users were allowed to\n log in as a different user if they were listed in the\n ~/.k5users file of that user, potentially bypassing\n intended authentication restrictions. (CVE-2014-9278)\n\n - It was discovered that the OpenSSH sshd daemon did not\n check the list of keyboard-interactive authentication\n methods for duplicates. A remote attacker could use this\n flaw to bypass the MaxAuthTries limit, making it easier\n to perform password guessing attacks. (CVE-2015-5600)\n\n - It was discovered that the OpenSSH sshd daemon fetched\n PAM environment settings before running the login\n program. In configurations with UseLogin=yes and the\n pam_env PAM module configured to read user environment\n settings, a local user could use this flaw to execute\n arbitrary code as root. (CVE-2015-8325)\n\n - An information leak flaw was found in the way the\n OpenSSH client roaming feature was implemented. A\n malicious server could potentially use this flaw to leak\n portions of memory (possibly including private SSH keys)\n of a successfully authenticated OpenSSH client.\n (CVE-2016-0777)\n\n - An access flaw was discovered in OpenSSH; the OpenSSH\n client did not correctly handle failures to generate\n authentication cookies for untrusted X11 forwarding. A\n malicious or compromised remote X application could\n possibly use this flaw to establish a trusted connection\n to the local X server, even if only untrusted X11\n forwarding was requested. (CVE-2016-1908)\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0146\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL openssh-latest packages. Note that updated packages may not be available yet. Please contact\nZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-5051\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2016-1908\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(362, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.05\": [\n \"openssh-latest-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-askpass-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-cavs-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-clients-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-debuginfo-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-keycat-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-ldap-7.9p1-1.el6.cgsl7741\",\n \"openssh-latest-server-7.9p1-1.el6.cgsl7741\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-latest\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-16T16:06:48", "description": "The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied.\n\nThis update contains several security fixes for the following programs :\n\n - ColorSync\n - CoreGraphics\n - Crash Reporter\n - CUPS\n - Disk Images\n - DS Plugins\n - Flash Player\n - GNU Tar\n - HFS\n - HID Family\n - ImageIO\n - Kernel\n - MySQL server\n - Networking\n - OpenSSH\n - Printing\n - QuickDraw Manager\n - servermgrd\n - SMB File Server\n - Software Update\n - sudo \n - WebLog", "cvss3": {"score": null, "vector": null}, "published": "2007-03-13T00:00:00", "type": "nessus", "title": "Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-0719", "CVE-2007-0467", "CVE-2007-0720", "CVE-2007-0721", "CVE-2007-0722", "CVE-2006-6061", "CVE-2006-6062", "CVE-2006-5679", "CVE-2007-0229", "CVE-2007-0267", "CVE-2007-0299", "CVE-2007-0723", "CVE-2006-5330", "CVE-2006-0300", "CVE-2006-6097", "CVE-2007-0318", "CVE-2007-0724", "CVE-2007-1071", "CVE-2007-0733", "CVE-2006-5836", "CVE-2006-6129", "CVE-2006-6173", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-4031", "CVE-2006-4226", "CVE-2006-3469", "CVE-2006-6130", "CVE-2007-0236", "CVE-2007-0726", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052", "CVE-2007-0728", "CVE-2007-0588", "CVE-2007-0730", "CVE-2007-0731", "CVE-2007-0463", "CVE-2005-2959", "CVE-2006-4829"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_10_4_9.NASL", "href": "https://www.tenable.com/plugins/nessus/24811", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\nif ( NASL_LEVEL < 3004 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(24811);\n script_version (\"1.29\");\n\n script_cve_id(\"CVE-2007-0719\", \"CVE-2007-0467\", \"CVE-2007-0720\", \n \"CVE-2007-0721\", \"CVE-2007-0722\", \"CVE-2006-6061\", \n \"CVE-2006-6062\", \"CVE-2006-5679\", \"CVE-2007-0229\", \n \"CVE-2007-0267\", \"CVE-2007-0299\", \"CVE-2007-0723\", \n \"CVE-2006-5330\", \"CVE-2006-0300\", \"CVE-2006-6097\", \n \"CVE-2007-0318\", \"CVE-2007-0724\", \"CVE-2007-1071\", \n \"CVE-2007-0733\", \"CVE-2006-5836\", \"CVE-2006-6129\", \n \"CVE-2006-6173\", \"CVE-2006-1516\", \"CVE-2006-1517\", \n \"CVE-2006-2753\", \"CVE-2006-3081\", \"CVE-2006-4031\", \n \"CVE-2006-4226\", \"CVE-2006-3469\", \"CVE-2006-6130\", \n \"CVE-2007-0236\", \"CVE-2007-0726\", \"CVE-2006-0225\", \n \"CVE-2006-4924\", \"CVE-2006-5051\", \"CVE-2006-5052\", \n \"CVE-2007-0728\", \"CVE-2007-0588\", \"CVE-2007-0730\", \n \"CVE-2007-0731\", \"CVE-2007-0463\", \"CVE-2005-2959\", \n \"CVE-2006-4829\");\n script_bugtraq_id(20982, 21236, 21291, 21349, 22041, 22948);\n\n script_name(english:\"Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update which fixes a security\nissue.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.4 which is older than\nversion 10.4.9 or a version of Mac OS X 10.3 which does not have \nSecurity Update 2007-003 applied.\n\nThis update contains several security fixes for the following programs :\n\n - ColorSync\n - CoreGraphics\n - Crash Reporter\n - CUPS\n - Disk Images\n - DS Plugins\n - Flash Player\n - GNU Tar\n - HFS\n - HID Family\n - ImageIO\n - Kernel\n - MySQL server\n - Networking\n - OpenSSH\n - Printing\n - QuickDraw Manager\n - servermgrd\n - SMB File Server\n - Software Update\n - sudo \n - WebLog\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.info.apple.com/article.html?artnum=305214\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Mac OS X 10.4 : Upgrade to Mac OS X 10.4.9 :\n\nhttp://www.apple.com/support/downloads/macosxserver1049updateppc.html\nhttp://www.apple.com/support/downloads/macosx1049updateintel.html\nhttp://www.apple.com/support/downloads/macosxserver1049updateuniversal.html\n\nMac OS X 10.3 : Apply Security Update 2007-003 :\n\nhttp://www.apple.com/support/downloads/securityupdate20070031039client.html\nhttp://www.apple.com/support/downloads/securityupdate20070031039server.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79, 119, 362, 399);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/03/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/03/13\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"combined\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\nscript_end_attributes();\n\n script_summary(english:\"Check for the version of Mac OS X\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif ( ! os ) {\n\t os = get_kb_item(\"Host/OS\");\n\t confidence = get_kb_item(\"Host/OS/Confidence\");\n\t if ( confidence <= 90 ) exit(0);\n\t}\nif ( ! os ) exit(0);\nif ( ereg(pattern:\"Mac OS X 10\\.4($|\\.[1-8]([^0-9]|$))\", string:os)) security_hole(0);\nelse if ( ereg(pattern:\"Mac OS X 10\\.3\\.\", string:os) )\n{\n packages = get_kb_item(\"Host/MacOSX/packages\");\n if ( ! packages ) exit(0);\n if (!egrep(pattern:\"^SecUpd(Srvr)?2007-003\", string:packages)) security_hole(0);\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:14:12", "description": "The remote host is running a version of Mac OS X 10.4 that is older than version 10.4.9 or a version of Mac OS X 10.3 that does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs :\n\n - ColorSync\n - CoreGraphics\n - Crash Reporter\n - CUPS\n - Disk Images\n - DS Plugins\n - Flash Player\n - GNU Tar\n - HFS\n - HID Family\n - ImageIO\n - Kernel\n - MySQL server\n - Networking\n - OpenSSH\n - Printing\n - QuickDraw Manager\n - servermgrd\n - SMB File Server\n - Software Update\n - sudo \n - WebLog", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2007-03-13T00:00:00", "type": "nessus", "title": "Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-4031", "CVE-2006-0300", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-0225", "CVE-2006-6097", "CVE-2006-4924", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-4226", "CVE-2007-0720", "CVE-2006-4227", "CVE-2006-3469", "CVE-2007-0726", "CVE-2006-1518", "CVE-2006-5330", "CVE-2006-5836", "CVE-2007-0318", "CVE-2007-0236", "CVE-2006-6173", "CVE-2006-6130", "CVE-2007-0719", "CVE-2007-0721", "CVE-2007-0722", "CVE-2007-0723", "CVE-2007-0724", "CVE-2007-0733", "CVE-2007-0728", "CVE-2007-0730", "CVE-2007-0731", "CVE-2005-2959", "CVE-2007-0467", "CVE-2006-6129", "CVE-2006-6062", "CVE-2007-0588", "CVE-2007-0463", "CVE-2006-4829", "CVE-2007-0229", "CVE-2006-6061", "CVE-2006-5679", "CVE-2007-0267", "CVE-2007-0299", "CVE-2007-1071"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"], "id": "3947.PRM", "href": "https://www.tenable.com/plugins/nnm/3947", "sourceData": "Binary data 3947.prm", "cvss": {"score": 8.3, "vector": "CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-30T19:16:11", "description": "The host is running SSH and is providing / accepting one or more deprecated versions\n of the SSH protocol which have known cryptograhic flaws.", "cvss3": {}, "published": "2011-10-14T00:00:00", "type": "openvas", "title": "Deprecated SSH-1 Protocol Detection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2001-1473"], "modified": "2020-03-26T00:00:00", "id": "OPENVAS:1361412562310801993", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801993", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Deprecated SSH-1 Protocol Detection\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801993\");\n script_version(\"2020-03-26T13:48:10+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 13:48:10 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-10-14 14:22:41 +0200 (Fri, 14 Oct 2011)\");\n # nb: Few CVEs/vulns to point out the cryptographic flaws.\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\", \"CVE-2001-1473\");\n script_bugtraq_id(2344);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Deprecated SSH-1 Protocol Detection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"ssh_proto_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"SSH/supportedversions/available\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/684820\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/6603\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allows remote attackers to bypass security\n restrictions and to obtain a client's public host key during a connection attempt and use it to open and\n authenticate an SSH session to another server with the same access.\");\n\n script_tag(name:\"affected\", value:\"Services providing / accepting the SSH protocol version SSH-1 (1.33 and 1.5).\");\n\n script_tag(name:\"solution\", value:\"Reconfigure the SSH service to only provide / accept the SSH protocol version SSH-2.\");\n\n script_tag(name:\"summary\", value:\"The host is running SSH and is providing / accepting one or more deprecated versions\n of the SSH protocol which have known cryptograhic flaws.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port( default:22 );\nversions = get_kb_list( \"SSH/supportedversions/\" + port );\nif( ! versions )\n exit( 0 );\n\nversions = sort( versions );\n\nreport = 'The service is providing / accepting the following deprecated versions of the SSH protocol which have known cryptograhic flaws:\\n';\n\nforeach version( versions ) {\n\n # nb: Don't add 1.99 which is only a backward compatibility banner\n if( version == \"1.33\" || version == \"1.5\" ) {\n report += '\\n' + version;\n VULN = TRUE;\n }\n}\n\nif( VULN ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-09-04T14:19:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0572"], "description": "OpenSSH is prone to a security weakness that may allow attackers to\ndowngrade the ciphersuite.\n\nSuccessfully exploiting this issue in conjunction with other latent\nvulnerabilities may allow attackers to gain access to sensitive\ninformation that may aid in further attacks.\n\nReleases prior to OpenSSH 2.9p2 are vulnerable.", "modified": "2017-08-30T00:00:00", "published": "2011-09-09T00:00:00", "id": "OPENVAS:103247", "href": "http://plugins.openvas.org/nasl.php?oid=103247", "type": "openvas", "title": "OpenSSH Ciphersuite Specification Information Disclosure Weakness", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_openssh_49473.nasl 7024 2017-08-30 11:51:43Z teissa $\n#\n# OpenSSH Ciphersuite Specification Information Disclosure Weakness\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"OpenSSH is prone to a security weakness that may allow attackers to\ndowngrade the ciphersuite.\n\nSuccessfully exploiting this issue in conjunction with other latent\nvulnerabilities may allow attackers to gain access to sensitive\ninformation that may aid in further attacks.\n\nReleases prior to OpenSSH 2.9p2 are vulnerable.\";\n\ntag_solution = \"Updates are available. Please see the references for more information.