ID OPENSSH_47.NASL Type nessus Reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
According to the banner, OpenSSH earlier than 4.7 is running on the
remote host. Such versions contain an authentication bypass
vulnerability. In the event that OpenSSH cannot create an untrusted
cookie for X, for example due to the temporary partition being full,
it will use a trusted cookie instead. This allows attackers to
violate intended policy and gain privileges by causing their X client
to be treated as trusted.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  # Registration pass: this branch holds only script_* declarations and
  # then calls exit(0), so none of the detection logic below runs when
  # `description` is set.

  # Plugin identity and revision metadata.
  script_id(44078);
  script_version("1.9");
  script_cvs_date("Date: 2018/07/16 14:09:13");

  # Two CVE identifiers are registered, but the description text below
  # only covers the X11 cookie issue.
  # NOTE(review): NVD describes CVE-2007-2243 as S/KEY account enumeration
  # that needs ChallengeResponseAuthentication enabled; nothing in this
  # plugin inspects server configuration, so a finding does not confirm
  # that precondition.
  script_cve_id("CVE-2007-4752", "CVE-2007-2243");
  script_bugtraq_id(25628);

  script_name(english:"OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass");
  # The summary states the detection method: the banner version is the
  # only evidence used.
  script_summary(english:"Checks the version reported in the SSH banner.");

  script_set_attribute(attribute:"synopsis", value:"Remote attackers may be able to bypass authentication.");
  # Multi-line string literal: the line breaks inside it are part of the
  # value, so the text stays at column 0.
  script_set_attribute(attribute:"description", value:
"According to the banner, OpenSSH earlier than 4.7 is running on the
remote host. Such versions contain an authentication bypass
vulnerability. In the event that OpenSSH cannot create an untrusted
cookie for X, for example due to the temporary partition being full,
it will use a trusted cookie instead. This allows attackers to
violate intended policy and gain privileges by causing their X client
to be treated as trusted.");
  script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 4.7 or later.");

  # Severity metadata. The CVSS v2 temporal vector records E:U (exploit
  # unproven), RL:OF (official fix) and RC:C (report confirmed).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 287);

  # Vendor release notes for the fixed version, then the relevant dates.
  script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.7");
  script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/09/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # Scheduling: runs after ssh_detect.nasl and only where an SSH service
  # was registered. Presumably ssh_detect.nasl is what stores the
  # "SSH/banner/<port>" knowledge-base item read later - confirm against
  # that script.
  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");
# Detection flow: a version-banner comparison only. No X11 forwarding
# behaviour is exercised, so the result is only as trustworthy as the
# banner. A customised banner or a vendor build with backported fixes
# will not reflect the real patch level.
# NOTE(review): NVD describes CVE-2007-4752 as a flaw in the `ssh`
# client's X11 cookie handling. The server banner is used here as a
# proxy for the installed OpenSSH version, so confirm the package level
# on the host (for example with a credentialed check) before acting on
# a finding.

# Resolve the SSH service port; exit_on_fail ends the script if this fails.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Fetch the stored banner for that port, or exit if it is missing.
banner = get_kb_item_or_exit("SSH/banner/"+port);

# Lower-case the banner returned by get_backport_banner() so the product
# test and the version regex do not depend on case.
normalized_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< normalized_banner)
{
  exit(0, "The SSH service on port "+port+" is not OpenSSH.");
}

# `backported` is not assigned in this script; presumably
# get_backport_banner() in backport.inc sets it - confirm. When it is
# set the script exits with status 1 and reports no finding, so such
# hosts need their patch level verified another way.
if (backported)
{
  exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
}

# Extract the version token after "openssh-" / "openssh_". The character
# class also admits letters, so a suffix such as the "p1" in "4.6p1"
# (constructed example) is kept for display.
banner_match = eregmatch(string:normalized_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
if (isnull(banner_match))
{
  exit(1, "Could not parse the version string in the banner from port "+port+".");
}
version = banner_match[1];

# Keep only the leading run of digits and dots for the comparison.
numeric_match = eregmatch(string:version, pattern:"^([0-9.]+)");
if (isnull(numeric_match))
{
  exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');
}

# Element 0 is the whole match, which for this anchored pattern is the
# same text as the single capture group. A result >= 0 means the banner
# version is 4.7 or later.
cmp_result = ver_compare(ver:numeric_match[0], fix:"4.7", strict:FALSE);
if (cmp_result >= 0)
{
  exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+".");
}

# Report the finding. The detailed text includes the raw banner so the
# evidence can be checked by hand.
if (report_verbosity > 0)
{
  security_hole(
    port:port,
    extra:
      '\n Version source : ' + banner +
      '\n Installed version : ' + version +
      '\n Fixed version : 4.7' +
      '\n'
  );
}
else
{
  security_hole(port);
}
{"id": "OPENSSH_47.NASL", "bulletinFamily": "scanner", "title": "OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass", "description": "According to the banner, OpenSSH earlier than 4.7 is running on the\nremote host. Such versions contain an authentication bypass\nvulnerability. In the event that OpenSSH cannot create an untrusted\ncookie for X, for example due to the temporary partition being full,\nit will use a trusted cookie instead. This allows attackers to\nviolate intended policy and gain privileges by causing their X client\nto be treated as trusted.", "published": "2011-10-04T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/44078", "reporter": "This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.", "references": ["http://www.openssh.com/txt/release-4.7"], "cvelist": ["CVE-2007-4752", "CVE-2007-2243"], "type": "nessus", "lastseen": "2021-01-01T04:32:53", "edition": 24, "viewCount": 135, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4752", "CVE-2007-2243"]}, {"type": "f5", "idList": ["SOL14228", "F5:K14161", "F5:K14229", "SOL14161", "F5:K14228", "SOL14229"]}, {"type": "osvdb", "idList": ["OSVDB:34600"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:73600"]}, {"type": "nessus", "idList": ["SUSE_OPENSSH-4580.NASL", "SUSE_OPENSSH-4579.NASL", "MANDRAKE_MDKSA-2007-236.NASL", "GENTOO_GLSA-200711-02.NASL", "FEDORA_2007-715.NASL", "OPENSSH_CHALLENGE_RESPONSE.NASL", "SUSE9_11931.NASL", "UBUNTU_USN-566-1.NASL", "SL_20080822_OPENSSH_ON_SL4_X.NASL", "SLACKWARE_SSA_2007-255-01.NASL"]}, {"type": "ubuntu", "idList": ["USN-566-1"]}, {"type": "slackware", "idList": ["SSA-2007-255-01"]}, {"type": "openvas", "idList": ["OPENVAS:59014", "OPENVAS:136141256231065513", "OPENVAS:830191", "OPENVAS:58741", "OPENVAS:840214", "OPENVAS:1361412562310830191", "OPENVAS:835082", "OPENVAS:1361412562310870129", 
"OPENVAS:136141256231059014", "OPENVAS:1361412562310835082"]}, {"type": "gentoo", "idList": ["GLSA-200711-02"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18019", "SECURITYVULNS:VULN:8166"]}, {"type": "centos", "idList": ["CESA-2008:0855"]}, {"type": "oraclelinux", "idList": ["ELSA-2008-0855"]}, {"type": "redhat", "idList": ["RHSA-2008:0855"]}, {"type": "fedora", "idList": ["FEDORA:L9FJSSNP014372"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1576-1:61216"]}], "modified": "2021-01-01T04:32:53", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-01-01T04:32:53", "rev": 2}, "vulnersScore": 6.1}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44078);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2007-4752\", \"CVE-2007-2243\");\n script_bugtraq_id(25628);\n\n script_name(english:\"OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass\");\n script_summary(english:\"Checks the version reported in the SSH banner.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"Remote attackers may be able to bypass authentication.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to the banner, OpenSSH earlier than 4.7 is running on the\nremote host. Such versions contain an authentication bypass\nvulnerability. In the event that OpenSSH cannot create an untrusted\ncookie for X, for example due to the temporary partition being full,\nit will use a trusted cookie instead. 
