{"cve": [{"lastseen": "2020-10-03T11:48:12", "description": "scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.", "edition": 3, "cvss3": {}, "published": "2006-01-25T11:03:00", "title": "CVE-2006-0225", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-0225"], "modified": "2018-10-19T15:43:00", "cpe": ["cpe:/a:openbsd:openssh:3.1", "cpe:/a:openbsd:openssh:3.7.1p2", "cpe:/a:openbsd:openssh:3.9.1", "cpe:/a:openbsd:openssh:3.0p1", "cpe:/a:openbsd:openssh:3.0.1p1", "cpe:/a:openbsd:openssh:3.6.1p2", "cpe:/a:openbsd:openssh:3.0.2p1", "cpe:/a:openbsd:openssh:4.0p1", "cpe:/a:openbsd:openssh:3.1p1", "cpe:/a:openbsd:openssh:3.3", "cpe:/a:openbsd:openssh:3.2", "cpe:/a:openbsd:openssh:3.6.1p1", "cpe:/a:openbsd:openssh:3.9", "cpe:/a:openbsd:openssh:3.9.1p1", "cpe:/a:openbsd:openssh:3.7", "cpe:/a:openbsd:openssh:3.3p1", "cpe:/a:openbsd:openssh:3.8.1p1", "cpe:/a:openbsd:openssh:3.6.1", "cpe:/a:openbsd:openssh:3.4", "cpe:/a:openbsd:openssh:3.5p1", "cpe:/a:openbsd:openssh:3.2.2p1", "cpe:/a:openbsd:openssh:4.2p1", "cpe:/a:openbsd:openssh:3.8.1", "cpe:/a:openbsd:openssh:3.8", "cpe:/a:openbsd:openssh:4.1p1", "cpe:/a:openbsd:openssh:3.4p1", "cpe:/a:openbsd:openssh:3.0.2", "cpe:/a:openbsd:openssh:3.2.3p1", "cpe:/a:openbsd:openssh:3.5", "cpe:/a:openbsd:openssh:3.0", "cpe:/a:openbsd:openssh:3.7.1", "cpe:/a:openbsd:openssh:3.0.1", "cpe:/a:openbsd:openssh:3.6"], "id": "CVE-2006-0225", 
"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0225", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openbsd:openssh:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.7.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.6.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.5p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.0p1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:3.2.3p1:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:13", "bulletinFamily": "software", "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "edition": 1, "description": "\nF5 Product Development has 
assigned ID 552898 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | \nNone \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| \n \nNone \n \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP DNS \n| None | 12.0.0 \n| Not vulnerable \n| None \n \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nARX | None | 6.0.0 - 6.4.0 \n| Not vulnerable \n| None \n \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n| Not vulnerable \n| None \n \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable \n| None \n \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 \n| 
Not vulnerable \n| None \n \nBIG-IQ Device | None | 4.2.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ Security | None | 4.0.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ ADC | None | 4.5.0 \n| Not vulnerable \n| None \n \nLineRate | None | 2.5.0 - 2.6.1 \n| Not vulnerable \n| None \n \nF5 WebSafe | None | 1.0.0 \n| Not vulnerable \n| None \n \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable \n| None \n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-01-09T02:32:00", "published": "2015-10-17T01:17:00", "id": "F5:K17452", "href": "https://support.f5.com/csp/article/K17452", "title": "OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:22", "bulletinFamily": "software", "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "edition": 1, "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2015-10-16T00:00:00", "published": "2015-10-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17452.html", "id": "SOL17452", "title": "SOL17452 - OpenSSH 
vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-04-06T11:38:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:136141256231065019", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065019", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021162.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for OpenSSH\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65019\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for OpenSSH\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.1p1~11.16\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231056294", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231056294", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-06 openssh", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_045_06.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.56294\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2006-045-06 openssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1|10\\.0|10\\.1|10\\.2)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-045-06\");\n\n script_tag(name:\"insight\", value:\"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:50:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "description": "The remote host is missing an update as 
announced\nvia advisory SSA:2006-045-06.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:56294", "href": "http://plugins.openvas.org/nasl.php?oid=56294", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-06 openssh", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_045_06.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2006-045-06.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-045-06\";\n \nif(description)\n{\n script_id(56294);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2006-045-06 openssh \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssh\", ver:\"4.3p1-i486-1\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200602-11.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:56330", "href": "http://plugins.openvas.org/nasl.php?oid=56330", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200602-11 (OpenSSH)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A flaw in OpenSSH and Dropbear allows local users to elevate their\nprivileges via scp.\";\ntag_solution = \"All OpenSSH users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.2_p1-r1'\n\nAll Dropbear users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dropbear-0.47-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200602-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=119232\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200602-11.\";\n\n \n\nif(description)\n{\n script_id(56330);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_bugtraq_id(16369);\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory 
GLSA 200602-11 (OpenSSH)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/openssh\", unaffected: make_list(\"ge 4.2_p1-r1\"), vulnerable: make_list(\"lt 4.2_p1-r1\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"net-misc/dropbear\", unaffected: make_list(\"ge 0.47-r1\"), vulnerable: make_list(\"lt 0.47-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-26T08:55:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "id": "OPENVAS:65019", "href": "http://plugins.openvas.org/nasl.php?oid=65019", "type": "openvas", "title": "SLES9: Security update for OpenSSH", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5021162.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for OpenSSH\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n openssh-askpass\n openssh\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5021162 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65019);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-0225\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for OpenSSH\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"openssh-askpass\", rpm:\"openssh-askpass~4.1p1~11.16\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:13:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0957", "CVE-2006-0225"], 