\";\n\nif (description)\n{\n script_id(103247);\n script_version(\"$Revision: 7024 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-30 13:51:43 +0200 (Wed, 30 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-09 13:52:42 +0200 (Fri, 09 Sep 2011)\");\n script_bugtraq_id(49473);\n script_cve_id(\"CVE-2001-0572\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"OpenSSH Ciphersuite Specification Information Disclosure Weakness\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/49473\");\n script_xref(name : \"URL\" , value : \"http://www.openssh.com\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/596827\");\n\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_mandatory_keys(\"openssh/detected\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"global_settings.inc\");\n\nport = get_kb_item(\"Services/ssh\");\nif(!port) port = 22;\n\nif(!get_port_state(port))exit(0);\n\nbanner = get_kb_item(\"SSH/banner/\" + port);\nif ( ! banner ) exit(0);\n\nversion = eregmatch(pattern:\"ssh-.*openssh[_-]{1}([0-9.]+[p0-9]*)\", string: banner,icase:TRUE);\nif(isnull(version[1]))exit(0);\n\nif(version_is_less(version: version[1], test_version: \"2.9p2\")) {\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0572"], "description": "OpenSSH is prone to a security weakness that may allow attackers to\n downgrade the ciphersuite.", "modified": "2019-05-22T00:00:00", "published": "2011-09-09T00:00:00", "id": "OPENVAS:1361412562310103247", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103247", "type": "openvas", "title": "OpenSSH Ciphersuite Specification Information Disclosure Weakness", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH Ciphersuite Specification Information Disclosure Weakness\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103247\");\n script_version(\"2019-05-22T07:58:25+0000\");\n script_bugtraq_id(49473);\n script_cve_id(\"CVE-2001-0572\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 07:58:25 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2011-09-09 13:52:42 +0200 (Fri, 09 Sep 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"OpenSSH Ciphersuite Specification Information Disclosure Weakness\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_openssh_consolidation.nasl\");\n script_mandatory_keys(\"openssh/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/49473\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/596827\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue in conjunction with other latent\n vulnerabilities may allow attackers to gain access to sensitive information that\n may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Releases prior to OpenSSH 2.9p2 are vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"OpenSSH is prone to a security weakness that may allow attackers to\n downgrade the ciphersuite.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( version_is_less( version:vers, test_version:\"2.9p2\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.9p2\", install_path:path );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:49:48", "description": "The remote host is missing an update to inn2\nannounced via advisory DSA 023-1.", "cvss3": {}, "published": "2008-01-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 023-1 (inn2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:53786", "href": "http://plugins.openvas.org/nasl.php?oid=53786", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_023_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 023-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"1. People at WireX have found several potential insecure uses of\ntemporary files in programs provided by INN2. Some of them only\nlead to a vulnerability to symlink attacks if the temporary\ndirectory was set to /tmp or /var/tmp, which is the case in many\ninstallations, at least in Debian packages. An attacker could\noverwrite any file owned by the news system administrator,\ni.e. owned by news.news.\n\n2. Michal Zalewski found an exploitable buffer overflow with regard\nto cancel messages and their verification. This bug did only show\nup if 'verifycancels' was enabled in inn.conf which is not the\ndefault and has been disrecommended by upstream.\n\n3. Andi Kleen found a bug in INN2 that makes innd crash for two byte\nheaders. There is a chance this can only be exploited with uucp.\n\nWe recommend you upgrade your inn2 packages immediately.\";\ntag_summary = \"The remote host is missing an update to inn2\nannounced via advisory DSA 023-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20023-1\";\n\nif(description)\n{\n script_id(53786);\n script_cve_id(\"CVE-2001-0361\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 023-1 (inn2)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"inn2-dev\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"inn2-inews\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"inn2\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"task-news-server\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:50:02", "description": "The remote host is missing an update to ssh-nonfree, ssh-socks\nannounced via advisory DSA 086-1.", "cvss3": {}, "published": "2008-01-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 086-1 (ssh-nonfree, ssh-socks)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:53766", "href": "http://plugins.openvas.org/nasl.php?oid=53766", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_086_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 086-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"We have received reports that the SSH CRC-32 compensation attack\ndetector vulnerability is being actively exploited. This is the same\ninteger type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but\nssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not\nofficially supported by the Debian project, we are taking the unusal\nstep of releasing updated ssh-nonfree/ssh-socks packages for those\nusers who have not yet migrated to OpenSSH. However, we do recommend\nthat our users migrate to the regularly supported, DFSG-free ssh\npackage as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package\navailable in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version\n1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for\nuse with the Debian unstable/testing distribution. Note that the new\nssh-nonfree/ssh-socks packages remove the setuid bit from the ssh\nbinary, disabling rhosts-rsa authentication. If you need this\nfunctionality, run\nchmod u+s /usr/bin/ssh1\nafter installing the new package.\";\ntag_summary = \"The remote host is missing an update to ssh-nonfree, ssh-socks\nannounced via advisory DSA 086-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20086-1\";\n\nif(description)\n{\n script_id(53766);\n script_cve_id(\"CVE-2001-0361\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 086-1 (ssh-nonfree, ssh-socks)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ssh-askpass-nonfree\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-nonfree\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-socks\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-03-30T16:38:10", "description": "You are running SSH protocol version 1.5.", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": "openvas", "title": "PKCS 1 Version 1.5 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2020-03-26T00:00:00", "id": "OPENVAS:136141256231011342", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011342", "sourceData": "# OpenVAS Vulnerability Test\n# Description: PKCS 1 Version 1.5 Session Key Retrieval\n#\n# Authors:\n# Xue Yong Zhi<xueyong@udel.edu>\n#\n# Copyright:\n# Copyright (C) 2003 Xue Yong Zhi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11342\");\n script_version(\"2020-03-26T13:48:10+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 13:48:10 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2344);\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2001-0361\");\n script_name(\"PKCS 1 Version 1.5 Session Key Retrieval\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2003 Xue Yong Zhi\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"ssh/server_banner/available\");\n\n script_tag(name:\"solution\", value:\"Patch and new version are available from SSH/OpenSSH.\");\n\n script_tag(name:\"summary\", value:\"You are running SSH protocol version 1.5.\");\n\n script_tag(name:\"impact\", value:\"This version allows a remote attacker to decrypt and/or\n alter traffic via an attack on PKCS#1 version 1.5 knows as a Bleichenbacher attack.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH up to version 2.3.0, AppGate, and SSH Communications Security\n ssh-1 up to version 1.2.31 have the vulnerability present, although it may not be exploitable due to configurations.\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port(default:22);\nbanner = ssh_get_serverbanner(port:port);\nif(!banner)\n exit(0);\n\n#Looking for SSH product version number from 1.0 to 1.2.31\nif(ereg(string:banner, pattern:\"SSH-.*-1\\.([01]|[01]\\..*|2\\.([0-9]|1[0-9]|2[0-9]|3[01]))[^0-9]*$\", icase:TRUE))\n security_message(port:port);\nelse {\n if(ereg(pattern:\".*openssh[-_](1|2\\.([0-2]\\.|3\\.0)).*\",string:banner, icase:TRUE))\n security_message(port:port);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2017-07-24T12:50:39", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.", "cvss3": {}, "published": "2012-09-11T00:00:00", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-06 openssh", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:56294", "href": "http://plugins.openvas.org/nasl.php?oid=56294", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_045_06.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-045-06\";\n \nif(description)\n{\n script_id(56294);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2006-045-06 openssh \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:51", "description": "The remote host is missing updates announced in\nadvisory GLSA 200602-11.", "cvss3": {}, "published": "2008-09-24T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200602-11 (OpenSSH)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:56330", "href": "http://plugins.openvas.org/nasl.php?oid=56330", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in OpenSSH and Dropbear allows local users to elevate their\nprivileges via scp.\";\ntag_solution = \"All OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.2_p1-r1'\n\nAll Dropbear users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dropbear-0.47-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200602-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=119232\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200602-11.\";\n\n \n\nif(description)\n{\n script_id(56330);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200602-11 (OpenSSH)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/openssh\", unaffected: make_list(\"ge 4.2_p1-r1\"), vulnerable: make_list(\"lt 4.2_p1-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-misc/dropbear\", unaffected: make_list(\"ge 0.47-r1\"), vulnerable: make_list(\"lt 0.47-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:38:43", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "cvss3": {}, "published": "2009-10-10T00:00:00", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:136141256231065019", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065019", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021162.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for OpenSSH\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65019\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for OpenSSH\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.1p1~11.16\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-26T08:55:42", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "cvss3": {}, "published": "2009-10-10T00:00:00", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2017-07-11T00:00:00", "id": "OPENVAS:65019", "href": "http://plugins.openvas.org/nasl.php?oid=65019", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021162.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for OpenSSH\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65019);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for OpenSSH\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.1p1~11.16\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:21", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.", "cvss3": {}, "published": "2012-09-11T00:00:00", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-06 openssh", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:136141256231056294", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231056294", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_045_06.