According to the versions of the libssh2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.(CVE-2016-0787)
A flaw was found in the way the kex_agree_methods() function of libssh2 performed a key exchange when negotiating a new SSH session. A man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to crash a connecting libssh2 client.(CVE-2015-1782)
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3857)
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed.
A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3862)
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3856)
A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.(CVE-2019-3863)
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.(CVE-2019-3855)
An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3858)
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and
_libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3859)
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3860)
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed.
A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.(CVE-2019-3861)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124932);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2015-1782",
"CVE-2016-0787",
"CVE-2019-3855",
"CVE-2019-3856",
"CVE-2019-3857",
"CVE-2019-3858",
"CVE-2019-3859",
"CVE-2019-3860",
"CVE-2019-3861",
"CVE-2019-3862",
"CVE-2019-3863"
);
script_bugtraq_id(
73061
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : libssh2 (EulerOS-SA-2019-1429)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libssh2 package installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- A type confusion issue was found in the way libssh2
generated ephemeral secrets for the
diffie-hellman-group1 and diffie-hellman-group14 key
exchange methods. This would cause an SSHv2
Diffie-Hellman handshake to use significantly less
secure random parameters.(CVE-2016-0787)
- A flaw was found in the way the kex_agree_methods()
function of libssh2 performed a key exchange when
negotiating a new SSH session. A man-in-the-middle
attacker could use a crafted SSH_MSG_KEXINIT packet to
crash a connecting libssh2 client.(CVE-2015-1782)
- An integer overflow flaw which could lead to an out of
bounds write was discovered in libssh2 in the way
SSH_MSG_CHANNEL_REQUEST packets with an exit signal are
parsed. A remote attacker who compromises a SSH server
may be able to execute code on the client system when a
user connects to the server.(CVE-2019-3857)
- An out of bounds read flaw was discovered in libssh2
before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets
with an exit status message and no payload are parsed.
A remote attacker who compromises a SSH server may be
able to cause a Denial of Service or read data in the
client memory.(CVE-2019-3862)
- An integer overflow flaw, which could lead to an out of
bounds write, was discovered in libssh2 before 1.8.1 in
the way keyboard prompt requests are parsed. A remote
attacker who compromises a SSH server may be able to
execute code on the client system when a user connects
to the server.(CVE-2019-3856)
- A flaw was found in libssh2 before 1.8.1. A server
could send a multiple keyboard interactive response
messages whose total length are greater than unsigned
char max characters. This value is used as an index to
copy memory causing in an out of bounds memory write
error.(CVE-2019-3863)
- An integer overflow flaw which could lead to an out of
bounds write was discovered in libssh2 before 1.8.1 in
the way packets are read from the server. A remote
attacker who compromises a SSH server may be able to
execute code on the client system when a user connects
to the server.(CVE-2019-3855)
- An out of bounds read flaw was discovered in libssh2
before 1.8.1 when a specially crafted SFTP packet is
received from the server. A remote attacker who
compromises a SSH server may be able to cause a Denial
of Service or read data in the client
memory.(CVE-2019-3858)
- An out of bounds read flaw was discovered in libssh2
before 1.8.1 in the _libssh2_packet_require and
_libssh2_packet_requirev functions. A remote attacker
who compromises a SSH server may be able to cause a
Denial of Service or read data in the client
memory.(CVE-2019-3859)
- An out of bounds read flaw was discovered in libssh2
before 1.8.1 in the way SFTP packets with empty
payloads are parsed. A remote attacker who compromises
a SSH server may be able to cause a Denial of Service
or read data in the client memory.(CVE-2019-3860)
- An out of bounds read flaw was discovered in libssh2
before 1.8.1 in the way SSH packets with a padding
length value greater than the packet length are parsed.
A remote attacker who compromises a SSH server may be
able to cause a Denial of Service or read data in the
client memory.(CVE-2019-3861)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1429
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9d4ac1c9");
script_set_attribute(attribute:"solution", value:
"Update the affected libssh2 packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libssh2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["libssh2-1.4.3-10.1.h4"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libssh2");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863
www.nessus.org/u?9d4ac1c9