OracleVM 3.3 / 3.4 : openssh (OVMSA-2016-0038)

High Nessus Plugin ID 90076

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices (#1245969)

- CVE-2016-3115: missing sanitisation of input for X11 forwarding (#1317816)

- SSH2_MSG_DISCONNECT for user initiated disconnect follow RFC 4253 (#1222500)

- Add missing dot in ssh manual page (#1197763)

- Fix minor problems found by covscan/gcc (#1196063)

- Add missing options in man ssh (#1197763)

- Add KbdInteractiveAuthentication documentation to man sshd_config (#1109251)

- Correct freeing newkeys structure when privileged monitor exits (#1208584)

- Fix problems with failing persistent connections (#1131585)

- Fix memory leaks in auditing patch (#1208584)

- Better approach to logging sftp commands in chroot

- Make sshd -T write all config options and add missing Cipher, MAC to man (#1109251)

- Add missing ControlPersist option to man ssh (#1197763)

- Add sftp option to force mode of created files (#1191055)

- Do not load RSA1 keys in FIPS mode (#1197072)

- Add missing support for ECDSA in ssh-keyscan (#1196331)

- Fix coverity/gcc issues (#1196063)

- Backport wildcard functionality for PermitOpen in sshd_config file (#1159055)

- Ability to specify an arbitrary LDAP filter in ldap.conf (#1119506)

- Fix ControlPersist option with ProxyCommand (#1160487)

- Backport fix of ssh-keygen with error : gethostname:
File name too long (#1161454)

- Backport show remote address instead of UNKNOWN after timeout at password prompt (#1161449)

- Fix printing of extensions in v01 certificates (#1093869)

- Fix confusing audit trail for unsuccessful logins (#1127312)

- Don't close fds for internal sftp sessions (#1085710)

- Fix config parsing quotes (backport) (#1134938)

- Enable logging in chroot into separate file (#1172224)

- Fix auditing when using combination of ForcedCommand and PTY (#1131585)

- Fix ssh-copy-id on non-sh remote shells (#1135521)

- ignore SIGXFSZ in postauth monitor child (#1133906)

- don't try to generate DSA keys in the init script in FIPS mode (#1118735)

- ignore SIGPIPE in ssh-keyscan (#1108836)

- ssh-add: fix fatal exit when removing card (#1042519)

- fix race in backported ControlPersist patch (#953088)

- skip requesting smartcard PIN when removing keys from agent (#1042519)

- add possibility to autocreate only RSA key into initscript (#1111568)

- fix several issues reported by coverity

- x11 forwarding - be less restrictive when can't bind to one of available addresses (#1027197)

- better fork error detection in audit patch (#1028643)

- fix openssh-5.3p1-x11.patch for non-linux platforms (#1100913)

- prevent a server from skipping SSHFP lookup (#1081338) (CVE-2014-2653)

- ignore environment variables with embedded '=' or '\0' characters (CVE-2014-2532)

- backport ControlPersist option (#953088)

- log when a client requests an interactive session and only sftp is allowed (#997377)

- don't try to load RSA1 host key in FIPS mode (#1009959)

- restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart (#1010429)

- ssh-keygen -V - relative-specified certificate expiry time should be relative to current time (#1022459)

- adjust the key echange DH groups and ssh-keygen according to SP800-131A (#993580)

- log failed integrity test if /etc/system-fips exists (#1020803)

- backport ECDSA and ECDH support (#1028335)

- use dracut-fips package to determine if a FIPS module is installed (#1001565)

- use dist tag in suffixes for hmac checksum files (#1001565)

- use hmac_suffix for ssh[,d] hmac checksums (#1001565)

- fix NSS keys support (#1004763)

- change default value of MaxStartups - CVE-2010-5107 - #908707

- add -fips subpackages that contains the FIPS module files (#1001565)

- don't use SSH_FP_MD5 for fingerprints in FIPS mode (#998835)

- do ssh_gssapi_krb5_storecreds twice - before and after pam sesssion (#974096)

- bump the minimum value of SSH_USE_STRONG_RNG to 14 according to SP800-131A (#993577)

- fixed an issue with broken 'ssh -I pkcs11' (#908038)

- abort non-subsystem sessions to forced internal sftp-server (#993509)

- reverted 'store krb5 credentials after a pam session is created (#974096)'

- Add support for certificate key types for users and hosts (#906872)

- Apply RFC3454 stringprep to banners when possible (#955792)

- fix chroot logging issue (#872169)

- change the bad key permissions error message (#880575)

- fix a race condition in ssh-agent (#896561)

- backport support for PKCS11 from openssh-5.4p1 (#908038)

- add a KexAlgorithms knob to the client and server configuration (#951704)

- fix parsing logic of ldap.conf file (#954094)

- Add HMAC-SHA2 algorithm support (#969565)

- store krb5 credentials after a pam session is created (#974096)

Solution

Update the affected openssh / openssh-clients / openssh-server packages.

See Also

http://www.nessus.org/u?8801e58b

http://www.nessus.org/u?11579ee9

Plugin Details

Severity: High

ID: 90076

File Name: oraclevm_OVMSA-2016-0038.nasl

Version: 2.7

Type: local

Published: 2016/03/22

Updated: 2018/07/24

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 6.4

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:openssh, p-cpe:/a:oracle:vm:openssh-clients, p-cpe:/a:oracle:vm:openssh-server, cpe:/o:oracle:vm_server:3.3, cpe:/o:oracle:vm_server:3.4

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/03/24

Reference Information

CVE: CVE-2010-5107, CVE-2014-2532, CVE-2014-2653, CVE-2015-5600, CVE-2016-3115

BID: 58162, 66355, 66459