"description": "Check for the Version of kernel", "modified": "2017-02-20T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:855205", "href": "http://plugins.openvas.org/nasl.php?oid=855205", "type": "openvas", "title": "Solaris Update for kernel 120012-14", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120012-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855205);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n 
script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120012-14\");\n script_cve_id(\"CVE-2007-0957\", \"CVE-2006-0225\");\n script_name( \"Solaris Update for kernel 120012-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120012-14-1\");\n\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"i386\", patch:\"120012-14\", package:\"SUNWcpc.i SUNWsshcu SUNWpcmci SUNWnge SUNWcnetr SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWsra SUNWperl584core SUNWbart SUNWkrbu SUNWsmapi SUNWtavor SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWpapi SUNWsshdu SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWpsdir SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWcsl SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWib SUNWkey SUNWnisu SUNWos86r SUNWtoo SUNWdmgtu SUNWusbu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWusb SUNWzfsr SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWaudh SUNWrge SUNWtecla SUNWmdbr SUNWpcu SUNWzfskr SUNWarcr SUNWrcapu SUNWwbsup SUNWhea SUNWcakr.i SUNWqos SUNWntpu 
SUNWnfsckr SUNWdtrp SUNWlibsasl SUNWcslr SUNWippcore SUNWrmodr SUNWsshu SUNWcsu SUNWnfscu SUNWesu SUNWcsd SUNWipplr SUNWpsm-lpd SUNWuprl SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWftdur SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-09T11:38:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0957", "CVE-2006-0225"], "description": "Check for the Version of kernel", "modified": "2018-04-06T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:1361412562310855205", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855205", "type": "openvas", "title": "Solaris Update for kernel 120012-14", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for kernel 120012-14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"kernel on solaris_5.10_x86\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n kernel\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855205\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:31:50 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"120012-14\");\n script_cve_id(\"CVE-2007-0957\", \"CVE-2006-0225\");\n script_name( \"Solaris Update for kernel 120012-14\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-120012-14-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.10\", arch:\"i386\", patch:\"120012-14\", package:\"SUNWcpc.i SUNWsshcu SUNWpcmci SUNWnge SUNWcnetr SUNWdhcsu SUNWrcmdc SUNWperl584usr SUNWixgb SUNWpsu SUNWfss SUNWatfsu SUNWpmu SUNWlldap SUNWipfr SUNWudapltu SUNWzoner SUNWarc SUNWipfu SUNWfmd SUNWintgige SUNWscpu SUNWbtool SUNWxge SUNWsra SUNWperl584core SUNWbart SUNWkrbu SUNWsmapi SUNWtavor SUNWipfh SUNWmdb SUNWzfsu SUNWsndmr SUNWaudit SUNWncar SUNWpapi SUNWsshdu SUNWsndmu SUNWpppdu SUNWnfssu SUNWdhcm SUNWkdcu SUNWpsdir SUNWpool SUNWxcu4 SUNWudapltr SUNWdtrc SUNWopenssl-libraries SUNWcsl SUNWcpcu SUNWses SUNWsadmi SUNWvolu SUNWib SUNWkey SUNWnisu SUNWos86r SUNWtoo SUNWdmgtu SUNWusbu SUNWypu SUNWpoolr SUNWftduu SUNWppm SUNWuksp SUNWusb SUNWzfsr SUNWroute SUNWckr SUNWcsr SUNWdoc SUNWaudh SUNWrge SUNWtecla SUNWmdbr SUNWpcu SUNWzfskr SUNWarcr SUNWrcapu SUNWwbsup SUNWhea SUNWcakr.i SUNWqos SUNWntpu SUNWnfsckr SUNWdtrp SUNWlibsasl SUNWcslr SUNWippcore SUNWrmodr SUNWsshu SUNWcsu SUNWnfscu SUNWesu SUNWcsd SUNWipplr SUNWpsm-lpd SUNWuprl SUNWzoneu SUNWipplu SUNWrcapr SUNWdfbh SUNWftdur SUNWauda\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-10T18:58:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-1206", "CVE-2006-0225"], "description": "This host is installed with Dropbear SSH and\n is prone to multiple vulnerabilities.", "modified": "2020-03-09T00:00:00", "published": "2014-11-14T00:00:00", "id": "OPENVAS:1361412562310105118", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105118", "type": "openvas", "title": "Dropbear SSH < 0.48 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2014 SCHUTZWERK GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program 
is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:dropbear_ssh_project:dropbear_ssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105118\");\n script_version(\"2020-03-09T10:54:00+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-09 10:54:00 +0000 (Mon, 09 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-11-14 12:00:00 +0100 (Fri, 14 Nov 2014)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2006-0225\", \"CVE-2006-1206\");\n script_bugtraq_id(16369, 17024);\n\n script_name(\"Dropbear SSH < 0.48 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2014 SCHUTZWERK GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_dropbear_ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"dropbear/installed\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Dropbear SSH and\n is prone to multiple vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - A large number of connection attempts that exceeds the MAX_UNAUTH_CLIENTS defined\n value of 30 is 
possible.\n\n - The shipped scp command of OpenSSH 4.2p1 expands filenames that contain shell metacharacters or spaces twice.\");\n script_tag(name:\"impact\", value:\"The flaws allows remote attackers to cause a denial of service\n (connection slot exhaustion) and local attackers to execute arbitrary commands.\");\n script_tag(name:\"affected\", value:\"Versions prior to Dropbear SSH 0.48 are vulnerable.\");\n script_tag(name:\"solution\", value:\"Updates are available.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/17024\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/16369\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/1572\");\n script_xref(name:\"URL\", value:\"https://matt.ucc.asn.au/dropbear/dropbear.html\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nver = eregmatch( pattern:\"^([0-9]+)\\.([0-9]+)\", string:vers );\n\nif( isnull( ver[2] ) ) exit( 0 );\n\nif( int( ver[1] ) > 0 ) exit( 99 );\n\nif( version_is_less( version:ver[2], test_version:\"48\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"0.48\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-04-09T11:41:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "description": "Check for the Version of /usr/bin/ssh", "modified": "2018-04-06T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:1361412562310855023", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310855023", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-18", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.855023\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114356-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-18-1\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : 
tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:14:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3738", "CVE-2006-2940", "CVE-2006-2937", "CVE-2006-4343", "CVE-2006-4339", "CVE-2008-1483", "CVE-2006-0225"], "description": "Check for the Version of /usr/bin/ssh", "modified": "2017-02-20T00:00:00", "published": "2009-06-03T00:00:00", "id": "OPENVAS:855023", "href": "http://plugins.openvas.org/nasl.php?oid=855023", "type": "openvas", "title": "Solaris Update for /usr/bin/ssh 114356-18", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Solaris Update for /usr/bin/ssh 114356-18\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"/usr/bin/ssh on solaris_5.9_sparc\";\ntag_insight = \"The remote host is missing a patch containing a security fix,\n which affects the following component(s): \n /usr/bin/ssh\n For more information please visit the below reference link.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\nif(description)\n{\n script_id(855023);\n script_version(\"$Revision: 5359 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:20:19 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-03 12:24:08 +0200 (Wed, 03 Jun 2009)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUNSolve\", value: \"114356-18\");\n script_cve_id(\"CVE-2008-1483\", \"CVE-2006-0225\", \"CVE-2006-3738\", \"CVE-2006-4343\", \"CVE-2006-4339\", \"CVE-2006-2937\", \"CVE-2006-2940\");\n script_name( \"Solaris Update for /usr/bin/ssh 114356-18\");\n\n script_xref(name : \"URL\" , value : \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-114356-18-1\");\n\n script_summary(\"Check for the Version of /usr/bin/ssh\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Solaris Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/solosversion\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", 
value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"solaris.inc\");\n\nrelease = get_kb_item(\"ssh/login/solosversion\");\n\nif(release == NULL){\n exit(0);\n}\n\nif(solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-18\", package:\"SUNWsshcu SUNWsshu\") < 0)\n{\n security_message(0);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:07", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0225"], "description": "### Background\n\nOpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality. Dropbear is an SSH server and client designed with a small memory footprint that includes OpenSSH scp code. \n\n### Description\n\nTo copy from a local filesystem to another local filesystem, scp constructs a command line using 'cp' which is then executed via system(). Josh Bressers discovered that special characters are not escaped by scp, but are simply passed to the shell. \n\n### Impact\n\nBy tricking other users or applications to use scp on maliciously crafted filenames, a local attacker user can execute arbitrary commands with the rights of the user running scp. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll OpenSSH users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/openssh-4.2_p1-r1\"\n\nAll Dropbear users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/dropbear-0.47-r1\"", "edition": 1, "modified": "2006-02-20T00:00:00", "published": "2006-02-20T00:00:00", "id": "GLSA-200602-11", "href": "https://security.gentoo.org/glsa/200602-11", "type": "gentoo", "title": "OpenSSH, Dropbear: Insecure use of system() call", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2020-10-25T16:36:21", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0225"], "description": "New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix a security issue.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/openssh-4.3p1-i486-1.tgz: Upgraded to openssh-4.3p1.\n This fixes a security issue when using scp to copy files that could\n cause commands embedded in filenames to be executed.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-4.3p1-i386-1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssh-4.3p1-i386-1.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 
10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/openssh-4.3p1-i486-1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssh-4.3p1-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\ne48cf3c1dd582b5e21e6acc3daea1af0 openssh-4.3p1-i386-1.tgz\n\nSlackware 9.0 package:\n47ad2060666d1beafec836ad3c20d5fd openssh-4.3p1-i386-1.tgz\n\nSlackware 9.1 package:\nb795fea0fa188746c2b5edc93273e7b7 openssh-4.3p1-i486-1.tgz\n\nSlackware 10.0 package:\nf02633326a65201fcb1187cf86d101f4 openssh-4.3p1-i486-1.tgz\n\nSlackware 10.1 package:\nadbdf45d3476c146c40f3990665cf2bf openssh-4.3p1-i486-1.tgz\n\nSlackware 10.2 package:\n8ca842462851056fa3ce129dae847fbe openssh-4.3p1-i486-1.tgz\n\nSlackware -current package:\ndf20d506217f453e60190120b1c69a8e openssh-4.3p1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg openssh-4.3p1-i486-1.tgz\n\nNext, restart the sshd daemon:\n. /etc/rc.d/rc.sshd restart", "modified": "2006-02-15T00:27:52", "published": "2006-02-15T00:27:52", "id": "SSA-2006-045-06", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802", "type": "slackware", "title": "[slackware-security] openssh", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:24:22", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0225"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0044\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. 
This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. \r\n\r\nThe following issue has also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\nAdditionally, this update implements auditing of user logins through the\r\nsystem audit service.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-March/024740.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-March/024744.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-March/024748.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-March/024769.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-March/024776.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0044.html", "edition": 4, "modified": "2006-03-13T14:28:10", "published": "2006-03-08T00:16:52", "href": "http://lists.centos.org/pipermail/centos-announce/2006-March/024740.html", "id": "CESA-2006:0044", "title": "openssh security update", "type": "centos", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-15T11:39:50", 
"bulletinFamily": "unix", "cvelist": ["CVE-2006-0225", "CVE-2003-0386"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0298\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nThe following issues have also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\n* When privilege separation was enabled, the last login message was printed\r\n only for the root user.\r\n\r\n* The sshd daemon was sending messages to the system log from a signal\r\n handler when debug logging was enabled. 
This could cause a deadlock of\r\n the user's connection.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025131.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/025132.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-July/025088.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-July/025090.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0298.html", "edition": 8, "modified": "2006-08-03T13:59:39", "published": "2006-07-20T15:13:49", "href": "http://lists.centos.org/pipermail/centos-announce/2006-July/025088.html", "id": "CESA-2006:0298", "title": "openssh security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-20T18:27:40", "bulletinFamily": "unix", "cvelist": ["CVE-2006-5051", "CVE-2006-0225", "CVE-2003-0386", "CVE-2006-4924"], "description": "**CentOS Errata and Security Advisory** CESA-2006:0698-01\n\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd\r\nserver. A remote attacker could possibly leverage this flaw to cause a\r\ndenial of service (crash). (CVE-2006-5051) The OpenSSH project believes the\r\nlikelihood of successful exploitation leading to arbitrary code execution\r\nappears remote. However, the Red Hat Security Response Team have not yet\r\nbeen able to verify this claim due to lack of upstream vulnerability\r\ninformation. 
