OpenSSH 7.x < 7.3 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9507

Synopsis

The remote SSH server may be affected by multiple vulnerabilities.

Description

The current version of OpenSSH is 7.x prior to 7.3 and is affected by the following vulnerabilities :

- A flaw in the 'do_setup_env()' function in 'session.c' is triggered when handling user-supplied environmental variables. This may potentially allow a local attacker to gain elevated privileges.
- A flaw exists due to the program returning shorter response times for authentication requests with overly long passwords for invalid users than for valid users. This may allow a remote attacker to conduct a timing attack and enumerate valid usernames.
- A flaw in the 'crypt(3)' function via 'sshd(8)' is triggered during the handling of overly long passwords. This may allow a remote attacker to consume excessive CPU resources.
- An unspecified flaw in the 'CBC' padding oracle countermeasures in 'ssh(1)' and 'sshd(8)', which may allow an attacker to conduct a timing attack. No further details have been provided.
- A flaw in 'ssh(1)' and 'sshd(8)' is due to improper operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This may allow a remote attacker to use a timing attack to gain unauthorized access to potentially sensitive information.
- A flaw exists in the 'crypt(3)' function, accessed via 'sshd(8)', that is triggered during the handling of overly long passwords. This may allow a remote attacker to affect the consumption of CPU resources.
- An unspecified timing flaw exists in the CBC padding oracle countermeasures in the 'ssh(1)' and 'sshd(8)' functions. This may allow a remote attacker to gain access to potentially sensitive information.

Solution

Upgrade to OpenSSH 7.x version 7.3 or later.

See Also

http://www.openssh.com/txt/release-7.3

Plugin Details

Severity: High

ID: 9507

Family: SSH

Published: 2016/08/12

Updated: 2019/03/06

Dependencies: 1997

Nessus ID: 92760, 92641, 92526, 92476

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openbsd:openssh

Patch Publication Date: 2016/08/01

Vulnerability Publication Date: 2016/08/01

Reference Information

CVE: CVE-2015-8325, CVE-2016-6210, CVE-2016-6515

BID: 86187, 91812