OpenSSH < 7.0 Multiple Vulnerabilities
Severity: High | Nessus Network Monitor Plugin ID 9309

Synopsis
The remote SSH server may be affected by multiple vulnerabilities.

Description
Versions of OpenSSH server before 7.0 are affected by multiple vulnerabilities:
- A flaw in the 'kbdint_next_device()' function in the file 'auth2-chall.c' that allows the circumvention of MaxAuthTries during keyboard-interactive authentication. An attacker can exploit this issue to force the same authentication method to be tried thousands of times in a single pass by using a crafted keyboard-interactive 'devices' string, thus allowing a brute-force attack or causing a denial of service. (CVE-2015-5600)
- A flaw in sshd(8) is due to the program setting insecure world-writable permissions for TTYs allowing a local attacker to execute arbitrary commands for logged-in users by injecting crafted terminal escape sequences. (CVE-2015-6565)
- A flaw in the monitor component is triggered when handling username data in MONITOR_REQ_PAM_INIT_CTX requests allowing a local user to leverage the SSH login access and control of the sshd(8) UID to send a MONITOR_REQ_PWNAM request to conduct an impersonation attack. (CVE-2015-6563)
- A use-after-free error in the 'mm_answer_pam_free_ctx()' function of monitor.c is triggered when handling a MONITOR_REQ_PAM_FREE_CTX request allowing a local attacker to take control of the sshd UID to send a request leading to a dereference of already freed memory and gain elevated privileges. (CVE-2015-6564)
Note: NNM has solely relied on the banner of the SSH client to perform this check. Any backported patches or workarounds, such as recompiling or edited configurations, are not observable through the banner.

Solution
Upgrade to OpenSSH version 7.0 or later.
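The banner-based check described in the note above, as an added example that is not part of the plugin or of NNM's own code: it parses the OpenSSH identification line, compares the advertised version against 7.0, and separately marks distro-tagged builds, where the banner alone cannot show whether a fix was backported. The sample banners are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample banners, in the form an SSH server sends its identification line.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",  # old, distro-tagged: fix may be backported
    "SSH-2.0-OpenSSH_6.9",                         # old, upstream build
    "SSH-2.0-OpenSSH_7.0",                         # first fixed version
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",     # fixed
    "SSH-2.0-dropbear_2019.78",                    # not OpenSSH, outside the plugin's scope
]

FIXED_VERSION = (7, 0)

# Version digits, optional portable suffix (p1), then any vendor/distro comment.
_OPENSSH_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?\s*(?P<comment>.*)$"
)

@dataclass
class BannerCheck:
    version: Tuple[int, ...]
    affected: bool       # advertised version is below 7.0
    vendor_tagged: bool  # a distro comment follows the version (backport possible)

def check_banner(banner: str) -> Optional[BannerCheck]:
    """Return the check result, or None when the banner is not OpenSSH."""
    m = _OPENSSH_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 2:  # pad "7" to (7, 0) so tuple comparison is sound
        parts.append(0)
    version = tuple(parts)
    return BannerCheck(version, version < FIXED_VERSION, bool(m.group("comment")))

def report(banners: List[str]) -> List[str]:
    """One finding line per banner, mirroring what a banner-only check can and cannot say."""
    out = []
    for b in banners:
        r = check_banner(b)
        if r is None:
            out.append(f"{b!r}: not an OpenSSH banner, skipped")
            continue
        v = ".".join(map(str, r.version))
        if not r.affected:
            out.append(f"{b!r}: OpenSSH {v} >= 7.0, not flagged")
        else:
            note = " (distro build: verify package changelog for a backport)" if r.vendor_tagged else ""
            out.append(f"{b!r}: OpenSSH {v} < 7.0, flag for upgrade{note}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BANNERS)))
```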