We are therefore including a fix for this flaw and have rated\r\nit important security severity in the event our continued investigation\r\nfinds this issue to be exploitable.\r\n\r\nTavis Ormandy of the Google Security Team discovered a denial of service\r\nbug in the OpenSSH sshd server. A remote attacker can send a specially\r\ncrafted SSH-1 request to the server causing sshd to consume a large\r\nquantity of CPU resources. (CVE-2006-4924)\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. (CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-October/025348.html\n\n**Affected packages:**\nopenssh\nopenssh-askpass\nopenssh-askpass-gnome\nopenssh-clients\nopenssh-server\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "edition": 5, "modified": "2006-10-02T01:42:56", "published": "2006-10-02T01:42:56", "href": "http://lists.centos.org/pipermail/centos-announce/2006-October/025348.html", "id": "CESA-2006:0698-01", "title": "openssh security update", "type": "centos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:34", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0225"], "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol 
implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. The Common Vulnerabilities and Exposures\r\nproject (cve.mitre.org) assigned the name CVE-2006-0225 to this issue. \r\n\r\nThe following issue has also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\nAdditionally, this update implements auditing of user logins through the\r\nsystem audit service.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.", "modified": "2017-09-08T12:09:39", "published": "2006-03-07T17:56:55", "id": "RHSA-2006:0044", "href": "https://access.redhat.com/errata/RHSA-2006:0044", "type": "redhat", "title": "(RHSA-2006:0044) openssh security update", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:00", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0386", "CVE-2006-0225"], "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. 
(CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nThe following issues have also been fixed in this update:\r\n\r\n* If the sshd service was stopped using the sshd init script while the\r\n main sshd daemon was not running, the init script would kill other sshd\r\n processes, such as the running sessions. For example, this could happen\r\n when the 'service sshd stop' command was issued twice.\r\n\r\n* When privilege separation was enabled, the last login message was printed\r\n only for the root user.\r\n\r\n* The sshd daemon was sending messages to the system log from a signal\r\n handler when debug logging was enabled. This could cause a deadlock of\r\n the user's connection.\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\nresolve these issues.", "modified": "2017-07-29T20:31:10", "published": "2006-07-20T13:25:51", "id": "RHSA-2006:0298", "href": "https://access.redhat.com/errata/RHSA-2006:0298", "type": "redhat", "title": "(RHSA-2006:0298) openssh security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:29", "bulletinFamily": "unix", "cvelist": ["CVE-2003-0386", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-5051"], "description": "OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\r\npackage includes the core files necessary for both the OpenSSH client and\r\nserver.\r\n\r\nMark Dowd discovered a signal handler race condition in the OpenSSH sshd\r\nserver. A remote attacker could possibly leverage this flaw to cause a\r\ndenial of service (crash). 
(CVE-2006-5051) The OpenSSH project believes the\r\nlikelihood of successful exploitation leading to arbitrary code execution\r\nappears remote. However, the Red Hat Security Response Team have not yet\r\nbeen able to verify this claim due to lack of upstream vulnerability\r\ninformation. We are therefore including a fix for this flaw and have rated\r\nit important security severity in the event our continued investigation\r\nfinds this issue to be exploitable.\r\n\r\nTavis Ormandy of the Google Security Team discovered a denial of service\r\nbug in the OpenSSH sshd server. A remote attacker can send a specially\r\ncrafted SSH-1 request to the server causing sshd to consume a large\r\nquantity of CPU resources. (CVE-2006-4924)\r\n\r\nAn arbitrary command execution flaw was discovered in the way scp copies\r\nfiles locally. It is possible for a local attacker to create a file with a\r\ncarefully crafted name that could execute arbitrary commands as the user\r\nrunning scp to copy files locally. 
(CVE-2006-0225)\r\n\r\nThe SSH daemon, when restricting host access by numeric IP addresses and\r\nwith VerifyReverseMapping disabled, allows remote attackers to bypass\r\n\"from=\" and \"user@host\" address restrictions by connecting to a host from a\r\nsystem whose reverse DNS hostname contains the numeric IP address.\r\n(CVE-2003-0386)\r\n\r\nAll users of openssh should upgrade to these updated packages, which\r\ncontain backported patches that resolve these issues.", "modified": "2018-03-14T19:26:44", "published": "2006-09-28T04:00:00", "id": "RHSA-2006:0698", "href": "https://access.redhat.com/errata/RHSA-2006:0698", "type": "redhat", "title": "(RHSA-2006:0698) openssh security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T22:01:34", "description": "CVE ID:CVE-2006-0225\r\nCNCVE ID:CNCVE-20060225\r\nAvaya Call Management System is an Avaya operational-efficiency solution that provides integrated analysis and reporting.\r\n\r\nThe CMS and IR applications running on Sun Solaris have an input validation problem when handling the scp command; a local attacker can exploit the vulnerability to execute arbitrary commands with user privileges.\r\n\r\nNo detailed vulnerability information is currently available.\n0\nAvaya Call Management System (CMS)\nRefer to the following security advisory for patch information:\r\n\r\nhttp://support.avaya.com/elmodocs2/security/ASA-2007-246.htm", "published": "2007-07-10T00:00:00", "title": "Avaya CMS / IR Solaris scp command-line shell command injection vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0225"], "modified": "2007-07-10T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-1979", "id": "SSV:1979", "sourceData": "", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2021-01-07T11:51:32", "description": "A flaw was discovered in the scp local-to-local copy implementation\nwhere filenames that contain shell metacharacters or spaces are\nexpanded twice, which could lead to the execution of arbitrary\ncommands if a local user could be tricked into a scp'ing a specially\ncrafted filename.\n\nThe provided updates bump the OpenSSH version to the latest release\nversion of 4.3p1. A number of differences exist, primarily dealing\nwith PAM authentication over the version included in Corporate 3.0 and\nMNF2. In particular, the default sshd_config now only accepts protocol\n2 connections and UsePAM is now disabled by default.\n\nOn systems using alternate authentication methods (ie. LDAP) that use\nthe PAM stack for authentication, you will need to enable UsePAM. Note\nthat the default /etc/pam.d/sshd file has also been modified to use\nthe pam_listfile.so module which will deny access to any users listed\nin /etc/ssh/denyusers (by default, this is only the root user). This\nis required to preserve the expected behaviour when using\n'PermitRootLogin without-password'; otherwise it would still be\npossible to obtain a login prompt and login without using keys.\n\nMandriva Linux 10.1 and newer already have these changes in their\nshipped versions. 