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.56294\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2006-045-06 openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0|10\\.1|10\\.2)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-045-06\");\n\n script_tag(name:\"insight\", value:\"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:57", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-06:09.openssh.asc", "cvss3": {}, "published": "2008-09-04T00:00:00", "type": "openvas", "title": "FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-0883"], "modified": "2017-12-07T00:00:00", "id": "OPENVAS:56352", "href": "http://plugins.openvas.org/nasl.php?oid=56352", "sourceData": "#\n#ADV FreeBSD-SA-06:09.openssh.asc\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n#\n\ntag_insight = \"OpenSSH is an implementation of the SSH protocol suite, providing an\nencrypted, authenticated transport for a variety of services,\nincluding remote shell access.\n\nPrivilege separation is a mechanism used by OpenSSH to protect itself\nagainst possible future vulnerabilities. It works by splitting the\nserver process in two: the child process drops its privileges and\ncarries on the conversation with the client, while the parent retains\nits privileges, monitors the child, and performs privileged operations\non behalf of the child when it is satisified that everything is in\norder. Privilege separation is enabled by default in FreeBSD.\n\nOpenPAM is an implementation of the PAM framework, which allows the\nuse of loadable modules to implement user authentication and session\nmanagement in a manner defined by the administrator. It is used by\nOpenSSH and numerous other applications in FreeBSD to provide a\nconsistent and configurable authentication system.\n\nBecause OpenSSH and OpenPAM have conflicting designs (one is event-\ndriven while the other is callback-driven), it is necessary for\nOpenSSH to fork a child process to handle calls to the PAM framework.\nHowever, if the unprivileged child terminates while PAM authentication\nis under way, the parent process incorrectly believes that the PAM\nchild also terminated. The parent process then terminates, and the\nPAM child is left behind.\n\nDue to the way OpenSSH performs internal accounting, these orphaned\nPAM children are counted as pending connections by the master OpenSSH\nserver process. Once a certain number of orphans has accumulated, the\nmaster decides that it is overloaded and stops accepting client\nconnections.\";\ntag_solution = \"Upgrade your system to the appropriate stable release\nor security branch dated after the correction date\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-06:09.openssh.asc\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-06:09.openssh.asc\";\n\n \nif(description)\n{\n script_id(56352);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_bugtraq_id(16892);\n script_cve_id(\"CVE-2006-0883\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n name = \"FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n family = \"FreeBSD Local Security Checks\";\n script_family(family);\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdpatchlevel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\nif(patchlevelcmp(rel:\"5.4\", patchlevel:\"12\")<0) {\n vuln = 1;\n}\nif(patchlevelcmp(rel:\"5.3\", patchlevel:\"27\")<0) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:38:32", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for kernel 120012-14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-0957", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855205", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855205", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120012-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855205\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120012-14\");\n script_cve_id(\"CVE-2007-0957\", \"CVE-2006-0225\");\n script_name( \"Solaris Update for kernel 120012-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120012-14-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"i386\", patch:\"120012-14\", package:\"SUNWcpc.i SUNWsshcu SUNWpcmci SUNWnge SUNWcnetr SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWsra SUNWperl584core SUNWbart SUNWkrbu SUNWsmapi SUNWtavor SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWpapi SUNWsshdu SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWpsdir SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWcsl SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWib SUNWkey SUNWnisu SUNWos86r SUNWtoo SUNWdmgtu SUNWusbu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWusb SUNWzfsr SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWaudh SUNWrge SUNWtecla SUNWmdbr SUNWpcu SUNWzfskr SUNWarcr SUNWrcapu SUNWwbsup SUNWhea SUNWcakr.i SUNWqos SUNWntpu SUNWnfsckr SUNWdtrp SUNWlibsasl SUNWcslr SUNWippcore SUNWrmodr SUNWsshu SUNWcsu SUNWnfscu SUNWesu SUNWcsd SUNWipplr SUNWpsm-lpd SUNWuprl SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWftdur SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:47", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for kernel 120012-14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-0957", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855205", "href": "http://plugins.openvas.org/nasl.php?oid=855205", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120012-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855205);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120012-14\");\n script_cve_id(\"CVE-2007-0957\", \"CVE-2006-0225\");\n script_name( \"Solaris Update for kernel 120012-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120012-14-1\");\n\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"i386\", patch:\"120012-14\", package:\"SUNWcpc.i SUNWsshcu SUNWpcmci SUNWnge SUNWcnetr SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWsra SUNWperl584core SUNWbart SUNWkrbu SUNWsmapi SUNWtavor SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWpapi SUNWsshdu SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWpsdir SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWcsl SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWib SUNWkey SUNWnisu SUNWos86r SUNWtoo SUNWdmgtu SUNWusbu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWusb SUNWzfsr SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWaudh SUNWrge SUNWtecla SUNWmdbr SUNWpcu SUNWzfskr SUNWarcr SUNWrcapu SUNWwbsup SUNWhea SUNWcakr.i SUNWqos SUNWntpu SUNWnfsckr SUNWdtrp SUNWlibsasl SUNWcslr SUNWippcore SUNWrmodr SUNWsshu SUNWcsu SUNWnfscu SUNWesu SUNWcsd SUNWipplr SUNWpsm-lpd SUNWuprl SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWftdur SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-10T18:58:56", "description": "This host is installed with Dropbear SSH and\n is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2014-11-14T00:00:00", "type": "openvas", "title": "Dropbear SSH < 0.48 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-1206", "CVE-2006-0225"], "modified": "2020-03-09T00:00:00", "id": "OPENVAS:1361412562310105118", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105118", "sourceData": "# Copyright (C) 2014 SCHUTZWERK GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:dropbear_ssh_project:dropbear_ssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105118\");\n script_version(\"2020-03-09T10:54:00+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-09 10:54:00 +0000 (Mon, 09 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-14 12:00:00 +0100 (Fri, 14 Nov 2014)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-1206\");\n script_bugtraq_id(16369, 17024);\n\n script_name(\"Dropbear SSH < 0.48 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2014 SCHUTZWERK GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_dropbear_ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"dropbear/installed\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Dropbear SSH and\n is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A large number of connection attempts that exceeds the MAX_UNAUTH_CLIENTS defined\n value of 30 is possible.\n\n - The shipped scp command of OpenSSH 4.2p1 expands filenames that contain shell metacharacters or spaces twice.\");\n script_tag(name:\"impact\", value:\"The flaws allows remote attackers to cause a denial of service\n (connection slot exhaustion) and local attackers to execute arbitrary commands.\");\n script_tag(name:\"affected\", value:\"Versions prior to Dropbear SSH 0.48 are vulnerable.\");\n script_tag(name:\"solution\", value:\"Updates are available.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/17024\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/16369\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/1572\");\n script_xref(name:\"URL\", value:\"https://matt.ucc.asn.au/dropbear/dropbear.html\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nver = eregmatch( pattern:\"^([0-9]+)\\.([0-9]+)\", string:vers );\n\nif( isnull( ver[2] ) ) exit( 0 );\n\nif( int( ver[1] ) > 0 ) exit( 99 );\n\nif( version_is_less( version:ver[2], test_version:\"48\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"0.48\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-04-09T11:41:12", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114357-17", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855030", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855030", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114357-17\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855030\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114357-17\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114357-17\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114357-17-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"114357-17\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:14", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114357-17", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855030", "href": "http://plugins.openvas.org/nasl.php?oid=855030", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114357-17\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855030);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114357-17\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114357-17\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114357-17-1\");\n\n script_summary(\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"114357-17\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:22", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-10-13T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-19", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855742", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855742", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-19\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855742\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-13 15:16:45 +0200 (Tue, 13 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-19\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name(\"Solaris Update for /usr/bin/ssh 114356-19\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-19-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-12T11:11:14", "description": "Check for the Version of Kernel", "cvss3": {}, "published": "2010-02-03T00:00:00", "type": "openvas", "title": "Solaris Update for Kernel 122301-48", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-12-12T00:00:00", "id": "OPENVAS:855853", "href": "http://plugins.openvas.org/nasl.php?oid=855853", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for Kernel 122301-48\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Kernel on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n Kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855853);\n script_version(\"$Revision: 8082 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-12 07:31:24 +0100 (Tue, 12 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-03 13:24:57 +0100 (Wed, 03 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"122301-48\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2006-0225\");\n script_name(\"Solaris Update for Kernel 122301-48\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-122301-48-1\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"122301-48\", package:\"SUNWsshcu SUNWcar.i SUNWatfsu SUNWarc SUNWmdb SUNWaudit SUNWsshdu SUNWnfssu SUNWcsl SUNWrsg SUNWrsgk SUNWsshdr SUNWvolu SUNWsshr SUNWnfssr SUNWcsr SUNWhea SUNWatfsr SUNWsshu SUNWcsu SUNWnfscu SUNWnfscr SUNWcstl SUNWudfr\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:39:42", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-10-13T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114357-18", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855771", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114357-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855771\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-13 15:16:45 +0200 (Tue, 13 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114357-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name(\"Solaris Update for /usr/bin/ssh 114357-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114357-18-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"114357-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-18T11:04:54", "description": "Check for the Version of Kernel", "cvss3": {}, "published": "2010-02-03T00:00:00", "type": "openvas", "title": "Solaris Update for Kernel 