Lucene search
Ubuntu: Security Advisory (USN-6585-1)
🗓️ 16 Jan 2024 00:00:00Reported by Copyright (C) 2024 Greenbone AGType 
openvas🔗 plugins.openvas.org👁 14 Views
The 'libssh2' package on Ubuntu 23.10 is missing an update due to vulnerability CVE-2023-48795 caused by a prefix truncation attack known as the Terrapin attack. The update adds protocol extensions to mitigate this issue
Show more
| Reporter | Title | Published | Views | Family All 200 |
|---|---|---|---|---|
 | Fedora 38 : podman-tui (2023-cb8c606fbb) | 28 Dec 202300:00 | – | nessus |
| openSUSE 15 Security Update : putty (openSUSE-SU-2023:0411-1) | 20 Dec 202300:00 | – | nessus |
| Fedora 39 : python-asyncssh (2023-e77300e4b5) | 29 Dec 202300:00 | – | nessus |
| SUSE SLES15 Security Update : openssh (SUSE-SU-2023:4904-1) | 21 Dec 202300:00 | – | nessus |
| SUSE SLES12 Security Update : openssh (SUSE-SU-2023:4903-1) | 21 Dec 202300:00 | – | nessus |
| openSUSE 15 Security Update : putty (openSUSE-SU-2024:0005-1) | 4 Jan 202400:00 | – | nessus |
| Debian dsa-5750 : python-asyncssh-doc - security update | 18 Aug 202400:00 | – | nessus |
| RHEL 9 : libssh (RHSA-2024:0499) | 25 Jan 202400:00 | – | nessus |
| QNAP QTS / QuTS hero Vulnerability in OpenSSH (QSA-24-06) | 13 Feb 202400:00 | – | nessus |
| EulerOS 2.0 SP11 : libssh2 (EulerOS-SA-2024-1217) | 12 Mar 202400:00 | – | nessus |
10
| Source | Link |
|---|---|
| ubuntu | www.ubuntu.com/security/notices/USN-6585-1 |
# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.1.12.2024.6585.1");
script_cve_id("CVE-2023-48795");
script_tag(name:"creation_date", value:"2024-01-16 09:59:41 +0000 (Tue, 16 Jan 2024)");
script_version("2024-02-02T05:06:10+0000");
script_tag(name:"last_modification", value:"2024-02-02 05:06:10 +0000 (Fri, 02 Feb 2024)");
script_tag(name:"cvss_base", value:"5.4");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:N/I:C/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-12-28 18:26:44 +0000 (Thu, 28 Dec 2023)");
script_name("Ubuntu: Security Advisory (USN-6585-1)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2024 Greenbone AG");
script_family("Ubuntu Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU23\.10");
script_xref(name:"Advisory-ID", value:"USN-6585-1");
script_xref(name:"URL", value:"https://ubuntu.com/security/notices/USN-6585-1");
script_tag(name:"summary", value:"The remote host is missing an update for the 'libssh2' package(s) announced via the USN-6585-1 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"Fabian Baumer, Marcus Brinkmann, Jorg Schwenk discovered that the SSH
protocol was vulnerable to a prefix truncation attack. If a remote attacker
was able to intercept SSH communications, extension negotiation messages
could be truncated, possibly leading to certain algorithms and features
being downgraded. This issue is known as the Terrapin attack. This update
adds protocol extensions to mitigate this issue.");
script_tag(name:"affected", value:"'libssh2' package(s) on Ubuntu 23.10.");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"package");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
release = dpkg_get_ssh_release();
if(!release)
exit(0);
res = "";
report = "";
if(release == "UBUNTU23.10") {
if(!isnull(res = isdpkgvuln(pkg:"libssh2-1", ver:"1.11.0-2ubuntu0.1", rls:"UBUNTU23.10"))) {
report += res;
}
if(report != "") {
security_message(data:report);
} else if(__pkg_match) {
exit(99);
}
exit(0);
}
exit(0);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo16 Jan 2024 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS35.9
EPSS0.95381