scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.

The remote NewStart CGSL host, running version MAIN 6.06, has openssh packages installed that are affected by multiple vulnerabilities:

  - The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and     relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a     fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11     server, as demonstrated by lack of the SECURITY extension on this X11 server. (CVE-2016-1908)

  - Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service     (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors     that lead to a double-free. (CVE-2006-5051)

  - scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell     metacharacters or spaces, which are expanded twice. (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a     denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not     properly handled by the CRC compensation attack detector. (CVE-2006-4924)

  - Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker     verification that authentication has been successful, which might allow attackers to bypass     authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging     vulnerabilities in the unprivileged process, which are not known to exist. (CVE-2006-5794)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 4.05, has openssh-latest packages installed that are affected by multiple vulnerabilities:

  - scp in OpenSSH 4.2p1 allows attackers to execute     arbitrary commands via filenames that contain shell     metacharacters or spaces, which are expanded twice.
    (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH     protocol, allows remote attackers to cause a denial of     service (CPU consumption) via an SSH packet that     contains duplicate blocks, which is not properly handled     by the CRC compensation attack detector. (CVE-2006-4924)

  - Signal handler race condition in OpenSSH before 4.4     allows remote attackers to cause a denial of service     (crash), and possibly execute arbitrary code if GSSAPI     authentication is enabled, via unspecified vectors that     lead to a double-free. (CVE-2006-5051)

  - Unspecified vulnerability in the sshd Privilege     Separation Monitor in OpenSSH before 4.5 causes weaker     verification that authentication has been successful,     which might allow attackers to bypass authentication.
    NOTE: as of 20061108, it is believed that this issue is     only exploitable by leveraging vulnerabilities in the     unprivileged process, which are not known to exist.
    (CVE-2006-5794)

  - Unspecified vulnerability in the     linux_audit_record_event function in OpenSSH 4.3p2, as     used on Fedora Core 6 and possibly other systems, allows     remote attackers to write arbitrary characters to an     audit log via a crafted username. NOTE: some of these     details are obtained from third party information.
    (CVE-2007-3102)

  - The (1) remote_glob function in sftp-glob.c and the (2)     process_put function in sftp.c in OpenSSH 5.8 and     earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,     OpenBSD 4.7, and other products, allow remote     authenticated users to cause a denial of service (CPU     and memory consumption) via crafted glob expressions     that do not match any pathnames, as demonstrated by glob     expressions in SSH_FXP_STAT requests to an sftp daemon,     a different vulnerability than CVE-2010-2632.
    (CVE-2010-4755)

  - The default configuration of OpenSSH through 6.1     enforces a fixed time limit between establishing a TCP     connection and completing a login, which makes it easier     for remote attackers to cause a denial of service     (connection-slot exhaustion) by periodically making many     new TCP connections. (CVE-2010-5107)

  - It was found that OpenSSH did not properly handle     certain AcceptEnv parameter values with wildcard     characters. A remote attacker could use this flaw to     bypass intended environment variable restrictions.
    (CVE-2014-2532)

  - It was discovered that OpenSSH clients did not correctly     verify DNS SSHFP records. A malicious server could use     this flaw to force a connecting client to skip the DNS     SSHFP record check and require the user to perform     manual host verification of the DNS SSHFP record.
    (CVE-2014-2653)

  - It was found that when OpenSSH was used in a Kerberos     environment, remote authenticated users were allowed to     log in as a different user if they were listed in the     ~/.k5users file of that user, potentially bypassing     intended authentication restrictions. (CVE-2014-9278)

  - It was discovered that the OpenSSH sshd daemon did not     check the list of keyboard-interactive authentication     methods for duplicates. A remote attacker could use this     flaw to bypass the MaxAuthTries limit, making it easier     to perform password guessing attacks. (CVE-2015-5600)

  - It was discovered that the OpenSSH sshd daemon fetched     PAM environment settings before running the login     program. In configurations with UseLogin=yes and the     pam_env PAM module configured to read user environment     settings, a local user could use this flaw to execute     arbitrary code as root. (CVE-2015-8325)