There are new features in OpenSSH and users are\nencouraged to review the new sshd_config and ssh_config files when\nupgrading.", "edition": 25, "published": "2006-02-10T00:00:00", "title": "Mandrake Linux Security Advisory : openssh (MDKSA-2006:034)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-02-10T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:openssh-server", "cpe:/o:mandrakesoft:mandrake_linux:10.1", "p-cpe:/a:mandriva:linux:openssh-clients", "p-cpe:/a:mandriva:linux:openssh-askpass", "p-cpe:/a:mandriva:linux:openssh-askpass-gnome", "cpe:/o:mandriva:linux:2006", "x-cpe:/o:mandrakesoft:mandrake_linux:le2005", "p-cpe:/a:mandriva:linux:openssh"], "id": "MANDRAKE_MDKSA-2006-034.NASL", "href": "https://www.tenable.com/plugins/nessus/20875", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2006:034. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20875);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"MDKSA\", value:\"2006:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssh (MDKSA-2006:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was discovered in the scp local-to-local copy implementation\nwhere filenames that contain shell metacharacters or spaces are\nexpanded twice, which could lead to the execution of arbitrary\ncommands if a local user could be tricked into a scp'ing a specially\ncrafted filename.\n\nThe provided updates bump the OpenSSH version to the latest release\nversion of 4.3p1. A number of differences exist, primarily dealing\nwith PAM authentication over the version included in Corporate 3.0 and\nMNF2. In particular, the default sshd_config now only accepts protocol\n2 connections and UsePAM is now disabled by default.\n\nOn systems using alternate authentication methods (ie. LDAP) that use\nthe PAM stack for authentication, you will need to enable UsePAM. Note\nthat the default /etc/pam.d/sshd file has also been modified to use\nthe pam_listfile.so module which will deny access to any users listed\nin /etc/ssh/denyusers (by default, this is only the root user). This\nis required to preserve the expected behaviour when using\n'PermitRootLogin without-password'; otherwise it would still be\npossible to obtain a login prompt and login without using keys.\n\nMandriva Linux 10.1 and newer already have these changes in their\nshipped versions. 
There are new features in OpenSSH and users are\nencouraged to review the new sshd_config and ssh_config files when\nupgrading.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:mandrakesoft:mandrake_linux:le2005\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif 
(!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-askpass-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-askpass-gnome-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-clients-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", reference:\"openssh-server-4.3p1-0.1.101mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-askpass-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-askpass-gnome-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-clients-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.2\", reference:\"openssh-server-4.3p1-0.1.102mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-askpass-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-askpass-gnome-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-clients-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"openssh-server-4.3p1-0.1.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:01", "description": "The remote host is affected by the vulnerability described in GLSA-200602-11\n(OpenSSH, Dropbear: Insecure use of system() call)\n\n To copy from a local filesystem to another local filesystem, scp\n constructs a command line using 'cp' which is then executed via\n system(). Josh Bressers discovered that special characters are not\n escaped by scp, but are simply passed to the shell.\n \nImpact :\n\n By tricking other users or applications to use scp on maliciously\n crafted filenames, a local attacker user can execute arbitrary commands\n with the rights of the user running scp.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 26, "published": "2006-02-21T00:00:00", "title": "GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-02-21T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:dropbear", "p-cpe:/a:gentoo:linux:openssh"], "id": "GENTOO_GLSA-200602-11.NASL", "href": "https://www.tenable.com/plugins/nessus/20953", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200602-11.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20953);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"GLSA\", value:\"200602-11\");\n\n script_name(english:\"GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200602-11\n(OpenSSH, Dropbear: Insecure use of system() call)\n\n To copy from a local filesystem to another local filesystem, scp\n constructs a command line using 'cp' which is then executed via\n system(). 
Josh Bressers discovered that special characters are not\n escaped by scp, but are simply passed to the shell.\n \nImpact :\n\n By tricking other users or applications to use scp on maliciously\n crafted filenames, a local attacker user can execute arbitrary commands\n with the rights of the user running scp.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200602-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All OpenSSH users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/openssh-4.2_p1-r1'\n All Dropbear users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/dropbear-0.47-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dropbear\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/02/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/dropbear\", unaffected:make_list(\"ge 0.47-r1\"), vulnerable:make_list(\"lt 0.47-r1\"))) flag++;\nif (qpkg_check(package:\"net-misc/openssh\", unaffected:make_list(\"ge 4.2_p1-r1\"), vulnerable:make_list(\"lt 4.2_p1-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"OpenSSH / Dropbear\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:14:47", "description": "The remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh).\n\n\nA problem in the handling of scp in openssh could be used to execute\ncommands on remote hosts even using a scp-only configuration.\n\nThis requires doing a remote-remote scp and a hostile server. 
