OpenSSH < 7.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9309

Synopsis

The remote SSH server may be affected by multiple vulnerabilities.

Description

Versions of OpenSSH server before 7.0 are affected by multiple vulnerabilities:

- A flaw in the 'kbdint_next_device()' function in 'auth2-chall.c' allows the MaxAuthTries limit to be circumvented during keyboard-interactive authentication. An attacker can exploit this issue to force the same authentication method to be tried thousands of times in a single pass by using a crafted keyboard-interactive 'devices' string, enabling a brute-force attack or causing a denial of service. (CVE-2015-5600)
- A flaw in sshd(8) exists because the program sets insecure, world-writable permissions on TTYs, allowing a local attacker to execute arbitrary commands for logged-in users by injecting crafted terminal escape sequences. (CVE-2015-6565)
- A flaw in the monitor component is triggered when handling username data in MONITOR_REQ_PAM_INIT_CTX requests. A local user with SSH login access and control of the sshd(8) UID can send a MONITOR_REQ_PWNAM request to conduct an impersonation attack. (CVE-2015-6563)
- A use-after-free error in the 'mm_answer_pam_free_ctx()' function of monitor.c is triggered when handling a MONITOR_REQ_PAM_FREE_CTX request, allowing a local attacker with control of the sshd UID to send a request that dereferences already freed memory and gain elevated privileges. (CVE-2015-6564)

Note: PVS has relied solely on the banner of the SSH client to perform this check. Backported patches or workarounds, such as recompiling or edited configurations, are not observable through the banner.
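The banner-only logic the note describes, written out as an added example (this is illustrative code, not the PVS plugin or any Tenable code): the SSH identification string is parsed for an OpenSSH software version and compared against the fixed version 7.0 from the Solution. The regex, the function names and the sample banners are constructed for this example; the trailing vendor comment is returned separately because, as the note says, a distribution build may carry backported fixes that the version number alone cannot reveal.

```python
import re
from typing import Optional, Tuple

# OpenSSH identification string: "SSH-protoversion-OpenSSH_<ver>[p<n>] [comment]".
# Only the OpenSSH software version is parsed; the distro comment is kept as-is.
# (Regex constructed for this example.)
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<version>\d+(?:\.\d+){1,2})"
    r"(?:p(?P<portable>\d+))?(?:\s+(?P<comment>.*))?$"
)

# The page's fix version: OpenSSH 7.0 or later is not flagged.
FIXED_VERSION: Tuple[int, ...] = (7, 0)


def parse_banner(banner: str) -> Optional[dict]:
    """Return version tuple, portable patch level and vendor comment, or None
    if the banner is not a well-formed OpenSSH identification string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return {
        "proto": m.group("proto"),
        "version": version,
        "portable": m.group("portable"),
        "comment": m.group("comment") or "",
    }


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner reports OpenSSH < 7.0, False if 7.0 or later,
    None if the banner cannot be parsed (non-OpenSSH server, unknown format)."""
    info = parse_banner(banner)
    if info is None:
        return None
    # Tuple comparison handles two- and three-part versions: (6, 6, 1) < (7, 0).
    return info["version"] < FIXED_VERSION


def triage(banner: str) -> str:
    """Analyst-facing verdict. A non-empty vendor comment marks a distribution
    build, where the banner cannot distinguish a patched from an unpatched
    server (the backport caveat from the note above)."""
    info = parse_banner(banner)
    if info is None:
        return "unknown: not an OpenSSH banner"
    ver = ".".join(str(x) for x in info["version"])
    if info["version"] >= FIXED_VERSION:
        return f"not affected: OpenSSH {ver}"
    if info["comment"]:
        return f"affected by banner: OpenSSH {ver} ({info['comment']}); verify backports on the host"
    return f"affected by banner: OpenSSH {ver}"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    SAMPLE_BANNERS = [
        "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13",
        "SSH-2.0-OpenSSH_7.0",
        "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
        "SSH-1.99-OpenSSH_5.3",
        "SSH-2.0-dropbear_2019.78",
    ]
    for b in SAMPLE_BANNERS:
        print(f"{b!r:48} -> {triage(b)}")
```

A banner match is a reason to look at the host (package version, changelog), not a confirmed finding: the example flags distribution builds explicitly so the backport caveat is carried into the verdict rather than lost.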

Solution

Upgrade to OpenSSH version 7.0 or later.

See Also

http://www.openssh.com/txt/release-7.0

Plugin Details

Severity: High

ID: 9309

Family: SSH

Published: 2016/04/22

Modified: 2017/05/24

Dependencies: 1997

Nessus ID: 85382

Risk Information

Risk Factor: High

CVSSv2

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 8.2

Temporal Score: 7.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Patch Publication Date: 2015/08/11

Vulnerability Publication Date: 2015/08/11

Reference Information

CVE: CVE-2015-5600, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565

BID: 75990, 76317, 76497