  - An information leak flaw was found in the way the     OpenSSH client roaming feature was implemented. A     malicious server could potentially use this flaw to leak     portions of memory (possibly including private SSH keys)     of a successfully authenticated OpenSSH client.
    (CVE-2016-0777)

  - An access flaw was discovered in OpenSSH; the OpenSSH     client did not correctly handle failures to generate     authentication cookies for untrusted X11 forwarding. A     malicious or compromised remote X application could     possibly use this flaw to establish a trusted connection     to the local X server, even if only untrusted X11     forwarding was requested. (CVE-2016-1908)

  - A covert timing channel flaw was found in the way     OpenSSH handled authentication of non-existent users. A     remote unauthenticated attacker could possibly use this     flaw to determine valid user names by measuring the     timing of server responses. (CVE-2016-6210)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssh packages installed that are affected by multiple vulnerabilities:

  - scp in OpenSSH 4.2p1 allows attackers to execute     arbitrary commands via filenames that contain shell     metacharacters or spaces, which are expanded twice.
    (CVE-2006-0225)

  - sshd in OpenSSH before 4.4, when using the version 1 SSH     protocol, allows remote attackers to cause a denial of     service (CPU consumption) via an SSH packet that     contains duplicate blocks, which is not properly handled     by the CRC compensation attack detector. (CVE-2006-4924)

  - Signal handler race condition in OpenSSH before 4.4     allows remote attackers to cause a denial of service     (crash), and possibly execute arbitrary code if GSSAPI     authentication is enabled, via unspecified vectors that     lead to a double-free. (CVE-2006-5051)

  - Unspecified vulnerability in the sshd Privilege     Separation Monitor in OpenSSH before 4.5 causes weaker     verification that authentication has been successful,     which might allow attackers to bypass authentication.
    NOTE: as of 20061108, it is believed that this issue is     only exploitable by leveraging vulnerabilities in the     unprivileged process, which are not known to exist.
    (CVE-2006-5794)

  - Unspecified vulnerability in the     linux_audit_record_event function in OpenSSH 4.3p2, as     used on Fedora Core 6 and possibly other systems, allows     remote attackers to write arbitrary characters to an     audit log via a crafted username. NOTE: some of these     details are obtained from third party information.
    (CVE-2007-3102)

  - The (1) remote_glob function in sftp-glob.c and the (2)     process_put function in sftp.c in OpenSSH 5.8 and     earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2,     OpenBSD 4.7, and other products, allow remote     authenticated users to cause a denial of service (CPU     and memory consumption) via crafted glob expressions     that do not match any pathnames, as demonstrated by glob     expressions in SSH_FXP_STAT requests to an sftp daemon,     a different vulnerability than CVE-2010-2632.
    (CVE-2010-4755)

  - The default configuration of OpenSSH through 6.1     enforces a fixed time limit between establishing a TCP     connection and completing a login, which makes it easier     for remote attackers to cause a denial of service     (connection-slot exhaustion) by periodically making many     new TCP connections. (CVE-2010-5107)

  - It was found that OpenSSH did not properly handle     certain AcceptEnv parameter values with wildcard     characters. A remote attacker could use this flaw to     bypass intended environment variable restrictions.
    (CVE-2014-2532)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

SunOS 5.10_x86: sshd patch.
Date this patch was last updated by Sun : Jun/21/07

SunOS 5.10: sshd patch.
Date this patch was last updated by Sun : Jun/20/07

According to the version of one or more Juniper NSM servers running on the remote host, it is potentially vulnerable to multiple vulnerabilities, the worst of which may allow an authenticated user to trigger a denial of service condition or execute arbitrary code.

According to its banner, the version of OpenSSH running on the remote host is potentially affected by an arbitrary command execution vulnerability.  The scp utility does not properly sanitize user-supplied input prior to using a system() function call.  A local attacker could exploit this by creating filenames with shell metacharacters, which could cause arbitrary code to be executed if copied by a user running scp.

The version of SunSSH running on the remote host has an information disclosure vulnerability.  A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration.  An attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.