(CVE-2006-0225)\n\nOn SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too.\n\nThe security fix changes the handling of quoting filenames which might\nbreak automated scripts using this functionality.\n\nPlease check that your automated scp scripts still work after the\nupdate.", "edition": 6, "published": "2006-02-15T00:00:00", "title": "SUSE-SA:2006:008: openssh", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-02-15T00:00:00", "cpe": [], "id": "SUSE_SA_2006_008.NASL", "href": "https://www.tenable.com/plugins/nessus/20923", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:008\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(20923);\n script_version(\"1.9\");\n \n name[\"english\"] = \"SUSE-SA:2006:008: openssh\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2006:008 (openssh).\n\n\nA problem in the handling of scp in openssh could be used to execute\ncommands on remote hosts even using a scp-only configuration.\n\nThis requires doing a remote-remote scp and a hostile server. 
(CVE-2006-0225)\n\nOn SUSE Linux Enterprise Server 9 the xauth pollution problem was fixed too.\n\nThe security fix changes the handling of quoting filenames which might\nbreak automated scripts using this functionality.\n\nPlease check that your automated scp scripts still work after the\nupdate.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/advisories/2006_08_openssh.html\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\" );\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2006/02/15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the openssh package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"openssh-4.1p1-10.4\", release:\"SUSE10.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-4.1p1-10.4\", release:\"SUSE10.0\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-4.1p1-11.16\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-4.1p1-11.16\", release:\"SUSE9.1\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-3.9p1-3.6\", release:\"SUSE9.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-3.9p1-3.6\", release:\"SUSE9.2\") )\n{\n security_hole(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssh-3.9p1-12.4\", release:\"SUSE9.3\") )\n{\n security_hole(0);\n 
exit(0);\n}\nif ( rpm_check( reference:\"openssh-askpass-3.9p1-12.4\", release:\"SUSE9.3\") )\n{\n security_hole(0);\n exit(0);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-26T17:24:44", "description": "SunOS 5.9_x86: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09", "edition": 1, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 9 (x86) : 114357-18", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2011-09-18T00:00:00", "id": "SOLARIS9_X86_114357.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25654", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(25654);\n script_version(\"$Revision: 1.21 $\");\n\n script_name(english: \"Solaris 9 (x86) : 114357-18\");\n script_osvdb_id(22692);\n script_cve_id(\"CVE-2006-0225\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 114357-18\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9_x86: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/114357-18\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_cvs_date(\"$Date: 2011/09/18 01:40:37 $\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n 
script_end_attributes();\n\n script_summary(english: \"Check for patch 114357-18\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2011 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"114357-18\", obsoleted_by:\"122301-47 \", package:\"SUNWsshcu\", version:\"11.9.0,REV=2002.11.04.02.51\");\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"114357-18\", obsoleted_by:\"122301-47 \", package:\"SUNWsshu\", version:\"11.9.0,REV=2002.11.04.02.51\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-12T10:05:54", "description": "This is a minor security update which fixes double shell expansion in\nlocal to local and remote to remote copy with scp. It also fixes a few\nother minor non-security issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2006-01-24T00:00:00", "title": "Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-01-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssh-debuginfo", "p-cpe:/a:fedoraproject:fedora:openssh-askpass", "p-cpe:/a:fedoraproject:fedora:openssh", "p-cpe:/a:fedoraproject:fedora:openssh-askpass-gnome", "cpe:/o:fedoraproject:fedora_core:4", "p-cpe:/a:fedoraproject:fedora:openssh-clients", "p-cpe:/a:fedoraproject:fedora:openssh-server"], "id": "FEDORA_2006-056.NASL", "href": "https://www.tenable.com/plugins/nessus/20802", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2006-056.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20802);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"FEDORA\", value:\"2006-056\");\n\n script_name(english:\"Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This is a minor security update which fixes double shell expansion in\nlocal to local and remote to remote copy with scp. It also fixes a few\nother minor non-security issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2006-January/001767.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3d25dcd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/01/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = 
get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 4.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC4\", reference:\"openssh-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-askpass-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-askpass-gnome-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-clients-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-debuginfo-4.2p1-fc4.10\")) flag++;\nif (rpm_check(release:\"FC4\", reference:\"openssh-server-4.2p1-fc4.10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T06:42:38", "description": "Tomas Mraz discovered a shell code injection flaw in scp. When doing\nlocal-to-local or remote-to-remote copying, scp expanded shell escape\ncharacters. 
By tricking an user into using scp on a specially crafted\nfile name (which could also be caught by using an innocuous wild card\nlike '*'), an attacker could exploit this to execute arbitrary shell\ncommands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on\nuntrusted file names, since it needs to stay compatible with rcp.\nPlease use sftp for automated systems and potentially untrusted file\nnames.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2006-03-13T00:00:00", "title": "Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:ssh", "p-cpe:/a:canonical:ubuntu_linux:openssh-server", "cpe:/o:canonical:ubuntu_linux:5.04", "p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome", "cpe:/o:canonical:ubuntu_linux:4.10", "p-cpe:/a:canonical:ubuntu_linux:openssh-client", "cpe:/o:canonical:ubuntu_linux:5.10"], "id": "UBUNTU_USN-255-1.NASL", "href": "https://www.tenable.com/plugins/nessus/21063", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-255-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21063);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:33:00\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"USN\", value:\"255-1\");\n\n script_name(english:\"Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tomas Mraz discovered a shell code injection flaw in scp. When doing\nlocal-to-local or remote-to-remote copying, scp expanded shell escape\ncharacters. By tricking an user into using scp on a specially crafted\nfile name (which could also be caught by using an innocuous wild card\nlike '*'), an attacker could exploit this to execute arbitrary shell\ncommands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on\nuntrusted file names, since it needs to stay compatible with rcp.\nPlease use sftp for automated systems and potentially untrusted file\nnames.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/03/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. 
/ NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10|5\\.04|5\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10 / 5.04 / 5.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"openssh-client\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"openssh-server\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"ssh\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"3.8.1p1-11ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"openssh-client\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"openssh-server\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"ssh\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"ssh-askpass-gnome\", pkgver:\"3.9p1-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"openssh-client\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"openssh-server\", 
pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"ssh\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"ssh-askpass-gnome\", pkgver:\"4.1p1-7ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh-client / openssh-server / ssh / ssh-askpass-gnome\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:24:54", "description": "Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. 