122300-48", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2018-01-17T00:00:00", "id": "OPENVAS:1361412562310855835", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855835", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for Kernel 122300-48\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Kernel on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n Kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855835\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-03 13:24:57 +0100 (Wed, 03 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"122300-48\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2006-0225\");\n script_name(\"Solaris Update for Kernel 122300-48\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-122300-48-1\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"122300-48\", package:\"SUNWcar.us SUNWatfsu SUNWarc SUNWnfssx SUNWcar.m SUNWudfrx SUNWpdx SUNWmdb SUNWaudit SUNWsshdu SUNWnfscx SUNWnfssu FJSVhea SUNWcsl SUNWrsg SUNWrsgx SUNWrsgk SUNWsshdr SUNWses SUNWefcx.u SUNWvolu SUNWsshr SUNWdrr.u SUNWdrrx.us SUNWssadx SUNWcsxu SUNWcarx.us SUNWpiclu SUNWmdbx SUNWnfssr SUNWvolr SUNWdrr.us SUNWcsr SUNWefcx.us SUNWpd SUNWhea SUNWcslx SUNWcstlx SUNWcarx.u SUNWatfsr SUNWsshu SUNWcsu SUNWcar.u SUNWnfscu SUNWdrcrx.u SUNWdrrx.u SUNWssad SUNWpdu SUNWnfscr SUNWcstl SUNWudfr\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:15", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-10-13T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-19", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855742", "href": "http://plugins.openvas.org/nasl.php?oid=855742", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-19\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855742);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-13 15:16:45 +0200 (Tue, 13 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-19\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name(\"Solaris Update for /usr/bin/ssh 114356-19\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-19-1\");\n\n script_summary(\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-20T13:18:07", "description": "Check for the Version of Kernel", "cvss3": {}, "published": "2010-02-03T00:00:00", "type": "openvas", "title": "Solaris Update for Kernel 122300-48", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-12-19T00:00:00", "id": "OPENVAS:855835", "href": "http://plugins.openvas.org/nasl.php?oid=855835", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for Kernel 122300-48\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Kernel on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n Kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855835);\n script_version(\"$Revision: 8164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-19 07:30:41 +0100 (Tue, 19 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-03 13:24:57 +0100 (Wed, 03 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"122300-48\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2006-0225\");\n script_name(\"Solaris Update for Kernel 122300-48\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-122300-48-1\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"122300-48\", package:\"SUNWcar.us SUNWatfsu SUNWarc SUNWnfssx SUNWcar.m SUNWudfrx SUNWpdx SUNWmdb SUNWaudit SUNWsshdu SUNWnfscx SUNWnfssu FJSVhea SUNWcsl SUNWrsg SUNWrsgx SUNWrsgk SUNWsshdr SUNWses SUNWefcx.u SUNWvolu SUNWsshr SUNWdrr.u SUNWdrrx.us SUNWssadx SUNWcsxu SUNWcarx.us SUNWpiclu SUNWmdbx SUNWnfssr SUNWvolr SUNWdrr.us SUNWcsr SUNWefcx.us SUNWpd SUNWhea SUNWcslx SUNWcstlx SUNWcarx.u SUNWatfsr SUNWsshu SUNWcsu SUNWcar.u SUNWnfscu SUNWdrcrx.u SUNWdrrx.u SUNWssad SUNWpdu SUNWnfscr SUNWcstl SUNWudfr\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T10:54:46", "description": "Check for the Version of Kernel", "cvss3": {}, "published": "2010-02-03T00:00:00", "type": "openvas", "title": "Solaris Update for Kernel 122301-48", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-12-21T00:00:00", "id": "OPENVAS:1361412562310855853", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855853", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for Kernel 122301-48\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Kernel on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n Kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855853\");\n script_version(\"$Revision: 8207 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 08:30:12 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-03 13:24:57 +0100 (Wed, 03 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"122301-48\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2006-0225\");\n script_name(\"Solaris Update for Kernel 122301-48\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-122301-48-1\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of Kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"122301-48\", package:\"SUNWsshcu SUNWcar.i SUNWatfsu SUNWarc SUNWmdb SUNWaudit SUNWsshdu SUNWnfssu SUNWcsl SUNWrsg SUNWrsgk SUNWsshdr SUNWvolu SUNWsshr SUNWnfssr SUNWcsr SUNWhea SUNWatfsr SUNWsshu SUNWcsu SUNWnfscu SUNWnfscr SUNWcstl SUNWudfr\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:58", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-10-13T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114357-18", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855771", "href": "http://plugins.openvas.org/nasl.php?oid=855771", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114357-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855771);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-13 15:16:45 +0200 (Tue, 13 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114357-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name(\"Solaris Update for /usr/bin/ssh 114357-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114357-18-1\");\n\n script_summary(\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"i386\", patch:\"114357-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:19", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-18", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855023", "href": "http://plugins.openvas.org/nasl.php?oid=855023", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855023);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114356-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-18-1\");\n\n script_summary(\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:41:42", "description": "Check for the Version of /usr/bin/ssh", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-18", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855023", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855023", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855023\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114356-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-18-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:09", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for kernel 120011-14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2005-2969", "CVE-2006-4339", "CVE-2007-0957", "CVE-2006-0225"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:855516", "href": "http://plugins.openvas.org/nasl.php?oid=855516", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120011-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855516);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120011-14\");\n script_cve_id(\"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2007-0957\", \"CVE-2006-0225\", \"CVE-2005-2969\");\n script_name( \"Solaris Update for kernel 120011-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120011-14-1\");\n\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"120011-14\", package:\"SUNWcakr.u SUNWsshcu SUNWpcmci SUNWcnetr SUNWcar.us SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWopenssl-include SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWidn.u SUNWsra FJSVcpcu SUNWperl584core SUNWbart SUNWkrbu SUNWdrcr.u SUNWsmapi SUNWtavor SUNWbcp SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWldomr.v SUNWiopc.v SUNWcakr.us SUNWpapi SUNWsshdu SUNWcart200.v SUNWcpr.u SUNWkvm.u SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWmdr SUNWkvm.v SUNWkvm.us FJSVhea SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWus.u SUNWcsl FJSVmdbr SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWcpc.v SUNWib SUNWkey SUNWnisu SUNWtoo SUNWsckmr SUNWdrr.u FJSVpiclu SUNWdmgtu SUNWkvmt200.v SUNWusbu SUNWefc.u SUNWpiclu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWcakr.v SUNWslpu SUNWusb SUNWcti2.u SUNWzfsr SUNWdrr.us SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWefcr SUNWaudh SUNWefcl SUNWrge SUNWtecla SUNWmdbr SUNWldomu.v SUNWpcu SUNWdscpr.u SUNWzfskr SUNWarcr SUNWmdu SUNWdcsu SUNWrcapu FJSVmdb SUNWwbsup SUNWcar.v SUNWhea SUNWqos SUNWntpu SUNWnfsckr SUNWdtrp SUNWcpc.us SUNWpl5u SUNWlibsasl SUNWcslr SUNWippcore SUNWsshu SUNWdcsr SUNWcsu SUNWust1.v SUNWcar.u SUNWnfscu SUNWesu SUNWcsd SUNWfruip.u SUNWssad SUNWcpc.u SUNWipplr SUNWpsm-lpd SUNWuprl SUNWefc.us SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWwrsm.u SUNWftdur SUNWerid SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:40:47", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2009-06-03T00:00:00", "type": "openvas", "title": "Solaris Update for kernel 120011-14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2005-2969", "CVE-2006-4339", "CVE-2007-0957", "CVE-2006-0225"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310855516", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855516", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120011-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855516\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120011-14\");\n script_cve_id(\"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\", \"CVE-2007-0957\", \"CVE-2006-0225\", \"CVE-2005-2969\");\n script_name( \"Solaris Update for kernel 120011-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120011-14-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"120011-14\", package:\"SUNWcakr.u SUNWsshcu SUNWpcmci SUNWcnetr SUNWcar.us SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWopenssl-include SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWidn.u SUNWsra FJSVcpcu SUNWperl584core SUNWbart SUNWkrbu SUNWdrcr.u SUNWsmapi SUNWtavor SUNWbcp SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWldomr.v SUNWiopc.v SUNWcakr.us SUNWpapi SUNWsshdu SUNWcart200.v SUNWcpr.u SUNWkvm.u SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWmdr SUNWkvm.v SUNWkvm.us FJSVhea SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWus.u SUNWcsl FJSVmdbr SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWcpc.v SUNWib SUNWkey SUNWnisu SUNWtoo SUNWsckmr SUNWdrr.u FJSVpiclu SUNWdmgtu SUNWkvmt200.v SUNWusbu SUNWefc.u SUNWpiclu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWcakr.v SUNWslpu SUNWusb SUNWcti2.u SUNWzfsr SUNWdrr.us SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWefcr SUNWaudh SUNWefcl SUNWrge SUNWtecla SUNWmdbr SUNWldomu.v SUNWpcu SUNWdscpr.u SUNWzfskr SUNWarcr SUNWmdu SUNWdcsu SUNWrcapu FJSVmdb SUNWwbsup SUNWcar.v SUNWhea SUNWqos SUNWntpu SUNWnfsckr SUNWdtrp SUNWcpc.us SUNWpl5u SUNWlibsasl SUNWcslr SUNWippcore SUNWsshu SUNWdcsr SUNWcsu SUNWust1.v SUNWcar.u SUNWnfscu SUNWesu SUNWcsd SUNWfruip.u SUNWssad SUNWcpc.u SUNWipplr SUNWpsm-lpd SUNWuprl SUNWefc.us SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWwrsm.u SUNWftdur SUNWerid SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T12:29:49", "description": "The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.", "cvss3": {}, "published": "2001-08-22T04:00:00", "type": "cve", "title": "CVE-2001-0572", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0572"], "modified": "2008-09-05T20:24:00", "cpe": ["cpe:/a:ssh:ssh:1.2.27", "cpe:/a:ssh:ssh:1.2.24", "cpe:/a:ssh:ssh:1.2.30", "cpe:/a:ssh:ssh:1.2.31", "cpe:/a:ssh:ssh:1.2.28", "cpe:/a:openbsd:openssh:4.5", "cpe:/a:ssh:ssh:1.2.25", "cpe:/a:ssh:ssh:1.2.29", "cpe:/a:ssh:ssh:1.2.26"], "id": "CVE-2001-0572", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0572", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ssh:ssh:1.2.29:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.26:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.28:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.25:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.24:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.30:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.31:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.27:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:26:16", "description": "Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a \"Bleichenbacher attack\" on PKCS#1 version 