OpenSSH < 7.4 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The SSH server running on the remote host is affected by multiple
vulnerabilities.

Description :

According to its banner, the version of OpenSSH running on the remote
host is prior to 7.4. It is, therefore, affected by multiple
vulnerabilities :

- A flaw exists in ssh-agent due to loading PKCS#11
modules from paths that are outside a trusted whitelist.
A local attacker can exploit this, by using a crafted
request to load hostile modules via agent forwarding, to
execute arbitrary code. To exploit this vulnerability,
the attacker would need to control the forwarded
agent-socket (on the host running the sshd server) and
the ability to write to the file system of the host
running ssh-agent. (CVE-2016-10009)

- A flaw exists in sshd due to creating forwarded
Unix-domain sockets with 'root' privileges whenever
privilege separation is disabled. A local attacker can
exploit this to gain elevated privileges.
(CVE-2016-10010)

- An information disclosure vulnerability exists in sshd
within the realloc() function due leakage of key
material to privilege-separated child processes when
reading keys. A local attacker can possibly exploit this
to disclose sensitive key material. Note that no such
leak has been observed in practice for normal-sized
keys, nor does a leak to the child processes directly
expose key material to unprivileged users.
(CVE-2016-10011)

- A flaw exists in sshd within the shared memory manager
used by pre-authenticating compression support due to a
bounds check being elided by some optimizing compilers
and due to the memory manager being incorrectly
accessible when pre-authenticating compression is
disabled. A local attacker can exploit this to gain
elevated privileges. (CVE-2016-10012)

- A denial of service vulnerability exists in sshd when
handling KEXINIT messages. An unauthenticated, remote
attacker can exploit this, by sending multiple KEXINIT
messages, to consume up to 128MB per connection.
(VulnDB 148976)

- A flaw exists in sshd due to improper validation of
address ranges by the AllowUser and DenyUsers
directives at configuration load time. A local attacker
can exploit this, via an invalid CIDR address range, to
gain access to restricted areas. (VulnDB 148977)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.openssh.com/txt/release-7.4

Solution :

Upgrade to OpenSSH version 7.4 or later.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 5.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 96151 ()

Bugtraq ID: 94968
94972
94975
94977

CVE ID: CVE-2016-10009
CVE-2016-10010
CVE-2016-10011
CVE-2016-10012

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now