Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5308-1.NASL
HistoryOct 23, 2023 - 12:00 a.m.

Ubuntu 16.04 ESM : libssh2 vulnerabilities (USN-5308-1)

2023-10-2300:00:00
Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
3
ubuntu 16.04 esm
libssh2
vulnerabilities
integer overflow
out of bounds
ssh server
denial of service
remote attacker
cve-2019-13115
cve-2019-17498
cve-2019-3855
cve-2019-3856
cve-2019-3857
cve-2019-3858
cve-2019-3859
cve-2019-3860
cve-2019-3861
cve-2019-3862
cve-2019-3863
JSON

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5308-1 advisory.

  • In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an
    _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. (CVE-2019-13115)

  • In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)

  • An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. (CVE-2019-3855)

  • An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. (CVE-2019-3856)

  • An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server. (CVE-2019-3857)

  • An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3858)

  • An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and
    _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3859)

  • An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3860)

  • An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3861)

  • An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3862)

  • A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error. (CVE-2019-3863)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5308-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183694);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");

  script_cve_id(
    "CVE-2019-3855",
    "CVE-2019-3856",
    "CVE-2019-3857",
    "CVE-2019-3858",
    "CVE-2019-3859",
    "CVE-2019-3860",
    "CVE-2019-3861",
    "CVE-2019-3862",
    "CVE-2019-3863",
    "CVE-2019-13115",
    "CVE-2019-17498"
  );
  script_xref(name:"USN", value:"5308-1");

  script_name(english:"Ubuntu 16.04 ESM : libssh2 vulnerabilities (USN-5308-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in
the USN-5308-1 advisory.

  - In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an
    integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A
    remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a
    denial of service condition on the client system when a user connects to the server. This is related to an
    _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as
    CVE-2019-3855. (CVE-2019-13115)

  - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow
    in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent
    memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of
    service condition on the client system when a user connects to the server. (CVE-2019-17498)

  - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1
    in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to
    execute code on the client system when a user connects to the server. (CVE-2019-3855)

  - An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before
    1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may
    be able to execute code on the client system when a user connects to the server. (CVE-2019-3856)

  - An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1
    in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who
    compromises a SSH server may be able to execute code on the client system when a user connects to the
    server. (CVE-2019-3857)

  - An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is
    received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of
    Service or read data in the client memory. (CVE-2019-3858)

  - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and
    _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a
    Denial of Service or read data in the client memory. (CVE-2019-3859)

  - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty
    payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of
    Service or read data in the client memory. (CVE-2019-3860)

  - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding
    length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may
    be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3861)

  - An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST
    packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH
    server may be able to cause a Denial of Service or read data in the client memory. (CVE-2019-3862)

  - A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response
    messages whose total length are greater than unsigned char max characters. This value is used as an index
    to copy memory causing in an out of bounds memory write error. (CVE-2019-3863)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5308-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected libssh2-1 and / or libssh2-1-dev packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3855");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-3862");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssh2-1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libssh2-1-dev");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '16.04', 'pkgname': 'libssh2-1', 'pkgver': '1.5.0-2ubuntu0.1+esm1'},
    {'osver': '16.04', 'pkgname': 'libssh2-1-dev', 'pkgver': '1.5.0-2ubuntu0.1+esm1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libssh2-1 / libssh2-1-dev');
}
VendorProductVersionCPE
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonicalubuntu_linuxlibssh2-1p-cpe:/a:canonical:ubuntu_linux:libssh2-1
canonicalubuntu_linuxlibssh2-1-devp-cpe:/a:canonical:ubuntu_linux:libssh2-1-dev