This allows attackers to\nviolate intended policy and gain privileges by causing their X client\nto be treated as trusted.\"\n );\n\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 4.7 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 287);\n\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openssh.com/txt/release-4.7\"\n );\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = 
eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\n# Pull out numeric portion of version.\nmatches = eregmatch(string:version, pattern:\"^([0-9.]+)\");\nif (isnull(matches))\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\nif (ver_compare(ver:matches[0], fix:\"4.7\", strict:FALSE) >= 0)\n exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.7' +\n '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "naslFamily": "Misc.", "pluginID": "44078", "cpe": ["cpe:/a:openbsd:openssh"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:26:08", "description": "ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.", "edition": 5, "cvss3": {}, "published": "2007-09-12T01:17:00", "title": "CVE-2007-4752", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2007-4752"], "modified": "2018-10-15T21:37:00", "cpe": ["cpe:/a:openbsd:openssh:4.1", "cpe:/a:openbsd:openssh:4.3p2", "cpe:/a:openbsd:openssh:4.2", "cpe:/a:openbsd:openssh:4.0p1", "cpe:/a:openbsd:openssh:4.4", "cpe:/a:openbsd:openssh:4.0", "cpe:/a:openbsd:openssh:4.6", "cpe:/a:openbsd:openssh:4.5", "cpe:/a:openbsd:openssh:4.3", "cpe:/a:openbsd:openssh:4.2p1", "cpe:/a:openbsd:openssh:4.1p1", "cpe:/a:openbsd:openssh:4.4p1", "cpe:/a:openbsd:openssh:4.3p1"], "id": "CVE-2007-4752", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4752", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*", 
"cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.6:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:45:51", "description": "OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.", "edition": 4, "cvss3": {}, "published": "2007-04-25T16:19:00", "title": "CVE-2007-2243", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-2243"], "modified": "2017-07-29T01:31:00", "cpe": ["cpe:/a:openbsd:openssh:3.1", "cpe:/a:openbsd:openssh:4.1", "cpe:/a:openbsd:openssh:1.2.27", "cpe:/a:openbsd:openssh:3.7.1p2", "cpe:/a:openbsd:openssh:2.9.9", "cpe:/a:openbsd:openssh:3.9.1", "cpe:/a:openbsd:openssh:3.0p1", "cpe:/a:openbsd:openssh:2.9", "cpe:/a:openbsd:openssh:3.0.1p1", "cpe:/a:openbsd:openssh:4.3p2", "cpe:/a:openbsd:openssh:3.6.1p2", "cpe:/a:openbsd:openssh:2.9p1", "cpe:/a:openbsd:openssh:3.0.2p1", "cpe:/a:openbsd:openssh:2.9.9p2", "cpe:/a:openbsd:openssh:4.2", "cpe:/a:openbsd:openssh:4.0p1", "cpe:/a:openbsd:openssh:3.1p1", "cpe:/a:openbsd:openssh:3.3", "cpe:/a:openbsd:openssh:3.2", "cpe:/a:openbsd:openssh:4.4", "cpe:/a:openbsd:openssh:2.5.1", "cpe:/a:openbsd:openssh:4.0", 
"cpe:/a:openbsd:openssh:2.9p2", "cpe:/a:openbsd:openssh:3.6.1p1", "cpe:/a:openbsd:openssh:1.2.2", "cpe:/a:openbsd:openssh:3.9", "cpe:/a:openbsd:openssh:3.9.1p1", "cpe:/a:openbsd:openssh:2.3", "cpe:/a:openbsd:openssh:2.5", "cpe:/a:openbsd:openssh:3.7", "cpe:/a:openbsd:openssh:3.3p1", "cpe:/a:openbsd:openssh:4.6", "cpe:/a:openbsd:openssh:3.8.1p1", "cpe:/a:openbsd:openssh:3.6.1", "cpe:/a:openbsd:openssh:4.5", "cpe:/a:openbsd:openssh:4.3", "cpe:/a:openbsd:openssh:3.4", "cpe:/a:openbsd:openssh:3.5p1", "cpe:/a:openbsd:openssh:3.2.2p1", "cpe:/a:openbsd:openssh:4.2p1", "cpe:/a:openbsd:openssh:1.2", "cpe:/a:openbsd:openssh:3.8.1", "cpe:/a:openbsd:openssh:3.8", "cpe:/a:openbsd:openssh:2.1", "cpe:/a:openbsd:openssh:4.1p1", "cpe:/a:openbsd:openssh:1.2.1", "cpe:/a:openbsd:openssh:1.2.3", "cpe:/a:openbsd:openssh:3.4p1", "cpe:/a:openbsd:openssh:3.0.2", "cpe:/a:openbsd:openssh:2.2", "cpe:/a:openbsd:openssh:2.1.1", "cpe:/a:openbsd:openssh:3.2.3p1", "cpe:/a:openbsd:openssh:3.2.2", "cpe:/a:openbsd:openssh:3.5", "cpe:/a:openbsd:openssh:3.0", "cpe:/a:openbsd:openssh:4.4p1", "cpe:/a:openbsd:openssh:3.7.1", "cpe:/a:openbsd:openssh:3.7.1p1", "cpe:/a:openbsd:openssh:3.0.1", "cpe:/a:openbsd:openssh:2.5.2", "cpe:/a:openbsd:openssh:3.6", "cpe:/a:openbsd:openssh:4.3p1"], "id": "CVE-2007-2243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2243", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.9p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.9.9p2:*:*:*:*:*:*:*", 
"cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.9:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.9p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.9.9:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.27:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:37", "bulletinFamily": "software", "cvelist": ["CVE-2007-4752"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently-supported releases for potential vulnerability. To find out whether F5 has determined that your release is vulnerable, and to obtain information about releases or hotfixes that resolve the vulnerability, refer to the following table:\n\nProduct | Versions known to \nbe vulnerable | Versions known to \nbe not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | None \n| 9.x \n10.x \n11.x \n| None \nBIG-IP GTM | None | 9.x \n10.x \n11.x | None \nBIG-IP ASM | None | 9.x \n10.x \n11.x | None \nBIG-IP Link Controller | None \n| 9.x \n10.x \n11.x | None \nBIG-IP WebAccelerator | None | 9.x \n10.x \n11.x | None \nBIG-IP PSM | None | 9.x \n10.x \n11.x | None \nBIG-IP WOM | None | 10.x \n11.x | None \nBIG-IP APM | None | 10.x \n11.x | None \nBIG-IP Edge Gateway \n| None | 10.x \n11.x | None \nBIG-IP Analytics \n| None | 11.x | None \nBIG-IP AFM | None | 11.x | None \nBIG-IP PEM | None | 11.x | None \nBIG-IP AAM | None | 11.x | None \nFirePass | None | 6.x \n7.x | None \nEnterprise Manager | None \n| 1.x \n2.x \n3.x | None \nARX | None | 4.x \n5.x \n6.x | None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated 
documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n\n**Note**: The following link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.\n\n * [Common Vulnerabilities and Exposures (CVE-2007-4752)](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752>)\n", "modified": "2016-01-09T02:29:00", "published": "2013-01-29T03:37:00", "id": "F5:K14161", "href": "https://support.f5.com/csp/article/K14161", "title": "OpenSSH vulnerability CVE-2007-4752", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:00", "bulletinFamily": "software", "cvelist": ["CVE-2007-2243"], "edition": 1, "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * [CVE-2007-2243](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243>)\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2014-12-11T00:00:00", "published": "2013-02-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14228.html", "id": "SOL14228", "title": "SOL14228 - OpenSSH vulnerability CVE-2007-2243", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-4752"], "edition": 1, "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security 
vulnerability response policy\n\n**Note**: The following link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.\n\n * [Common Vulnerabilities and Exposures (CVE-2007-4752)](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752>)\n", "modified": "2013-09-11T00:00:00", "published": "2013-01-28T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14161.html", "id": "SOL14161", "title": "SOL14161 - OpenSSH vulnerability CVE-2007-4752", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-06T22:40:00", "bulletinFamily": "software", "cvelist": ["CVE-2007-2243", "CVE-2001-1483"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-08-14T22:41:00", "published": "2014-12-12T02:18:00", "id": "F5:K14228", "href": "https://support.f5.com/csp/article/K14228", "title": "OpenSSH vulnerability CVE-2007-2243", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2016-09-26T17:22:55", "bulletinFamily": "software", "cvelist": ["CVE-2007-2768", "CVE-2007-2243"], "edition": 1, "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * 
[Common Vulnerabilities and Exposures (CVE-2007-2243)](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243>)[](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2243>)\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2013-09-10T00:00:00", "published": "2013-02-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/200/sol14229.html", "id": "SOL14229", "title": "SOL14229 - OpenSSH vulnerability CVE-2007-2768", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-04-06T22:40:37", "bulletinFamily": "software", "cvelist": ["CVE-2007-2768", "CVE-2007-2243"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-08-14T22:40:00", "published": "2013-09-10T20:53:00", "id": "F5:K14229", "href": "https://support.f5.com/csp/article/K14229", "title": "OpenSSH vulnerability CVE-2007-2768", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", 
"bulletinFamily": "software", "cvelist": ["CVE-2007-2243"], "description": "## Vulnerability Description\nOpenSSH, when configured to use S/KEY authentication, is prone to a remote information disclosure weakness. The issue occurs due to the S/KEY challenge/response system being used for valid accounts. If a remote attacker systematically attempts authentication against a list of usernames, they can watch the response to determine which accounts are valid.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nOpenSSH, when configured to use S/KEY authentication, is prone to a remote information disclosure weakness. The issue occurs due to the S/KEY challenge/response system being used for valid accounts. If a remote attacker systematically attempts authentication against a list of usernames, they can watch the response to determine which accounts are valid.\n## References:\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0590.html\nMail List Post: http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html\nISS X-Force ID: 33794\n[CVE-2007-2243](https://vulners.com/cve/CVE-2007-2243)\nBugtraq ID: 23601\n", "edition": 1, "modified": "2007-04-21T22:58:35", "published": "2007-04-21T22:58:35", "href": "https://vulners.com/osvdb/OSVDB:34600", "id": "OSVDB:34600", "title": "OpenSSH S/KEY Authentication Account Enumeration", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-01T04:32:54", "description": "When OpenSSH has S/KEY authentication enabled, it is possible to\nremotely determine if an account configured for S/KEY authentication\nexists. \n\nNote that Nessus has not attempted to exploit the issue but has\ninstead only checked if OpenSSH is running on the remote host. 
As a\nresult, it will not detect if the remote host has implemented a\nworkaround.", "edition": 23, "published": "2011-11-18T00:00:00", "title": "OpenSSH S/KEY Authentication Account Enumeration", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-2243"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_CHALLENGE_RESPONSE.NASL", "href": "https://www.tenable.com/plugins/nessus/17704", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(17704);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2007-2243\");\n script_bugtraq_id(23601);\n\n script_name(english:\"OpenSSH S/KEY Authentication Account Enumeration\");\n script_summary(english:\"Checks if OpenSSH is installed.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"When OpenSSH has S/KEY authentication enabled, it is possible to\nremotely determine if an account configured for S/KEY authentication\nexists. \n\nNote that Nessus has not attempted to exploit the issue but has\ninstead only checked if OpenSSH is running on the remote host. As a\nresult, it will not detect if the remote host has implemented a\nworkaround.\");\n# https://web.archive.org/web/20110723143430/http://www.helith.net/txt/openssh_system_account_enumeration_if_s-key_is_used.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?907640b9\");\n script_set_attribute(attribute:\"solution\", value:\n\"A patch currently does not exist for this issue. 
