OpenSSH < 7.4 Multiple Vulnerabilities

Source: Nessus plugin OPENSSH_74.NASL (Tenable, www.tenable.com)
Published: Dec 27, 2016
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
AI Score: 8.3 High (Confidence: High)

According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities:

  • A flaw exists in ssh-agent due to loading PKCS#11 modules from paths that are outside a trusted whitelist.
    A local attacker can exploit this, by using a crafted request to load hostile modules via agent forwarding, to execute arbitrary code. To exploit this vulnerability, the attacker would need to control the forwarded agent-socket (on the host running the sshd server) and the ability to write to the file system of the host running ssh-agent. (CVE-2016-10009)

  • A flaw exists in sshd due to creating forwarded Unix-domain sockets with ‘root’ privileges whenever privilege separation is disabled. A local attacker can exploit this to gain elevated privileges.
    (CVE-2016-10010)

  • An information disclosure vulnerability exists in sshd within the realloc() function due to leakage of key material to privilege-separated child processes when reading keys. A local attacker can possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.
    (CVE-2016-10011)

  • A flaw exists in sshd within the shared memory manager used by pre-authenticating compression support due to a bounds check being elided by some optimizing compilers and due to the memory manager being incorrectly accessible when pre-authenticating compression is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10012)

  • A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB per connection.

  • A flaw exists in sshd due to improper validation of address ranges by the AllowUsers and DenyUsers directives at configuration load time. A local attacker can exploit this, via an invalid CIDR address range, to gain access to restricted areas.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable, Inc.
#

include('deprecated_nasl_level.inc');
include("compat.inc");

if (description)
{
  script_id(96151);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");

  script_cve_id(
    "CVE-2016-10009",
    "CVE-2016-10010",
    "CVE-2016-10011",
    "CVE-2016-10012",
    "CVE-2016-10708"
  );
  script_bugtraq_id(
    94968,
    94972,
    94975,
    94977
  );
  script_xref(name:"EDB-ID", value:"40962");

  script_name(english:"OpenSSH < 7.4 Multiple Vulnerabilities");
  script_summary(english:"Checks the OpenSSH banner version.");

  script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.4. It is, therefore, affected by multiple
vulnerabilities :

  - A flaw exists in ssh-agent due to loading PKCS#11
    modules from paths that are outside a trusted whitelist.
    A local attacker can exploit this, by using a crafted
    request to load hostile modules via agent forwarding, to
    execute arbitrary code. To exploit this vulnerability,
    the attacker would need to control the forwarded
    agent-socket (on the host running the sshd server) and
    the ability to write to the file system of the host
    running ssh-agent. (CVE-2016-10009)

  - A flaw exists in sshd due to creating forwarded
    Unix-domain sockets with 'root' privileges whenever
    privilege separation is disabled. A local attacker can
    exploit this to gain elevated privileges.
    (CVE-2016-10010)

  - An information disclosure vulnerability exists in sshd
    within the realloc() function due leakage of key
    material to privilege-separated child processes when
    reading keys. A local attacker can possibly exploit this
    to disclose sensitive key material. Note that no such
    leak has been observed in practice for normal-sized
    keys, nor does a leak to the child processes directly
    expose key material to unprivileged users.
    (CVE-2016-10011)

  - A flaw exists in sshd within the shared memory manager
    used by pre-authenticating compression support due to a
    bounds check being elided by some optimizing compilers
    and due to the memory manager being incorrectly
    accessible when pre-authenticating compression is
    disabled. A local attacker can exploit this to gain
    elevated privileges. (CVE-2016-10012)

  - A denial of service vulnerability exists in sshd when
    handling KEXINIT messages. An unauthenticated, remote
    attacker can exploit this, by sending multiple KEXINIT
    messages, to consume up to 128MB per connection.

  - A flaw exists in sshd due to improper validation of
    address ranges by the AllowUser and DenyUsers
    directives at configuration load time. A local attacker
    can exploit this, via an invalid CIDR address range, to
    gain access to restricted areas.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.4");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.4 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10009");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("openssh_detect.nbin");
  script_require_keys("installed_sw/OpenSSH");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include('backport.inc');
include('vcf.inc');
include('vcf_extras.inc');

# Locate the SSH service (default port 22); exit if none was detected.
var port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);
# Version information comes from the banner recorded by openssh_detect.nbin.
var app_info = vcf::openssh::get_app_info(app:'OpenSSH', port:port);

# Distribution builds often backport fixes without changing the upstream
# version string; let the backport logic adjust the detected version first.
vcf::check_all_backporting(app_info:app_info);

# Any version below 7.4 is reported as affected.
var constraints = [
  {'fixed_version' : '7.4' }
];

vcf::openssh::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
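The plugin above decides purely from the self-reported banner, which is why the description warns that Nessus has not tested for the issues themselves. The following Python is an added example (not Tenable's code and not part of the plugin) that reproduces that logic in a form you can run offline: it parses an SSH identification string, compares the upstream OpenSSH version against the plugin's `fixed_version` of 7.4, and, standing in for `vcf::check_all_backporting`, flags distribution-packaged builds for a manual backport check instead of reporting them outright. The banners, the `DISTRO_MARKERS` heuristic and all function names are assumptions constructed for the example.

```python
"""Banner-based OpenSSH version triage (added example, not Tenable's code).

Mirrors what the plugin does: take the self-reported banner, compare the
version against the 'fixed_version' constraint (7.4) and flag hosts that
still need a backport check. Sample banners are constructed, not captured.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

FIXED_VERSION = "7.4"  # the plugin's constraint

# Constructed sample banners (assumption: common formats, not real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.3",
    "SSH-2.0-OpenSSH_7.4p1",
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-dropbear_2019.78",
]

# Distro markers in the banner comment suggest vendor packaging, where fixes
# are often backported without bumping the upstream version (heuristic only).
DISTRO_MARKERS = ("ubuntu", "debian", "freebsd", "redhat", "centos", "suse")

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-OpenSSH_"
    r"(?P<ver>\d+(?:\.\d+)*)"       # upstream version, e.g. 7.4 or 6.6.1
    r"(?:p(?P<portable>\d+))?"      # portable release suffix, e.g. p1
    r"(?:[ -](?P<comment>.+))?$"    # optional vendor comment
)


class Finding(NamedTuple):
    banner: str
    version: Optional[str]
    status: str   # vulnerable | not_vulnerable | needs_backport_check | unknown
    note: str


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Return (upstream_version, vendor_comment), or None if not OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return m.group("ver"), m.group("comment") or ""


def version_lt(a: str, b: str) -> bool:
    """Numeric dotted-version comparison; '7.10' sorts after '7.4'."""
    ta = [int(x) for x in a.split(".")]
    tb = [int(x) for x in b.split(".")]
    n = max(len(ta), len(tb))
    ta += [0] * (n - len(ta))
    tb += [0] * (n - len(tb))
    return ta < tb


def assess(banner: str, fixed: str = FIXED_VERSION) -> Finding:
    """Classify one banner against the fixed version, like the plugin does."""
    parsed = parse_banner(banner)
    if parsed is None:
        return Finding(banner, None, "unknown",
                       "not an OpenSSH banner or unrecognised format")
    ver, comment = parsed
    if not version_lt(ver, fixed):
        return Finding(banner, ver, "not_vulnerable", f"{ver} >= {fixed}")
    if any(tag in comment.lower() for tag in DISTRO_MARKERS):
        return Finding(banner, ver, "needs_backport_check",
                       f"{ver} < {fixed}, but '{comment}' indicates distro "
                       "packaging; check the distribution's advisory first")
    return Finding(banner, ver, "vulnerable", f"{ver} < {fixed}")


def assess_all(banners: List[str]) -> List[Finding]:
    return [assess(b) for b in banners]


if __name__ == "__main__":
    for f in assess_all(SAMPLE_BANNERS):
        print(f"{f.status:22} {f.banner:45} {f.note}")
```

The ordering matters: a version at or above 7.4 is cleared before the distro heuristic runs, so only genuinely old-looking banners are held back for a backport check. A banner the regex does not recognise yields `unknown` rather than a false negative, which is the behaviour to prefer in a version-only check.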
Affected product:
  Vendor: openbsd
  Product: openssh
  Version: (not specified)
  CPE: cpe:/a:openbsd:openssh