ID OPENSSH_72.NASL Type nessus Reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-03-02T00:00:00
Description
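According to its banner, the version of OpenSSH running on the remote
host is prior to 7.2. It is, therefore, affected by a security bypass
vulnerability due to a flaw in ssh(1) that is triggered when it falls
back from untrusted X11 forwarding to trusted forwarding when the
SECURITY extension is disabled by the X server. This can result in
untrusted X11 connections being granted trusted forwarding privileges,
which can be exploited by a remote attacker. Note that the finding is
inferred from the SSH server banner alone, while the flaw is in the
ssh(1) client, so it indicates a potentially affected installation
rather than a confirmed one.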
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Metadata block: runs only when `description` is set and ends with exit(0),
# so the detection logic further down the file is not reached in that pass.
if (description)
{
# Plugin identity and revision information.
script_id(90022);
script_version("1.9");
script_cvs_date("Date: 2019/11/20");
# The single CVE this plugin reports on.
script_cve_id("CVE-2016-1908");
script_name(english:"OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass");
# The summary states the method: only the banner version is checked.
script_summary(english:"Checks the OpenSSH banner version.");
# NOTE(review): the synopsis names the SSH server, while the description
# below attributes the flaw to ssh(1), the client program. The detection
# code only reads the server banner, so a finding is an inference about the
# OpenSSH installation, not a test of the X11 forwarding fallback itself.
script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by a security
bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.2. It is, therefore, affected by a security bypass
vulnerability due to a flaw in ssh(1) that is triggered when it falls
back from untrusted X11 forwarding to trusted forwarding when the
SECURITY extension is disabled by the X server. This can result in
untrusted X11 connections that can be exploited by a remote attacker.");
# Upstream release notes for the fixed version.
script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.2");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.2 or later.");
# CVSS v2 and v3.0 base and temporal vectors. cvss_score_source names
# CVE-2016-1908, so presumably the scores are taken from that CVE entry
# rather than derived by the plugin - confirm when triaging severity.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1908");
# Exploit status as recorded by the plugin author.
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Disclosure, patch and plugin publication dates (YYYY/MM/DD).
script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/29");
script_set_attribute(attribute:"patch_publication_date", value:"2016/02/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/18");
# The finding is marked as potential; this matches the paranoia gate in the
# detection code (report_paranoia < 2 audits out) and the
# Settings/ParanoidReport key required below.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Prerequisites declared to the scanner: a dependency plugin, a required KB
# key and a required service port.
# presumably ssh_detect.nasl populates the SSH service and banner KB entries
# read by the detection code - confirm.
script_dependencies("ssh_detect.nasl");
script_require_keys("Settings/ParanoidReport");
script_require_ports("Services/ssh");
# Metadata registered; stop here without running the check.
exit(0);
}
include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");
# Banner-only detection for CVE-2016-1908.
#
# Nothing below probes X11 forwarding. The verdict comes from the version
# string in the SSH server banner, whereas the plugin description attributes
# the flaw to ssh(1); treat a hit as "potentially affected installation".
# Each audit() call below is used as a terminating guard, as in the original
# flow where execution continues only when the guard condition is false.

# Resolve the port of the detected SSH service (exit_on_fail:TRUE is passed,
# so the script does not continue without one).
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Read the banner stored in the KB for that port, or exit if there is none.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# All matching is done on the lower-cased result of get_backport_banner();
# the untouched `banner` is kept for the report.
normalized_banner = tolower(get_backport_banner(banner:banner));

# Guard: the banner does not mention OpenSSH at all.
if ("openssh" >!< normalized_banner)
  audit(AUDIT_NOT_LISTEN, "OpenSSH", port);

# Guard: only report when report_paranoia is 2 or higher, since the result
# rests on a version string alone.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

# Guard: `backported` is set (presumably by get_backport_banner() in
# backport.inc - confirm), so the banner version cannot be trusted to
# reflect the patch level.
if (backported)
  audit(code:0, AUDIT_BACKPORT_SERVICE, port, "OpenSSH");

# Pull the version token that follows "openssh-" or "openssh_".
ver_match = eregmatch(string:normalized_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
if (isnull(ver_match))
  audit(AUDIT_SERVICE_VER_FAIL, "OpenSSH", port);
version = ver_match[1];

# Affected versions are 0.x through 6.x, and 7.0 / 7.1 (including suffixed
# builds such as 7.1p2). Anything else is reported as not vulnerable.
if (version !~ "^[0-6]\." && version !~ "^7\.[0-1]($|[^0-9])")
  audit(AUDIT_LISTEN_NOT_VULN, "OpenSSH", port, version);

# Build the report: the raw banner as evidence, the parsed version, and the
# first fixed release.
fixed_version = "7.2";
report_fields = make_array(
  "Version source", banner,
  "Installed version", version,
  "Fixed version", fixed_version
);
field_order = make_list("Version source", "Installed version", "Fixed version");
report = report_items_str(report_items:report_fields, ordered_fields:field_order);

security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
exit(0);
{"id": "OPENSSH_72.NASL", "bulletinFamily": "scanner", "title": "OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass", "description": "According to its banner, the version of OpenSSH running on the remote\nhost is prior to 7.2. It is, therefore, affected by a security bypass\nvulnerability due to a flaw in ssh(1) that is triggered when it falls\nback from untrusted X11 forwarding to trusted forwarding when the\nSECURITY extension is disabled by the X server. This can result in\nuntrusted X11 connections that can be exploited by a remote attacker.", "published": "2016-03-18T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/90022", "reporter": "This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.openssh.com/txt/release-7.2"], "cvelist": ["CVE-2016-1908"], "type": "nessus", "lastseen": "2021-03-01T04:56:15", "edition": 31, "viewCount": 61, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-1908"]}, {"type": "f5", "idList": ["SOL71960814", "F5:K71960814"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1500-2:1F61F", "DEBIAN:DLA-1500-1:E6BD7"]}, {"type": "fedora", "idList": ["FEDORA:5EDFF6087A17"]}, {"type": "amazon", "idList": ["ALAS-2016-675"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2016-0465.NASL", "SL_20160321_OPENSSH_ON_SL7_X.NASL", "AIX_OPENSSH_ADVISORY8.NASL", "ORACLELINUX_ELSA-2016-0465.NASL", "CENTOS_RHSA-2016-0465.NASL", "ALA_ALAS-2016-675.NASL", "PALO_ALTO_PAN-SA-2020-0005.NASL", "FEDORA_2016-4509765B4B.NASL", "EULEROS_SA-2016-1008.NASL", "DEBIAN_DLA-1500.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810768", "OPENVAS:1361412562310842740", "OPENVAS:1361412562310120665", "OPENVAS:1361412562310807245", "OPENVAS:1361412562310122910", "OPENVAS:1361412562310882432", "OPENVAS:1361412562310810769", 
"OPENVAS:1361412562310871580", "OPENVAS:1361412562311220161008", "OPENVAS:1361412562310871613"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-0741", "ELSA-2016-0465"]}, {"type": "redhat", "idList": ["RHSA-2016:0465", "RHSA-2016:0741"]}, {"type": "symantec", "idList": ["SMNTC-1368"]}, {"type": "centos", "idList": ["CESA-2016:0465", "CESA-2016:0741"]}, {"type": "aix", "idList": ["OPENSSH_ADVISORY8.ASC"]}, {"type": "ubuntu", "idList": ["USN-2966-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:782597A83B98B15285C8A73B8555B7B2"]}, {"type": "gentoo", "idList": ["GLSA-201612-18"]}], "modified": "2021-03-01T04:56:15", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-03-01T04:56:15", "rev": 2}, "vulnersScore": 6.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90022);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/20\");\n\n script_cve_id(\"CVE-2016-1908\");\n\n script_name(english:\"OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass\");\n script_summary(english:\"Checks the OpenSSH banner version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The SSH server running on the remote host is affected by a security\nbypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of OpenSSH running on the remote\nhost is prior to 7.2. It is, therefore, affected by a security bypass\nvulnerability due to a flaw in ssh(1) that is triggered when it falls\nback from untrusted X11 forwarding to trusted forwarding when the\nSECURITY extension is disabled by the X server. 
This can result in\nuntrusted X11 connections that can be exploited by a remote attacker.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssh.com/txt/release-7.2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSH version 7.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1908\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\" + port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner)\n audit(AUDIT_NOT_LISTEN, \"OpenSSH\", port);\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\nif (backported)\n audit(code:0, AUDIT_BACKPORT_SERVICE, port, \"OpenSSH\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match))\n audit(AUDIT_SERVICE_VER_FAIL, \"OpenSSH\", port);\nversion = match[1];\n\nfix = \"7.2\";\nif (\n version =~ \"^[0-6]\\.\" ||\n version =~ \"^7\\.[0-1]($|[^0-9])\"\n )\n{\n items = make_array(\"Version source\", banner,\n \"Installed version\", version,\n \"Fixed version\", fix);\n order = make_list(\"Version source\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"OpenSSH\", port, version);\n", "naslFamily": "Misc.", "pluginID": "90022", "cpe": ["cpe:/a:openbsd:openssh"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:28:04", "description": "The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-11T18:59:00", "title": "CVE-2016-1908", "type": "cve", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1908"], "modified": "2018-09-11T10:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.1"], "id": "CVE-2016-1908", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1908", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.1:p2:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-04-30T18:21:08", "bulletinFamily": "software", "cvelist": ["CVE-2016-1908"], "description": "\nF5 Product Development has assigned ID 593402 (BIG-IP) and ID 
LRS-60742 (LineRate) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not 
vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| 2.5.0 - 2.6.1| None| Medium| OpenSSH \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| OpenSSH\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nLineRate\n\nTo mitigate this vulnerability, you can modify the **sshd_config** file to disable X11 forwarding. To do so, perform the following procedure:\n\n**Impact of action:** This procedure requires you to modify your secure shell (SSH) configuration, and to restart the SSH service. If you do not update the configuration syntax correctly, the SSH service may fail to start. When you restart the SSH service, existing SSH sessions may be terminated. You should not perform this procedure using a remote SSH session; any mistakes may prevent further SSH access to the LineRate system.\n\n 1. Log in to the LineRate command line.\n 2. Switch to the Advanced Shell (**bash**) by typing the following command: \n\nbash\n\n 3. Create a backup of the current **sshd_config** file by typing the following command: \n\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-SOL71960814.save\n\n 4. 
Using a text editor, such as **vi** or **pico**, locate the **X11Forwarding** option in the **/etc/ssh/sshd_config** file, and disable the option by setting it to **no**: \n\nX11Forwarding no\n\n**Note**: You must use the **sudo** command when opening your text editor, or you will not have permission to save your changes.\n\n 5. Save your changes and exit the text editor.\n 6. Test the syntax of your changes by typing the following two commands: \n * sudo /usr/linerate/sbin/sshd -t\n\nIf there are no errors, this command should return you to the prompt.\n\n * echo $?\n\nThis echo command returns the status code of the last command you typed. The result should be 0 (zero).\n\n**Important**: If either of these commands return errors, repeat step 4 and confirm that the syntax of the modification is correct. Incorrect configuration syntax may prevent the SSH service from starting.\n\n 7. Restart the SSH service by typing the following command: \n\nsudo service sshd restart\n\n**Note**: Existing SSH sessions may be terminated when you restart the SSH service.\n\n 8. 
Exit **bash **by typing the following command: \n\nexit\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2017-05-24T20:50:00", "published": "2016-05-31T23:44:00", "id": "F5:K71960814", "href": "https://support.f5.com/csp/article/K71960814", "title": "OpenSSH vulnerability CVE-2016-1908", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:23", "bulletinFamily": "software", "cvelist": ["CVE-2016-1908"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nLineRate\n\nTo mitigate this vulnerability, you can modify the **sshd_config** file to disable X11 forwarding. 
To do so, perform the following procedure:\n\n**Impact of action:** This procedure requires you to modify your secure shell (SSH) configuration, and to restart the SSH service. If you do not update the configuration syntax correctly, the SSH service may fail to start. When you restart the SSH service, existing SSH sessions may be terminated. You should not perform this procedure using a remote SSH session; any mistakes may prevent further SSH access to the LineRate system.\n\n 1. Log in to the LineRate command line.\n 2. Switch to the Advanced Shell (**bash**) by typing the following command: \n\nbash\n\n 3. Create a backup of the current **sshd_config** file by typing the following command: \n\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config-SOL71960814.save\n\n 4. Using a text editor, such as **vi** or **pico**, locate the **X11Forwarding** option in the **/etc/ssh/sshd_config** file, and disable the option by setting it to **no**: \n\nX11Forwarding no\n\n**Note**: You must use the **sudo** command when opening your text editor, or you will not have permission to save your changes.\n\n 5. Save your changes and exit the text editor.\n 6. Test the syntax of your changes by typing the following two commands: \n * sudo /usr/linerate/sbin/sshd -t\n\nIf there are no errors, this command should return you to the prompt.\n\n * echo $?\n\nThis echo command returns the status code of the last command you typed. The result should be 0 (zero).\n\n**Important**: If either of these commands return errors, repeat step 4 and confirm that the syntax of the modification is correct. Incorrect configuration syntax may prevent the SSH service from starting.\n\n 7. Restart the SSH service by typing the following command: \n\nsudo service sshd restart\n\n**Note**: Existing SSH sessions may be terminated when you restart the SSH service.\n\n 8. 
Exit **bash **by typing the following command: \n\nexit\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2016-05-31T00:00:00", "published": "2016-05-31T00:00:00", "id": "SOL71960814", "href": "http://support.f5.com/kb/en-us/solutions/public/k/71/sol71960814.html", "type": "f5", "title": "SOL71960814 - OpenSSH vulnerability CVE-2016-1908", "cvss": {"score": 3.8, "vector": "AV:NETWORK/AC:LOW/Au:LOW/C:NONE/I:LOW/A:NONE/"}}], "debian": [{"lastseen": "2020-08-12T00:59:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908"], "description": "Package : openssh\nVersion : 1:6.7p1-5+deb8u7\nDebian Bug : 908652\n\n\nThe security update of OpenSSH announced as DLA 1500-1 introduced a bug in\nopenssh-client: when X11 forwarding is enabled (via system-wide\nconfiguration in ssh_config or via -X command line switch), but no DISPLAY\nis set, the client produces a "DISPLAY "(null)" invalid; disabling X11\nforwarding" warning. These bug was introduced by the patch set to fix the\nCVE-2016-1908 issue. For reference, the following is the relevant section\nof the original announcement:\n\nCVE-2016-1908\n\n OpenSSH mishandled untrusted X11 forwarding when the X server disables\n the SECURITY extension. Untrusted connections could obtain trusted X11\n forwarding privileges. 
Reported by Thomas Hoger.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n1:6.7p1-5+deb8u7.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-09-12T20:03:33", "published": "2018-09-12T20:03:33", "id": "DEBIAN:DLA-1500-2:1F61F", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00014.html", "title": "[SECURITY] [DLA 1500-2] openssh regression update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:03:17", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-1908", "CVE-2016-10708", "CVE-2016-10011", "CVE-2015-6564", "CVE-2016-10009", "CVE-2016-6515", "CVE-2015-5352", "CVE-2016-3115", "CVE-2017-15906", "CVE-2016-10012", "CVE-2015-6563"], "description": "Package : openssh\nVersion : 1:6.7p1-5+deb8u6\nCVE ID : CVE-2015-5352 CVE-2015-5600 CVE-2015-6563 CVE-2015-6564\n CVE-2016-1908 CVE-2016-3115 CVE-2016-6515 CVE-2016-10009\n CVE-2016-10011 CVE-2016-10012 CVE-2016-10708\n CVE-2017-15906\nDebian Bug : 790798 793616 795711 848716 848717\n\n\nSeveral vulnerabilities have been found in OpenSSH, a free implementation\nof the SSH protocol suite:\n\nCVE-2015-5352\n\n OpenSSH incorrectly verified time window deadlines for X connections.\n Remote attackers could take advantage of this flaw to bypass intended\n access restrictions. Reported by Jann Horn.\n\nCVE-2015-5600\n\n OpenSSH improperly restricted the processing of keyboard-interactive\n devices within a single connection, which could allow remote attackers\n to perform brute-force attacks or cause a denial of service, in a\n non-default configuration.\n\nCVE-2015-6563\n\n OpenSSH incorrectly handled usernames during PAM authentication. 
In\n conjunction with an additional flaw in the OpenSSH unprivileged child\n process, remote attackers could make use if this issue to perform user\n impersonation. Discovered by Moritz Jodeit.\n\nCVE-2015-6564\n\n Moritz Jodeit discovered a use-after-free flaw in PAM support in\n OpenSSH, that could be used by remote attackers to bypass\n authentication or possibly execute arbitrary code.\n\nCVE-2016-1908\n\n OpenSSH mishandled untrusted X11 forwarding when the X server disables\n the SECURITY extension. Untrusted connections could obtain trusted X11\n forwarding privileges. Reported by Thomas Hoger.\n\nCVE-2016-3115\n\n OpenSSH improperly handled X11 forwarding data related to\n authentication credentials. Remote authenticated users could make use\n of this flaw to bypass intended shell-command restrictions. Identified\n by github.com/tintinweb.\n\nCVE-2016-6515\n\n OpenSSH did not limit password lengths for password authentication.\n Remote attackers could make use of this flaw to cause a denial of\n service via long strings.\n\nCVE-2016-10009\n\n Jann Horn discovered an untrusted search path vulnerability in\n ssh-agent allowing remote attackers to execute arbitrary local\n PKCS#11 modules by leveraging control over a forwarded agent-socket.\n\nCVE-2016-10011\n\n Jann Horn discovered that OpenSSH did not properly consider the\n effects of realloc on buffer contents. 
This may allow local users to\n obtain sensitive private-key information by leveraging access to a\n privilege-separated child process.\n\nCVE-2016-10012\n\n Guido Vranken discovered that the OpenSSH shared memory manager\n did not ensure that a bounds check was enforced by all compilers,\n which could allow local users to gain privileges by leveraging access\n to a sandboxed privilege-separation process.\n\nCVE-2016-10708\n\n NULL pointer dereference and daemon crash via an out-of-sequence\n NEWKEYS message.\n\nCVE-2017-15906\n\n Michal Zalewski reported that OpenSSH improperly prevent write\n operations in readonly mode, allowing attackers to create zero-length\n files.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1:6.7p1-5+deb8u6.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-09-10T08:45:03", "published": "2018-09-10T08:45:03", "id": "DEBIAN:DLA-1500-1:E6BD7", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00010.html", "title": "[SECURITY] [DLA 1500-1] openssh security update", "type": "debian", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. 
This version of OpenSSH has been modified to support GSI authentication. This package includes the core files necessary for both the gsissh client and server. To make this package useful, you should also install gsi-openssh-clients, gsi-openssh-server, or both. ", "modified": "2016-02-10T16:53:50", "published": "2016-02-10T16:53:50", "id": "FEDORA:5EDFF6087A17", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: gsi-openssh-7.1p2-3.fc23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:27", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908"], "description": "**Issue Overview:**\n\nAn access flaw was discovered in the OpenSSH client where it did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested.\n\n \n**Affected Packages:** \n\n\nopenssh\n\n \n**Issue Correction:** \nRun _yum update openssh_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssh-clients-6.6.1p1-25.61.amzn1.i686 \n openssh-ldap-6.6.1p1-25.61.amzn1.i686 \n openssh-6.6.1p1-25.61.amzn1.i686 \n openssh-debuginfo-6.6.1p1-25.61.amzn1.i686 \n pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.i686 \n openssh-keycat-6.6.1p1-25.61.amzn1.i686 \n openssh-server-6.6.1p1-25.61.amzn1.i686 \n \n src: \n openssh-6.6.1p1-25.61.amzn1.src \n \n x86_64: \n openssh-debuginfo-6.6.1p1-25.61.amzn1.x86_64 \n openssh-6.6.1p1-25.61.amzn1.x86_64 \n pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.x86_64 \n openssh-ldap-6.6.1p1-25.61.amzn1.x86_64 \n openssh-clients-6.6.1p1-25.61.amzn1.x86_64 \n openssh-keycat-6.6.1p1-25.61.amzn1.x86_64 \n openssh-server-6.6.1p1-25.61.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-03-29T15:30:00", "published": "2016-03-29T15:30:00", "id": "ALAS-2016-675", "href": "https://alas.aws.amazon.com/ALAS-2016-675.html", "title": "Medium: openssh", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-12T10:14:12", "description": "Sync with latest openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-04T00:00:00", "title": "Fedora 23 : gsi-openssh-7.1p2-3.fc23 (2016-4509765b4b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "modified": "2016-03-04T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gsi-openssh", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-4509765B4B.NASL", "href": "https://www.tenable.com/plugins/nessus/89528", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-4509765b4b.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89528);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-1908\");\n script_xref(name:\"FEDORA\", value:\"2016-4509765b4b\");\n\n script_name(english:\"Fedora 23 : gsi-openssh-7.1p2-3.fc23 (2016-4509765b4b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sync with latest openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1298741\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177079.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c81ffd71\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gsi-openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsi-openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"gsi-openssh-7.1p2-3.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsi-openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T01:22:25", "description": "An access flaw was discovered in the OpenSSH client where it did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. 
A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-04-01T00:00:00", "title": "Amazon Linux AMI : openssh (ALAS-2016-675)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:openssh-clients", "p-cpe:/a:amazon:linux:pam_ssh_agent_auth", "p-cpe:/a:amazon:linux:openssh-ldap", "p-cpe:/a:amazon:linux:openssh-debuginfo", "p-cpe:/a:amazon:linux:openssh-server", "p-cpe:/a:amazon:linux:openssh", "p-cpe:/a:amazon:linux:openssh-keycat", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-675.NASL", "href": "https://www.tenable.com/plugins/nessus/90268", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-675.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90268);\n script_version(\"2.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2016-1908\");\n script_xref(name:\"ALAS\", value:\"2016-675\");\n\n script_name(english:\"Amazon Linux AMI : openssh (ALAS-2016-675)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An access flaw was discovered in the OpenSSH client where it did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. 
A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-675.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update openssh' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"openssh-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-clients-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-debuginfo-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-keycat-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-ldap-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-server-6.6.1p1-25.61.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"pam_ssh_agent_auth-0.9.3-9.25.61.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-clients / openssh-debuginfo / openssh-keycat / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:39:48", "description": "The security update of OpenSSH announced as DLA 1500-1 introduced a\nbug in openssh-client: when X11 forwarding is enabled (via system-wide\nconfiguration in ssh_config or via 
-X command line switch), but no\nDISPLAY is set, the client produces a 'DISPLAY '(null)' invalid;\ndisabling X11 forwarding' warning. This bug was introduced by the\npatch set to fix the CVE-2016-1908 issue. For reference, the following\nis the relevant section of the original announcement :\n\nCVE-2016-1908\n\nOpenSSH mishandled untrusted X11 forwarding when the X server disables\nthe SECURITY extension. Untrusted connections could obtain trusted X11\nforwarding privileges. Reported by Thomas Hoger.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n1:6.7p1-5+deb8u7.\n\nWe recommend that you upgrade your openssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "published": "2018-09-12T00:00:00", "title": "Debian DLA-1500-2 : openssh regression update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "modified": "2018-09-12T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:openssh-client", "p-cpe:/a:debian:debian_linux:ssh-krb5", "p-cpe:/a:debian:debian_linux:ssh", "p-cpe:/a:debian:debian_linux:openssh-client-udeb", "p-cpe:/a:debian:debian_linux:openssh-server-udeb", "p-cpe:/a:debian:debian_linux:openssh-sftp-server", "p-cpe:/a:debian:debian_linux:openssh-server", "p-cpe:/a:debian:debian_linux:ssh-askpass-gnome"], "id": "DEBIAN_DLA-1500.NASL", "href": "https://www.tenable.com/plugins/nessus/117432", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1500-2. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117432);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_name(english:\"Debian DLA-1500-2 : openssh regression update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The security update of OpenSSH announced as DLA 1500-1 introduced a\nbug in openssh-client: when X11 forwarding is enabled (via system-wide\nconfiguration in ssh_config or via -X command line switch), but no\nDISPLAY is set, the client produces a 'DISPLAY '(null)' invalid;\ndisabling X11 forwarding' warning. These bug was introduced by the\npatch set to fix the CVE-2016-1908 issue. For reference, the following\nis the relevant section of the original announcement :\n\nCVE-2016-1908\n\nOpenSSH mishandled untrusted X11 forwarding when the X server disables\nthe SECURITY extension. Untrusted connections could obtain trusted X11\nforwarding privileges. Reported by Thomas Hoger.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n1:6.7p1-5+deb8u7.\n\nWe recommend that you upgrade your openssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/openssh\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-client-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-server-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssh-sftp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"openssh-client\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-client-udeb\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-server\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-server-udeb\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"openssh-sftp-server\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh-askpass-gnome\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ssh-krb5\", reference:\"1:6.7p1-5+deb8u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:49:10", "description": "It was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. 
(CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAfter installing this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-22T00:00:00", "title": "Scientific Linux Security Update : openssh on SL7.x x86_64 (20160321)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2016-03-22T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:openssh-debuginfo", "p-cpe:/a:fermilab:scientific_linux:openssh", "p-cpe:/a:fermilab:scientific_linux:openssh-ldap", "p-cpe:/a:fermilab:scientific_linux:openssh-server", "p-cpe:/a:fermilab:scientific_linux:openssh-askpass", "p-cpe:/a:fermilab:scientific_linux:openssh-clients", "p-cpe:/a:fermilab:scientific_linux:pam_ssh_agent_auth", "p-cpe:/a:fermilab:scientific_linux:openssh-server-sysvinit", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:openssh-keycat"], "id": "SL_20160321_OPENSSH_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/90081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90081);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n\n script_name(english:\"Scientific Linux Security Update : openssh on SL7.x x86_64 (20160321)\");\n 
script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAfter installing this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1603&L=scientific-linux-errata&F=&S=&P=7359\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6a756ca6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-debuginfo-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", 
cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.25.el7_2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:51:39", "description": "According to the versions of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the OpenSSH server did not\n sanitize data received in requests to enable X11\n forwarding. An authenticated client with restricted SSH\n access could possibly use this flaw to bypass intended\n restrictions. (CVE-2016-3115)\n\n - An access flaw was discovered in OpenSSH; the OpenSSH\n client did not correctly handle failures to generate\n authentication cookies for untrusted X11 forwarding. A\n malicious or compromised remote X application could\n possibly use this flaw to establish a trusted\n connection to the local X server, even if only\n untrusted X11 forwarding was requested. (CVE-2016-1908)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:openssh-askpass", "p-cpe:/a:huawei:euleros:openssh-clients", "p-cpe:/a:huawei:euleros:openssh-keycat", "p-cpe:/a:huawei:euleros:openssh-server", "p-cpe:/a:huawei:euleros:openssh", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2016-1008.NASL", "href": "https://www.tenable.com/plugins/nessus/99771", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99771);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-1908\",\n \"CVE-2016-3115\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : openssh (EulerOS-SA-2016-1008)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the openssh packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the OpenSSH server did not\n sanitize data received in requests to enable X11\n forwarding. An authenticated client with restricted SSH\n access could possibly use this flaw to bypass intended\n restrictions. 
(CVE-2016-3115)\n\n - An access flaw was discovered in OpenSSH the OpenSSH\n client did not correctly handle failures to generate\n authentication cookies for untrusted X11 forwarding. A\n malicious or compromised remote X application could\n possibly use this flaw to establish a trusted\n connection to the local X server, even if only\n untrusted X11 forwarding was requested. (CVE-2016-1908)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?48f275ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssh packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:openssh-server\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"openssh-6.6.1p1-25.4.h3\",\n \"openssh-askpass-6.6.1p1-25.4.h3\",\n \"openssh-clients-6.6.1p1-25.4.h3\",\n \"openssh-keycat-6.6.1p1-25.4.h3\",\n \"openssh-server-6.6.1p1-25.4.h3\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:50:34", "description": "From Red Hat Security Advisory 2016:0465 :\n\nUpdated openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.", "edition": 31, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-22T00:00:00", "title": "Oracle Linux 7 : openssh (ELSA-2016-0465)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2016-03-22T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:openssh-server-sysvinit", "p-cpe:/a:oracle:linux:openssh", "p-cpe:/a:oracle:linux:openssh-keycat", "p-cpe:/a:oracle:linux:openssh-server", "p-cpe:/a:oracle:linux:openssh-askpass", "p-cpe:/a:oracle:linux:openssh-ldap", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:openssh-clients", "p-cpe:/a:oracle:linux:pam_ssh_agent_auth"], "id": "ORACLELINUX_ELSA-2016-0465.NASL", "href": "https://www.tenable.com/plugins/nessus/90074", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0465 and \n# Oracle Linux Security Advisory ELSA-2016-0465 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90074);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_xref(name:\"RHSA\", value:\"2016:0465\");\n\n script_name(english:\"Oracle Linux 7 : openssh (ELSA-2016-0465)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0465 :\n\nUpdated openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product 
Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-March/005876.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.25.el7_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-keycat / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:30:32", "description": "Updated openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.", "edition": 34, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-22T00:00:00", "title": "CentOS 7 : openssh (CESA-2016:0465)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2016-03-22T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh-keycat", "p-cpe:/a:centos:centos:openssh-ldap", "p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:openssh-server-sysvinit", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:pam_ssh_agent_auth"], "id": "CENTOS_RHSA-2016-0465.NASL", "href": "https://www.tenable.com/plugins/nessus/90068", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0465 and \n# CentOS Errata and Security Advisory 2016:0465 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90068);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_xref(name:\"RHSA\", value:\"2016:0465\");\n\n script_name(english:\"CentOS 7 : openssh (CESA-2016:0465)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity 
impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-March/021746.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?111fbd4d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1908\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-25.el7_2\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.9.3-9.25.el7_2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-keycat / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:18:36", "description": "The remote AIX host has a version of OpenSSH installed that is\naffected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n sshd server component of OpenSSH due to improper\n sanitization of X11 authentication credentials. 
An\n authenticated, remote attacker can exploit this\n vulnerability to inject arbitrary xauth commands.\n (CVE-2016-3115)\n\n - A security bypass vulnerability exists in the sshd\n server component of OpenSSH due to improper error\n handling. An authenticated, remote attacker can exploit\n this vulnerability, when an authentication cookie is\n generated during untrusted X11 forwarding, to gain\n access to the X server on the host system.\n (CVE-2016-1908)\n\nNote: other advisories for CVE-2016-1908, including RHSA-2016:0465, describe it as a flaw in the OpenSSH client, ssh(1), rather than in sshd; confirm the affected component against the vendor advisory when triaging.", "edition": 26, "published": "2016-05-06T00:00:00", "title": "AIX OpenSSH Advisory : openssh_advisory8.asc", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2016-05-06T00:00:00", "cpe": ["cpe:/a:openbsd:openssh", "cpe:/o:ibm:aix"], "id": "AIX_OPENSSH_ADVISORY8.NASL", "href": "https://www.tenable.com/plugins/nessus/90942", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90942);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-1908\",\n \"CVE-2016-3115\"\n );\n script_xref(name:\"EDB-ID\", value:\"39569\");\n\n script_name(english:\"AIX OpenSSH Advisory : openssh_advisory8.asc\");\n script_summary(english:\"Checks the version of the OpenSSH packages and iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of OpenSSH installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote AIX host has a version of OpenSSH installed that is\naffected by the following vulnerabilities :\n\n - A remote code execution vulnerability exists in the\n sshd server component of OpenSSH due to improper\n sanitization of X11 authentication credentials. 
An\n authenticated, remote attacker can exploit this\n vulnerability to inject arbitrary xauth commands.\n (CVE-2016-3115)\n\n - A security bypass vulnerability exists in the sshd\n server component of OpenSSH due to improper error\n handling. An authenticated, remote attacker can exploit\n this vulnerability, when an authentication cookie is\n generated during untrusted X11 forwarding, to gain\n access to the X server on the host system.\n (CVE-2016-1908)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" && oslevel != \"AIX-7.2\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1 / 7.2\", oslevel);\n}\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nifixes_6110 = \"(IV84698m9b)\";\nifixes_6201 = \"(IV84698m9a)\";\n\n\nif (aix_check_ifix(release:\"5.3\", patch:ifixes_6110, package:\"openssh.base.client\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", patch:ifixes_6201, package:\"openssh.base.client\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", patch:ifixes_6110, package:\"openssh.base.client\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", patch:ifixes_6201, package:\"openssh.base.client\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", patch:ifixes_6110, package:\"openssh.base.client\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", patch:ifixes_6201, package:\"openssh.base.client\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", patch:ifixes_6110, package:\"openssh.base.client\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", patch:ifixes_6201, package:\"openssh.base.client\", 
minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\n\nif (aix_check_ifix(release:\"5.3\", patch:ifixes_6110, package:\"openssh.base.server\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", patch:ifixes_6201, package:\"openssh.base.server\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", patch:ifixes_6110, package:\"openssh.base.server\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", patch:ifixes_6201, package:\"openssh.base.server\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", patch:ifixes_6110, package:\"openssh.base.server\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", patch:ifixes_6201, package:\"openssh.base.server\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", patch:ifixes_6110, package:\"openssh.base.server\", minfilesetver:\"4.0.0.5200\", maxfilesetver:\"6.0.0.6110\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", patch:ifixes_6201, package:\"openssh.base.server\", minfilesetver:\"6.0.0.6200\", maxfilesetver:\"6.0.0.6201\") < 0) flag++;\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh.base.client / openssh.base.server\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-03-01T05:37:39", "description": "Updated 
openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.", "edition": 35, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-03-22T00:00:00", "title": "RHEL 7 : openssh (RHSA-2016:0465)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:openssh", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:openssh-ldap", "p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit", "cpe:/o:redhat:enterprise_linux:7.2", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth", "p-cpe:/a:redhat:enterprise_linux:openssh-keycat"], "id": "REDHAT-RHSA-2016-0465.NASL", "href": "https://www.tenable.com/plugins/nessus/90078", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0465. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90078);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_xref(name:\"RHSA\", value:\"2016:0465\");\n\n script_name(english:\"RHEL 7 : openssh (RHSA-2016:0465)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These\npackages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for\nuntrusted X11 forwarding. A malicious or compromised remote X\napplication could possibly use this flaw to establish a trusted\nconnection to the local X server, even if only untrusted X11\nforwarding was requested. (CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. 
After\ninstalling this update, the OpenSSH server daemon (sshd) will be\nrestarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1908\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-3115\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0465\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-askpass-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-askpass-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-clients-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-clients-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"openssh-debuginfo-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-keycat-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-keycat-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-ldap-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", 
cpu:\"x86_64\", reference:\"openssh-ldap-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-sysvinit-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-6.6.1p1-25.el7_2\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"pam_ssh_agent_auth-0.9.3-9.25.el7_2\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-clients / openssh-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T14:45:46", "description": "openssh was updated to fix three security issues.\n\nThese security issues were fixed :\n\n - CVE-2016-3115: Multiple CRLF injection vulnerabilities\n in session.c in sshd in OpenSSH allowed remote\n authenticated users to bypass intended shell-command\n restrictions via crafted X11 forwarding data, related to\n the (1) do_authenticated1 and (2) session_x11_req\n functions (bsc#970632).\n\n - CVE-2016-1908: Possible fallback from untrusted to\n trusted X11 forwarding (bsc#962313).\n\n - CVE-2015-8325: Ignore PAM environment vars when\n UseLogin=yes (bsc#975865).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-17T00:00:00", "title": "SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-3115"], "modified": "2016-06-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-fips"], "id": "SUSE_SU-2016-1528-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91655", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1528-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91655);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-8325\", \"CVE-2016-1908\", \"CVE-2016-3115\");\n\n script_name(english:\"SUSE SLES11 Security Update : openssh (SUSE-SU-2016:1528-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"openssh was updated to fix three security issues.\n\nThese security issues were fixed :\n\n - CVE-2016-3115: Multiple CRLF injection vulnerabilities\n in session.c in sshd in OpenSSH allowed remote\n authenticated users to bypass intended shell-command\n restrictions via crafted X11 forwarding data, related to\n 
the (1) do_authenticated1 and (2) session_x11_req\n functions (bsc#970632).\n\n - CVE-2016-1908: Possible fallback from untrusted to\n trusted X11 forwarding (bsc#962313).\n\n - CVE-2015-8325: Ignore PAM environment vars when\n UseLogin=yes (bsc#975865).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=729190\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=932483\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=948902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=960414\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=961368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=961494\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962313\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=965576\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=970632\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975865\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8325/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1908/\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-3115/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161528-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?81906f53\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-openssh-12603=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-openssh-12603=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/17\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-6.6p1-21.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-askpass-gnome-6.6p1-21.3\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-fips-6.6p1-21.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-helpers-6.6p1-21.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-03-17T22:57:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-03-31T00:00:00", "id": "OPENVAS:1361412562310120665", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120665", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-675)", "sourceData": "# Copyright (C) 2016 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120665\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-03-31 08:02:09 +0300 (Thu, 31 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-675)\");\n script_tag(name:\"insight\", value:\"An access flaw was discovered in the OpenSSH client where it did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested.\");\n script_tag(name:\"solution\", value:\"Run yum update openssh to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-675.html\");\n script_cve_id(\"CVE-2016-1908\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"auth\", rpm:\"auth~0.9.3~9.25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.61.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "description": "The remote host is missing an update for the 'gsi-openssh'\n package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2016-02-11T00:00:00", "id": "OPENVAS:1361412562310807245", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807245", "type": "openvas", "title": "Fedora Update for gsi-openssh FEDORA-2016-4509765", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gsi-openssh FEDORA-2016-4509765\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This 
program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807245\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-11 06:40:34 +0100 (Thu, 11 Feb 2016)\");\n script_cve_id(\"CVE-2016-1908\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsi-openssh FEDORA-2016-4509765\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsi-openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsi-openssh on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-4509765\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177079.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsi-openssh\", rpm:\"gsi-openssh~7.1p2~3.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "description": "This host is installed with openssh and\n is prone to security bypass vulnerability.", "modified": "2019-05-22T00:00:00", "published": "2017-04-21T00:00:00", "id": "OPENVAS:1361412562310810769", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810769", "type": "openvas", "title": "OpenSSH X11 Forwarding Security Bypass Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH X11 Forwarding Security Bypass Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810769\");\n script_version(\"2019-05-22T12:00:57+0000\");\n script_cve_id(\"CVE-2016-1908\");\n script_bugtraq_id(84427);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 12:00:57 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-21 16:34:59 +0530 (Fri, 21 Apr 2017)\");\n script_name(\"OpenSSH X11 Forwarding Security Bypass Vulnerability (Linux)\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_openssh_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"openssh/detected\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2016/01/15/13\");\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1298741#c4\");\n script_xref(name:\"URL\", value:\"http://www.openssh.com/txt/release-7.2\");\n script_xref(name:\"URL\", value:\"https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c\");\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1298741\");\n\n script_tag(name:\"summary\", value:\"This host is installed with openssh and\n is prone to security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"An access flaw was discovered in OpenSSH,\n It did not correctly handle failures to generate authentication cookies for\n untrusted X11 forwarding. A malicious or compromised remote X application\n could possibly use this flaw to establish a trusted connection to the\n local X server, even if only untrusted X11 forwarding was requested.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows\n local users to bypass certain security restrictions and perform unauthorized\n actions. This may lead to further attacks.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.2 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"7.2\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.2\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908"], "description": "This host is installed with openssh and\n is prone to security bypass vulnerability.", "modified": "2019-05-21T00:00:00", "published": "2017-04-21T00:00:00", "id": "OPENVAS:1361412562310810768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810768", "type": "openvas", "title": "OpenSSH X11 Forwarding Security Bypass Vulnerability (Windows)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH X11 Forwarding Security Bypass Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810768\");\n script_version(\"2019-05-21T12:48:06+0000\");\n script_cve_id(\"CVE-2016-1908\");\n script_bugtraq_id(84427);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 12:48:06 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-04-21 16:24:54 +0530 (Fri, 21 Apr 2017)\");\n script_name(\"OpenSSH X11 Forwarding Security Bypass Vulnerability (Windows)\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_openssh_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"openssh/detected\", \"Host/runs_windows\");\n\n 
script_xref(name:\"URL\", value:\"http://openwall.com/lists/oss-security/2016/01/15/13\");\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1298741#c4\");\n script_xref(name:\"URL\", value:\"http://www.openssh.com/txt/release-7.2\");\n script_xref(name:\"URL\", value:\"https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c\");\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1298741\");\n\n script_tag(name:\"summary\", value:\"This host is installed with openssh and\n is prone to security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An access flaw was discovered in OpenSSH,\n It did not correctly handle failures to generate authentication cookies for\n untrusted X11 forwarding. A malicious or compromised remote X application\n could possibly use this flaw to establish a trusted connection to the\n local X server, even if only untrusted X11 forwarding was requested.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows\n local users to bypass certain security restrictions and perform unauthorized\n actions. 
This may lead to further attacks.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.2 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"7.2\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.2\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2016-1008 advisory.", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220161008", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220161008", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2016-1008)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2016.1008\");\n script_version(\"2020-01-23T10:37:23+0000\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:37:23 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:37:23 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2016-1008)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2016-1008\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1008\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2016-1008 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. 
An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH, the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:13", "bulletinFamily": "scanner", "cvelist": 
["CVE-2016-1908", "CVE-2016-3115"], "description": "Check the version of openssh", "modified": "2019-03-08T00:00:00", "published": "2016-03-22T00:00:00", "id": "OPENVAS:1361412562310882432", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882432", "type": "openvas", "title": "CentOS Update for openssh CESA-2016:0465 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssh CESA-2016:0465 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882432\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-22 06:12:50 +0100 (Tue, 22 Mar 2016)\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for openssh CESA-2016:0465 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of openssh\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell)\nprotocol implementation. These packages include the core files necessary for\nboth the OpenSSH client and server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. 
A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"openssh on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0465\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-March/021746.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server-sysvinit\", rpm:\"openssh-server-sysvinit~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pam_ssh_agent_auth\", rpm:\"pam_ssh_agent_auth~0.9.3~9.25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "Oracle Linux Local Security Checks ELSA-2016-0465", "modified": "2019-03-14T00:00:00", "published": "2016-03-23T00:00:00", "id": "OPENVAS:1361412562310122910", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122910", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0465", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0465.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.fi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122910\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-03-23 07:08:57 +0200 (Wed, 23 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0465\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0465 - openssh security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0465\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0465.html\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"openssh\", 
rpm:\"openssh~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-server-sysvinit\", rpm:\"openssh-server-sysvinit~6.6.1p1~25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"pam_ssh_agent_auth\", rpm:\"pam_ssh_agent_auth~0.9.3~9.25.el7_2\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-03-22T00:00:00", "id": "OPENVAS:1361412562310871580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871580", "type": "openvas", "title": "RedHat Update for openssh RHSA-2016:0465-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update 
for openssh RHSA-2016:0465-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871580\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-22 06:12:30 +0100 (Tue, 22 Mar 2016)\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2016:0465-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell)\nprotocol implementation. 
These packages include the core files necessary for both\nthe OpenSSH client and server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Server (v. 
7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0465-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-March/msg00052.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:04", "bulletinFamily": "scanner", "cvelist": 
["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-1907", "CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-05-10T00:00:00", "id": "OPENVAS:1361412562310842740", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842740", "type": "openvas", "title": "Ubuntu Update for openssh USN-2966-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for openssh USN-2966-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842740\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-10 05:21:23 +0200 (Tue, 10 May 2016)\");\n script_cve_id(\"CVE-2015-8325\", \"CVE-2016-1907\", \"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for openssh USN-2966-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Shayan Sadigh discovered that OpenSSH\n incorrectly handled environment files when the UseLogin feature is enabled.\n A local attacker could use this issue to gain privileges. (CVE-2015-8325)\n\n Ben Hawkes discovered that OpenSSH incorrectly handled certain network\n traffic. A remote attacker could possibly use this issue to cause OpenSSH\n to crash, resulting in a denial of service. This issue only applied to\n Ubuntu 15.10. (CVE-2016-1907)\n\n Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11\n forwarding when the SECURITY extension is disabled. A connection configured\n as being untrusted could get switched to trusted in certain scenarios,\n contrary to expectations. 
(CVE-2016-1908)\n\n It was discovered that OpenSSH incorrectly handled certain X11 forwarding\n data. A remote authenticated attacker could possibly use this issue to\n bypass certain intended command restrictions. (CVE-2016-3115)\");\n script_tag(name:\"affected\", value:\"openssh on Ubuntu 15.10,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2966-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2966-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|15\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.6p1-2ubuntu2.7\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:5.9p1-5ubuntu1.9\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.9p1-2ubuntu0.2\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:10", "bulletinFamily": "scanner", 
"cvelist": ["CVE-2016-1908", "CVE-2015-6564", "CVE-2015-5352", "CVE-2015-6563"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-05-11T00:00:00", "id": "OPENVAS:1361412562310871613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871613", "type": "openvas", "title": "RedHat Update for openssh RHSA-2016:0741-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2016:0741-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871613\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-11 05:23:17 +0200 (Wed, 11 May 2016)\");\n script_cve_id(\"CVE-2015-5352\", \"CVE-2015-6563\", \"CVE-2015-6564\", \"CVE-2016-1908\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2016:0741-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is an SSH protocol implementation supported by a number of Linux,\nUNIX, and similar operating systems. It includes the core files necessary\nfor both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n * It was found that the OpenSSH client did not properly enforce the\nForwardX11Timeout setting. A malicious or compromised remote X application\ncould possibly use this flaw to establish a trusted connection to the local\nX server, even if only untrusted X11 forwarding was requested.\n(CVE-2015-5352)\n\n * A flaw was found in the way OpenSSH handled PAM authentication when using\nprivilege separation. 
An attacker with valid credentials on the system and\nable to fully compromise a non-privileged pre-authentication process using\na different flaw could use this flaw to authenticate as other users.\n(CVE-2015-6563)\n\n * A use-after-free flaw was found in OpenSSH. An attacker able to fully\ncompromise a non-privileged pre-authentication process using a different\nflaw could possibly cause sshd to crash or execute arbitrary code with root\nprivileges. (CVE-2015-6564)\n\n * An access flaw was discovered in OpenSSH the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8\nTechnical Notes linked from the References section.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 
6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0741-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-May/msg00019.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~5.3p1~117.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~5.3p1~117.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~5.3p1~117.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~5.3p1~117.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~5.3p1~117.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "[6.6.1p1-25 + 0.9.3-9]\n- CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)\n[6.6.1p1-24 + 
0.9.3-9]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317818)", "edition": 4, "modified": "2016-03-21T00:00:00", "published": "2016-03-21T00:00:00", "id": "ELSA-2016-0465", "href": "http://linux.oracle.com/errata/ELSA-2016-0465.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-6564", "CVE-2015-5352", "CVE-2016-3115", "CVE-2015-6563"], "description": "[5.3p1-117]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817)\n[5.3p1-116]\n- Restore functionality of pam_ssh_agent_auth in FIPS mode (#1278315)\n- Initialize devices_done variable for challenge response (#1281468)\n- Update behaviour of X11 forwarding to match upstream (#1299048)\n[5.3p1-115]\n- Amends previous release, fixing typos and behaviour changes", "edition": 4, "modified": "2016-05-12T00:00:00", "published": "2016-05-12T00:00:00", "id": "ELSA-2016-0741", "href": "http://linux.oracle.com/errata/ELSA-2016-0741.html", "title": "openssh security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. 
A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.", "modified": "2018-04-12T03:32:38", "published": "2016-03-22T00:03:21", "id": "RHSA-2016:0465", "href": "https://access.redhat.com/errata/RHSA-2016:0465", "type": "redhat", "title": "(RHSA-2016:0465) Moderate: openssh security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:28", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5352", "CVE-2015-6563", "CVE-2015-6564", "CVE-2016-1908"], "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* It was found that the OpenSSH client did not properly enforce the ForwardX11Timeout setting. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2015-5352)\n\n* A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. (CVE-2015-6563)\n\n* A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges. 
(CVE-2015-6564)\n\n* An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "modified": "2018-06-06T20:24:16", "published": "2016-05-10T10:42:16", "id": "RHSA-2016:0741", "href": "https://access.redhat.com/errata/RHSA-2016:0741", "type": "redhat", "title": "(RHSA-2016:0741) Moderate: openssh security, bug fix, and enhancement update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:41:28", "bulletinFamily": "software", "cvelist": ["CVE-2015-8325", "CVE-2016-1908"], "description": "### SUMMARY\n\nBlue Coat products that include a vulnerable version of OpenSSH are susceptible to two vulnerabilities. A malicious user with local shell access** **can escalate their privileges and execute arbitrary code with root privileges. A remote attacker acting as an SSH server can establish trusted X11 connections to take screenshots and inject mouse movements and keypresses on an SSH client host. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 6.1 | Upgrade to 6.1.23.1. \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 4.2 | Upgrade to 4.2.10. 
\n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.4 and later | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.2 and later | Not vulnerable, fixed in 7.2.1 \n7.1 | Apply patch RPM from customer support. \n7.0 | Upgrade to later release with fixes. \n6.6 | Apply patch RPM from customer support. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 11.0 | Not available at this time \n10.0 | Not available at this time \n9.7 | Upgrade to later release with fixes. \n \n \n\nThe following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 7.1 and later | Not vulnerable, fixed in 71.1.1 \n6.7 | Upgrade to 6.7.3.1. \n6.6 | Upgrade to 6.6.5.8. \nCVE-2016-1908 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.1. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 \n2.1 | Upgrade to later release with fixes. \n1.3 | Upgrade to 1.3.7.5. \nCVE-2016-1908 | 1.3 | Upgrade to 1.3.7.1. 
\n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 1.1 | Not available at this time \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 1.10 and later | Not vulnerable, fixed in 1.10.1.1 \n1.5 - 1.9 | Upgrade to later release with fixes. \nCVE-2016-1908 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1. \n1.5 | Upgrade to later release with fixes. \n \n \n\n**PacketShaper (PS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 9.2 | Not vulnerable, fixed in 9.2.13p7 \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 11.9 and later | Not vulnerable, fixed in 11.9.1.1 \n11.7 - 11.8 | Upgrade to later release with fixes. \n11.6 | Upgrade to 11.6.4.2. \n11.5 | Upgrade to later release with fixes. \nCVE-2016-1908 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1 \n11.5 | Upgrade to later release with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 1.1 | Upgrade to 1.1.4.2. \nCVE-2016-1908 | 1.1 | Upgrade to 1.1.2.2. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 10.2 | Not vulnerable, fixed in 10.2.1.1 \n9.4, 9.5 | Not vulnerable \nCVE-2015-8325 | 10.1 | Upgrade to 10.1.5.4. \nCVE-2016-1908 | 10.1 | Upgrade to 10.1.4.2. \n \n \n\n**SSL Visibility** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8325 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1 \n4.0 | Upgrade to later release with fixes. \n3.10 - 3.12 | Not vulnerable, fixed in 3.10.1.1 \nCVE-2016-1908 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1 \nAll CVEs | 3.9 | Upgrade to 3.9.4.1. \n3.8.4FC | Upgrade to 3.8.4FC-55. 
\n \n \n\n### ADDITIONAL PRODUCT INFORMATION\n\nSome Blue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.\n\n * **ASG:** CVE-2015-8325 and CVE-2016-1908 (6.6 only)\n * **CAS:** CVE-2015-8325 and CVE-2016-1908 (1.x only)\n * **Director:** CVE-2016-1908\n * **MTD:** CVE-2015-8325 and CVE-2016-1908\n * **MAA:** CVE-2016-1908\n * **MC:** CVE-2015-8325 and CVE-2016-1908\n * **PS:** CVE-2015-8325\n * **PS S-Series:** CVE-2015-8325 and CVE-2016-1908\n * **PC S-Series:** CVE-2015-8325 and CVE-2016-1908\n * **Reporter 10.1:** CVE-2015-8325 and CVE-2016-1908\n * **SSLV:** CVE-2015-8325 and CVE-2016-1908 (3.x only)\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Communication Server \nCloud Data Protection Integration Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. 
\n \n\n\n### ISSUES \n\n**CVE-2015-8325** \n--- \n**Severity / CVSSv2** | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 86187](<https://www.securityfocus.com/bid/86187>) / NVD: [CVE-2015-8325](<https://nvd.nist.gov/vuln/detail/CVE-2015-8325>) \n**Impact** | Privilege escalation \n**Description** | A flaw in the SSH server implementation allows a local, non-root user with shell access to execute arbitrary code with root privileges. The vulnerability is only exploitable when the SSH server accepts user-provided environment variables and uses the 'login' tool to authenticate users. \n \n \n\n**CVE-2016-1908** \n--- \n**Severity / CVSSv2** | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 84427](<https://www.securityfocus.com/bid/84427>) / NVD: [CVE-2016-1908](<https://nvd.nist.gov/vuln/detail/CVE-2016-1908>) \n**Impact** | Information disclosure, code execution \n**Description** | A flaw in the SSH client implementation allows a remote attacker acting as a malicious SSH server to establish a trusted X11 connection with the SSH client when the client has requested only an untrusted connection. The trusted X11 connection allows the attacker to take screenshots and inject mouse movements and keypresses on the SSH client host. \n \n \n\n### MITIGATION\n\nBy default, Director, MAA, ICSP, NNP, and NSP do not use the 'login' tool for user authentication and do not use PAM to read user-provided environment variables. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2015-8325.\n\nBy default, Security Analytics does not use the 'login' tool for user authentication. Customers who leave this default behavior unchanged prevent attacks against Security Analytics using CVE-2015-8325. \n \n\n\n### REVISION\n\n2020-04-22 Advisory status moved to Closed. \n2019-10-07 Web Isolation is not vulnerable. \n2019-01-11 A fix for CA 2.1 will not be provided. 
Please upgrade to a later version with the vulnerability fixes. \n2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7. \n2018-04-26 A fix for CVE-2015-8325 in SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-23 A fix for CVE-2015-8325 in PolicyCenter S-Series 1.1 is available in 1.1.4.2. \n2018-04-22 CAS 2.3 is not vulnerable. A fix for CVE-2015-8325 in PacketShaper S-Series 11.6 is available in 11.6.4.2. PacketShaper S-Series 11.10 is not vulnerable. \n2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1. \n2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1. \n2017-11-06 ASG 6.7 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. \n2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1. \n2017-07-25 PS S-Series 11.9 is not vulnerable because a fix is available in 11.9.1.1. \n2017-07-20 A fix for CVE-2015-8325 in MC 1.10 is available in 1.10.1.1. A fix for CVE-2015-8325 in MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fix. \n2017-06-26 A fix for CVE-2015-8325 in ASG 6.6 is available in 6.6.5.8. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-22 A fix for CVE-2015-8325 in Reporter 10.1 is available in 10.1.5.4. \n2017-06-05 PacketShaper S-Series 11.8 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. A fix is not available at this time. \n2017-05-26 A fix for CVE-2015-8325 in CAS 1.3 is available in 1.3.7.5. \n2017-05-18 CAS 2.1 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. 
\n2017-04-30 A fix for Director 6.1 is available in 6.1.23.1. \n2017-04-26 Added CVSS v2 score for CVE-2016-1908 and base score for Security Advisory. \n2017-03-30 MC 1.8 and 1.9 have a vulnerable version of OpenSSH for CVE-2015-8325, but are not vulnerable to known vectors of attack. \n2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. \n2017-02-16 Previously, it was reported that Security Analytics by default is not vulnerable to CVE-2016-1908 because it does not act as an SSH client. Further investigation has shown that Security Analytics acts as an SSH client and is vulnerable to CVE-2016-1908 by default. \n2016-12-04 PacketShaper S-Series 11.7 has a vulnerable version of OpenSSH for CVE-2015-8325, but is not vulnerable to known vectors of attack. A fix is not available at this time. \n2016-12-04 SSLV 3.11 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-11 SSLV 3.10 is not vulnerable. \n2016-11-06 It was previously reported that SA 7.2 is vulnerable to CVE-2015-8325. Further information indicates that SA 7.2 is not vulnerable because a fix is available in 7.2.1. Fixes for CVE-2015-8325 in Security Analytics 6.6 and 7.1 are available through patch RPMs from customer support. \n2016-11-03 A fix for CVE-2015-8325 will not be provided for MC 1.6. Please upgrade to a later version with the vulnerability fixes. \n2016-11-03 A fix for CVE-2016-1908 in ASG is available in 6.6.5.1. A fix for CVE-2016-1908 in MC 1.6 is available in 1.6.1.1. MC 1.6 and 1.7 have vulnerable code for CVE-2015-8325, but are not vulnerable to known vectors of attack. A fix for CVE-2016-1908 in Reporter 10.1 is available in 10.1.4.2. A fix for MAA is available in 4.2.10. A fix for SSLV 3.8.4FC is available in 3.8.4.FC-55. \n2016-08-12 A fix for CVE-2016-1908 in CAS 1.3 is available in 1.3.7.1. 
Security Analytics 7.2 is vulnerable to CVE-2015-8325. \n2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1. \n2016-07-01 A fix for CVE-2016-1908 in Security Analytics 6.6 and 7.1 is available through a patch RPM from customer support. \n2016-06-30 A fix for CVE-2016-1908 in PacketShaper S-Series 11.6 is available in 11.6.1.1. \n2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes. \n2016-06-24 A fix for CVE-2016-1908 in PacketShaper S-Series 11.5 is available in 11.5.3.2. A fix for CVE-2016-1908 in PolicyCenter S-Series is available in 1.1.2.2. \n2016-06-14 initial public release\n", "modified": "2020-04-22T21:35:48", "published": "2016-06-14T08:00:00", "id": "SMNTC-1368", "href": "", "type": "symantec", "title": "SA126 : OpenSSH Vulnerabilities January/April 2016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:28:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0465\n\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. 
A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-March/033784.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-keycat\nopenssh-ldap\nopenssh-server\nopenssh-server-sysvinit\npam_ssh_agent_auth\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0465.html", "edition": 3, "modified": "2016-03-21T22:38:14", "published": "2016-03-21T22:38:14", "href": "http://lists.centos.org/pipermail/centos-announce/2016-March/033784.html", "id": "CESA-2016:0465", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:26:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-6564", "CVE-2015-5352", "CVE-2015-6563"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0741\n\n\nOpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* It was found that the OpenSSH client did not properly enforce the ForwardX11Timeout setting. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2015-5352)\n\n* A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. 
An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. (CVE-2015-6563)\n\n* A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges. (CVE-2015-6564)\n\n* An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-May/009133.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-ldap\nopenssh-server\npam_ssh_agent_auth\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0741.html", "edition": 3, "modified": "2016-05-16T10:19:28", "published": "2016-05-16T10:19:28", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-May/009133.html", "id": "CESA-2016:0741", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "aix": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Tue May 3 10:03:39 CDT 2016 \n|Updated: Fri May 13 09:51:05 CDT 2016 \n|Update: New iFixes now available. 
\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\n\nSecurity Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2016-3115 and\n CVE-2016-1908)\n \n \n===============================================================================\n\nSUMMARY:\n\n Vulnerabilities in OpenSSH affect AIX \n \n \n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2016-3115\n DESCRIPTION: OpenSSH could allow a remote authenticated attacker to\n execute arbitrary commands on the system, caused by improper\n validation of user-supplied X11 authentication credentials by the sshd\n server. By sending specially crafted X11 credential data, an attacker\n could exploit this vulnerability to inject xauth commands and execute\n arbitrary commands on the system with the privileges of the victim. \n CVSS Base Score: 8.8 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/111431 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n \n CVEID: CVE-2016-1908\n DESCRIPTION: OpenSSH could allow a remote authenticated attacker to bypass\n security restrictions, caused by the improper handling of errors when\n generating authentication cookies for untrusted X11 forwarding. An\n attacker could exploit this vulnerability to gain access to the target\n local X server. 
\n CVSS Base Score: 4.3 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110030 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n AFFECTED PRODUCTS AND VERSION:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n \n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n \n Fileset Lower Level Upper Level KEY\n -------------------------------------------------------------\n openssh.base.client 4.0.0.5200 6.0.0.6201 key_w_fs\n openssh.base.server 4.0.0.5200 6.0.0.6201 key_w_fs\n \n Note: To determine if your system is vulnerable, execute the\n following commands:\n\n lslpp -L | grep -i openssh.base.client\n lslpp -L | grep -i openssh.base.server\n\n \n REMEDIATION:\n\n A. FIXES\n\n Fixes are available. The fixes can be downloaded via ftp and\n http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n http://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n https://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n releases.\n\n Note that the tar file contains Interim fixes that are based on\n OpenSSH version as given below - \n\n You must be on the 'prereq for installation' level before\n applying the interim fix. This may require installing a new\n level(prereq version) first.\n \n AIX OpenSSH fixes are cumulative, so installing the latest fixes\n will cover previously released AIX security bulletins for\n OpenSSH. 
\n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n| 5.3, 6.1, 7.1, 7.2 IV84698m9b.160513.epkg.Z openssh.base(6.0.0.6110 version) key_w_fix\n| 5.3, 6.1, 7.1, 7.2 IV84698m9a.160513.epkg.Z openssh.base(6.0.0.6201 version) key_w_fix\n\n VIOS Level Interim Fix (*.Z)\t Fileset Name(prereq for installation) KEY\n ----------------------------------------------------------------------------------------\n| 2.2.* IV84698m9b.160513.epkg.Z openssh.base(6.0.0.6110 version) key_w_fix\n| 2.2.* IV84698m9a.160513.epkg.Z openssh.base(6.0.0.6201 version) key_w_fix\n\n\n| The above fixes are cumulative and contain fixes for all\n| previously announced OpenSSH security vulnerabilities on\n| AIX.\n\n| The ssh connection hang is specifically seen in scenarios\n| when ssh is used with pseudo tty. The login will succeed\n| but later connections get hanged.\n\n Note - OpenSSH releases 6.0.0.6110 and 6.0.0.6201 are same\n except that 6.0.0.6201 is compiled with OpenSSL v1.0.1 and\n contains ECDSA key support. Refer to the fileset readme file for\n more details.\n \n Latest level of OpenSSH fileset is available from the web download site:\n https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssh&cp=UTF-8\n\n OpenSSH 6.0.0.6201 version is also part of AIX Service pack: \n 6100-09-06-1543, that was released in Dec. 
2015.\n \n To extract the fix from the tar file:\n\n tar xvf openssh_fix8.tar\n cd openssh_fix8\n\n Verify you have retrieved the fix intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command and are the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n| 933ac42222856c63beae729fce8ea3f94a428904a622e5395e6df4dc2b8d41b2 IV84698m9b.160513.epkg.Z key_w_csum\n| 974370174695d0be3f65baa87be7bca6238d7d980531c21c50348c6f8ee25121 IV84698m9a.160513.epkg.Z key_w_csum\n \n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the integrity\n of the fixes. If the sums or signatures cannot be confirmed,\n contact IBM AIX Security at security-alert@austin.ibm.com and\n describe the discrepancy.\n \n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig \n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <ifix_file>.sig <ifix_file>\n\n \n B. FIX AND INTERIM FIX INSTALLATION\n\n After applying fix, IBM recommends that you regenerate your SSH keys as\n a precaution. \n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. 
Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n WORKAROUNDS AND MITIGATIONS:\n \n None.\n \n \n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. 
Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n X-Force Vulnerability Database:\n https://exchange.xforce.ibmcloud.com/vulnerabilities/111431\n X-Force Vulnerability Database:\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110030\n CVE-2016-3115:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115\n CVE-2016-1908:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908\n \n\nACKNOWLEDGEMENTS:\n\n None\n \n \nCHANGE HISTORY:\n\n First Issued: Tue May 3 10:03:39 CDT 2016 \n Updated: Tue May 10 11:23:23 CDT 2016\n Update: Temporarily removing fixes due to a potential hanging issue\n introduced by the fixes. Updated fixes will be live within 24 hours.\n Updated: Thu May 12 10:42:22 CDT 2016\n Update: Temporarily removing fixes due to a potential hanging issue\n introduced by the fixes. Updated fixes will be live on May 13.\n| Updated: Fri May 13 09:51:05 CDT 2016\n| Update: New iFixes now available.\n\n\n===============================================================================\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. 
Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n\n", "edition": 5, "modified": "2016-05-13T09:51:05", "published": "2016-05-03T10:03:39", "id": "OPENSSH_ADVISORY8.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc", "title": "Vulnerabilities in OpenSSH affect AIX", "type": "aix", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:33:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-1907", "CVE-2016-3115"], "description": "Shayan Sadigh discovered that OpenSSH incorrectly handled environment files \nwhen the UseLogin feature is enabled. A local attacker could use this issue \nto gain privileges. (CVE-2015-8325)\n\nBen Hawkes discovered that OpenSSH incorrectly handled certain network \ntraffic. A remote attacker could possibly use this issue to cause OpenSSH \nto crash, resulting in a denial of service. This issue only applied to \nUbuntu 15.10. (CVE-2016-1907)\n\nThomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 \nforwarding when the SECURITY extension is disabled. A connection configured \nas being untrusted could get switched to trusted in certain scenarios, \ncontrary to expectations. (CVE-2016-1908)\n\nIt was discovered that OpenSSH incorrectly handled certain X11 forwarding \ndata. 
A remote authenticated attacker could possibly use this issue to \nbypass certain intended command restrictions. (CVE-2016-3115)", "edition": 5, "modified": "2016-05-09T00:00:00", "published": "2016-05-09T00:00:00", "id": "USN-2966-1", "href": "https://ubuntu.com/security/notices/USN-2966-1", "title": "OpenSSH vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "software", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-1907", "CVE-2016-3115"], "description": "USN-2966-1 OpenSSH vulnerabilities\n\n# \n\nLow\n\n# Vendor\n\nCanonical Ubuntu, openssh\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS \n\n# Description\n\nShayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. ([CVE-2015-8325](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8325.html>))\n\nBen Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. ([CVE-2016-1907](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1907.html>))\n\nThomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations. ([CVE-2016-1908](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1908.html>))\n\nIt was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. 
([CVE-2016-3115](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3115.html>))\n\n# Affected Products and Versions\n\n_Severity is low unless otherwise noted. \n_\n\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.56.0 \n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.12 AND other versions prior to 3232.4 are vulnerable \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.56.0 or later versions \n * The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.12 OR other versions to 3232.4 \n\n# Credit\n\nBen Hawkes, Thomas Hoger, Shayan Sadigh\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-2966-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8325.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1907.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1908.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3115.html>\n", "edition": 5, "modified": "2016-06-13T00:00:00", "published": "2016-06-13T00:00:00", "id": "CFOUNDRY:782597A83B98B15285C8A73B8555B7B2", "href": "https://www.cloudfoundry.org/blog/usn-2966-1/", "title": "USN-2966-1 OpenSSH vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-12-07T12:54:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-3115", "CVE-2016-6210", "CVE-2016-8858"], "edition": 1, "description": "### Background\n\nOpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nRemote attackers could cause Denial of Service and conduct user enumeration. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-7.3_p1-r7\"", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "href": "https://security.gentoo.org/glsa/201612-18", "id": "GLSA-201612-18", "type": "gentoo", "title": "OpenSSH: Multiple vulnerabilities", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}