As a workaround,\neither set 'ChallengeResponseAuthentication' in the OpenSSH config to\n'no' or use a version of OpenSSH without S/KEY support compiled in.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(287);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_keys(\"Settings/PCI_DSS\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Settings/PCI_DSS\")) exit(0, \"PCI-DSS compliance checking is not enabled.\");\n\n# Ensure the port is open.\nport = get_service(svc:'ssh', exit_on_fail:TRUE);\n\n# Get banner for service\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\n\nif (\"openssh\" >!< tolower(banner)) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\n\nmatch = eregmatch(string:tolower(banner), pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse 
security_warning(port);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T11:51:48", "description": "A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling\nwhen an untrusted cookie could not be created and used a trusted X11\ncookie instead, which could allow attackers to violate intended policy\nand gain privileges by causing an X client to be treated as trusted.\n\nThe updated packages have been patched to correct this issue.", "edition": 25, "published": "2007-12-07T00:00:00", "title": "Mandrake Linux Security Advisory : openssh (MDKSA-2007:236)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2007-12-07T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:openssh-server", "cpe:/o:mandriva:linux:2007", "cpe:/o:mandriva:linux:2007.1", "p-cpe:/a:mandriva:linux:openssh-clients", "p-cpe:/a:mandriva:linux:openssh-askpass", "p-cpe:/a:mandriva:linux:openssh-askpass-gnome", "p-cpe:/a:mandriva:linux:openssh", "p-cpe:/a:mandriva:linux:openssh-askpass-common"], "id": "MANDRAKE_MDKSA-2007-236.NASL", "href": "https://www.tenable.com/plugins/nessus/29233", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2007:236. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(29233);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2007-4752\");\n script_bugtraq_id(25628);\n script_xref(name:\"MDKSA\", value:\"2007:236\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssh (MDKSA-2007:236)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling\nwhen an untrusted cookie could not be created and used a trusted X11\ncookie instead, which could allow attackers to violate intended policy\nand gain privileges by causing an X client to be treated as trusted.\n\nThe updated packages have been patched to correct these issue.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-gnome\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2007\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2007.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2007.0\", reference:\"openssh-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.0\", reference:\"openssh-askpass-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.0\", reference:\"openssh-askpass-common-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.0\", reference:\"openssh-askpass-gnome-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\nif 
(rpm_check(release:\"MDK2007.0\", reference:\"openssh-clients-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.0\", reference:\"openssh-server-4.5p1-0.2mdv2007.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-askpass-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-askpass-common-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-askpass-gnome-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-clients-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2007.1\", reference:\"openssh-server-4.6p1-1.1mdv2007.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:16", "description": "The remote host is affected by the vulnerability described in GLSA-200711-02\n(OpenSSH: Security bypass)\n\n Jan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it\n cannot create an untrusted one.\n \nImpact :\n\n An attacker could bypass the SSH client security policy and gain\n privileges by causing an X client to be treated as trusted.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2007-11-02T00:00:00", "title": "GLSA-200711-02 : OpenSSH: Security bypass", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2007-11-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:openssh"], "id": "GENTOO_GLSA-200711-02.NASL", "href": "https://www.tenable.com/plugins/nessus/27612", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200711-02.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(27612);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2007-4752\");\n script_bugtraq_id(25628);\n script_xref(name:\"GLSA\", value:\"200711-02\");\n\n script_name(english:\"GLSA-200711-02 : OpenSSH: Security bypass\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200711-02\n(OpenSSH: Security bypass)\n\n Jan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it\n cannot create an untrusted one.\n \nImpact :\n\n An attacker could bypass the SSH client security policy and gain\n privileges by causing an X client to be treated as trusted.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200711-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All OpenSSH users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.7'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/11/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/openssh\", unaffected:make_list(\"ge 4.7\"), vulnerable:make_list(\"lt 4.7\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSH\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:02:13", "description": " - This update fixes a bug in ssh's cookie handling code.\n It does not properly handle the situation when an\n untrusted 
cookie cannot be created and uses a trusted\n X11 cookie instead. This allows attackers to violate the\n intended policy and gain privileges by causing an X\n client to be treated as trusted. (CVE-2007-4752)\n\n - Additionally this update fixes a bug introduced with the\n last security update for openssh. When the SSH daemon\n wrote to stderr (for instance, to warn about the\n presence of a deprecated option like\n PAMAuthenticationViaKbdInt in its configuration file),\n SIGALRM was blocked for SSH sessions. This resulted in\n problems with processes which rely on SIGALRM, such as\n ntpdate.", "edition": 24, "published": "2009-09-24T00:00:00", "title": "SuSE9 Security Update : OpenSSH (YOU Patch Number 11931)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2009-09-24T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE9_11931.NASL", "href": "https://www.tenable.com/plugins/nessus/41158", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41158);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\");\n\n script_name(english:\"SuSE9 Security Update : OpenSSH (YOU Patch Number 11931)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - This update fixes a bug in ssh's cookie handling code.\n It does not properly handle the situation when an\n untrusted cookie cannot be created and uses a trusted\n X11 cookie instead. 
This allows attackers to violate the\n intended policy and gain privileges by causing an X\n client to be treated as trusted. (CVE-2007-4752)\n\n - Additionally this update fixes a bug introduced with the\n last security update for openssh. When the SSH daemon\n wrote to stderr (for instance, to warn about the\n presence of a deprecated option like\n PAMAuthenticationViaKbdInt in its configuration file),\n SIGALRM was blocked for SSH sessions. This resulted in\n problems with processes which rely on SIGALRM, such as\n ntpdate.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2007-4752.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 11931.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to 
determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"openssh-4.1p1-11.40\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"openssh-askpass-4.1p1-11.40\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:46:49", "description": "This update fixes a bug in ssh's cookie handling code. It does not\nproperly handle the situation when an untrusted cookie cannot be\ncreated and uses a trusted X11 cookie instead. This allows attackers\nto violate the intended policy and gain privileges by causing an X\nclient to be treated as trusted. (CVE-2007-4752) Additionally this\nupdate fixes a bug introduced with the last security update for\nopenssh. When the SSH daemon wrote to stderr (for instance, to warn\nabout the presence of a deprecated option like\nPAMAuthenticationViaKbdInt in its configuration file), SIGALRM was\nblocked for SSH sessions. 
This resulted in problems with processes\nwhich rely on SIGALRM, such as ntpdate.", "edition": 24, "published": "2007-12-13T00:00:00", "title": "SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 4580)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2007-12-13T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_OPENSSH-4580.NASL", "href": "https://www.tenable.com/plugins/nessus/29540", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(29540);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\");\n\n script_name(english:\"SuSE 10 Security Update : OpenSSH (ZYPP Patch Number 4580)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in ssh's cookie handling code. It does not\nproperly handle the situation when an untrusted cookie cannot be\ncreated and uses a trusted X11 cookie instead. This allows attackers\nto violate the intended policy and gain privileges by causing an X\nclient to be treated as trusted. (CVE-2007-4752) Additionally this\nupdate fixes a bug introduced with the last security update for\nopenssh. When the SSH daemon wrote to stderr (for instance, to warn\nabout the presence of a deprecated option like\nPAMAuthenticationViaKbdInt in its configuration file), SIGALRM was\nblocked for SSH sessions. 
This resulted in problems with processes\nwhich rely on SIGALRM, such as ntpdate.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2007-4752.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 4580.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:1, reference:\"openssh-4.2p1-18.30\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:1, reference:\"openssh-askpass-4.2p1-18.30\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:1, reference:\"openssh-4.2p1-18.30\")) 
flag++;\nif (rpm_check(release:\"SLES10\", sp:1, reference:\"openssh-askpass-4.2p1-18.30\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:44:00", "description": "These packages fix a low severity flaw in the way ssh handles X11\ncookies when creating X11 forwarding connections. When ssh was unable\nto create untrusted cookie, ssh used a trusted cookie instead,\npossibly allowing the administrative user of a untrusted remote\nserver, or untrusted application run on the remote server, to gain\nunintended access to a users local X server. (CVE-2007-4752)\n\nTo address concerns about these, and past openssh packages, we have\ndone an intensive review of the source rpm's of these, and past\nopenssh packages. Our conclusion is that these, and past packages have\nNOT been compromised. 
Either at the source level, or the compiled\nbinary level.", "edition": 25, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : openssh on SL4.x, SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20080822_OPENSSH_ON_SL4_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60467", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60467);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\");\n\n script_name(english:\"Scientific Linux Security Update : openssh on SL4.x, SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"These packages fix a low severity flaw in the way ssh handles X11\ncookies when creating X11 forwarding connections. When ssh was unable\nto create untrusted cookie, ssh used a trusted cookie instead,\npossibly allowing the administrative user of a untrusted remote\nserver, or untrusted application run on the remote server, to gain\nunintended access to a users local X server. (CVE-2007-4752)\n\nTo address concerns about these, and past openssh packages, we have\ndone an intensive review of the source rpm's of these, and past\nopenssh packages. Our conclusion is that these, and past packages have\nNOT been compromised. 