1.5.", "cvss3": {}, "published": "2001-06-27T04:00:00", "type": "cve", "title": "CVE-2001-0361", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2018-05-03T01:29:00", "cpe": ["cpe:/a:ssh:ssh:1.2.31", "cpe:/a:openbsd:openssh:2.1.1", "cpe:/a:openbsd:openssh:1.2.3", "cpe:/a:openbsd:openssh:2.1"], "id": "CVE-2001-0361", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0361", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ssh:ssh:1.2.31:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:09:26", "description": "sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).", "cvss3": {}, "published": "2004-12-31T05:00:00", "type": "cve", "title": "CVE-2004-2069", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2069"], "modified": "2018-10-19T15:30:00", "cpe": ["cpe:/a:openbsd:openssh:3.7.1p2", "cpe:/a:openbsd:openssh:3.6.1p2"], "id": "CVE-2004-2069", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2069", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:01:14", "description": "scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.", "cvss3": {}, "published": "2006-01-25T11:03:00", "type": "cve", "title": "CVE-2006-0225", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2018-10-19T15:43:00", "cpe": ["cpe:/a:openbsd:openssh:3.6", "cpe:/a:openbsd:openssh:3.8.1", "cpe:/a:openbsd:openssh:3.2.3p1", "cpe:/a:openbsd:openssh:3.1p1", "cpe:/a:openbsd:openssh:3.9.1", "cpe:/a:openbsd:openssh:3.1", "cpe:/a:openbsd:openssh:4.0p1", "cpe:/a:openbsd:openssh:4.1p1", "cpe:/a:openbsd:openssh:3.7.1p2", "cpe:/a:openbsd:openssh:3.2.2p1", "cpe:/a:openbsd:openssh:3.0", "cpe:/a:openbsd:openssh:3.5p1", "cpe:/a:openbsd:openssh:3.8", "cpe:/a:openbsd:openssh:3.3p1", "cpe:/a:openbsd:openssh:3.0.1p1", "cpe:/a:openbsd:openssh:3.9", "cpe:/a:openbsd:openssh:3.0.2", "cpe:/a:openbsd:openssh:3.3", "cpe:/a:openbsd:openssh:3.6.1", "cpe:/a:openbsd:openssh:3.0p1", "cpe:/a:openbsd:openssh:3.9.1p1", "cpe:/a:openbsd:openssh:3.8.1p1", "cpe:/a:openbsd:openssh:3.6.1p1", "cpe:/a:openbsd:openssh:3.4", "cpe:/a:openbsd:openssh:4.2p1", "cpe:/a:openbsd:openssh:3.5", "cpe:/a:openbsd:openssh:3.4p1", "cpe:/a:openbsd:openssh:3.2", "cpe:/a:openbsd:openssh:3.0.2p1", "cpe:/a:openbsd:openssh:3.6.1p2", "cpe:/a:openbsd:openssh:3.7", "cpe:/a:openbsd:openssh:3.7.1", "cpe:/a:openbsd:openssh:3.0.1"], "id": "CVE-2006-0225", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0225", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:23:33", "description": "OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.", "cvss3": {}, "published": "2006-03-07T02:02:00", "type": "cve", "title": "CVE-2006-0883", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0883"], "modified": "2017-07-20T01:30:00", "cpe": ["cpe:/a:openbsd:openssh:3.8.1p1", "cpe:/o:freebsd:freebsd:5.3", "cpe:/o:freebsd:freebsd:5.4"], "id": "CVE-2006-0883", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0883", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:5.4:pre-release:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.3:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.3:release:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.3:releng:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.4:release:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.4:stable:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.4:releng:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:5.3:stable:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:39:03", "description": "rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call certain helper applications, which allows local users to gain privileges by creating files with certain names, possibly containing shell metacharacters or spaces, a similar issue to CVE-2006-0225.", "cvss3": {}, "published": "2007-07-12T16:30:00", "type": "cve", "title": "CVE-2007-3717", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0225", "CVE-2007-3717"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/o:sun:sunos:5.10", "cpe:/o:sun:sunos:5.9", "cpe:/o:sun:sunos:5.8"], "id": "CVE-2007-3717", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3717", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:sun:sunos:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.10:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:47:20", "description": "", "cvss3": {}, "published": "2005-02-01T00:00:00", "type": "checkpoint_advisories", "title": "SSH over Non Standard Ports (CVE-2001-0361)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2019-04-01T00:00:00", "id": "CPAI-2001-0002", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-17T12:47:27", "description": "", "cvss3": {}, "published": "2005-02-01T00:00:00", "type": "checkpoint_advisories", "title": "SSH Older Versions Control (CVE-2001-0361)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2013-01-01T00:00:00", "id": "CPAI-2001-0003", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2016-04-13T01:13:24", "description": "SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that workaround three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied with Iv\u00c3\u00a1n Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called \"crc32 compensation attack\", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentionally results in a remote root compromise. There are easy resorts that can be offered: a) switch to openssh (please use the openssh packages on ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible to the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.", "cvss3": {}, "published": "2000-02-16T18:00:00", "type": "suse", "title": "possible remote root compromise in ssh", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2000-02-16T18:00:00", "id": "SUSE-SA:2001:04", "href": "http://lists.opensuse.org/opensuse-security-announce/2001-02/msg00004.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:02:17", "description": "A problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration.\n#### Solution\nThere is no known workaround, please install the update packages.", "cvss3": {}, "published": "2006-02-14T10:41:38", "type": "suse", "title": "remote code execution in openssh", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2006-02-14T10:41:38", "id": "SUSE-SA:2006:008", "href": "http://lists.opensuse.org/opensuse-security-announce/2006-02/msg00015.html", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2021-09-28T17:53:59", "description": "### Overview\n\nAn implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH.\n\n### Description\n\nA weakness in some SSH products using the SSH1 protocol may allow an attacker to determine internal cryptologic states. Combined with a weakness in the PKCS#1_1.5 public key encryption standard, used by SSH protocol 1.5, this vulnerability may be exploited to recover arbitrary session keys used for symmetric encryption in SSH connections. It has been reported that these vulnerabilities are relatively difficult to exploit. \n \n--- \n \n### Impact\n\nAn attacker may recover an SSH connection's session key and decrypt all communications from the connection. \n \n--- \n \n### Solution\n\n**Apply a patch available from your vendor**\n\nThis vulnerability was first reported and patched in early 2001. \n \n--- \n \n**Reduce potential exposure** \n \nDisable all variants of SSH protocols 1.5 and older on the server. \n \n--- \n \n### Vendor Information\n\n161576\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### OpenSSH __ Affected\n\nNotified: December 09, 2001 Updated: June 07, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMarkus Friedl of OpenSSH writes:\n\n\"OpenSSH-2.2.0 and later fix this problem by imposing a limit to the numbers of allowed connections. Versions earlier than 2.3.0 should not be used, because the suffer the CRC32 bug. \n \n\"Later versions of OpenSSH (2.5.* and later) add additional countermeasures (like not calling fatal() on RSA operation failures and adding random cookies for each new generated server key, see the source for defails).\"\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23161576 Feedback>).\n\n### SSH Communications Security __ Unknown\n\nNotified: December 09, 2001 Updated: June 12, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nTatu Ylonen of SSH Communications Security writes:\n\n\"SSH1 has been officially deprecated for some time now. I strongly urge all users to switch to the latest SSH Secure Shell (or generally to the version 2 of the Secure Shell protocol). The version 1.x protocol suffers from many security problems. \n \n\"I do, however, have reason to believe that the issue reported here may be a fluke. There was discussion about the Bleisenbacher attack against SSH1 some years ago (after the attack became public), and the general conclusion at that time was that it didn't affect Secure Shell. The session key in SSH1 is encrypted TWICE, once by the server key, and once by the host key. To decrypt the session key, one would need to be able to determine BOTH the server key and the host key. I am not aware of a variant of the Bleisenbacher attack that would do this.... \n \n\"As a fix, I would add upgrading to the lastest version (ssh-3.1.2, or ssh-1.2.33 if one insists on using the deprecated 1.x protocol).\"\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23161576 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://www.securityfocus.com/bid/2344>\n * <http://securityportal.com/articles/magicnumbers20010227.html>\n\n### Acknowledgements\n\nThanks to CORE SDI for reporting this vulnerability and to Markus Friedl and Tatu Ylonen for their helpful clarifications.\n\nThis document was written by Shawn Van Ittersum.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0361](<http://web.nvd.nist.gov/vuln/detail/CVE-2001-0361>) \n---|--- \n**Severity Metric:** | 6.48 \n**Date Public:** | 2001-02-13 \n**Date First Published:** | 2002-07-31 \n**Date Last Updated: ** | 2002-07-31 23:01 UTC \n**Document Revision: ** | 20 \n", "cvss3": {}, "published": "2002-07-31T00:00:00", "type": "cert", "title": "Certain implementations of SSH1 may reveal internal cryptologic state", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2002-07-31T23:01:00", "id": "VU:161576", "href": "https://www.kb.cert.org/vuls/id/161576", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-07-09T17:35:00", "description": "sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).", "cvss3": {}, "published": "2004-12-31T05:00:00", "type": "debiancve", "title": "CVE-2004-2069", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2069"], "modified": "2004-12-31T05:00:00", "id": "DEBIANCVE:CVE-2004-2069", "href": "https://security-tracker.debian.org/tracker/CVE-2004-2069", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-09T17:30:46", "description": "scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.", "cvss3": {}, "published": "2006-01-25T11:03:00", "type": "debiancve", "title": "CVE-2006-0225", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-01-25T11:03:00", "id": "DEBIANCVE:CVE-2006-0225", "href": "https://security-tracker.debian.org/tracker/CVE-2006-0225", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-09T17:35:01", "description": "OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.", "cvss3": {}, "published": "2006-03-07T02:02:00", "type": "debiancve", "title": "CVE-2006-0883", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0883"], "modified": "2006-03-07T02:02:00", "id": "DEBIANCVE:CVE-2006-0883", "href": "https://security-tracker.debian.org/tracker/CVE-2006-0883", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2022-02-27T16:03:39", "description": "**CentOS Errata and Security Advisory** CESA-2005:550\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\nincludes the core files necessary for both the OpenSSH client and server. \r\n\r\nA bug was found in the way the OpenSSH server handled the MaxStartups and\r\nLoginGraceTime configuration variables. A malicious user could connect to\r\nthe SSH daemon in such a way that it would prevent additional logins from\r\noccuring until the malicious connections are closed. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\r\nCAN-2004-2069 to this issue.\r\n\r\nAdditionally, the following issues are resolved with this update:\r\n\r\n- The -q option of the ssh client did not suppress the banner message sent\r\nby the server, which caused errors when used in scripts.\r\n\r\n- The sshd daemon failed to close the client connection if multiple X\r\nclients were forwarded over the connection and the client session exited.\r\n\r\n- The sftp client leaked memory if used for extended periods.\r\n\r\n- The sshd daemon called the PAM functions incorrectly if the user was\r\nunknown on the system.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches and resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2005-September/049135.html\nhttps://lists.centos.org/pipermail/centos-announce/2005-September/049140.html\nhttps://lists.centos.org/pipermail/centos-announce/2005-September/049148.html\nhttps://lists.centos.org/pipermail/centos-announce/2005-September/049149.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2005:550", "cvss3": {}, "published": "2005-09-28T16:13:14", "type": "centos", "title": "openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2069"], "modified": "2005-09-28T21:15:12", "id": "CESA-2005:550", "href": "https://lists.centos.org/pipermail/centos-announce/2005-September/049135.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-02-27T15:59:59", "description": "**CentOS Errata and Security Advisory** CESA-2006:0044\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. \r\n\r\nThe following issue has also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\nAdditionally, this update implements auditing of user logins through the\r\nsystem audit service.