OpenSSH < 7.0 Multiple Vulnerabilities

medium Nessus Plugin ID 85382

Synopsis

The SSH server running on the remote host is affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is prior to 7.0. It is, therefore, affected by the following vulnerabilities :

- A security bypass vulnerability exists in the kbdint_next_device() function in file auth2-chall.c that allows the circumvention of MaxAuthTries during keyboard-interactive authentication. A remote attacker can exploit this issue to force the same authentication method to be tried thousands of times in a single pass by using a crafted keyboard-interactive 'devices' string, thus allowing a brute-force attack or causing a denial of service. (CVE-2015-5600)

- A security bypass vulnerability exists in sshd due to improper handling of username data in MONITOR_REQ_PAM_INIT_CTX requests. A local attacker can exploit this, by sending a MONITOR_REQ_PWNAM request, to conduct an impersonation attack. Note that this issue only affects Portable OpenSSH. (CVE-2015-6563)

- A privilege escalation vulnerability exists due to a use-after-free error in sshd that is triggered when handling a MONITOR_REQ_PAM_FREE_CTX request. A local attacker can exploit this to gain elevated privileges.
Note that this issue only affects Portable OpenSSH.
(CVE-2015-6564)

- A local command execution vulnerability exists in sshd due to setting insecure world-writable permissions for TTYs. A local attacker can exploit this, by injecting crafted terminal escape sequences, to execute commands for logged-in users. (CVE-2015-6565)

Solution

Upgrade to OpenSSH 7.0 or later.

See Also

http://www.openssh.com/txt/release-7.0

Plugin Details

Severity: Medium

ID: 85382

File Name: openssh_70.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 8/13/2015

Updated: 7/16/2018

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/11/2015

Vulnerability Publication Date: 7/16/2015

Reference Information

CVE: CVE-2015-5600, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565

BID: 75990, 76317, 76497

EDB-ID: 41173