Either at the source level, or the compiled\nbinary level.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0808&L=scientific-linux-errata&T=0&P=1788\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7d0dfcaf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL4\", reference:\"openssh-3.9p1-11.el4_7\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssh-askpass-3.9p1-11.el4_7\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssh-askpass-gnome-3.9p1-11.el4_7\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssh-clients-3.9p1-11.el4_7\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"openssh-server-3.9p1-11.el4_7\")) flag++;\n\nif (rpm_check(release:\"SL5\", reference:\"openssh-4.3p2-26.el5_2.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssh-askpass-4.3p2-26.el5_2.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssh-clients-4.3p2-26.el5_2.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssh-server-4.3p2-26.el5_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T09:10:20", "description": "New 
openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, and 12.0 to fix a possible security issue. This\nversion should also provide increased performance with certain\nciphers.", "edition": 23, "published": "2007-09-14T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 : openssh (SSA:2007-255-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2007-09-14T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:12.0", "p-cpe:/a:slackware:slackware_linux:openssh", "cpe:/o:slackware:slackware_linux:8.1", "cpe:/o:slackware:slackware_linux:9.0", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux:10.1", "cpe:/o:slackware:slackware_linux:10.0", "cpe:/o:slackware:slackware_linux:11.0", "cpe:/o:slackware:slackware_linux:10.2"], "id": "SLACKWARE_SSA_2007-255-01.NASL", "href": "https://www.tenable.com/plugins/nessus/26053", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2007-255-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(26053);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\");\n script_xref(name:\"SSA\", value:\"2007-255-01\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 8.1 / 9.0 / 9.1 : openssh (SSA:2007-255-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0,\n10.1, 10.2, 11.0, and 12.0 to fix a possible security issue. This\nversion should also provide increased performance with certain\nciphers.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.511041\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ab71da07\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:11.0\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:slackware:slackware_linux:12.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/09/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i386\", pkgnum:\"1_slack8.1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif 
(slackware_check(osver:\"10.1\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"11.0\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack11.0\")) flag++;\n\nif (slackware_check(osver:\"12.0\", pkgname:\"openssh\", pkgver:\"4.7p1\", pkgarch:\"i486\", pkgnum:\"1_slack12.0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:46:49", "description": "This update fixes a bug in ssh's cookie handling code. It does not\nproperly handle the situation when an untrusted cookie cannot be\ncreated and uses a trusted X11 cookie instead. This allows attackers\nto violate the intended policy and gain privileges by causing an X\nclient to be treated as trusted. (CVE-2007-4752) Additionally this\nupdate fixes a bug introduced with the last security update for\nopenssh. When the SSH daemon wrote to stderr (for instance, to warn\nabout the presence of a deprecated option like\nPAMAuthenticationViaKbdInt in its configuration file), SIGALRM was\nblocked for SSH sessions. 
This resulted in problems with processes\nwhich rely on SIGALRM, such as ntpdate.", "edition": 24, "published": "2007-10-30T00:00:00", "title": "openSUSE 10 Security Update : openssh (openssh-4579)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2007-10-30T00:00:00", "cpe": ["cpe:/o:novell:opensuse:10.3", "cpe:/o:novell:opensuse:10.2", "p-cpe:/a:novell:opensuse:openssh", "p-cpe:/a:novell:opensuse:openssh-askpass", "cpe:/o:novell:opensuse:10.1"], "id": "SUSE_OPENSSH-4579.NASL", "href": "https://www.tenable.com/plugins/nessus/27589", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openssh-4579.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(27589);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\");\n\n script_name(english:\"openSUSE 10 Security Update : openssh (openssh-4579)\");\n script_summary(english:\"Check for the openssh-4579 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in ssh's cookie handling code. It does not\nproperly handle the situation when an untrusted cookie cannot be\ncreated and uses a trusted X11 cookie instead. This allows attackers\nto violate the intended policy and gain privileges by causing an X\nclient to be treated as trusted. (CVE-2007-4752) Additionally this\nupdate fixes a bug introduced with the last security update for\nopenssh. 
When the SSH daemon wrote to stderr (for instance, to warn\nabout the presence of a deprecated option like\nPAMAuthenticationViaKbdInt in its configuration file), SIGALRM was\nblocked for SSH sessions. This resulted in problems with processes\nwhich rely on SIGALRM, such as ntpdate.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.1|SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.1 / 10.2 / 10.3\", 
release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.1\", reference:\"openssh-4.2p1-18.30\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"openssh-askpass-4.2p1-18.30\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"openssh-4.4p1-26\") ) flag++;\nif ( rpm_check(release:\"SUSE10.2\", reference:\"openssh-askpass-4.4p1-26\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"openssh-4.6p1-58.1\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", reference:\"openssh-askpass-4.6p1-58.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:44:07", "description": "Jan Pechanec discovered that ssh would forward trusted X11 cookies\nwhen untrusted cookie generation failed. This could lead to unintended\nprivileges being forwarded to a remote host.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2008-01-10T00:00:00", "title": "Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-566-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "modified": "2008-01-10T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:7.10", "p-cpe:/a:canonical:ubuntu_linux:ssh-krb5", "cpe:/o:canonical:ubuntu_linux:6.10", "p-cpe:/a:canonical:ubuntu_linux:ssh", "p-cpe:/a:canonical:ubuntu_linux:openssh-server", "p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome", "p-cpe:/a:canonical:ubuntu_linux:openssh-client", "cpe:/o:canonical:ubuntu_linux:7.04", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts"], "id": "UBUNTU_USN-566-1.NASL", "href": "https://www.tenable.com/plugins/nessus/29922", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-566-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(29922);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2007-4752\");\n script_bugtraq_id(25628);\n script_xref(name:\"USN\", value:\"566-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssh vulnerability (USN-566-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jan Pechanec discovered that ssh would forward trusted X11 cookies\nwhen untrusted cookie generation failed. This could lead to unintended\nprivileges being forwarded to a remote host.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/566-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|6\\.10|7\\.04|7\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 6.10 / 7.04 / 7.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"openssh-client\", pkgver:\"1:4.2p1-7ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"openssh-server\", pkgver:\"4.2p1-7ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"ssh\", pkgver:\"4.2p1-7ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.2p1-7ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"openssh-client\", pkgver:\"1:4.3p2-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"openssh-server\", pkgver:\"4.3p2-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"ssh\", pkgver:\"4.3p2-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"6.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.3p2-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"openssh-client\", pkgver:\"1:4.3p2-8ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"openssh-server\", pkgver:\"4.3p2-8ubuntu1.1\")) 
flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"ssh\", pkgver:\"4.3p2-8ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.3p2-8ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"7.04\", pkgname:\"ssh-krb5\", pkgver:\"4.3p2-8ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"openssh-client\", pkgver:\"1:4.6p1-5ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"openssh-server\", pkgver:\"4.6p1-5ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"ssh\", pkgver:\"4.6p1-5ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.6p1-5ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"ssh-krb5\", pkgver:\"4.6p1-5ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-client / openssh-server / ssh / ssh-askpass-gnome / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:06:16", "description": "Updated openssh packages are now available for Red Hat Enterprise\nLinux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 4.5\nExtended Update Support.\n\nThis update has been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.\n\nLast week Red Hat detected an intrusion on certain of its computer\nsystems and took immediate action. While the investigation into the\nintrusion is on-going, our initial focus was to review and test the\ndistribution channel we use with our customers, Red Hat Network (RHN)\nand its associated security measures. 
Based on these efforts, we\nremain highly confident that our systems and processes prevented the\nintrusion from compromising RHN or the content distributed via RHN and\naccordingly believe that customers who keep their systems updated\nusing Red Hat Network are not at risk. We are issuing this alert\nprimarily for those who may obtain Red Hat binary packages via\nchannels other than those of official Red Hat subscribers.\n\nIn connection with the incident, the intruder was able to sign a small\nnumber of OpenSSH packages relating only to Red Hat Enterprise Linux 4\n(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5\n(x86_64 architecture only). As a precautionary measure, we are\nreleasing an updated version of these packages, and have published a\nlist of the tampered packages and how to detect them at\nhttp://www.redhat.com/security/data/openssh-blacklist.html\n\nTo reiterate, our processes and efforts to date indicate that packages\nobtained by Red Hat Enterprise Linux subscribers via Red Hat Network\nare not at risk.\n\nThese packages also fix a low severity flaw in the way ssh handles X11\ncookies when creating X11 forwarding connections. When ssh was unable\nto create an untrusted cookie, ssh used a trusted cookie instead,\npossibly allowing the administrative user of an untrusted remote\nserver, or an untrusted application run on the remote server, to gain\nunintended access to a user's local X server. 
(CVE-2007-4752)", "edition": 29, "published": "2008-08-24T00:00:00", "title": "RHEL 4 / 5 : openssh (RHSA-2008:0855)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752", "CVE-2008-3844"], "modified": "2008-08-24T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:4", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "cpe:/o:redhat:enterprise_linux:4.5", "cpe:/o:redhat:enterprise_linux:5.2", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:4.7"], "id": "REDHAT-RHSA-2008-0855.NASL", "href": "https://www.tenable.com/plugins/nessus/34034", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2008:0855. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34034);\n script_version(\"1.39\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2007-4752\", \"CVE-2008-3844\");\n script_bugtraq_id(25628, 30794);\n script_xref(name:\"RHSA\", value:\"2008:0855\");\n script_xref(name:\"IAVT\", value:\"2008-T-0046\");\n\n script_name(english:\"RHEL 4 / 5 : openssh (RHSA-2008:0855)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages are now available for Red Hat Enterprise\nLinux 4, Red Hat Enterprise Linux 5, and Red Hat Enterprise Linux 4.5\nExtended Update Support.\n\nThis update has 
been rated as having critical security impact by the\nRed Hat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.\n\nLast week Red Hat detected an intrusion on certain of its computer\nsystems and took immediate action. While the investigation into the\nintrusion is on-going, our initial focus was to review and test the\ndistribution channel we use with our customers, Red Hat Network (RHN)\nand its associated security measures. Based on these efforts, we\nremain highly confident that our systems and processes prevented the\nintrusion from compromising RHN or the content distributed via RHN and\naccordingly believe that customers who keep their systems updated\nusing Red Hat Network are not at risk. We are issuing this alert\nprimarily for those who may obtain Red Hat binary packages via\nchannels other than those of official Red Hat subscribers.\n\nIn connection with the incident, the intruder was able to sign a small\nnumber of OpenSSH packages relating only to Red Hat Enterprise Linux 4\n(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5\n(x86_64 architecture only). As a precautionary measure, we are\nreleasing an updated version of these packages, and have published a\nlist of the tampered packages and how to detect them at\nhttp://www.redhat.com/security/data/openssh-blacklist.html\n\nTo reiterate, our processes and efforts to date indicate that packages\nobtained by Red Hat Enterprise Linux subscribers via Red Hat Network\nare not at risk.\n\nThese packages also fix a low severity flaw in the way ssh handles X11\ncookies when creating X11 forwarding connections. When ssh was unable\nto create untrusted cookie, ssh used a trusted cookie instead,\npossibly allowing the administrative user of a untrusted remote\nserver, or untrusted application run on the remote server, to gain\nunintended access to a users local X server. 