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2006-March/049621.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-March/049625.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-March/049629.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-March/049650.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-March/049657.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2006:0044", "cvss3": {}, "published": "2006-03-08T00:16:52", "type": "centos", "title": "openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-03-13T14:28:10", "id": "CESA-2006:0044", "href": "https://lists.centos.org/pipermail/centos-announce/2006-March/049621.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-27T15:58:16", "description": "**CentOS Errata and Security Advisory** CESA-2006:0298\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nThe following issues have also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\n* When privilege separation was enabled, the last login message was printed\r\n only for the root user.\r\n\r\n* The sshd daemon was sending messages to the system log from a signal\r\n handler when debug logging was enabled. This could cause a deadlock of\r\n the user's connection.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2006-August/050012.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-August/050013.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-July/049969.html\nhttps://lists.centos.org/pipermail/centos-announce/2006-July/049971.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2006:0298", "cvss3": {}, "published": "2006-07-20T15:13:49", "type": "centos", "title": "openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225"], "modified": "2006-08-03T13:59:39", "id": "CESA-2006:0298", "href": "https://lists.centos.org/pipermail/centos-announce/2006-July/049969.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-27T15:57:36", "description": "**CentOS Errata and Security Advisory** CESA-2006:0698-01\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd\r\nserver. A remote attacker could possibly leverage this flaw to cause a\r\ndenial of service (crash). (CVE-2006-5051) The OpenSSH project believes the\r\nlikelihood of successful exploitation leading to arbitrary code execution\r\nappears remote. However, the Red Hat Security Response Team have not yet\r\nbeen able to verify this claim due to lack of upstream vulnerability\r\ninformation. We are therefore including a fix for this flaw and have rated\r\nit important security severity in the event our continued investigation\r\nfinds this issue to be exploitable.\r\n\r\nTavis Ormandy of the Google Security Team discovered a denial of service\r\nbug in the OpenSSH sshd server. A remote attacker can send a specially\r\ncrafted SSH-1 request to the server causing sshd to consume a large\r\nquantity of CPU resources. (CVE-2006-4924)\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2006-October/050229.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n", "cvss3": {}, "published": "2006-10-02T01:42:56", "type": "centos", "title": "openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051"], "modified": "2006-10-02T01:42:56", "id": "CESA-2006:0698-01", "href": "https://lists.centos.org/pipermail/centos-announce/2006-October/050229.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-21T04:44:42", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\nincludes the core files necessary for both the OpenSSH client and server. \r\n\r\nA bug was found in the way the OpenSSH server handled the MaxStartups and\r\nLoginGraceTime configuration variables. A malicious user could connect to\r\nthe SSH daemon in such a way that it would prevent additional logins from\r\noccuring until the malicious connections are closed. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\r\nCAN-2004-2069 to this issue.\r\n\r\nAdditionally, the following issues are resolved with this update:\r\n\r\n- The -q option of the ssh client did not suppress the banner message sent\r\nby the server, which caused errors when used in scripts.\r\n\r\n- The sshd daemon failed to close the client connection if multiple X\r\nclients were forwarded over the connection and the client session exited.\r\n\r\n- The sftp client leaked memory if used for extended periods.\r\n\r\n- The sshd daemon called the PAM functions incorrectly if the user was\r\nunknown on the system.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches and resolve these issues.", "cvss3": {}, "published": "2005-09-28T00:00:00", "type": "redhat", "title": "(RHSA-2005:550) openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2069"], "modified": "2017-07-29T16:28:04", "id": "RHSA-2005:550", "href": "https://access.redhat.com/errata/RHSA-2005:550", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-21T04:43:22", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. \r\n\r\nThe following issue has also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\nAdditionally, this update implements auditing of user logins through the\r\nsystem audit service.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.", "cvss3": {}, "published": "2006-03-07T12:56:55", "type": "redhat", "title": "(RHSA-2006:0044) openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2017-09-08T08:09:39", "id": "RHSA-2006:0044", "href": "https://access.redhat.com/errata/RHSA-2006:0044", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-21T04:46:48", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nThe following issues have also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\n* When privilege separation was enabled, the last login message was printed\r\n only for the root user.\r\n\r\n* The sshd daemon was sending messages to the system log from a signal\r\n handler when debug logging was enabled. This could cause a deadlock of\r\n the user's connection.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.", "cvss3": {}, "published": "2006-07-20T09:25:51", "type": "redhat", "title": "(RHSA-2006:0298) openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225"], "modified": "2017-07-29T16:31:10", "id": "RHSA-2006:0298", "href": "https://access.redhat.com/errata/RHSA-2006:0298", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-21T04:47:11", "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd\r\nserver. A remote attacker could possibly leverage this flaw to cause a\r\ndenial of service (crash). (CVE-2006-5051) The OpenSSH project believes the\r\nlikelihood of successful exploitation leading to arbitrary code execution\r\nappears remote. However, the Red Hat Security Response Team have not yet\r\nbeen able to verify this claim due to lack of upstream vulnerability\r\ninformation. We are therefore including a fix for this flaw and have rated\r\nit important security severity in the event our continued investigation\r\nfinds this issue to be exploitable.\r\n\r\nTavis Ormandy of the Google Security Team discovered a denial of service\r\nbug in the OpenSSH sshd server. A remote attacker can send a specially\r\ncrafted SSH-1 request to the server causing sshd to consume a large\r\nquantity of CPU resources. (CVE-2006-4924)\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.", "cvss3": {}, "published": "2006-09-28T00:00:00", "type": "redhat", "title": "(RHSA-2006:0698) openssh security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0386", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051"], "modified": "2018-03-14T15:26:44", "id": "RHSA-2006:0698", "href": "https://access.redhat.com/errata/RHSA-2006:0698", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:18:08", "description": "### Background\n\nOpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality. Dropbear is an SSH server and client designed with a small memory footprint that includes OpenSSH scp code. \n\n### Description\n\nTo copy from a local filesystem to another local filesystem, scp constructs a command line using 'cp' which is then executed via system(). Josh Bressers discovered that special characters are not escaped by scp, but are simply passed to the shell. \n\n### Impact\n\nBy tricking other users or applications to use scp on maliciously crafted filenames, a local attacker user can execute arbitrary commands with the rights of the user running scp. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-4.2_p1-r1\"\n\nAll Dropbear users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/dropbear-0.47-r1\"", "cvss3": {}, "published": "2006-02-20T00:00:00", "type": "gentoo", "title": "OpenSSH, Dropbear: Insecure use of system() call", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-02-20T00:00:00", "id": "GLSA-200602-11", "href": "https://security.gentoo.org/glsa/200602-11", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:47:27", "description": "scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via\nfilenames that contain shell metacharacters or spaces, which are expanded\ntwice.", "cvss3": {}, "published": "2006-01-25T00:00:00", "type": "ubuntucve", "title": "CVE-2006-0225", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-01-25T00:00:00", "id": "UB:CVE-2006-0225", "href": "https://ubuntu.com/security/CVE-2006-0225", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T14:47:16", "description": "OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly\nhandle when a forked child process terminates during PAM authentication,\nwhich allows remote attackers to cause a denial of service (client\nconnection refusal) by connecting multiple times to the SSH server, waiting\nfor the password prompt, then disconnecting.", "cvss3": {}, "published": "2006-03-07T00:00:00", "type": "ubuntucve", "title": "CVE-2006-0883", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0883"], "modified": "2006-03-07T00:00:00", "id": "UB:CVE-2006-0883", "href": "https://ubuntu.com/security/CVE-2006-0883", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "seebug": [{"lastseen": "2017-11-19T22:01:34", "description": "CVE ID:CVE-2006-0225\r\nCNCVE ID:CNCVE-20060225\r\nAvaya Call Management System\u662f\u4e00\u6b3eAvaya\u7684\u8fd0\u8425\u6548\u7387\u89e3\u51b3\u65b9\u6848\uff0c\u63d0\u4f9b\u96c6\u6210\u7684\u5206\u6790\u4e0e\u62a5\u544a\u3002\r\n\r\n\u8fd0\u884c\u5728Sun Solaris\u4e0a\u7684CMS\u548cIR\u5e94\u7528\u7a0b\u5e8f\u5904\u7406scp\u547d\u4ee4\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u95ee\u9898\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u7528\u6237\u7279\u6743\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\r\n\r\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\n0\nAvaya Call Management System (CMS)\n\u53ef\u53c2\u8003\u5982\u4e0b\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\n\r\n<a href="http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm" target="_blank">http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm</a>", "cvss3": {}, "published": "2007-07-10T00:00:00", "title": "Avaya CMS / IR Solaris scp\u547d\u4ee4\u884cshell\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2006-0225"], "modified": "2007-07-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-1979", "id": "SSV:1979", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2021-07-28T14:46:55", "description": "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/openssh-4.3p1-i486-1.tgz: Upgraded to openssh-4.3p1.\n This fixes a security issue when using scp to copy files that could\n cause commands embedded in filenames to be executed.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-4.3p1-i386-1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-4.3p1-i386-1.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-4.3p1-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\ne48cf3c1dd582b5e21e6acc3daea1af0 openssh-4.3p1-i386-1.tgz\n\nSlackware 9.0 package:\n47ad2060666d1beafec836ad3c20d5fd openssh-4.3p1-i386-1.tgz\n\nSlackware 9.1 package:\nb795fea0fa188746c2b5edc93273e7b7 openssh-4.3p1-i486-1.tgz\n\nSlackware 10.0 package:\nf02633326a65201fcb1187cf86d101f4 openssh-4.3p1-i486-1.tgz\n\nSlackware 10.1 package:\nadbdf45d3476c146c40f3990665cf2bf openssh-4.3p1-i486-1.tgz\n\nSlackware 10.2 package:\n8ca842462851056fa3ce129dae847fbe openssh-4.3p1-i486-1.tgz\n\nSlackware -current package:\ndf20d506217f453e60190120b1c69a8e openssh-4.3p1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-4.3p1-i486-1.tgz\n\nNext, restart the sshd daemon:\n. /etc/rc.d/rc.sshd restart", "cvss3": {}, "published": "2006-02-15T00:27:52", "type": "slackware", "title": "[slackware-security] openssh", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-02-15T00:27:52", "id": "SSA-2006-045-06", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2022-01-04T13:36:06", "description": "Tomas Mraz discovered a shell code injection flaw in scp. When doing \nlocal-to-local or remote-to-remote copying, scp expanded shell escape \ncharacters. By tricking an user into using scp on a specially crafted \nfile name (which could also be caught by using an innocuous wild card \nlike '*'), an attacker could exploit this to execute arbitrary shell \ncommands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on \nuntrusted file names, since it needs to stay compatible with rcp. \nPlease use sftp for automated systems and potentially untrusted file \nnames.