The version of openssh installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-51384 advisory.

  - In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When     destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints     are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6565-1 advisory.

    It was discovered that OpenSSH incorrectly handled supplemental groups when running helper programs for     AuthorizedKeysCommand and AuthorizedPrincipalsCommand as a different user. An attacker could possibly use     this issue to escalate privileges. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-41617)

    It was discovered that OpenSSH incorrectly added destination constraints when PKCS#11 token keys were     added to ssh-agent, contrary to expectations. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
    (CVE-2023-51384)

    It was discovered that OpenSSH incorrectly handled user names or host names with shell metacharacters. An     attacker could possibly use this issue to perform OS command injection. (CVE-2023-51385)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5586 advisory.

    Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.
    CVE-2021-41617 It was discovered that sshd failed to correctly initialise supplemental groups when     executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or     AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead     these commands would inherit the groups that sshd was started with. CVE-2023-28531 Luci Stanescu reported     that a error prevented constraints being communicated to the ssh-agent when adding smartcard keys to the     agent with per-hop destination constraints, resulting in keys being added without constraints.
    CVE-2023-48795 Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is     prone to a prefix truncation attack, known as the Terrapin attack. This attack allows a MITM attacker to     effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra     messages prior to the commencement of encryption, and deleting an equal number of consecutive messages     immediately after encryption starts. Details can be found at https://terrapin-attack.com/ CVE-2023-51384     It was discovered that when PKCS#11-hosted private keys were added while specifying destination     constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints     applied. CVE-2023-51385 It was discovered that if an invalid user or hostname that contained shell     metacharacters was passed to ssh, and a ProxyCommand, LocalCommand directive or match exec predicate     referenced the user or hostname via expansion tokens, then an attacker who could supply arbitrary     user/hostnames to ssh could potentially perform command injection. The situation could arise in case of     git repositories with submodules, where the repository could contain a submodule with shell characters in     its user or hostname. For the oldstable distribution (bullseye), these problems have been fixed in version     1:8.4p1-5+deb11u3. For the stable distribution (bookworm), these problems have been fixed in version     1:9.2p1-2+deb12u2. We recommend that you upgrade your openssh packages. For the detailed security status     of openssh please refer to its security tracker page at: https://security-     tracker.debian.org/tracker/openssh

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the openssh package has been released.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When     destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints     are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of OpenSSH installed on the remote host is prior to 9.6. It is, therefore, affected by multiple vulnerabilities as referenced in the release-9.6 advisory.

  - ssh(1), sshd(8): implement protocol extensions to thwart the so-called Terrapin attack discovered by     Fabian Bumer, Marcus Brinkmann and Jrg Schwenk. This attack allows a MITM to effect a limited break of     the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the     commencement of encryption, and deleting an equal number of consecutive messages immediately after     encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While     cryptographically novel, the security impact of this attack is fortunately very limited as it only allows     deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user     user authentication from proceeding and results in a stuck connection. The most serious identified impact     is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing     the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
    There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this     protocol weakness through a new strict KEX protocol extension that will be automatically enabled when     both the client and server support it. This extension makes two changes to the SSH transport protocol to     improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the     connection if any unnecessary or unexpected message is received during key exchange (including messages     that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability     from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of     each key exchange, preventing previously inserted messages from being able to make persistent changes to     the sequence number across completion of a key exchange. Either of these changes should be sufficient to     thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source     distribition. (CVE-2023-48795)

  - ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the     PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular     private keys, FIDO tokens and unconstrained keys are unaffected. (CVE-2023-51384)

  - ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a     ProxyCommand, LocalCommand directive or match exec predicate referenced the user or hostname via %u, %h     or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could     potentially perform command injection depending on what quoting was present in the user-supplied     ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository     could contain a submodule with shell characters in its user/hostname. Git does not ban shell     metacharacters in user or host names when checking out repositories from untrusted sources. Although we     believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially     across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters     from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be     effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters     potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject     to these restrictions, allowing configurations that use strange names to continue to be used, under the     assumption that the user knows what they are doing in their own configuration files. (CVE-2023-51385)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 7.02, has openssh packages installed that are affected by multiple vulnerabilities:

  - A race condition in sshd affecting versions between 8.5p1 and 9.7p1 (inclusive) may allow arbitrary code     execution with root privileges. Successful exploitation has been demonstrated on 32-bit Linux/glibc     systems with ASLR. According to OpenSSH, the attack has been tested under lab conditions and requires on     average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on     64-bit systems is believed to be possible but has not been demonstrated at this time.  (CVE-2024-6387)

  - A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition     which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be     able to trigger it by failing to authenticate within a set time period. (CVE-2024-6387)

  - The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path,     leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in     /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an     incomplete fix for CVE-2016-10009. (CVE-2023-38408)

  - OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling.
    This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in     the default configuration, to jump to any location in the sshd address space. One third-party report     states remote code execution is theoretically possible. (CVE-2023-25136)

  - In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When     destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints     are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
201646	CBL Mariner 2.0 Security Update: openssh (CVE-2023-51384)	Nessus	MarinerOS Local Security Checks	7/3/2024	7/3/2024	medium
191713	macOS 14.x < 14.4 Multiple Vulnerabilities (HT214084)	Nessus	MacOS X Local Security Checks	3/7/2024	12/6/2024	high
187627	Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : OpenSSH vulnerabilities (USN-6565-1)	Nessus	Ubuntu Local Security Checks	1/3/2024	9/3/2025	high
187213	Debian DSA-5586-1 : openssh - security update	Nessus	Debian Local Security Checks	12/22/2023	1/24/2025	critical
203548	Photon OS 4.0: Openssh PHSA-2024-4.0-0545	Nessus	PhotonOS Local Security Checks	7/23/2024	7/23/2024	medium
251321	Linux Distros Unpatched Vulnerability : CVE-2023-51384	Nessus	Misc.	8/18/2025	8/18/2025	medium
203576	Photon OS 5.0: Openssh PHSA-2024-5.0-0188	Nessus	PhotonOS Local Security Checks	7/23/2024	7/23/2024	medium
187201	OpenSSH < 9.6 Multiple Vulnerabilities	Nessus	Misc.	12/22/2023	2/28/2025	medium
242758	NewStart CGSL MAIN 7.02 : openssh Multiple Vulnerabilities (NS-SA-2025-0124)	Nessus	NewStart CGSL Local Security Checks	7/25/2025	7/25/2025	critical
502918	Siemens SCALANCE W700 Missing Critical Step in Authentication (CVE-2023-51384)	Tenable OT Security	Tenable.ot	2/24/2025	2/25/2025	medium

Detections

Analytics

Plugins Search

medium

high

high

critical

medium

medium

medium

medium

critical

medium