OpenSSH < 7.0 Multiple Vulnerabilities

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The SSH server running on the remote host is affected by multiple
vulnerabilities.

Description :

According to its banner, the version of OpenSSH running on the remote
host is prior to 7.0. It is, therefore, affected by the following
vulnerabilities :

- A security bypass vulnerability exists in the
kbdint_next_device() function in file auth2-chall.c that
allows the circumvention of MaxAuthTries during
keyboard-interactive authentication. A remote attacker
can exploit this issue to force the same authentication
method to be tried thousands of times in a single pass
by using a crafted keyboard-interactive 'devices'
string, thus allowing a brute-force attack or causing a
denial of service. (CVE-2015-5600)

- A security bypass vulnerability exists in sshd due to
improper handling of username data in
MONITOR_REQ_PAM_INIT_CTX requests. A local attacker can
exploit this, by sending a MONITOR_REQ_PWNAM request, to
conduct an impersonation attack. Note that this issue
only affects Portable OpenSSH. (CVE-2015-6563)

- A privilege escalation vulnerability exists due to a
use-after-free error in sshd that is triggered when
handling a MONITOR_REQ_PAM_FREE_CTX request. A local
attacker can exploit this to gain elevated privileges.
Note that this issue only affects Portable OpenSSH.
(CVE-2015-6564)

- A local command execution vulnerability exists in sshd
due to setting insecure world-writable permissions for
TTYs. A local attacker can exploit this, by injecting
crafted terminal escape sequences, to execute commands
for logged-in users. (CVE-2015-6565)
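The description's finding rests on the SSH banner alone: the server identifies itself as OpenSSH with a version prior to 7.0. The following is an added Python example of that banner check (not Tenable's plugin code); the banner strings are constructed, and the 7.0 threshold is the fixed release named in the Solution section.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the OpenSSH version token in an SSH identification string such as
# "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13". The optional "pN" suffix is
# the Portable OpenSSH patch level; text after the space is a vendor comment.
_BANNER_RE = re.compile(r"OpenSSH_(\d+(?:\.\d+)*)(p\d+)?")

FIXED_VERSION = (7, 0)  # first release that addresses the four CVEs above


def parse_openssh_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric OpenSSH version from a banner, padded to at least
    major.minor so that "OpenSSH_7" compares equal to 7.0. Returns None for
    non-OpenSSH banners (Dropbear, libssh, ...)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    parts = tuple(int(x) for x in m.group(1).split("."))
    return parts if len(parts) >= 2 else parts + (0,) * (2 - len(parts))


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner reports OpenSSH < 7.0 (affected), False if it
    reports 7.0 or later, None if no version can be determined."""
    version = parse_openssh_version(banner)
    return None if version is None else version < FIXED_VERSION


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify a host -> banner map as affected / not affected / unknown."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(b)] for host, b in banners.items()}


# Constructed sample banners for illustration (not captured from real hosts).
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
    "host-b": "SSH-2.0-OpenSSH_7.0",
    "host-c": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "host-d": "SSH-2.0-dropbear_2019.78",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

A banner check sees only the upstream version string; a distribution that backports the 7.0 fixes without changing that string will still be flagged, so confirm against the vendor's package advisory before treating a hit as confirmed.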

See also :

http://www.openssh.com/txt/release-7.0

Solution :

Upgrade to OpenSSH 7.0 or later.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)
CVSS Temporal Score : 7.0
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 85382

Bugtraq ID: 75990, 76317, 76497

CVE ID: CVE-2015-5600, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565