\n", "cvss3": {}, "published": "2006-02-22T00:00:00", "type": "ubuntu", "title": "openssh vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2006-02-22T00:00:00", "id": "USN-255-1", "href": "https://ubuntu.com/security/notices/USN-255-1", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T16:03:50", "description": "\n\nProblem description:\nBecause OpenSSH and OpenPAM have conflicting designs (one is event-\n\t driven while the other is callback-driven), it is necessary for\n\t OpenSSH to fork a child process to handle calls to the PAM framework.\n\t However, if the unprivileged child terminates while PAM authentication\n\t is under way, the parent process incorrectly believes that the PAM\n\t child also terminated. The parent process then terminates, and the\n\t PAM child is left behind.\nDue to the way OpenSSH performs internal accounting, these orphaned\n\t PAM children are counted as pending connections by the master OpenSSH\n\t server process. Once a certain number of orphans has accumulated, the\n\t master decides that it is overloaded and stops accepting client\n\t connections.\nImpact:\nBy repeatedly connecting to a vulnerable server, waiting for\n\t a password prompt, and closing the connection, an attacker can\n\t cause OpenSSH to stop accepting client connections until the\n\t system restarts or an administrator manually kills the orphaned\n\t PAM processes.\nWorkaround:\nThe following command will show a list of orphaned PAM\n\t processes:\n# pgrep -lf 'sshd.*\\[pam\\]'\nThe following command will kill orphaned PAM processes:\n# pkill -f 'sshd.*\\[pam\\]'\nTo prevent OpenSSH from leaving orphaned PAM processes behind,\n\t perform one of the following:\n\n\nDisable PAM authentication in OpenSSH. Users will still\n\t be able to log in using their Unix password, OPIE or SSH\n\t keys.\nTo do this, execute the following commands as root:\n# echo 'UsePAM no' >>/etc/ssh/sshd_config\n# echo 'PasswordAuthentication yes' >>/etc/ssh/sshd_config\n# /etc/rc.d/sshd restart\n\n\nIf disabling PAM is not an option - if, for instance, you use\n\t RADIUS authentication, or store user passwords in an SQL database\n\t - you may instead disable privilege separation. However, this may\n\t leave OpenSSH vulnerable to hitherto unknown bugs, and should be\n\t considered a last resort.\nTo do this, execute the following commands as root:\n# echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config\n# /etc/rc.d/sshd restart\n\n\n\n", "cvss3": {}, "published": "2006-03-01T00:00:00", "type": "freebsd", "title": "openssh -- remote denial of service", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-0883"], "modified": "2016-08-09T00:00:00", "id": "6A308E8E-B1B4-11DA-B2FB-000E0C2E438A", "href": "https://vuxml.freebsd.org/freebsd/6a308e8e-b1b4-11da-b2fb-000e0c2e438a.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:16", "bulletinFamily": "software", "cvelist": ["CVE-2006-0883"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n=============================================================================\r\nFreeBSD-SA-06:09.openssh Security Advisory\r\n The FreeBSD Project\r\n\r\nTopic: Remote denial of service in OpenSSH\r\n\r\nCategory: contrib\r\nModule: OpenSSH\r\nAnnounced: 2006-03-01\r\nAffects: FreeBSD 5.3 and 5.4\r\nCorrected: 2006-03-01 14:19:48 UTC (RELENG_5, 5.5-PRERELEASE)\r\n 2006-03-01 14:21:01 UTC (RELENG_5_4, 5.4-RELEASE-p12)\r\n 2006-03-01 14:24:52 UTC (RELENG_5_3, 5.3-RELEASE-p27)\r\nCVE Name: CVE-2006-0883\r\n\r\nFor general information regarding FreeBSD Security Advisories,\r\nincluding descriptions of the fields above, security branches, and the\r\nfollowing sections, please visit\r\n<URL:http://www.freebsd.org/security/>.\r\n\r\n0. Revision History\r\n\r\nv1.0 2006-03-01 Initial release.\r\nv1.1 2006-03-01 Corrected workaround instructions.\r\n\r\nI. Background\r\n\r\nOpenSSH is an implementation of the SSH protocol suite, providing an\r\nencrypted, authenticated transport for a variety of services,\r\nincluding remote shell access.\r\n\r\nPrivilege separation is a mechanism used by OpenSSH to protect itself\r\nagainst possible future vulnerabilities. It works by splitting the\r\nserver process in two: the child process drops its privileges and\r\ncarries on the conversation with the client, while the parent retains\r\nits privileges, monitors the child, and performs privileged operations\r\non behalf of the child when it is satisified that everything is in\r\norder. Privilege separation is enabled by default in FreeBSD.\r\n\r\nOpenPAM is an implementation of the PAM framework, which allows the\r\nuse of loadable modules to implement user authentication and session\r\nmanagement in a manner defined by the administrator. It is used by\r\nOpenSSH and numerous other applications in FreeBSD to provide a\r\nconsistent and configurable authentication system.\r\n\r\nII. Problem Description\r\n\r\nBecause OpenSSH and OpenPAM have conflicting designs (one is event-\r\ndriven while the other is callback-driven), it is necessary for\r\nOpenSSH to fork a child process to handle calls to the PAM framework.\r\nHowever, if the unprivileged child terminates while PAM authentication\r\nis under way, the parent process incorrectly believes that the PAM\r\nchild also terminated. The parent process then terminates, and the\r\nPAM child is left behind.\r\n\r\nDue to the way OpenSSH performs internal accounting, these orphaned\r\nPAM children are counted as pending connections by the master OpenSSH\r\nserver process. Once a certain number of orphans has accumulated, the\r\nmaster decides that it is overloaded and stops accepting client\r\nconnections.\r\n\r\nIII. Impact\r\n\r\nBy repeatedly connecting to a vulnerable server, waiting for a\r\npassword prompt, and closing the connection, an attacker can cause\r\nOpenSSH to stop accepting client connections until the system restarts\r\nor an administrator manually kills the orphaned PAM processes.\r\n\r\nIV. Workaround\r\n\r\nThe following command will show a list of orphaned PAM processes:\r\n\r\n# pgrep -lf 'sshd.*\[pam\]'\r\n\r\nThe following command will kill orphaned PAM processes:\r\n\r\n# pkill -f 'sshd.*\[pam\]'\r\n\r\nTo prevent OpenSSH from leaving orphaned PAM processes behind, perform\r\none of the following:\r\n\r\n1) Disable PAM authentication in OpenSSH. Users will still be able to\r\n log in using their Unix password, OPIE or SSH keys.\r\n\r\n To do this, execute the following commands as root:\r\n\r\n# echo 'UsePAM no' >>/etc/ssh/sshd_config\r\n# /etc/rc.d/sshd restart\r\n\r\n2) If disabling PAM is not an option - if, for instance, you use\r\n RADIUS authentication, or store user passwords in an SQL database -\r\n you may instead disable privilege separation. However, this may\r\n leave OpenSSH vulnerable to hitherto unknown bugs, and should be\r\n considered a last resort.\r\n\r\n To do this, execute the following commands as root:\r\n\r\n# echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config\r\n# /etc/rc.d/sshd restart\r\n\r\nV. Solution\r\n\r\nPerform one of the following:\r\n\r\n1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_4 or\r\n RELENG_5_3 security branch dated after the correction date.\r\n\r\n2) To patch your present system:\r\n\r\nThe following patches have been verified to apply to FreeBSD 5.3 and\r\n5.4 systems.\r\n\r\na) Download the relevant patch from the location below, and verify the\r\ndetached PGP signature using your PGP utility.\r\n\r\n# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:09/openssh.patch\r\n# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:09/openssh.patch.asc\r\n\r\nb) Execute the following commands as root:\r\n\r\n# cd /usr/src\r\n# patch < /path/to/patch\r\n# cd /usr/src/secure/lib/libssh\r\n# make obj && make depend && make && make install\r\n# cd /usr/src/secure/usr.sbin/sshd\r\n# make obj && make depend && make && make install\r\n# /etc/rc.d/sshd restart\r\n\r\nVI. Correction details\r\n\r\nThe following list contains the revision numbers of each file that was\r\ncorrected in FreeBSD.\r\n\r\nBranch Revision\r\n Path\r\n- -------------------------------------------------------------------------\r\nRELENG_5\r\n src/crypto/openssh/auth-pam.c 1.14.2.1\r\n src/crypto/openssh/ssh_config 1.25.2.1\r\n src/crypto/openssh/ssh_config.5 1.15.2.1\r\n src/crypto/openssh/sshd_config 1.40.2.1\r\n src/crypto/openssh/sshd_config.5 1.21.2.1\r\n src/crypto/openssh/version.h 1.27.2.1\r\nRELENG_5_4\r\n src/UPDATING 1.342.2.24.2.21\r\n src/sys/conf/newvers.sh 1.62.2.18.2.17\r\n src/crypto/openssh/auth-pam.c 1.14.6.1\r\n src/crypto/openssh/ssh_config 1.25.6.1\r\n src/crypto/openssh/ssh_config.5 1.15.6.1\r\n src/crypto/openssh/sshd_config 1.40.6.1\r\n src/crypto/openssh/sshd_config.5 1.21.6.1\r\n src/crypto/openssh/version.h 1.27.6.1\r\nRELENG_5_3\r\n src/UPDATING 1.342.2.13.2.30\r\n src/sys/conf/newvers.sh 1.62.2.15.2.32\r\n src/crypto/openssh/auth-pam.c 1.14.4.1\r\n src/crypto/openssh/ssh_config 1.25.4.1\r\n src/crypto/openssh/ssh_config.5 1.15.4.1\r\n src/crypto/openssh/sshd_config 1.40.4.1\r\n src/crypto/openssh/sshd_config.5 1.21.4.1\r\n src/crypto/openssh/version.h 1.27.4.1\r\n- -------------------------------------------------------------------------\r\n\r\nVII. References\r\n\r\nhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248125\r\nhttp://bugzilla.mindrot.org/show_bug.cgi?id=839\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0883\r\n\r\nThe latest revision of this advisory is available at\r\nftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:09.openssh.asc\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2 (FreeBSD)\r\n\r\niD8DBQFEBcVoFdaIBMps37IRAtciAJ0ZEisuqx4lAtn2vr+44e4mrWYQuQCeLLRB\r\nkUuFQBE4Jy3SJeI+07wnknA=\r\n=esdm\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2006-03-01T00:00:00", "published": "2006-03-01T00:00:00", "id": "SECURITYVULNS:DOC:11639", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:11639", "title": "FreeBSD Security Advisory FreeBSD-SA-06:09.openssh [REVISED]", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:20", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- - -------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2006-0006\r\nSynopsis: VMware ESX Server 2.5.3 Upgrade Patch 4\r\nPatch URL: http://www.vmware.com/download/esx/esx-253-200610-patch.html\r\nIssue date: 2006-10-31\r\nUpdated on: 2006-11-13\r\nCVE Names: CAN-2004-2069 CVE-2006-3403 CVE-2005-2177\r\n CVE-2006-3467 CVE-2006-1056 CVE-2006-1342\r\n CVE-2006-1343 CVE-2006-1864 CVE-2006-2071\r\n- - -------------------------------------------------------------------\r\n\r\n1. Summary:\r\n\r\nUpdated package addresses several security issues.\r\n\r\n2. Relevant releases:\r\n\r\nVMware ESX 2.5.3 prior to upgrade patch 4\r\n\r\n3. Problem description:\r\n\r\nThis patch addresses the following security issues:\r\n\r\nOpenssh -- A bug was found in the way the OpenSSH server handled the\r\nMaxStartups and LoginGraceTime configuration variables. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCAN-2004-2069 to this issue.\r\n\r\nsamba -- A denial of service bug was found in the way the smbd daemon\r\ntracks active connections to shares. It was possible for a remote\r\nattacker to cause the smbd daemon to consume a large amount of system\r\nmemory by sending carefully crafted smb requests. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCVE-2006-3403 to this issue.\r\n\r\nPython -- An integer overflow flaw was found in Python's PCRE library\r\nthat could be triggered by a maliciously crafted regular expression. On\r\nsystems that accept arbitrary regular expressions from untrusted users,\r\nthis could be exploited to execute arbitrary code with the privileges of\r\nthe application using the library. The Common Vulnerabilities and\r\nExposures project (cve.mitre.org) assigned the name CVE-2005-2491 to\r\nthis issue.\r\n\r\nucd-snmp -- A denial of service bug was found in the way ucd-snmp uses\r\nnetwork stream protocols. A remote attacker could send a ucd-snmp agent\r\na specially crafted packet which will cause the agent to crash. The\r\nCommon Vulnerabilities and Exposures project (cve.mitre.org) assigned\r\nthe name CAN-2005-2177 to this issue.\r\n\r\nXFree86 -- An integer overflow flaw in the way the XFree86 server\r\nprocesses PCF font files was discovered. A malicious authorized client\r\ncould exploit this issue to cause a denial of service (crash) or\r\npotentially execute arbitrary code with root privileges on the XFree86\r\nserver. The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nassigned the name CVE-2006-3467 to this issue.