(CVE-2007-4752)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2007-4752\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2008-3844\"\n );\n # http://www.redhat.com/security/data/openssh-blacklist.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/openssh-blacklist.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2008:0855\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:redhat:enterprise_linux:5.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2008:0855\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\nif (sp == \"5\") { if (rpm_check(release:\"RHEL4\", sp:\"5\", reference:\"openssh-3.9p1-10.RHEL4.20\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"openssh-3.9p1-11.el4_7\")) flag++; }\n\nif (sp == \"5\") { if (rpm_check(release:\"RHEL4\", sp:\"5\", reference:\"openssh-askpass-3.9p1-10.RHEL4.20\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-3.9p1-11.el4_7\")) flag++; }\n\nif (sp == \"5\") { if (rpm_check(release:\"RHEL4\", sp:\"5\", reference:\"openssh-askpass-gnome-3.9p1-10.RHEL4.20\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-gnome-3.9p1-11.el4_7\")) flag++; }\n\nif (sp == \"5\") { if (rpm_check(release:\"RHEL4\", sp:\"5\", reference:\"openssh-clients-3.9p1-10.RHEL4.20\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"openssh-clients-3.9p1-11.el4_7\")) flag++; }\n\nif (sp == \"5\") { if (rpm_check(release:\"RHEL4\", sp:\"5\", 
reference:\"openssh-server-3.9p1-10.RHEL4.20\")) flag++; }\n else { if (rpm_check(release:\"RHEL4\", reference:\"openssh-server-3.9p1-11.el4_7\")) flag++; }\n\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"openssh-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"openssh-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"openssh-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"openssh-askpass-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"openssh-askpass-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"openssh-askpass-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"openssh-clients-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"openssh-clients-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"openssh-clients-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"openssh-server-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"openssh-server-4.3p2-26.el5_2.1\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"openssh-server-4.3p2-26.el5_2.1\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:59", "description": "", "published": 
"2007-04-21T00:00:00", "type": "packetstorm", "title": "OpenSSH s/key Weakness", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2243"], "modified": "2007-04-21T00:00:00", "id": "PACKETSTORM:73600", "href": "https://packetstormsecurity.com/files/73600/OpenSSH-s-key-Weakness.html", "sourceData": "` _ _ _____ _ ___ _____ _ _ \n/ / / / ____/ / / _/_ __/ / / / \n/ /_/ / __/ / / / / / / / /_/ / \n/ __ / /___/ /____/ / / / / __ / \n/_/ /_/_____/_____/___/ /_/ /_/ /_/ \nHelith - 0815 \n-------------------------------------------------------------------------------- \n \nAuthor : Rembrandt \nDate : 2007-04-21 \nAffected Software: openssh (propably other implementations as well) \nAffected OS : any \nType : Information Disclosure \n \nOSVDB : 34600 \nCVE : 2007-2243 \nISS X-Force: : 33794 \nBID : 23601 \n \n \nOpenSSH, when configured to use S/KEY authentication, is prone to a remote \ninformation disclosure weakness. The issue occurs due to the S/KEY \nchallenge/response system being used for valid accounts. If a remote attacker \nsystematically attempsauthentication against a list of usernames, he can watch \nthe response to determine which accounts are valid. \n \nIf \"ChallengeResponseAuthentication\" is set to \"Yes\", which is the default \nsetting, OpenSSH allows the user to login by using S/KEY in the form of \n'ssh userid:skey at hostname'. \n \n \nSteps to reproduce: \n \n$ ssh user@somewhere \nPermission denied (publickey,keyboard-interactive). \n$ ssh user:skey@somewhere \notp-md5 99 some04578 \nS/Key Password: \n \n$ \n \n \nIf the useraccount exist but is not configured to use S/KEY or if the \nuseraccount does not exist at the specific system the response looks normal. \n \n \n$ ssh testuser:skey@somewhere \nPermission denied (publickey,keyboard-interactive). \n \n \nAs you can see clearly OpenSSH discloses the existence of system accounts. 
\n \n \nKind regards, \nRembrandt \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/73600/openssh_system_account_enumeration_if_s-key_is_used.txt"}], "ubuntu": [{"lastseen": "2020-07-09T00:21:25", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752"], "description": "Jan Pechanec discovered that ssh would forward trusted X11 cookies when \nuntrusted cookie generation failed. This could lead to unintended privileges \nbeing forwarded to a remote host.", "edition": 5, "modified": "2008-01-09T00:00:00", "published": "2008-01-09T00:00:00", "id": "USN-566-1", "href": "https://ubuntu.com/security/notices/USN-566-1", "title": "OpenSSH vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:05", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752"], "description": "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, 11.0, and 12.0 to fix a possible security issue. 
This version should\nalso provide increased performance with certain ciphers.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752\n\n\nHere are the details from the Slackware 12.0 ChangeLog:\n\npatches/packages/openssh-4.7p1-i486-1_slack12.0.tgz:\n Upgraded to openssh-4.7p1.\n From the OpenSSH release notes:\n \"Security bugs resolved in this release: Prevent ssh(1) from using a\n trusted X11 cookie if creation of an untrusted cookie fails; found and\n fixed by Jan Pechanec.\"\n While it's fair to say that we here at Slackware don't see how this could\n be leveraged to compromise a system, a) the OpenSSH people (who presumably\n understand the code better) characterize this as a security bug, b) it has\n been assigned a CVE entry, and c) OpenSSH is one of the most commonly used\n network daemons. Better safe than sorry.\n More information should appear here eventually:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-4.7p1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-4.7p1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssh-4.7p1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/openssh-4.7p1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/openssh-4.7p1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/openssh-4.7p1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/openssh-4.7p1-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/openssh-4.7p1-i486-1_slack12.0.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\n25e0189c2bc95eea8bb16765754ecea1 openssh-4.7p1-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n7505d255c41ef230253c717cc26ccbdb openssh-4.7p1-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\ndf85c1d9b38e013299a3836bb9c27132 openssh-4.7p1-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\nda0ca9a9fe19b6a957841c713f1741c3 openssh-4.7p1-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\nbde00df8778cd0493c3c0b725723a0c8 openssh-4.7p1-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\n882aefa12a491338232d062e1ae3a728 openssh-4.7p1-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\n3a39b28ceffc200fee92ebe78e259e92 openssh-4.7p1-i486-1_slack11.0.tgz\n\nSlackware 12.0 
package:\n405be96f426dde59c0fd0cb55eaa555f openssh-4.7p1-i486-1_slack12.0.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-4.7p1-i486-1_slack12.0.tgz", "modified": "2007-09-12T21:56:33", "published": "2007-09-12T21:56:33", "id": "SSA-2007-255-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.511041", "type": "slackware", "title": "[slackware-security] openssh", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2017-07-24T12:56:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of HP Secure Shell", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "id": "OPENVAS:835082", "href": "http://plugins.openvas.org/nasl.php?oid=835082", "type": "openvas", "title": "HP-UX Update for HP Secure Shell HPSBUX02287", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for HP Secure Shell HPSBUX02287\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remotely gain extended privileges\";\ntag_affected = \"HP Secure Shell on\n HP-UX B.11.11, B.11.23, and B.11.31 running HP Secure Shell\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running HP \n Secure Shell. The vulnerability could be exploited remotely to gain extended \n privileges.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01271085-1\");\n script_id(835082);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"02287\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"HP-UX Update for HP Secure Shell HPSBUX02287\");\n\n script_summary(\"Check for the Version of HP Secure Shell\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n 
script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.005\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.004\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.003\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:40:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of HP Secure Shell", "modified": "2018-04-06T00:00:00", "published": "2009-05-05T00:00:00", "id": "OPENVAS:1361412562310835082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835082", "type": "openvas", "title": "HP-UX Update for HP Secure Shell HPSBUX02287", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for HP Secure Shell HPSBUX02287\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remotely gain extended privileges\";\ntag_affected = \"HP Secure Shell on\n HP-UX B.11.11, B.11.23, and B.11.31 running HP Secure Shell\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running HP \n Secure Shell. The vulnerability could be exploited remotely to gain extended \n privileges.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01271085-1\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835082\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"HPSBUX\", value: \"02287\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"HP-UX Update for HP Secure Shell HPSBUX02287\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of HP Secure Shell\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.005\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.004\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"Secure_Shell.SECURE_SHELL\", revision:\"A.04.70.003\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2007-255-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231059014", "href": 
"http://plugins.openvas.org/nasl.php?oid=136141256231059014", "type": "openvas", "title": "Slackware Advisory SSA:2007-255-01 openssh", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2007_255_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.59014\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2007-4752\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2007-255-01 openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0|10\\.1|10\\.2|11\\.0|12\\.0)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2007-255-01\");\n\n script_tag(name:\"insight\", value:\"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, 11.0, and 12.0 to fix a possible security issue. This version should\nalso provide increased performance with certain ciphers.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2007-255-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i386-1_slack8.1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i386-1_slack9.0\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack9.1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.0\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.2\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack11.0\", rls:\"SLK11.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", 
