CVE-2018-10933 – libSSH - Authentication Bypass
https://notcve.org/view.php?id=CVE-2018-10933
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. libSSH suffers from an authentication bypass vulnerability.
• https://www.exploit-db.com/exploits/45638
• https://www.exploit-db.com/exploits/46307
• https://github.com/blacknbunny/CVE-2018-10933
• https://github.com/SoledaD208/CVE-2018-10933
• https://github.com/jas502n/CVE-2018-10933
• https://github.com/Virgula0/POC-CVE-2018-10933
• https://github.com/shifa123/pythonprojects-CVE-2018-10933
• https://github.com/kn6869610/CVE-2018-10933
• https://github.com/xFreed0m/CVE-2018-10933
• https://github.com/r3dxpl0it/CVE-2018-10933
• https://github.com
• CWE-287: Improper Authentication
• CWE-592: DEPRECATED: Authentication Bypass Issues
CVE-2015-3146
https://notcve.org/view.php?id=CVE-2015-3146
The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet.
• http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161802.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158013.html
• http://www.debian.org/security/2016/dsa-3488
• http://www.ubuntu.com/usn/USN-2912-1
• https://git.libssh.org/projects/libssh.git/commit/?h=libssh-0.6.5&id=94f6955fbaee6fda9385a23e505497efe21f5b4f
• https://www.libssh.org/2015/04/30/libssh-0-6-5-security-and-bugfix-release
• https://www.libssh.org/security/advisories/CVE-2015-3146.txt
CVE-2016-0739 – libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
https://notcve.org/view.php?id=CVE-2016-0739
libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." A type confusion issue was found in the way libssh generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
• http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178058.html
• http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178822.html
• http://lists.opensuse.org/opensuse-updates/2016-03/msg00111.html
• http://rhn.redhat.com/errata/RHSA-2016-0566.html
• http://www.debian.org/security/2016/dsa-3488
• http://www.ubuntu.com/usn/USN-2912-1
• https://puppet.com/security/cve/CVE-2016-0739
• https://security.gentoo.org/glsa/201606-12
• https://www.libssh.org/2016/
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-704: Incorrect Type Conversion or Cast
CVE-2014-8132
https://notcve.org/view.php?id=CVE-2014-8132
Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.
• http://advisories.mageia.org/MGASA-2015-0014.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147367.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147452.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147464.html
• http://lists.opensuse.org/opensuse-updates/2015-01/msg00007.html
• http://secunia.com/advisories/60838
• http://www.debian.org/security/2016/dsa-3488
• http://www.libssh.org/2014/12/19/libssh-0-6-4-secu
CVE-2014-0017
https://notcve.org/view.php?id=CVE-2014-0017
The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by leveraging a pid collision.
• http://lists.opensuse.org/opensuse-updates/2014-03/msg00036.html
• http://lists.opensuse.org/opensuse-updates/2014-03/msg00040.html
• http://secunia.com/advisories/57407
• http://www.debian.org/security/2014/dsa-2879
• http://www.libssh.org/2014/03/04/libssh-0-6-3-security-release
• http://www.openwall.com/lists/oss-security/2014/03/05/1
• http://www.ubuntu.com/usn/USN-2145-1
• https://bugzilla.redhat.com/show_bug.cgi?id=1072191
• CWE-310: Cryptographic Issues