Related

openvas 38
ubuntu 1
osv 9
suse 4
fedora 7
nessus 69
ibm 12
debian 6
thn 1
archlinux 1
mageia 2
fortinet 1
freebsd 1
slackware 1
oraclelinux 6
altlinux 1
photon 6
rosalinux 1
amazon 6
redhat 8
centos 4
f5 2
cve 1
alpinelinux 2
ubuntucve 2
redhatcve 1
prion 2
debiancve 1
myhack58 1
githubexploit 2
openvas
openvas
Ubuntu: Security Advisory (USN-5308-1)
2023-01-27 00:00:00
Debian: Security Advisory (DLA-1730-1)
2019-03-25 00:00:00
Fedora Update for libssh2 FEDORA-2019-5885663621
2019-08-05 00:00:00
ubuntu
ubuntu
libssh2 vulnerabilities
2022-03-07 00:00:00
osv
osv
libssh2 vulnerabilities
2022-03-07 23:47:01
libssh2 - security update
2019-03-26 00:00:00
libssh2 - security update
2019-04-13 00:00:00
suse
suse
Security update for libssh2_org (moderate)
2020-12-01 00:00:00
Security update for libssh2_org (moderate)
2020-12-01 00:00:00
Security update for libssh2_org (moderate)
2019-04-02 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: libssh2-1.9.0-1.fc29
2019-08-04 02:40:41
[SECURITY] Fedora 28 Update: libssh2-1.8.1-1.fc28
2019-04-05 01:56:16
[SECURITY] Fedora 29 Update: libssh2-1.8.1-1.fc29
2019-03-23 02:58:27
nessus
nessus
SUSE SLED15 / SLES15 Security Update : libssh2_org (SUSE-SU-2020:3551-1)
2020-12-09 00:00:00
openSUSE Security Update : libssh2_org (openSUSE-2020-2126)
2020-12-07 00:00:00
openSUSE Security Update : libssh2_org (openSUSE-2020-2129)
2020-12-03 00:00:00
ibm
ibm
Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool.
2019-11-28 08:40:05
Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by multiple vulnerabilities in libssh2
2020-06-04 15:26:02
Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in libssh2
2023-12-07 22:45:07
debian
debian
[SECURITY] [DLA 1730-1] libssh2 security update
2019-03-26 14:15:42
[SECURITY] [DSA 4431-1] libssh2 security update
2019-04-13 13:11:16
[SECURITY] [DSA 4431-1] libssh2 security update
2019-04-13 13:11:30
thn
thn
Libssh Releases Update to Patch 9 New Security Vulnerabilities
2019-03-19 10:27:00
archlinux
archlinux
[ASA-201903-12] libssh2: multiple issues
2019-03-22 00:00:00
mageia
mageia
Updated libssh2 packages fix security vulnerability
2019-04-11 00:25:19
Updated libssh2 packages fix security vulnerability
2019-11-30 16:06:06
fortinet
fortinet
Protect
2019-11-14 00:00:00
freebsd
freebsd
libssh2 -- multiple issues
2019-03-14 00:00:00
slackware
slackware
[slackware-security] libssh2
2019-03-18 23:39:28
oraclelinux
oraclelinux
libssh2 security update
2020-10-06 00:00:00
libssh2 security, bug fix, and enhancement update
2019-08-13 00:00:00
libssh2 security update
2019-03-28 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package libssh2 version 1.4.3-alt3.M80P.1
2019-04-24 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2019-0222
2019-04-02 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-1.0-0222
2019-04-03 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0149
2019-04-05 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1893
2021-07-02 17:17:12
amazon
amazon
Important: libssh2
2019-04-25 16:44:00
Important: libssh2
2019-08-12 18:05:00
Medium: libssh2
2023-05-25 17:41:00
redhat
redhat
(RHSA-2019:2399) Important: libssh2 security update
2019-08-07 11:03:42
(RHSA-2019:1791) Important: libssh2 security update
2019-07-16 11:50:39
(RHSA-2019:1652) Important: libssh2 security update
2019-07-02 10:35:51
centos
centos
libssh2 security update
2019-07-03 17:00:57
libssh2 security update
2019-04-01 19:09:06
libssh2 security update
2019-08-30 03:29:04
f5
f5
K90011301 : libssh2 vulnerabilities CVE-2019-3856, CVE-2019-3857, and CVE-2019-3863
2020-09-18 00:00:00
K13322484 : libssh2 vulnerability CVE-2019-13115
2019-09-12 00:00:00
cve
cve
CVE-2019-13115
2019-07-16 18:15:00
alpinelinux
alpinelinux
CVE-2019-13115
2019-07-16 18:15:00
CVE-2019-17498
2019-10-21 22:15:00
ubuntucve
ubuntucve
CVE-2019-13115
2019-07-16 00:00:00
CVE-2019-17498
2019-10-21 00:00:00
redhatcve
redhatcve
CVE-2019-13115
2019-07-19 06:21:40
prion
prion
Integer overflow
2019-07-16 18:15:00
Integer overflow
2019-10-21 22:15:00
debiancve
debiancve
CVE-2019-13115
2019-07-16 18:15:00
myhack58
myhack58
For libssh2 integer overflow vulnerability (CVE-2019-17498)analysis-vulnerability warning-the black bar safety net
2019-11-07 00:00:00
githubexploit
githubexploit
Exploit for Out-of-bounds Read in Libssh2
2019-10-03 17:58:03
Exploit for Integer Overflow or Wraparound in Libssh2
2019-10-03 17:26:08
JSON
Related for UBUNTU_USN-5308-1.NASL
openvas38ubuntu1osv9suse4fedora7nessus69ibm12debian6thn1archlinux1mageia2fortinet1freebsd1slackware1oraclelinux6altlinux1photon6rosalinux1amazon6redhat8centos4f52cve1alpinelinux2ubuntucve2redhatcve1prion2debiancve1myhack581githubexploit2