ver:\"4.7p1-i486-1_slack12.0\", rls:\"SLK12.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-04-09T11:38:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of openssh", "modified": "2018-04-06T00:00:00", "published": "2009-04-09T00:00:00", "id": "OPENVAS:1361412562310830191", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830191", "type": "openvas", "title": "Mandriva Update for openssh MDKSA-2007:236 (openssh)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for openssh MDKSA-2007:236 (openssh)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling\n when an untrusted cookie could not be created and used a trusted X11\n cookie instead, which could allow attackers to violate intended policy\n and gain privileges by causing an X client to be treated as trusted.\n\n The updated packages have been patched to correct these issue.\";\n\ntag_affected = \"openssh on Mandriva Linux 2007.0,\n Mandriva Linux 2007.0/X86_64,\n Mandriva Linux 2007.1,\n Mandriva Linux 2007.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2007-12/msg00004.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.830191\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:00:25 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDKSA\", value: \"2007:236\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"Mandriva Update for openssh MDKSA-2007:236 (openssh)\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2007.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-common\", rpm:\"openssh-askpass-common~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2007.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-common\", rpm:\"openssh-askpass-common~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200711-02.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:58741", "href": "http://plugins.openvas.org/nasl.php?oid=58741", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200711-02 (openssh)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw has been discovered in OpenSSH which could allow a local attacker to\nbypass security restrictions.\";\ntag_solution = \"All OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.7'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200711-02\nhttp://bugs.gentoo.org/show_bug.cgi?id=191321\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200711-02.\";\n\n \n\nif(description)\n{\n script_id(58741);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2007-4752\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200711-02 (openssh)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/openssh\", unaffected: make_list(\"ge 4.7\"), vulnerable: make_list(\"lt 4.7\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:38:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh\n openssh-askpass\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5016761 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065513", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065513", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5016761.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for OpenSSH\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n openssh\n openssh-askpass\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5016761 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65513\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2007-4752\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for OpenSSH\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.1p1~11.40\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of openssh", "modified": "2017-07-06T00:00:00", "published": "2009-04-09T00:00:00", "id": "OPENVAS:830191", "href": "http://plugins.openvas.org/nasl.php?oid=830191", "type": "openvas", "title": "Mandriva Update for openssh MDKSA-2007:236 (openssh)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for openssh MDKSA-2007:236 (openssh)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in OpenSSH prior to 4.7 prevented ssh from properly handling\n when an untrusted cookie could not be created and used a trusted X11\n cookie instead, which could allow attackers to violate intended policy\n and gain privileges by causing an X client to be treated as trusted.\n\n The updated packages have been patched to correct these issue.\";\n\ntag_affected = \"openssh on Mandriva Linux 2007.0,\n Mandriva Linux 2007.0/X86_64,\n Mandriva Linux 2007.1,\n Mandriva Linux 2007.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2007-12/msg00004.php\");\n script_id(830191);\n script_version(\"$Revision: 6568 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:04:21 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:00:25 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDKSA\", value: \"2007:236\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"Mandriva Update for openssh MDKSA-2007:236 (openssh)\");\n\n script_summary(\"Check for the Version of openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", 
\"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2007.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-common\", rpm:\"openssh-askpass-common~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.6p1~1.1mdv2007.1\", rls:\"MNDK_2007.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2007.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"openssh-askpass-common\", rpm:\"openssh-askpass-common~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.5p1~0.2mdv2007.0\", rls:\"MNDK_2007.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:40:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of openssh", "modified": "2018-04-06T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:1361412562310870129", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870129", "type": "openvas", "title": "RedHat Update for openssh RHSA-2008:0855-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2008:0855-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.\n\n Last week Red Hat detected an intrusion on certain of its computer systems\n and took immediate action. While the investigation into the intrusion is\n on-going, our initial focus was to review and test the distribution\n channel we use with our customers, Red Hat Network (RHN) and its associated\n security measures. Based on these efforts, we remain highly confident that\n our systems and processes prevented the intrusion from compromising RHN or\n the content distributed via RHN and accordingly believe that customers who\n keep their systems updated using Red Hat Network are not at risk. We are\n issuing this alert primarily for those who may obtain Red Hat binary\n packages via channels other than those of official Red Hat subscribers.\n \n In connection with the incident, the intruder was able to sign a small\n number of OpenSSH packages relating only to Red Hat Enterprise Linux 4\n (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64\n architecture only). 
As a precautionary measure, we are releasing an\n updated version of these packages, and have published a list of the\n tampered packages and how to detect them at\n <a rel= &qt nofollow &qt href= &qt http://www.redhat.com/security/data/openssh-blacklist.html &qt >http://www.redhat.com/security/data/openssh-blacklist.html</a>\n \n To reiterate, our processes and efforts to date indicate that packages\n obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are\n not at risk.\n \n These packages also fix a low severity flaw in the way ssh handles X11\n cookies when creating X11 forwarding connections. When ssh was unable to\n create untrusted cookie, ssh used a trusted cookie instead, possibly\n allowing the administrative user of a untrusted remote server, or untrusted\n application run on the remote server, to gain unintended access to a users\n local X server. (CVE-2007-4752)\";\n\ntag_affected = \"openssh on Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4,\n Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-August/msg00017.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870129\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"RHSA\", value: \"2008:0855-01\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"RedHat Update for openssh RHSA-2008:0855-01\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", 
rpm:\"openssh-clients~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2007-255-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:59014", 
"href": "http://plugins.openvas.org/nasl.php?oid=59014", "type": "openvas", "title": "Slackware Advisory SSA:2007-255-01 openssh", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2007_255_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, 11.0, and 12.0 to fix a possible security issue. 
This version should\nalso provide increased performance with certain ciphers.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2007-255-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2007-255-01\";\n \nif(description)\n{\n script_id(59014);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2007-4752\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2007-255-01 openssh \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 
1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.7p1-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-27T10:56:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4752"], "description": "Check for the Version of openssh", "modified": "2017-07-12T00:00:00", "published": "2009-03-06T00:00:00", "id": "OPENVAS:870129", "href": "http://plugins.openvas.org/nasl.php?oid=870129", "type": "openvas", "title": "RedHat Update for openssh RHSA-2008:0855-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2008:0855-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation.\n\n Last week Red Hat detected an intrusion on certain of its computer systems\n and took immediate action. While the investigation into the intrusion is\n on-going, our initial focus was to review and test the distribution\n channel we use with our customers, Red Hat Network (RHN) and its associated\n security measures. Based on these efforts, we remain highly confident that\n our systems and processes prevented the intrusion from compromising RHN or\n the content distributed via RHN and accordingly believe that customers who\n keep their systems updated using Red Hat Network are not at risk. We are\n issuing this alert primarily for those who may obtain Red Hat binary\n packages via channels other than those of official Red Hat subscribers.\n \n In connection with the incident, the intruder was able to sign a small\n number of OpenSSH packages relating only to Red Hat Enterprise Linux 4\n (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64\n architecture only). 
As a precautionary measure, we are releasing an\n updated version of these packages, and have published a list of the\n tampered packages and how to detect them at\n <a rel= &qt nofollow &qt href= &qt http://www.redhat.com/security/data/openssh-blacklist.html &qt >http://www.redhat.com/security/data/openssh-blacklist.html</a>\n \n To reiterate, our processes and efforts to date indicate that packages\n obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are\n not at risk.\n \n These packages also fix a low severity flaw in the way ssh handles X11\n cookies when creating X11 forwarding connections. When ssh was unable to\n create untrusted cookie, ssh used a trusted cookie instead, possibly\n allowing the administrative user of a untrusted remote server, or untrusted\n application run on the remote server, to gain unintended access to a users\n local X server. (CVE-2007-4752)\";\n\ntag_affected = \"openssh on Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4,\n Red Hat Enterprise Linux (v. 
5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2008-August/msg00017.html\");\n script_id(870129);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-06 07:30:35 +0100 (Fri, 06 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"RHSA\", value: \"2008:0855-01\");\n script_cve_id(\"CVE-2007-4752\");\n script_name( \"RedHat Update for openssh RHSA-2008:0855-01\");\n\n script_summary(\"Check for the Version of openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.3p2~26.el5_2.1\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass-gnome\", rpm:\"openssh-askpass-gnome~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~3.9p1~11.el4_7\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752"], "description": "### Background\n\nOpenSSH is a complete SSH protocol implementation that includes an SFTP client and server support. 