For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.", "edition": 28, "published": "2006-07-05T00:00:00", "title": "CentOS 4 : openssh (CESA-2006:0044)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-07-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:openssh", "p-cpe:/a:centos:centos:openssh-server", "cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:openssh-clients", "p-cpe:/a:centos:centos:openssh-askpass", "p-cpe:/a:centos:centos:openssh-askpass-gnome"], "id": "CENTOS_RHSA-2006-0044.NASL", "href": "https://www.tenable.com/plugins/nessus/21975", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0044 and \n# CentOS Errata and Security Advisory 2006:0044 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21975);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0044\");\n\n script_name(english:\"CentOS 4 : openssh (CESA-2006:0044)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is 
OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012702.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a20391fc\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012731.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5093f768\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-March/012738.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?23f5115f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssh packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-askpass-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-askpass-gnome-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-clients-3.9p1-8.RHEL4.12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"openssh-server-3.9p1-8.RHEL4.12\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:32:53", "description": "According to its banner, the version of OpenSSH running on the remote\nhost is potentially affected by an arbitrary command execution\nvulnerability. The scp utility does not properly sanitize\nuser-supplied input prior to using a system() function call. 
A local\nattacker could exploit this by creating filenames with shell\nmetacharacters, which could cause arbitrary code to be executed if\ncopied by a user running scp.", "edition": 24, "published": "2011-10-04T00:00:00", "title": "OpenSSH < 4.3 scp Command Line Filename Processing Command Injection", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:openbsd:openssh"], "id": "OPENSSH_43.NASL", "href": "https://www.tenable.com/plugins/nessus/44076", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44076);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_bugtraq_id(16369);\n\n script_name(english:\"OpenSSH < 4.3 scp Command Line Filename Processing Command Injection\");\n script_summary(english:\"Checks SSH banner\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of SSH running on the remote host has a command injection\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the version of OpenSSH running on the remote\nhost is potentially affected by an arbitrary command execution\nvulnerability. The scp utility does not properly sanitize\nuser-supplied input prior to using a system() function call. 
A local\nattacker could exploit this by creating filenames with shell\nmetacharacters, which could cause arbitrary code to be executed if\ncopied by a user running scp.\"\n );\n script_set_attribute(attribute:\"see_also\",value:\"https://bugzilla.mindrot.org/show_bug.cgi?id=1094\");\n script_set_attribute(attribute:\"see_also\",value:\"http://www.openssh.com/txt/release-4.3\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 4.3 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/09/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\nbp_banner = tolower(get_backport_banner(banner:banner));\nif (\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates 
patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\nmatch = eregmatch(string:version, pattern:'^([0-9.]+)');\nif (isnull(match)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\nver = match[1];\nfix = '4.3';\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:05:33", "description": "Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. 
The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.", "edition": 29, "published": "2006-03-08T00:00:00", "title": "RHEL 4 : openssh (RHSA-2006:0044)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2006-03-08T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:4", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome", "p-cpe:/a:redhat:enterprise_linux:openssh", "p-cpe:/a:redhat:enterprise_linux:openssh-askpass", "p-cpe:/a:redhat:enterprise_linux:openssh-clients", "p-cpe:/a:redhat:enterprise_linux:openssh-server"], "id": "REDHAT-RHSA-2006-0044.NASL", "href": "https://www.tenable.com/plugins/nessus/21030", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0044. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(21030);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-0225\");\n script_xref(name:\"RHSA\", value:\"2006:0044\");\n\n script_name(english:\"RHEL 4 : openssh (RHSA-2006:0044)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated openssh packages that fix bugs in sshd and add auditing of\nuser logins are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\nOpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This\npackage includes the core files necessary for both the OpenSSH client\nand server.\n\nAn arbitrary command execution flaw was discovered in the way scp\ncopies files locally. It is possible for a local attacker to create a\nfile with a carefully crafted name that could execute arbitrary\ncommands as the user running scp to copy files locally. The Common\nVulnerabilities and Exposures project (cve.mitre.org) assigned the\nname CVE-2006-0225 to this issue.\n\nThe following issue has also been fixed in this update :\n\n* If the sshd service was stopped using the sshd init script while the\nmain sshd daemon was not running, the init script would kill other\nsshd processes, such as the running sessions. 
For example, this could\nhappen when the 'service sshd stop' command was issued twice.\n\nAdditionally, this update implements auditing of user logins through\nthe system audit service.\n\nAll users of openssh should upgrade to these updated packages, which\nresolve these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-0225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0044\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/01/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0044\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-3.9p1-8.RHEL4.12\")) flag++;\n if 
(rpm_check(release:\"RHEL4\", reference:\"openssh-askpass-gnome-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-clients-3.9p1-8.RHEL4.12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"openssh-server-3.9p1-8.RHEL4.12\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc\");\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-09-26T17:25:19", "description": "SunOS 5.9: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09", "edition": 1, "published": "2007-07-02T00:00:00", "type": "nessus", "title": "Solaris 9 (sparc) : 114356-19", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0225"], "modified": "2011-09-18T00:00:00", "id": "SOLARIS9_114356.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25653", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(25653);\n script_version(\"$Revision: 1.21 $\");\n\n script_name(english: \"Solaris 9 (sparc) : 114356-19\");\n script_osvdb_id(22692);\n script_cve_id(\"CVE-2006-0225\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 114356-19\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9: /usr/bin/ssh patch.\nDate this patch was last updated by Sun : Sep/16/09');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/114356-19\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/02\");\n script_cvs_date(\"$Date: 2011/09/18 01:40:36 $\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/28\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 114356-19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2011 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", obsoleted_by:\"122300-47 \", package:\"SUNWsshcu\", version:\"11.9.0,REV=2002.04.06.15.27\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"114356-19\", obsoleted_by:\"122300-47 \", package:\"SUNWsshu\", 
version:\"11.9.0,REV=2002.04.06.15.27\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-09T19:42:36", "bulletinFamily": "unix", "cvelist": ["CVE-2006-0225"], "description": "Tomas Mraz discovered a shell code injection flaw in scp. When doing \nlocal-to-local or remote-to-remote copying, scp expanded shell escape \ncharacters. By tricking an user into using scp on a specially crafted \nfile name (which could also be caught by using an innocuous wild card \nlike '*'), an attacker could exploit this to execute arbitrary shell \ncommands with the privilege of that user.\n\nPlease be aware that scp is not designed to operate securely on \nuntrusted file names, since it needs to stay compatible with rcp. \nPlease use sftp for automated systems and potentially untrusted file \nnames.", "edition": 5, "modified": "2006-02-22T00:00:00", "published": "2006-02-22T00:00:00", "id": "USN-255-1", "href": "https://ubuntu.com/security/notices/USN-255-1", "title": "openssh vulnerability", "type": "ubuntu", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-0225"], "edition": 1, "description": "## Vulnerability Description\nOpenSSH contains a flaw that may allow an attacker to execute arbitrary commands. The flaw is due to the way OpenSSH's scp utility handles file names during local-to-local copies. During the file name expansion, the utility does not properly sanitize filenames allowing a crafted file name with shell meta-characters. 