The remote host is running a version of Mac OS X 10.4 that is older than version 10.4.9 or a version of Mac OS X 10.3 that does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs :

 - ColorSync
 - CoreGraphics
 - Crash Reporter
 - CUPS
 - Disk Images
 - DS Plugins
 - Flash Player
 - GNU Tar
 - HFS
 - HID Family
 - ImageIO
 - Kernel
 - MySQL server
 - Networking
 - OpenSSH
 - Printing
 - QuickDraw Manager
 - servermgrd
 - SMB File Server
 - Software Update
 - sudo 
 - WebLog

The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied.

This update contains several security fixes for the following programs :

 - ColorSync
 - CoreGraphics
 - Crash Reporter
 - CUPS
 - Disk Images
 - DS Plugins
 - Flash Player
 - GNU Tar
 - HFS
 - HID Family
 - ImageIO
 - Kernel
 - MySQL server
 - Networking
 - OpenSSH
 - Printing
 - QuickDraw Manager
 - servermgrd
 - SMB File Server
 - Software Update
 - sudo 
 - WebLog

Updated openssh packages that fix several security issues in sshd are now available for Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.

Mark Dowd discovered a signal handler race condition in the OpenSSH sshd server. A remote attacker could possibly leverage this flaw to cause a denial of service (crash). (CVE-2006-5051) The OpenSSH project believes the likelihood of successful exploitation leading to arbitrary code execution appears remote. However, the Red Hat Security Response Team have not yet been able to verify this claim due to lack of upstream vulnerability information. We are therefore including a fix for this flaw and have rated it important security severity in the event our continued investigation finds this issue to be exploitable.

Tavis Ormandy of the Google Security Team discovered a denial of service bug in the OpenSSH sshd server. A remote attacker can send a specially crafted SSH-1 request to the server causing sshd to consume a large quantity of CPU resources. (CVE-2006-4924)

An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally.
(CVE-2006-0225)

The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386)

All users of openssh should upgrade to these updated packages, which contain backported patches that resolve these issues.

Updated openssh packages that fix bugs in sshd are now available for Red Hat Enterprise Linux 3.

This update has been rated as having low security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.

An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally.
(CVE-2006-0225)

The SSH daemon, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass 'from=' and 'user@host' address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. (CVE-2003-0386)

The following issues have also been fixed in this update :

* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.

* When privilege separation was enabled, the last login message was printed only for the root user.

* The sshd daemon was sending messages to the system log from a signal handler when debug logging was enabled. This could cause a deadlock of the user's connection.

All users of openssh should upgrade to these updated packages, which resolve these issues.

Updated openssh packages that fix bugs in sshd and add auditing of user logins are now available for Red Hat Enterprise Linux 4.

This update has been rated as having low security impact by the Red Hat Security Response Team.

OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server.

An arbitrary command execution flaw was discovered in the way scp copies files locally. It is possible for a local attacker to create a file with a carefully crafted name that could execute arbitrary commands as the user running scp to copy files locally. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-0225 to this issue.

The following issue has also been fixed in this update :

* If the sshd service was stopped using the sshd init script while the main sshd daemon was not running, the init script would kill other sshd processes, such as the running sessions. For example, this could happen when the 'service sshd stop' command was issued twice.

Additionally, this update implements auditing of user logins through the system audit service.

All users of openssh should upgrade to these updated packages, which resolve these issues.

Tomas Mraz discovered a shell code injection flaw in scp. When doing local-to-local or remote-to-remote copying, scp expanded shell escape characters. By tricking an user into using scp on a specially crafted file name (which could also be caught by using an innocuous wild card like '*'), an attacker could exploit this to execute arbitrary shell commands with the privilege of that user.

Please be aware that scp is not designed to operate securely on untrusted file names, since it needs to stay compatible with rcp.
Please use sftp for automated systems and potentially untrusted file names.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200602-11 (OpenSSH, Dropbear: Insecure use of system() call)

    To copy from a local filesystem to another local filesystem, scp     constructs a command line using 'cp' which is then executed via     system(). Josh Bressers discovered that special characters are not     escaped by scp, but are simply passed to the shell.
  Impact :

    By tricking other users or applications to use scp on maliciously     crafted filenames, a local attacker user can execute arbitrary commands     with the rights of the user running scp.
  Workaround :

    There is no known workaround at this time.