\n\n### Description\n\nJan Pechanec discovered that OpenSSH uses a trusted X11 cookie when it cannot create an untrusted one. \n\n### Impact\n\nAn attacker could bypass the SSH client security policy and gain privileges by causing an X client to be treated as trusted. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-4.7\"", "edition": 1, "modified": "2007-11-01T00:00:00", "published": "2007-11-01T00:00:00", "id": "GLSA-200711-02", "href": "https://security.gentoo.org/glsa/200711-02", "type": "gentoo", "title": "OpenSSH: Security bypass", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-4752"], "description": "Invalid usage of X11 cookies.", "edition": 1, "modified": "2007-09-19T00:00:00", "published": "2007-09-19T00:00:00", "id": "SECURITYVULNS:VULN:8166", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8166", "title": "OpenSSH privilege escalation", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-4752"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nForesight Linux Essential Advisory: 2007-0055-1\r\nPublished: 2007-09-17\r\n\r\nRating: Minor\r\n\r\nUpdated Versions:\r\n openssh=/conary.rpath.com@rpl:devel//1//foresight.rpath.org@fl:1-devel//1/4.7p1-0.1.1-1\r\n openssh-client=/conary.rpath.com@rpl:devel//1//foresight.rpath.org@fl:1-devel//1/4.7p1-0.1.1-1\r\n openssh-server=/conary.rpath.com@rpl:devel//1//foresight.rpath.org@fl:1-devel//1/4.7p1-0.1.1-1\r\n 
gnome-ssh-askpass=/conary.rpath.com@rpl:devel//1//foresight.rpath.org@fl:1-devel//1/4.7p1-0.1.1-1\r\n group-dist=/foresight.rpath.org@fl:1-devel//1/1.3.2-0.19-5\r\n\r\nReferences:\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752\r\n https://issues.rpath.com/browse/RPL-1706\r\n http://www.openssh.com/txt/release-4.7\r\n\r\nDescription:\r\n Previous versions of openssh could use a trusted X11 cookie if creation\r\n of an untrusted cookie failed, a minor privilege escalation attack.\r\n\r\n- ---\r\n\r\nCopyright 2007 Foresight Linux Project\r\nThis file is distributed under the terms of the MIT License.\r\nA copy is available at http://www.foresightlinux.org/permanent/mit-license.html\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.4 (GNU/Linux)\r\n\r\niQIVAwUBRu7eIdfwEn07iAtZAQI1mA//QD4v/aBMlEBccfwRbnfqwLPqHIFw/am+\r\n9x5FhyCcp7n/t6vgwt4sYw8LOhUD2HdmRv5dL9zQ5KRB11Ed7nMwBrUje15+tu3h\r\nTkE/NOZxkWUFrrJ6EpFFHkCAhz9zyCvV0HtVkPi+yHYL5N+VYU5Ez/EcB98hXNaG\r\nEWlLwMT1WU230CwP3mb82Tjwah2aLJAVK/jDoieaxfMr0KinBaK9e55sjBuuTrE2\r\nzhvkzlO8MKsL3IHZaK4RtKL6OCBp0aFbzCJTuHnSwkjyrNmQOHft4+szP6GeBEIx\r\n2/A1P/lD78TZHekIRCl+L3FnH9Fe8/SNzFne2FkBYr4EC+7D7iDNkRQaC2gUKOqw\r\nGiweNrUyjfHarJceLxleovfjPY+3eaeAg1gXWaJQe6VmJUksDYHS9gpG+SXuPFkD\r\nWxxKYea1ncql8o98MfogzTzD+gfHJcpmuHn4rPmZ43Q49gxasmqtpbF86+yG7TPg\r\nU/emWMBCCL933nesi6o03Sfchk9P90bN1oWJ2jqI1UnoShsBlQ9X3wDoYjJ9saxD\r\n+N9nRTLuNbBZ+47EP3iRdP6nztFNt/2dDN/b4kFUxg5hxFErSPSOp1jQYdBoKxM7\r\nymh7ttgTIY0gyT7IgV/CDe0h/3CU2J1NdVqoEiRS1BGBfD3OPv8n/+vN0sz9vjks\r\nwApKQskb83w=\r\n=m8I5\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2007-09-19T00:00:00", "published": "2007-09-19T00:00:00", "id": "SECURITYVULNS:DOC:18019", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18019", "title": "FLEA-2007-0055-1 openssh openssh-client openssh-server gnome-ssh-askpass", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": 
[{"lastseen": "2020-07-17T03:27:57", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752", "CVE-2008-3844"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0855\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. \r\n\r\nLast week Red Hat detected an intrusion on certain of its computer systems\r\nand took immediate action. While the investigation into the intrusion is\r\non-going, our initial focus was to review and test the distribution\r\nchannel we use with our customers, Red Hat Network (RHN) and its associated\r\nsecurity measures. Based on these efforts, we remain highly confident that\r\nour systems and processes prevented the intrusion from compromising RHN or\r\nthe content distributed via RHN and accordingly believe that customers who\r\nkeep their systems updated using Red Hat Network are not at risk. We are\r\nissuing this alert primarily for those who may obtain Red Hat binary\r\npackages via channels other than those of official Red Hat subscribers.\r\n\r\nIn connection with the incident, the intruder was able to sign a small\r\nnumber of OpenSSH packages relating only to Red Hat Enterprise Linux 4\r\n(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64\r\narchitecture only). As a precautionary measure, we are releasing an\r\nupdated version of these packages, and have published a list of the\r\ntampered packages and how to detect them at\r\nhttp://www.redhat.com/security/data/openssh-blacklist.html\r\n\r\nTo reiterate, our processes and efforts to date indicate that packages\r\nobtained by Red Hat Enterprise Linux subscribers via Red Hat Network are\r\nnot at risk.\r\n\r\nThese packages also fix a low severity flaw in the way ssh handles X11\r\ncookies when creating X11 forwarding connections. 
When ssh was unable to\r\ncreate untrusted cookie, ssh used a trusted cookie instead, possibly\r\nallowing the administrative user of a untrusted remote server, or untrusted\r\napplication run on the remote server, to gain unintended access to a users\r\nlocal X server. (CVE-2007-4752)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027231.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027232.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027238.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-August/027242.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2008-0855.html", "edition": 8, "modified": "2008-08-23T15:41:51", "published": "2008-08-22T20:45:22", "href": "http://lists.centos.org/pipermail/centos-announce/2008-August/027231.html", "id": "CESA-2008:0855", "title": "openssh security update", "type": "centos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-12-11T13:33:25", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752", "CVE-2008-3844"], "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. \r\n\r\nLast week Red Hat detected an intrusion on certain of its computer systems\r\nand took immediate action. While the investigation into the intrusion is\r\non-going, our initial focus was to review and test the distribution\r\nchannel we use with our customers, Red Hat Network (RHN) and its associated\r\nsecurity measures. Based on these efforts, we remain highly confident that\r\nour systems and processes prevented the intrusion from compromising RHN or\r\nthe content distributed via RHN and accordingly believe that customers who\r\nkeep their systems updated using Red Hat Network are not at risk. 
We are\r\nissuing this alert primarily for those who may obtain Red Hat binary\r\npackages via channels other than those of official Red Hat subscribers.\r\n\r\nIn connection with the incident, the intruder was able to sign a small\r\nnumber of OpenSSH packages relating only to Red Hat Enterprise Linux 4\r\n(i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64\r\narchitecture only). As a precautionary measure, we are releasing an\r\nupdated version of these packages, and have published a list of the\r\ntampered packages and how to detect them at\r\nhttp://www.redhat.com/security/data/openssh-blacklist.html\r\n\r\nTo reiterate, our processes and efforts to date indicate that packages\r\nobtained by Red Hat Enterprise Linux subscribers via Red Hat Network are\r\nnot at risk.\r\n\r\nThese packages also fix a low severity flaw in the way ssh handles X11\r\ncookies when creating X11 forwarding connections. When ssh was unable to\r\ncreate untrusted cookie, ssh used a trusted cookie instead, possibly\r\nallowing the administrative user of a untrusted remote server, or untrusted\r\napplication run on the remote server, to gain unintended access to a users\r\nlocal X server. (CVE-2007-4752)", "modified": "2017-09-08T11:57:25", "published": "2008-08-22T04:00:00", "id": "RHSA-2008:0855", "href": "https://access.redhat.com/errata/RHSA-2008:0855", "type": "redhat", "title": "(RHSA-2008:0855) Critical: openssh security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2007-3102", "CVE-2007-4752"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. 
OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. ", "modified": "2007-10-15T19:54:28", "published": "2007-10-15T19:54:28", "id": "FEDORA:L9FJSSNP014372", "href": "", "type": "fedora", "title": "[SECURITY] Fedora Core 6 Update: openssh-4.3p2-25.fc6", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:32", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752", "CVE-2008-3844"], "description": "[4.3p2-26.el5_2.1]\n- CVE-2007-4752 - Prevent ssh(1) from using a trusted X11 cookie if creation of an\n untrusted cookie fails (#280361)", "edition": 4, "modified": "2008-08-22T00:00:00", "published": "2008-08-22T00:00:00", "id": "ELSA-2008-0855", "href": "http://linux.oracle.com/errata/ELSA-2008-0855.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:16:42", "bulletinFamily": "unix", "cvelist": ["CVE-2007-4752", "CVE-2008-1483", "CVE-2008-0166"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1576-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nMay 14, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : openssh\nVulnerability : predictable random number generator\nProblem type : remote\nDebian-specific: yes\nCVE Id(s) : CVE-2008-0166\n\nThe recently announced vulnerability in Debian's openssl package\n(DSA-1571-1, CVE-2008-0166) indirectly affects OpenSSH. 
As a result,\nall user and host keys generated using broken versions of the openssl\npackage must be considered untrustworthy, even after the openssl update\nhas been applied.\n\n1. Install the security updates\n\n This update contains a dependency on the openssl update and will\n automatically install a corrected version of the libssl0.9.8 package,\n and a new package openssh-blacklist.\n\n Once the update is applied, weak user keys will be automatically\n rejected where possible (though they cannot be detected in all\n cases). If you are using such keys for user authentication, they\n will immediately stop working and will need to be replaced (see\n step 3).\n\n OpenSSH host keys can be automatically regenerated when the OpenSSH\n security update is applied. The update will prompt for confirmation\n before taking this step.\n\n2. Update OpenSSH known_hosts files\n\n The regeneration of host keys will cause a warning to be displayed when\n connecting to the system using SSH until the host key is updated in the\n known_hosts file. The warning will look like this:\n\n @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\n @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\n Someone could be eavesdropping on you right now (man-in-the-middle attack)!\n It is also possible that the RSA host key has just been changed.\n\n In this case, the host key has simply been changed, and you should update\n the relevant known_hosts file as indicated in the error message.\n \n It is recommended that you use a trustworthy channel to exchange the\n server key. It is found in the file /etc/ssh/ssh_host_rsa_key.pub on\n the server; its fingerprint can be printed using the command:\n\n ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub\n\n In addition to user-specific known_hosts files, there may be a\n system-wide known hosts file /etc/ssh/known_hosts. 
