Ubuntu 14.04 LTS : OpenSSH vulnerabilities (USN-2710-1)

2015-08-1700:00:00

www.tenable.com

Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. (CVE number pending)

Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to bypass authentication or possibly execute arbitrary code. (CVE number pending)

Jann Horn discovered that OpenSSH incorrectly handled time windows for X connections. A remote attacker could use this issue to bypass certain access restrictions. (CVE-2015-5352)

It was discovered that OpenSSH incorrectly handled keyboard-interactive authentication. In a non-default configuration, a remote attacker could possibly use this issue to perform a brute-force password attack. (CVE-2015-5600).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2710-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(85445);
  script_version("2.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/20");

  script_cve_id("CVE-2015-5352", "CVE-2015-5600");
  script_xref(name:"USN", value:"2710-1");

  script_name(english:"Ubuntu 14.04 LTS : OpenSSH vulnerabilities (USN-2710-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"Moritz Jodeit discovered that OpenSSH incorrectly handled usernames
when using PAM authentication. If an additional vulnerability were
discovered in the OpenSSH unprivileged child process, this issue could
allow a remote attacker to perform user impersonation. (CVE number
pending)

Moritz Jodeit discovered that OpenSSH incorrectly handled context
memory when using PAM authentication. If an additional vulnerability
were discovered in the OpenSSH unprivileged child process, this issue
could allow a remote attacker to bypass authentication or possibly
execute arbitrary code. (CVE number pending)

Jann Horn discovered that OpenSSH incorrectly handled time windows for
X connections. A remote attacker could use this issue to bypass
certain access restrictions. (CVE-2015-5352)

It was discovered that OpenSSH incorrectly handled
keyboard-interactive authentication. In a non-default configuration, a
remote attacker could possibly use this issue to perform a brute-force
password attack. (CVE-2015-5600).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2710-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-5600");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-server-udeb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-sftp-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ssh-krb5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openssh-client-udeb");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '14.04', 'pkgname': 'openssh-client', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'openssh-client-udeb', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'openssh-server', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'openssh-server-udeb', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'openssh-sftp-server', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'ssh', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'ssh-askpass-gnome', 'pkgver': '1:6.6p1-2ubuntu2.2'},
    {'osver': '14.04', 'pkgname': 'ssh-krb5', 'pkgver': '1:6.6p1-2ubuntu2.2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssh-client / openssh-client-udeb / openssh-server / etc');
}

VendorProductVersionCPE
canonicalubuntu_linuxopenssh-serverp-cpe:/a:canonical:ubuntu_linux:openssh-server
canonicalubuntu_linuxopenssh-server-udebp-cpe:/a:canonical:ubuntu_linux:openssh-server-udeb
canonicalubuntu_linuxopenssh-sftp-serverp-cpe:/a:canonical:ubuntu_linux:openssh-sftp-server
canonicalubuntu_linuxsshp-cpe:/a:canonical:ubuntu_linux:ssh
canonicalubuntu_linuxssh-askpass-gnomep-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome
canonicalubuntu_linuxssh-krb5p-cpe:/a:canonical:ubuntu_linux:ssh-krb5
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonicalubuntu_linuxopenssh-clientp-cpe:/a:canonical:ubuntu_linux:openssh-client
canonicalubuntu_linuxopenssh-client-udebp-cpe:/a:canonical:ubuntu_linux:openssh-client-udeb

Vendor	Product	Version	CPE
canonical	ubuntu_linux	openssh-server	p-cpe:/a:canonical:ubuntu_linux:openssh-server
canonical	ubuntu_linux	openssh-server-udeb	p-cpe:/a:canonical:ubuntu_linux:openssh-server-udeb
canonical	ubuntu_linux	openssh-sftp-server	p-cpe:/a:canonical:ubuntu_linux:openssh-sftp-server
canonical	ubuntu_linux	ssh	p-cpe:/a:canonical:ubuntu_linux:ssh
canonical	ubuntu_linux	ssh-askpass-gnome	p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome
canonical	ubuntu_linux	ssh-krb5	p-cpe:/a:canonical:ubuntu_linux:ssh-krb5
canonical	ubuntu_linux	14.04	cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonical	ubuntu_linux	openssh-client	p-cpe:/a:canonical:ubuntu_linux:openssh-client
canonical	ubuntu_linux	openssh-client-udeb	p-cpe:/a:canonical:ubuntu_linux:openssh-client-udeb