Dropbear SSH Server < 2016.72 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The SSH service running on the remote host is affected by multiple
vulnerabilities.

Description :

According to its self-reported version in its banner, Dropbear SSH
running on the remote host is prior to 2016.74. It is, therefore,
affected by the following vulnerabilities :

- A format string flaw exists due to improper handling of
string format specifiers (e.g., %s and %x) in usernames
and host arguments. An unauthenticated, remote attacker
can exploit this to execute arbitrary code with root
privileges. (CVE-2016-7406)

- A flaw exists in dropbearconvert due to improper
handling of specially crafted OpenSSH key files. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2016-7407)

- A flaw exists in dbclient when handling the -m or -c
arguments in scripts. An unauthenticated, remote attacker
can exploit this, via a specially crafted script, to
execute arbitrary code. (CVE-2016-7408)

- A flaw exists in dbclient or dropbear server if they are
compiled with the DEBUG_TRACE option and then run using
the -v switch. A local attacker can exploit this to
disclose process memory. (CVE-2016-7409)
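
The banner-based check described above can be reproduced when triaging collected SSH identification strings. The following is an added example, not the plugin's own code: the function names and sample banners are constructed for illustration, and the fixed version is the 2016.74 named in the Description and Solution.

```python
import re

# Fixed release named in this advisory's Description and Solution.
FIXED = (2016, 74)

# SSH identification string: SSH-<protoversion>-<softwareversion> [comments]
# Dropbear normally reports "dropbear_<version>"; the version part is optional
# here because some builds are assumed to strip it.
_BANNER = re.compile(r"^SSH-[\d.]+-dropbear(?:_(\d+(?:\.\d+)*))?", re.IGNORECASE)


def dropbear_version(banner):
    """Return the version as a tuple of ints, () if Dropbear reports no
    version, or None if the banner is not Dropbear at all."""
    m = _BANNER.match(banner.strip())
    if m is None:
        return None
    if m.group(1) is None:
        return ()
    return tuple(int(part) for part in m.group(1).split("."))


def assess(banner, fixed=FIXED):
    """Classify one banner as not-dropbear, unknown, vulnerable or fixed."""
    version = dropbear_version(banner)
    if version is None:
        return "not-dropbear"
    if version == ():
        return "unknown"  # version hidden: needs a local package check
    # Tuple comparison also orders the legacy 0.x releases (e.g. 0.53.1)
    # below the year-based scheme. This is banner-only: a build with
    # backported fixes that keeps its old version string is still flagged.
    return "vulnerable" if version < fixed else "fixed"


def triage(observations):
    """Map each host to its assessment; input is (host, banner) pairs."""
    return {host: assess(banner) for host, banner in observations}


if __name__ == "__main__":
    # Constructed sample data (documentation address range), not real hosts.
    sample = [
        ("192.0.2.10", "SSH-2.0-dropbear_2016.72\r\n"),
        ("192.0.2.11", "SSH-2.0-dropbear_2016.74"),
        ("192.0.2.12", "SSH-2.0-dropbear_0.53.1"),
        ("192.0.2.13", "SSH-2.0-dropbear"),
        ("192.0.2.14", "SSH-2.0-OpenSSH_7.4"),
    ]
    for host, verdict in triage(sample).items():
        print(host, verdict)
```

Hosts reported as "unknown" or flagged despite vendor patching should be confirmed from the installed package version rather than the banner.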

See also :

https://matt.ucc.asn.au/dropbear/CHANGES

Solution :

Upgrade to Dropbear SSH version 2016.74 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 93650

Bugtraq ID: 92970
92972
92973
92974

CVE ID: CVE-2016-7406
CVE-2016-7407
CVE-2016-7408
CVE-2016-7409
