According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities :
A flaw exists in ssh-agent due to loading PKCS#11 modules from paths that are outside a trusted whitelist.
A local attacker can exploit this, by using a crafted request to load hostile modules via agent forwarding, to execute arbitrary code. To exploit this vulnerability, the attacker would need to control the forwarded agent-socket (on the host running the sshd server) and the ability to write to the file system of the host running ssh-agent. (CVE-2016-10009)
A flaw exists in sshd due to creating forwarded Unix-domain sockets with ‘root’ privileges whenever privilege separation is disabled. A local attacker can exploit this to gain elevated privileges.
(CVE-2016-10010)
An information disclosure vulnerability exists in sshd within the realloc() function due leakage of key material to privilege-separated child processes when reading keys. A local attacker can possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users.
(CVE-2016-10011)
A flaw exists in sshd within the shared memory manager used by pre-authenticating compression support due to a bounds check being elided by some optimizing compilers and due to the memory manager being incorrectly accessible when pre-authenticating compression is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10012)
A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB per connection.
A flaw exists in sshd due to improper validation of address ranges by the AllowUser and DenyUsers directives at configuration load time. A local attacker can exploit this, via an invalid CIDR address range, to gain access to restricted areas.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable, Inc.
#
include('deprecated_nasl_level.inc');
include("compat.inc");
if (description)
{
script_id(96151);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");
script_cve_id(
"CVE-2016-10009",
"CVE-2016-10010",
"CVE-2016-10011",
"CVE-2016-10012",
"CVE-2016-10708"
);
script_bugtraq_id(
94968,
94972,
94975,
94977
);
script_xref(name:"EDB-ID", value:"40962");
script_name(english:"OpenSSH < 7.4 Multiple Vulnerabilities");
script_summary(english:"Checks the OpenSSH banner version.");
script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.4. It is, therefore, affected by multiple
vulnerabilities :
- A flaw exists in ssh-agent due to loading PKCS#11
modules from paths that are outside a trusted whitelist.
A local attacker can exploit this, by using a crafted
request to load hostile modules via agent forwarding, to
execute arbitrary code. To exploit this vulnerability,
the attacker would need to control the forwarded
agent-socket (on the host running the sshd server) and
the ability to write to the file system of the host
running ssh-agent. (CVE-2016-10009)
- A flaw exists in sshd due to creating forwarded
Unix-domain sockets with 'root' privileges whenever
privilege separation is disabled. A local attacker can
exploit this to gain elevated privileges.
(CVE-2016-10010)
- An information disclosure vulnerability exists in sshd
within the realloc() function due leakage of key
material to privilege-separated child processes when
reading keys. A local attacker can possibly exploit this
to disclose sensitive key material. Note that no such
leak has been observed in practice for normal-sized
keys, nor does a leak to the child processes directly
expose key material to unprivileged users.
(CVE-2016-10011)
- A flaw exists in sshd within the shared memory manager
used by pre-authenticating compression support due to a
bounds check being elided by some optimizing compilers
and due to the memory manager being incorrectly
accessible when pre-authenticating compression is
disabled. A local attacker can exploit this to gain
elevated privileges. (CVE-2016-10012)
- A denial of service vulnerability exists in sshd when
handling KEXINIT messages. An unauthenticated, remote
attacker can exploit this, by sending multiple KEXINIT
messages, to consume up to 128MB per connection.
- A flaw exists in sshd due to improper validation of
address ranges by the AllowUser and DenyUsers
directives at configuration load time. A local attacker
can exploit this, via an invalid CIDR address range, to
gain access to restricted areas.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.4");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10009");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/19");
script_set_attribute(attribute:"patch_publication_date", value:"2016/12/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("openssh_detect.nbin");
script_require_keys("installed_sw/OpenSSH");
script_require_ports("Services/ssh", 22);
exit(0);
}
include('backport.inc');
include('vcf.inc');
include('vcf_extras.inc');
var port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE);
var app_info = vcf::openssh::get_app_info(app:'OpenSSH', port:port);
vcf::check_all_backporting(app_info:app_info);
var constraints = [
{'fixed_version' : '7.4' }
];
vcf::openssh::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);