This file is\n used both by the ssh client and by sshd for the hosts.equiv\n functionality. This file needs to be updated as well.\n\n3. Check all OpenSSH user keys\n\n The safest course of action is to regenerate all OpenSSH user keys,\n except where it can be established to a high degree of certainty that the\n key was generated on an unaffected system.\n\n Check whether your key is affected by running the ssh-vulnkey tool, included\n in the security update. By default, ssh-vulnkey will check the standard\n location for user keys (~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity),\n your authorized_keys file (~/.ssh/authorized_keys and\n ~/.ssh/authorized_keys2), and the system's host keys\n (/etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key).\n\n To check all your own keys, assuming they are in the standard\n locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):\n\n ssh-vulnkey\n\n To check all keys on your system:\n\n sudo ssh-vulnkey -a\n\n To check a key in a non-standard location:\n\n ssh-vulnkey /path/to/key\n\n If ssh-vulnkey says "Unknown (no blacklist information)", then it has no\n information about whether that key is affected. In this case, you\n can examine the modification time (mtime) of the file using "ls -l".\n Keys generated before September 2006 are not affected. Keep in mind\n that, although unlikely, backup procedures may have changed the file\n date back in time (or the system clock may have been incorrectly\n set).\n \n If in doubt, generate a new key and remove the old one from any\n servers.\n\n4. 
Regenerate any affected user keys\n\n OpenSSH keys used for user authentication must be manually regenerated,\n including those which may have since been transferred to a different system\n after being generated.\n\n New keys can be generated using ssh-keygen, e.g.:\n\n $ ssh-keygen\n Generating public/private rsa key pair.\n Enter file in which to save the key (/home/user/.ssh/id_rsa):\n Enter passphrase (empty for no passphrase):\n Enter same passphrase again:\n Your identification has been saved in /home/user/.ssh/id_rsa.\n Your public key has been saved in /home/user/.ssh/id_rsa.pub.\n The key fingerprint is:\n 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host\n\n5. Update authorized_keys files (if necessary)\n\n Once the user keys have been regenerated, the relevant public keys\n must be propagated to any authorized_keys files (and authorized_keys2\n files, if applicable) on remote systems. Be sure to delete the lines\n containing old keys from those files.\n\n\nIn addition to countermeasures to mitigate the randomness vulnerability,\nthis OpenSSH update fixes several other vulnerabilities:\n\nCVE-2008-1483:\n Timo Juhani Lindfors discovered that, when using X11 forwarding, the\n SSH client selects an X11 forwarding port without ensuring that it\n can be bound on all address families. If the system is configured\n with IPv6 (even if it does not have working IPv6 connectivity), this\n could allow a local attacker on the remote server to hijack X11\n forwarding.\n\nCVE-2007-4752:\n Jan Pechanec discovered that ssh falls back to creating a trusted X11\n cookie if creating an untrusted cookie fails, potentially exposing\n the local display to a malicious remote server when using X11\n forwarding.\n\nFor the stable distribution (etch), these problems have been fixed in\nversion 4.3p2-9etch1. 
Currently, only a subset of all supported\narchitectures have been built; further updates will be provided when\nthey become available.\n\nFor the unstable distribution (sid) and the testing distribution\n(lenny), these problems have been fixed in version 4.7p1-9.\n\nWe recommend that you upgrade your openssh packages and take the\nmeasures indicated above.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.diff.gz\n Size/MD5 checksum: 275168 920f559caa1c8c737b016c08df2bde05\n http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.tar.gz\n Size/MD5 checksum: 3694141 05eec6b473990bff4fc70921b232794b\n http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2-9etch1.dsc\n Size/MD5 checksum: 1074 89930d72e9aff6b344efd35a130e4faa\n http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1.dsc\n Size/MD5 checksum: 799 aeaa45e0bfbf7f966e3c7fca9181d99d\n http://security.debian.org/pool/updates/main/o/openssh/openssh_4.3p2.orig.tar.gz\n Size/MD5 checksum: 920186 239fc801443acaffd4c1f111948ee69c\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/o/openssh-blacklist/openssh-blacklist_0.1.1_all.deb\n Size/MD5 checksum: 2121928 fa1ba22d98f91f18b326ee1bfd31bcbb\n http://security.debian.org/pool/updates/main/o/openssh/ssh_4.3p2-9etch1_all.deb\n Size/MD5 checksum: 1060 44ec3f52add1876d7b2c1bd3fa3cdbfd\n 
http://security.debian.org/pool/updates/main/o/openssh/ssh-krb5_4.3p2-9etch1_all.deb\n Size/MD5 checksum: 92162 9ae37916a6dc269318aff1215b6638cf\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_alpha.udeb\n Size/MD5 checksum: 198496 69fe6fc4002ec592e1756cee28ffd85b\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_alpha.deb\n Size/MD5 checksum: 782120 e5746f3c12a52f72b75cffee8e1c3a6f\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_alpha.deb\n Size/MD5 checksum: 100402 fda20ac6b68a6882534384e6ce4e6efd\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_alpha.udeb\n Size/MD5 checksum: 213724 118390296bbf6d6d208d39a07895852e\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_alpha.deb\n Size/MD5 checksum: 266518 be53eb9497ea993e0ae7db6a0a4dcd3a\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_amd64.udeb\n Size/MD5 checksum: 183848 bd6c4123fe0e72f7565e455b25eb037c\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_amd64.deb\n Size/MD5 checksum: 244406 f70bf398d91eb4b8fe27cc5b03548b16\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_amd64.udeb\n Size/MD5 checksum: 171512 0b8afcf2b96ad97323152342e83dd3bf\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_amd64.deb\n Size/MD5 checksum: 709734 556332c58aeee82628d35ebf71d15ac1\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_amd64.deb\n Size/MD5 checksum: 99896 14d2f97314e7b4b6cb97540667d7f544\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_hppa.udeb\n Size/MD5 checksum: 189608 
5267dec18e00f3e88bd53b3adfe23e62\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_hppa.deb\n Size/MD5 checksum: 100438 2ebd2edd75c440c062eaafab5a97b177\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_hppa.deb\n Size/MD5 checksum: 250556 1ca2aa080853748ab343381d9f9ffc6b\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_hppa.udeb\n Size/MD5 checksum: 198424 d99af9d81fe074f9b16928cae835ce56\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_hppa.deb\n Size/MD5 checksum: 733664 e6abc3231e7d274a5a73321ea3761974\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_i386.deb\n Size/MD5 checksum: 660432 16f0807e7871c23af0660e529837cb76\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_i386.deb\n Size/MD5 checksum: 224178 aaedc883a11ba7273e5ddeb496a3488a\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_i386.deb\n Size/MD5 checksum: 100000 fd41f726ff14b7f8ab0dfc1c6b43be2c\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_i386.udeb\n Size/MD5 checksum: 162630 f197dbdfe7a92bd4992d8c77c76b4488\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_i386.udeb\n Size/MD5 checksum: 154028 5df04dc7c5474b30e515047740bd0c38\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_ia64.udeb\n Size/MD5 checksum: 269868 1646034b7db5a862ea17d0d6928900ff\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_ia64.deb\n Size/MD5 checksum: 961594 394027253cbaeba863f07e7fee848dcb\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_ia64.deb\n Size/MD5 checksum: 101280 f3e421145857106615ce19cb05508a7a\n 
http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_ia64.udeb\n Size/MD5 checksum: 251840 24ba6fd53e10e754845fc4361257d0ff\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_ia64.deb\n Size/MD5 checksum: 338256 4ff1206f8f3c618f7bfd406f88b38841\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_powerpc.deb\n Size/MD5 checksum: 237040 b50b3e1ac8586eb55a5f06201dd3edf2\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_powerpc.udeb\n Size/MD5 checksum: 173322 f1fa458555b787a2b7fc786da7974b91\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_powerpc.deb\n Size/MD5 checksum: 700518 fd43ca106400be36545f31b955667e22\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_powerpc.deb\n Size/MD5 checksum: 101080 a5005e3e3447f8eb75d99746a2704b8d\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_powerpc.udeb\n Size/MD5 checksum: 168320 61848a42ed513d232fceea6eb335e315\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server_4.3p2-9etch1_sparc.deb\n Size/MD5 checksum: 218132 ce7a2f44e51c2fe6df31ec567ce65d28\n http://security.debian.org/pool/updates/main/o/openssh/ssh-askpass-gnome_4.3p2-9etch1_sparc.deb\n Size/MD5 checksum: 99544 61cd81c98576feea92fb865856311b7d\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client_4.3p2-9etch1_sparc.deb\n Size/MD5 checksum: 639770 6085da0b96f1e9ee87abec7206eb7ef8\n http://security.debian.org/pool/updates/main/o/openssh/openssh-server-udeb_4.3p2-9etch1_sparc.udeb\n Size/MD5 checksum: 166706 99368689bddbc70f98ef5f51aa19051a\n http://security.debian.org/pool/updates/main/o/openssh/openssh-client-udeb_4.3p2-9etch1_sparc.udeb\n Size/MD5 checksum: 158360 
07bf438d8e0d3fd02ff37371ff8645d6\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 7, "modified": "2008-05-14T09:25:13", "published": "2008-05-14T09:25:13", "id": "DEBIAN:DSA-1576-1:61216", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00153.html", "title": "[SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N"}}]}