New openssh packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue.

A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp'ing a specially crafted filename.

The provided updates bump the OpenSSH version to the latest release version of 4.3p1. A number of differences exist, primarily dealing with PAM authentication over the version included in Corporate 3.0 and MNF2. In particular, the default sshd_config now only accepts protocol 2 connections and UsePAM is now disabled by default.

On systems using alternate authentication methods (ie. LDAP) that use the PAM stack for authentication, you will need to enable UsePAM. Note that the default /etc/pam.d/sshd file has also been modified to use the pam_listfile.so module which will deny access to any users listed in /etc/ssh/denyusers (by default, this is only the root user). This is required to preserve the expected behaviour when using 'PermitRootLogin without-password'; otherwise it would still be possible to obtain a login prompt and login without using keys.

Mandriva Linux 10.1 and newer already have these changes in their shipped versions. There are new features in OpenSSH and users are encouraged to review the new sshd_config and ssh_config files when upgrading.

This is a minor security update which fixes double shell expansion in local to local and remote to remote copy with scp. It also fixes a few other minor non-security issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
266250	NewStart CGSL MAIN 6.06 : openssh Multiple Vulnerabilities (NS-SA-2025-0210)	Nessus	NewStart CGSL Local Security Checks	critical
127415	NewStart CGSL MAIN 4.05 : openssh-latest Multiple Vulnerabilities (NS-SA-2019-0146)	Nessus	NewStart CGSL Local Security Checks	critical
127206	NewStart CGSL CORE 5.04 / MAIN 5.04 : openssh Multiple Vulnerabilities (NS-SA-2019-0036)	Nessus	NewStart CGSL Local Security Checks	high
107891	Solaris 10 (x86) : 123325-03	Nessus	Solaris Local Security Checks	medium
107389	Solaris 10 (sparc) : 123324-03	Nessus	Solaris Local Security Checks	medium
69872	Juniper NSM Servers < 2012.1 Multiple Vulnerabilities	Nessus	Misc.	high
44076	OpenSSH < 4.3 scp Command Line Filename Processing Command Injection	Nessus	Misc.	medium
55992	SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure	Nessus	Misc.	critical
25645	Solaris 10 (x86) : 123325-03	Nessus	Solaris Local Security Checks	high
25642	Solaris 10 (sparc) : 123324-03	Nessus	Solaris Local Security Checks	high
3947	Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)	Nessus Network Monitor	Web Clients	high
24811	Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)	Nessus	MacOS X Local Security Checks	critical
22474	RHEL 2.1 : openssh (RHSA-2006:0698)	Nessus	Red Hat Local Security Checks	high
22134	CentOS 3 : openssh (CESA-2006:0298)	Nessus	CentOS Local Security Checks	high
22084	RHEL 3 : openssh (RHSA-2006:0298)	Nessus	Red Hat Local Security Checks	high
21975	CentOS 4 : openssh (CESA-2006:0044)	Nessus	CentOS Local Security Checks	medium
21063	Ubuntu 4.10 / 5.04 / 5.10 : openssh vulnerability (USN-255-1)	Nessus	Ubuntu Local Security Checks	medium
21030	RHEL 4 : openssh (RHSA-2006:0044)	Nessus	Red Hat Local Security Checks	medium
20953	GLSA-200602-11 : OpenSSH, Dropbear: Insecure use of system() call	Nessus	Gentoo Local Security Checks	medium
20917	Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : openssh (SSA:2006-045-06)	Nessus	Slackware Local Security Checks	medium
20875	Mandrake Linux Security Advisory : openssh (MDKSA-2006:034)	Nessus	Mandriva Local Security Checks	medium
20802	Fedora Core 4 : openssh-4.2p1-fc4.10 (2006-056)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2006-0225

critical

Tenable Plugins

critical

critical

high

medium

medium

high

medium

critical

high

high

high

critical

high

high

high

medium

medium

medium

medium

medium

medium

medium