The version of OpenSSH running on the remote host is affected by the following vulnerabilities :
X11 man-in-the-middle attack:
When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap. When the sshd_config(5) option X11UseLocalhost has been set to ‘no’ - an attacker may establish a more-specific bind, which will be used in preference to sshd’s wildcard listener. (CVE-2008-3259)
Plaintext Recovery Attack Against SSH:
If exploited, this attack can potentially allow an attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration.
If OpenSSH is used in the standard configuration, then the attacker’s success probability for recovering 32 bits of plaintext is 2^{-18}. A variant of the attack against OpenSSH in the standard configuration can verifiably recover 14 bits of plaintext with probability 2^{-14}. The success probability of the attack for other implementations of SSH is not known. (CVE-2008-5161)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The text in the description was extracted from AIX Security
# Advisory openssh_advisory.asc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(73557);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/21");
script_cve_id("CVE-2008-3259", "CVE-2008-5161");
script_bugtraq_id(30339, 32319);
script_xref(name:"CERT", value:"958563");
script_name(english:"AIX OpenSSH Advisory: openssh_advisory.asc");
script_summary(english:"Checks the version of the openssh client and server packages");
script_set_attribute(attribute:"synopsis", value:"The remote AIX host is running a vulnerable version of OpenSSH.");
script_set_attribute(attribute:"description", value:
"The version of OpenSSH running on the remote host is affected by the
following vulnerabilities :
- X11 man-in-the-middle attack:
When attempting to bind(2) to a port that has previously
been bound with SO_REUSEADDR set, most operating systems
check that either the effective user-id matches the
previous bind (common on BSD-derived systems) or that
the bind addresses do not overlap. When the
sshd_config(5) option X11UseLocalhost has been set to
'no' - an attacker may establish a more-specific bind,
which will be used in preference to sshd's wildcard
listener. (CVE-2008-3259)
- Plaintext Recovery Attack Against SSH:
If exploited, this attack can potentially allow an
attacker to recover up to 32 bits of plaintext from an
arbitrary block of ciphertext from a connection secured
using the SSH protocol in the standard configuration.
If OpenSSH is used in the standard configuration, then
the attacker's success probability for recovering 32
bits of plaintext is 2^{-18}. A variant of the attack
against OpenSSH in the standard configuration can
verifiably recover 14 bits of plaintext with probability
2^{-14}. The success probability of the attack for other
implementations of SSH is not known. (CVE-2008-5161)");
script_set_attribute(attribute:"see_also", value:"https://aix.software.ibm.com/aix/efixes/security/openssh_advisory.asc");
script_set_attribute(attribute:"see_also", value:"http://www.openssh.org/txt/cbc.adv");
script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-5.1");
script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/projects/openssh-aix/files/");
script_set_attribute(attribute:"solution", value:
"A fix is available for AIX versions 5.3 and 6.1, and it can be
downloaded from the OpenSSH sourceforge website for the AIX release.
There is no fix for AIX version 5.2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(200);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix");
script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/21");
script_set_attribute(attribute:"patch_publication_date", value:"2010/06/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/16");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2023 Tenable Network Security, Inc.");
script_family(english:"AIX Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
exit(0);
}
include("aix.inc");
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
oslevel = get_kb_item_or_exit("Host/AIX/version");
if ( oslevel != "AIX-5.2" && oslevel != "AIX-5.3" && oslevel != "AIX-6.1" )
{
oslevel = ereg_replace(string:oslevel, pattern:"-", replace:" ");
audit(AUDIT_OS_NOT, "AIX 5.2 / 5.3 / 6.1", oslevel);
}
if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (aix_check_package(release:"5.2", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"6.0.0.0", fixpackagever:"Special") > 0) flag++;
if (aix_check_package(release:"5.2", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"6.0.0.0", fixpackagever:"Special") > 0) flag++;
if (aix_check_package(release:"5.3", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
if (aix_check_package(release:"5.3", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
if (aix_check_package(release:"6.1", package:"openssh.base.client", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
if (aix_check_package(release:"6.1", package:"openssh.base.server", minpackagever:"0.0.0.0", maxpackagever:"5.2.0.5299", fixpackagever:"5.2.0.5300") > 0) flag++;
if (flag)
{
# Disassemble and reassemble aix_report_get(), the 5.2 version has no fix and requires special reporting
curr_report = aix_report_get();
lines = split(curr_report, sep:'\n', keep:0);
new_report = "";
foreach currline (lines)
{
new_line = ereg_replace(string:currline, pattern:"Should be : openssh\.base\.(client|server)\.Special", replace:"OpenSSH on AIX version 5.2 has no fix for this issue.");
new_report += new_line + '\n';
}
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : new_report
);
}
else
{
tested = aix_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh.base.client / openssh.base.server");
}