This can be used to trick a user into executing arbitrary commands with a different set of (potentially higher) privileges.\n## Solution Description\nUpgrade to version 4.3p1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nOpenSSH contains a flaw that may allow an attacker to execute arbitrary commands. The flaw is due to the way OpenSSH's scp utility handles file names during local-to-local copies. During the file name expansion, the utility does not properly sanitize filenames allowing a crafted file name with shell meta-characters. This can be used to trick a user into executing arbitrary commands with a different set of (potentially higher) privileges.\n## References:\nVendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=119232\nVendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174026\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060703-01-U.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-158.htm)\n[Vendor Specific Advisory URL](http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm)\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-255-1)\n[Vendor Specific Advisory URL](http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2006/0004/)\n[Vendor Specific Advisory URL](http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:034)\n[Vendor Specific Advisory URL](http://lists.suse.de/archive/suse-security-announce/2006-Feb/0004.html)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm)\n[Vendor Specific Advisory 
URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.425802)\n[Vendor Specific Advisory URL](http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html)\nSecurity Tracker: 1015540\n[Secunia Advisory ID:18964](https://secuniaresearch.flexerasoftware.com/advisories/18964/)\n[Secunia Advisory ID:21129](https://secuniaresearch.flexerasoftware.com/advisories/21129/)\n[Secunia Advisory ID:21492](https://secuniaresearch.flexerasoftware.com/advisories/21492/)\n[Secunia Advisory ID:23340](https://secuniaresearch.flexerasoftware.com/advisories/23340/)\n[Secunia Advisory ID:18595](https://secuniaresearch.flexerasoftware.com/advisories/18595/)\n[Secunia Advisory ID:18969](https://secuniaresearch.flexerasoftware.com/advisories/18969/)\n[Secunia Advisory ID:21724](https://secuniaresearch.flexerasoftware.com/advisories/21724/)\n[Secunia Advisory ID:23241](https://secuniaresearch.flexerasoftware.com/advisories/23241/)\n[Secunia Advisory ID:25607](https://secuniaresearch.flexerasoftware.com/advisories/25607/)\n[Secunia Advisory ID:18650](https://secuniaresearch.flexerasoftware.com/advisories/18650/)\n[Secunia Advisory ID:18736](https://secuniaresearch.flexerasoftware.com/advisories/18736/)\n[Secunia Advisory ID:18798](https://secuniaresearch.flexerasoftware.com/advisories/18798/)\n[Secunia Advisory ID:18850](https://secuniaresearch.flexerasoftware.com/advisories/18850/)\n[Secunia Advisory ID:18910](https://secuniaresearch.flexerasoftware.com/advisories/18910/)\n[Secunia Advisory ID:19159](https://secuniaresearch.flexerasoftware.com/advisories/19159/)\n[Secunia Advisory ID:21262](https://secuniaresearch.flexerasoftware.com/advisories/21262/)\n[Secunia Advisory ID:25936](https://secuniaresearch.flexerasoftware.com/advisories/25936/)\n[Secunia Advisory ID:18579](https://secuniaresearch.flexerasoftware.com/advisories/18579/)\n[Secunia Advisory ID:18970](https://secuniaresearch.flexerasoftware.com/advisories/18970/)\n[Secunia Advisory 
ID:20723](https://secuniaresearch.flexerasoftware.com/advisories/20723/)\n[Secunia Advisory ID:22196](https://secuniaresearch.flexerasoftware.com/advisories/22196/)\n[Secunia Advisory ID:23680](https://secuniaresearch.flexerasoftware.com/advisories/23680/)\nRedHat RHSA: RHSA-2006:0298\nRedHat RHSA: RHSA-2006:0698\nRedHat RHSA: RHSA-2006:0044\nOther Advisory URL: http://www.openbsd.org/errata.html#ssh\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200602-11.xml\nOther Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2007-246.htm\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0091.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0306.html\nISS X-Force ID: 24305\nFrSIRT Advisory: ADV-2006-4869\nFrSIRT Advisory: ADV-2006-2490\nFrSIRT Advisory: ADV-2006-0306\nFrSIRT Advisory: ADV-2007-0930\n[CVE-2006-0225](https://vulners.com/cve/CVE-2006-0225)\nBugtraq ID: 16369\n", "modified": "2005-09-28T04:48:19", "published": "2005-09-28T04:48:19", "href": "https://vulners.com/osvdb/OSVDB:22692", "id": "OSVDB:22692", "type": "osvdb", "title": "OpenSSH scp Command Line Filename Processing Command Injection", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}