\r\n\r\nAn AMD fxsave/restore security vulnerability. The instructions fxsave\r\nand fxrstor on AMD CPUs are used to save or restore the FPU registers\r\n(FOP, FIP and FDP). On AMD Opteron processors, these instructions do not\r\nsave/restore some exception related registers unless an exception is\r\ncurrently being serviced. This could allow a local attacker to partially\r\nmonitor the execution path of FPU processes, possibly allowing them to\r\nobtain sensitive information being passed through those processes. The\r\nCommon Vulnerabilities and Exposures project (cve.mitre.org) assigned\r\nthe name CVE-2006-1056 to this issue.\r\n\r\nA minor info leak in socket name handling in the network code\r\n(CVE-2006-1342).\r\nA minor info leak in socket option handling in the network code\r\n(CVE-2006-1343).\r\nA directory traversal vulnerability in smbfs that allowed a local user\r\nto escape chroot restrictions for an SMB-mounted filesystem via "..\\"\r\nsequences (CVE-2006-1864).\r\nA flaw in the mprotect system call that allowed to give write permission\r\nto a readonly attachment of shared memory (CVE-2006-2071).\r\n\r\nThe non-security-related fixes are documented on the patch download page.\r\n\r\n4. Solution:\r\n\r\nUpgrade to the latest update package for your release of ESX.\r\nhttp://www.vmware.com/download/esx/\r\n\r\nhttp://www.vmware.com/download/esx/esx-253-200610-patch.html\r\n\r\nThe md5 checksum output should match the following:\r\n4852f5a00e29b5780d9d0fadc0d28f3e esx-2.5.3-32134-upgrade.tar.gz\r\n\r\nPlease DO NOT apply this patch on SunFire X4100 or X4200 servers.\r\nFor further details, please refer to knowledge base article 2085:\r\nInstalling ESX 2.5.3 on SunFire x4100 and x4200 Servers.\r\nhttp://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2085\r\n\r\n5. References:\r\nhttp://www.vmware.com/download/esx/esx-253-200610-patch.html\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071\r\nhttp://www.vmware.com/products/esx/\r\nhttp://www.vmware.com/download/esx/\r\n\r\n6. Contact:\r\n\r\nhttp://www.vmware.com/security\r\n\r\nVMware Security Response Policy\r\nhttp://www.vmware.com/vmtn/technology/security/security_response.html\r\n\r\nE-mail: security@vmware.com\r\n\r\nCopyright 2006 VMware Inc. All rights reserved.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\nComment: Using GnuPG with Fedora - http://enigmail.mozdev.org\r\n\r\niD8DBQFFWP476KjQhy2pPmkRCD9rAKC9xQ9ej+t23opBsZn5BY6w736lmQCfQ9WA\r\n5PuJxKgAYF2RTeQoXM7lr1I=\r\n=miw3\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2006-11-14T00:00:00", "title": "VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-1056", "CVE-2006-1343", "CVE-2006-3467", "CVE-2006-2071", "CVE-2005-2491", "CVE-2006-1864", "CVE-2004-2069", "CVE-2006-1342", "CVE-2005-2177", "CVE-2006-3403"], "modified": "2006-11-14T00:00:00", "id": "SECURITYVULNS:DOC:15015", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15015", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:20", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- - -------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2006-0008\r\nSynopsis: VMware ESX Server 2.0.2 Upgrade Patch 2\r\nPatch URL: http://www.vmware.com/download/esx/esx-202-200610-patch.html\r\nIssue date: 2006-10-31\r\nUpdated on: 2006-11-13\r\nCVE Names: CAN-2004-2069 CVE-2006-3403 CVE-2005-2177\r\n CVE-2006-3467 CVE-2006-1342 CVE-2006-1343\r\n CVE-2006-1864 CVE-2006-2071\r\n- - -------------------------------------------------------------------\r\n\r\n1. Summary:\r\n\r\nUpdated package addresses several security issues.\r\n\r\n2. Relevant releases:\r\n\r\nVMware ESX 2.0.2 prior to upgrade patch 2\r\n\r\n3. Problem description:\r\n\r\nThis patch addresses the following security issues:\r\n\r\nOpenssh -- A bug was found in the way the OpenSSH server handled the\r\nMaxStartups and LoginGraceTime configuration variables. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCAN-2004-2069 to this issue.\r\n\r\nsamba -- A denial of service bug was found in the way the smbd daemon\r\ntracks active connections to shares. It was possible for a remote\r\nattacker to cause the smbd daemon to consume a large amount of system\r\nmemory by sending carefully crafted smb requests. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCVE-2006-3403 to this issue.\r\n\r\nPython -- An integer overflow flaw was found in Python's PCRE library\r\nthat could be triggered by a maliciously crafted regular expression. On\r\nsystems that accept arbitrary regular expressions from untrusted users,\r\nthis could be exploited to execute arbitrary code with the privileges of\r\nthe application using the library. The Common Vulnerabilities and\r\nExposures project (cve.mitre.org) assigned the name CVE-2005-2491 to\r\nthis issue.\r\n\r\nucd-snmp -- A denial of service bug was found in the way ucd-snmp uses\r\nnetwork stream protocols. A remote attacker could send a ucd-snmp agent\r\na specially crafted packet which will cause the agent to crash. The\r\nCommon Vulnerabilities and Exposures project (cve.mitre.org) assigned\r\nthe name CAN-2005-2177 to this issue.\r\n\r\nXFree86 -- An integer overflow flaw in the way the XFree86 server\r\nprocesses PCF font files was discovered. A malicious authorized client\r\ncould exploit this issue to cause a denial of service (crash) or\r\npotentially execute arbitrary code with root privileges on the XFree86\r\nserver. The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nassigned the name CVE-2006-3467 to this issue.\r\n\r\nA minor info leak in socket name handling in the network code\r\n(CVE-2006-1342).\r\nA minor info leak in socket option handling in the network code\r\n(CVE-2006-1343).\r\nA directory traversal vulnerability in smbfs that allowed a local user\r\nto escape chroot restrictions for an SMB-mounted filesystem via "..\\"\r\nsequences (CVE-2006-1864).\r\nA flaw in the mprotect system call that allowed to give write permission\r\nto a readonly attachment of shared memory (CVE-2006-2071).\r\n\r\nNOTE: AMD processers were not supported in the VMware ESX 2.0.2 release\r\nso CVE-2006-1056 is not applicable to this version of the product.\r\n\r\nThe non-security-related fixes are documented on the patch download page.\r\n\r\n4. Solution:\r\n\r\nUpgrade to the latest update package for your release of ESX.\r\nhttp://www.vmware.com/download/esx/\r\n\r\nhttp://www.vmware.com/download/esx/esx-202-200610-patch.html\r\n\r\nhe md5 checksum output should match the following:\r\n9e79d333ac9360122fb69bc8fc549405 esx-2.0.2-31924-upgrade.tar.gz\r\n\r\n5. References:\r\nhttp://www.vmware.com/download/esx/esx-202-200610-patch.html\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071\r\nhttp://www.vmware.com/products/esx/\r\nhttp://www.vmware.com/download/esx/\r\n\r\n6. Contact:\r\n\r\nhttp://www.vmware.com/security\r\n\r\nVMware Security Response Policy\r\nhttp://www.vmware.com/vmtn/technology/security/security_response.html\r\n\r\nE-mail: security@vmware.com\r\n\r\nCopyright 2006 VMware Inc. All rights reserved.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\nComment: Using GnuPG with Fedora - http://enigmail.mozdev.org\r\n\r\niD8DBQFFWP5W6KjQhy2pPmkRCDVzAJ9O3O4zIUSmEW9i4NyvxKxd1xUMLwCfRrYT\r\nPiCazE9ioHCf33AaY31k8mU=\r\n=U+XZ\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2006-11-14T00:00:00", "title": "VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-1056", "CVE-2006-1343", "CVE-2006-3467", "CVE-2006-2071", "CVE-2005-2491", "CVE-2006-1864", "CVE-2004-2069", "CVE-2006-1342", "CVE-2005-2177", "CVE-2006-3403"], "modified": "2006-11-14T00:00:00", "id": "SECURITYVULNS:DOC:15013", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15013", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:20", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- - -------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2006-0007\r\nSynopsis: VMware ESX Server 2.1.3 Upgrade Patch 2\r\nPatch URL: http://www.vmware.com/download/esx/esx-213-200610-patch.html\r\nIssue date: 2006-10-31\r\nUpdated on: 2006-11-13\r\nCVE Names: CAN-2004-2069 CVE-2006-3403 CVE-2005-2177\r\n CVE-2006-3467 CVE-2006-1056 CVE-2006-1342\r\n CVE-2006-1343 CVE-2006-1864 CVE-2006-2071\r\n- - -------------------------------------------------------------------\r\n\r\n1. Summary:\r\n\r\nUpdated package addresses several security issues.\r\n\r\n2. Relevant releases:\r\n\r\nVMware ESX 2.1.3 prior to upgrade patch 2\r\n\r\n3. Problem description:\r\n\r\nThis patch addresses the following security issues:\r\n\r\nOpenssh -- A bug was found in the way the OpenSSH server handled the\r\nMaxStartups and LoginGraceTime configuration variables. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCAN-2004-2069 to this issue.\r\n\r\nsamba -- A denial of service bug was found in the way the smbd daemon\r\ntracks active connections to shares. It was possible for a remote\r\nattacker to cause the smbd daemon to consume a large amount of system\r\nmemory by sending carefully crafted smb requests. The Common\r\nVulnerabilities and Exposures project (cve.mitre.org) assigned the name\r\nCVE-2006-3403 to this issue.\r\n\r\nPython -- An integer overflow flaw was found in Python's PCRE library\r\nthat could be triggered by a maliciously crafted regular expression. On\r\nsystems that accept arbitrary regular expressions from untrusted users,\r\nthis could be exploited to execute arbitrary code with the privileges of\r\nthe application using the library. The Common Vulnerabilities and\r\nExposures project (cve.mitre.org) assigned the name CVE-2005-2491 to\r\nthis issue.\r\n\r\nucd-snmp -- A denial of service bug was found in the way ucd-snmp uses\r\nnetwork stream protocols. A remote attacker could send a ucd-snmp agent\r\na specially crafted packet which will cause the agent to crash. The\r\nCommon Vulnerabilities and Exposures project (cve.mitre.org) assigned\r\nthe name CAN-2005-2177 to this issue.\r\n\r\nXFree86 -- An integer overflow flaw in the way the XFree86 server\r\nprocesses PCF font files was discovered. A malicious authorized client\r\ncould exploit this issue to cause a denial of service (crash) or\r\npotentially execute arbitrary code with root privileges on the XFree86\r\nserver. The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nassigned the name CVE-2006-3467 to this issue.\r\n\r\nAn AMD fxsave/restore security vulnerability. The instructions fxsave\r\nand fxrstor on AMD CPUs are used to save or restore the FPU registers\r\n(FOP, FIP and FDP). On AMD Opteron processors, these instructions do not\r\nsave/restore some exception related registers unless an exception is\r\ncurrently being serviced. This could allow a local attacker to partially\r\nmonitor the execution path of FPU processes, possibly allowing them to\r\nobtain sensitive information being passed through those processes. The\r\nCommon Vulnerabilities and Exposures project (cve.mitre.org) assigned\r\nthe name CVE-2006-1056 to this issue.\r\n\r\nA minor info leak in socket name handling in the network code\r\n(CVE-2006-1342).\r\nA minor info leak in socket option handling in the network code\r\n(CVE-2006-1343).\r\nA directory traversal vulnerability in smbfs that allowed a local user\r\nto escape chroot restrictions for an SMB-mounted filesystem via "..\\"\r\nsequences (CVE-2006-1864).\r\nA flaw in the mprotect system call that allowed to give write permission\r\nto a readonly attachment of shared memory (CVE-2006-2071).\r\n\r\nThe non-security-related fixes are documented on the patch download page.\r\n\r\n4. Solution:\r\n\r\nUpgrade to the latest update package for your release of ESX.\r\nhttp://www.vmware.com/download/esx/\r\n\r\nhttp://www.vmware.com/download/esx/esx-213-200610-patch.html\r\n\r\nThe md5 checksum output should match the following:\r\nc7057896ee275ce28b0b94a2186c1232 esx-2.1.3-24171-upgrade.tar.gz\r\n\r\n5. References:\r\nhttp://www.vmware.com/download/esx/esx-213-200610-patch.html\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2069\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1056\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1342\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1343\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1864\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2071\r\nhttp://www.vmware.com/products/esx/\r\nhttp://www.vmware.com/download/esx/\r\n\r\n6. Contact:\r\n\r\nhttp://www.vmware.com/security\r\n\r\nVMware Security Response Policy\r\nhttp://www.vmware.com/vmtn/technology/security/security_response.html\r\n\r\nE-mail: security@vmware.com\r\n\r\nCopyright 2006 VMware Inc. All rights reserved.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\nComment: Using GnuPG with Fedora - http://enigmail.mozdev.org\r\n\r\niD8DBQFFWP5M6KjQhy2pPmkRCGbTAJ9a4PnHLWO6HwHQKzVPj1VI9V0dVQCdETxH\r\nISqiyTar1d433nMH9q/JvxA=\r\n=cesx\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2006-11-14T00:00:00", "title": "VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2006-1056", "CVE-2006-1343", "CVE-2006-3467", "CVE-2006-2071", "CVE-2005-2491", "CVE-2006-1864", "CVE-2004-2069", "CVE-2006-1342", "CVE-2005-2177", "CVE-2006-3403"], "modified": "2006-11-14T00:00:00", "id": "SECURITYVULNS:DOC:15014", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15014", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}

OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883

Description

Related