CVE-2018-15473 – OpenSSH < 7.7 - User Enumeration
https://notcve.org/view.php?id=CVE-2018-15473
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. OpenSSH hasta la versión 7.7 es propenso a una vulnerabilidad de enumeración de usuarios debido a que no retrasa el rescate de un usuario de autenticación no válido hasta que el paquete que contiene la petición haya sido analizado completamente. Esto está relacionado con auth2-gss.c, auth2-hostbased.c, y auth2-pubkey.c. A user enumeration vulnerability flaw was found in OpenSSH, though version 7.7. The vulnerability occurs by not delaying bailout for an invalid authenticated user until after the packet containing the request has been fully parsed. • https://www.exploit-db.com/exploits/45939 https://www.exploit-db.com/exploits/45233 https://www.exploit-db.com/exploits/45210 https://github.com/Rhynorater/CVE-2018-15473-Exploit https://github.com/r3dxpl0it/CVE-2018-15473 https://github.com/Sait-Nuri/CVE-2018-15473 https://github.com/LINYIKAI/CVE-2018-15473-exp https://github.com/MrDottt/CVE-2018-15473 https://github.com/yZ1337/CVE-2018-15473 https://github.com/1stPeak/CVE-2018-15473 https://github.com/0xrobiu • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2016-10708 – openssh: Out of sequence NEWKEYS message can allow remote attacker to cause denial of service
https://notcve.org/view.php?id=CVE-2016-10708
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. sshd en OpenSSH, en versiones anteriores a la 7.4, permite que atacantes remotos provoquen una denegación de servicio (desreferencia de puntero NULL y cierre inesperado del demonio) mediante un mensaje NEWKEYS fuera de secuencia, tal y como demuestra Honggfuzz, relacionado con kex.c y packet.c. • http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html http://www.securityfocus.com/bid/102780 https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737 https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf https://kc.mcafee.com/corporate/index?page=content&id=SB10284 https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html https://security.netapp.com/advisory/ntap-20180423 • CWE-20: Improper Input Validation CWE-476: NULL Pointer Dereference •
CVE-2017-15906 – openssh: Improper write operations in readonly mode allow for zero-length file creation
https://notcve.org/view.php?id=CVE-2017-15906
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. La función process_open en sftp-server.c en OpenSSH, en versiones anteriores a la 7.6, no evita correctamente las operaciones de escritura en el modo readonly, lo que permite que los atacantes creen archivos de longitud cero. • http://www.securityfocus.com/bid/101552 https://access.redhat.com/errata/RHSA-2018:0980 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19 https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html https://security.gentoo.org/glsa/201801-05 https://security.netapp.com/advisory/ntap-20180423-0004 https://www.openssh.com/txt/release-7.6 https://www.oracle.com/security-alerts/cpujan2020.html http • CWE-20: Improper Input Validation CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2015-8325 – openssh: privilege escalation via user's PAM environment and UseLogin=yes
https://notcve.org/view.php?id=CVE-2015-8325
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable. La función do_setup_env en session.c en sshd en OpenSSH hasta la versión 7.2p2, cuando la funcionalidad UseLogin está activa y PAM está configurado para leer archivos .pam_environment en directorios home de usuario, permite a usuarios locales obtener privilegios desencadenando un entorno manipulado para el programa /bin/login, según lo demostrado por una variable de entorno LD_PRELOAD. It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. • http://rhn.redhat.com/errata/RHSA-2016-2588.html http://rhn.redhat.com/errata/RHSA-2017-0641.html http://www.debian.org/security/2016/dsa-3550 http://www.securityfocus.com/bid/86187 http://www.securitytracker.com/id/1036487 https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 https://bugzilla.redhat.com/show_bug.cgi?id=1328012 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://people.canonical.com/~ubuntu-security/cve/2015 • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVE-2016-1908 – openssh: possible fallback from untrusted to trusted X11 forwarding
https://notcve.org/view.php?id=CVE-2016-1908
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. El cliente en OpenSSH en versiones anteriores a 7.2 no maneja correctamente falló en la generación de cookies para el reenvío X11 no confiable y confía en el servidor X11 local para las decisiones de control de acceso, lo que permite a los clientes remotos X11 activar un fallback y obtener privilegios de reenvío X11 confiables aprovechando los problemas de configuración de este servidor X11, como lo demuestra la falta de la extensión SECURITY en este servidor X11. An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. • http://openwall.com/lists/oss-security/2016/01/15/13 http://rhn.redhat.com/errata/RHSA-2016-0465.html http://rhn.redhat.com/errata/RHSA-2016-0741.html http://www.openssh.com/txt/release-7.2 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/84427 http://www.securitytracker.com/id/1034705 https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c https://bugzilla.redhat.com/show_bug.cgi • CWE-284: Improper Access Control CWE-287: Improper Authentication •