Advisory ROSA-SA-2021-1938

Software: openssh 7.4p1
OS: Cobalt 7.9

CVE-ID: CVE-2011-4327
CVE-Crit: CRITICAL
CVE-DESC: ssh-keysign.c in ssh-keysign in OpenSSH before version 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, allowing local users to obtain sensitive key information via a ptrace system call.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2011-5000
CVE-Crit: CRITICAL
CVE-DESC: The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a specific length field. NOTE: there may be limited scenarios where this issue is relevant.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2012-0814
CVE-Crit: HIGH
CVE-DESC: The auth_parse_options function in auth-options.c in sshd in OpenSSH before version 5.7 provides debug messages containing authorized_keys command parameters, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as shown on the required shared user account. user Gitolite. NOTE: this may cross privilege boundaries because the user account may intentionally not have shell or file system access and therefore may not have a supported way to read the authorized_keys file in its own home directory.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-2532
CVE-Crit: MEDIUM
CVE-DESC: sshd in OpenSSH before 6.6 incorrectly supports wildcards in AcceptEnv strings in sshd_config, allowing remote attackers to bypass the intended environment restrictions by using a substring before the wildcard.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2014-1692
CVE-Crit: HIGH
CVE-DESC: The hash_buffer function in schnorr.c in OpenSSH before 6.4, when Makefile.inc is modified to include the J-PAKE protocol, fails to initialize certain data structures, which could allow remote attackers to cause a denial of service (memory corruption) or exert unspecified other influence via vectors causing an error condition.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-6563
CVE-Crit: CRITICAL
CVE-DESC: The monitor component in sshd in OpenSSH before 7.0 on platforms other than OpenBSD accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, allowing local users to conduct impersonation attacks using any SSH login access combined with sshd uid control to send a crafted MONITOR_REQ_PWNAM request associated with monitor.c and monitor_wrap.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2015-6564
CVE-Crit: CRITICAL
CVE-DESC: A post-release exploit vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on platforms other than OpenBSD could allow local users to gain privileges by using sshd uid control to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request .
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10009
CVE-Crit: HIGH
CVE-DESC: Unreliable search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to run arbitrary local PKCS #11 modules using control of the redirected socket agent.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10010
CVE-Crit: HIGH
CVE-DESC: sshd in OpenSSH before 7.4, when privilege separation is not used, creates redirected Unix domain sockets as root, which may allow local users to gain privileges via undefined vectors associated with serverloop.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10011
CVE-Crit: MEDIUM
CVE-DESC: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the impact of redistribution on buffer contents, which could allow local users to obtain sensitive private key information using split privilege access to a child process.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10012
CVE-Crit: HIGH
CVE-DESC: shared memory manager (related to pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that bounds checking is performed by all compilers, which may allow local users to gain privileges using isolated privilege access. -separation process associated with the m_zback and m_zlib data structures.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-10708
CVE-Crit: HIGH
CVE-DESC: sshd in OpenSSH before 7.4 allows remote attackers to cause denial of service (null pointer dereferencing and daemon crash) via NEWKEYS message out of sequence, as demonstrated by Honggfuzz related to kex.c and packet.c .
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-6210
CVE-Crit: MEDIUM
CVE-DESC: sshd in OpenSSH before 7.3, when SHA256 or SHA512 is used to hash user passwords, uses BLOWFISH hashing for a static password when the username does not exist, allowing remote attackers to enumerate users using the time difference between responses when a large password is provided.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2016-6515
CVE-Crit: HIGH
CVE-DESC: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit the password length for password authentication, allowing remote attackers to cause a denial of service (CPU consumption by encryption) with a long string.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-20685
CVE-Crit: MEDIUM
CVE-DESC: In OpenSSH 7.9 scp.c in the scp client allows remote SSH servers to bypass implied access restrictions via filename. or an empty filename. The impact is to change the client-side permissions of the target directory.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-6109
CVE-Crit: MEDIUM
CVE-DESC: A problem was discovered in OpenSSH 7.9. Due to the lack of character encoding on the progress bar, a malicious server (or an intermediary attacker) can use crafted object names to control client output, such as using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter () in progressmeter.c.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-6110
CVE-Crit: MEDIUM
CVE-DESC: In OpenSSH 7.9, due to receiving and displaying arbitrary stderr output from the server, a malicious server (or a Man-in-The-Middle attacker) can manipulate client output, for example, to use ANSI control codes to hide additional files being transferred.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-6111
CVE-Crit: MEDIUM
CVE-DESC: a problem was discovered in OpenSSH 7.9. Since the scp implementation is derived from 1983 rcp, the server chooses which files/directories to send to the client. However, the scp client only performs a cursory check of the returned object name (only directory traversal attacks are prevented). A malicious scp server (or an intermediary attacker) can overwrite arbitrary files in the target directory of the scp client. If a recursive operation (-r) is performed, the server can also manipulate subdirectories (for example, overwriting the .ssh / authorized_keys file).
CVE-STATUS: default
CVE-REV: default