EulerOS Virtualization 3.0.1.0 : openssh (EulerOS-SA-2019-1426)

medium Nessus Plugin ID 124929

Synopsis

The remote EulerOS Virtualization host is missing multiple security updates.

Description

According to the versions of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

- The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906)

- In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.(CVE-2018-20685)

- An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.(CVE-2019-6109)

- An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client.
However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).(CVE-2019-6111)

- OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.(CVE-2018-15473)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected openssh packages.

See Also

http://www.nessus.org/u?18436e35

Plugin Details

Severity: Medium

ID: 124929

File Name: EulerOS_SA-2019-1426.nasl

Version: 1.9

Type: local

Published: 5/14/2019

Updated: 5/23/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2019-6111

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2019-6109

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:openssh-keycat, p-cpe:/a:huawei:euleros:pam_ssh_agent_auth, p-cpe:/a:huawei:euleros:openssh, cpe:/o:huawei:euleros:uvp:3.0.1.0, p-cpe:/a:huawei:euleros:openssh-clients, p-cpe:/a:huawei:euleros:openssh-server

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2019

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2017-15906, CVE-2018-15473, CVE-2018-20685, CVE-2019-6109, CVE-2019-6111