CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 1CVE-2016-10009 – OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading
https://notcve.org/view.php?id=CVE-2016-10009
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. Vulnerabilidad de ruta de búsqueda no confiable en ssh-agent.c en ssh-agent en OpenSSH en versiones anteriores a 7.4 permite a atacantes remotos ejecutar modulos locales PKCS#11 arbitrarios aprovechando el control sobre un agent-socket reenviado. It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent. The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. • https://www.exploit-db.com/exploits/40963 http://packetstormsecurity.com/files/140261/OpenSSH-Arbitrary-Library-Loading.html http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2023/Jul/31 http://www.openwall.com/lists/oss-security/2016/12/19/2 http://www.openwall.com/lists/oss-security/2023/07/19/9 http://www.openwall.com/lists/oss-security/2023/07/20/1 http://www.securityfocus.com/bid/94968 http&# • CWE-426: Untrusted Search Path •
CVSS: 7.8EPSS: 78%CPEs: 6EXPL: 0CVE-2016-8858
https://notcve.org/view.php?id=CVE-2016-8858
The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue." ** DISPUTADA ** La función kex_input_kexinit en kex.c en OpenSSH 6.x y 7.x hasta la versión 7.3 permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) enviando muchas peticiones duplicadas KEXINIT. NOTA: un tercero reporta que "OpenSSH upstream no considera esto como un problema de seguridad". • http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.126&r2=1.127&f=h http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup http://www.openwall.com/lists/oss-security/2016/10/19/3 http://www.openwall.com/lists/oss-security/2016/10/20/1 http://www.securityfocus.com/bid/93776 http://www.securitytracker.com/id/1037057 https://bugzilla.redhat.com/show_bug.cgi?id=1384860 https: • CWE-399: Resource Management Errors •
CVSS: 7.8EPSS: 4%CPEs: 2EXPL: 2CVE-2016-6515 – OpenSSH 7.2 - Denial of Service
https://notcve.org/view.php?id=CVE-2016-6515
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. La función auth_password en auth-passwd.c en sshd en OpenSSH en versiones anteriores a 7.3 no limita longitudes de contraseña para autenticación de contraseña, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de CPU clave) a través de una cadena larga. It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords. • https://www.exploit-db.com/exploits/40888 https://github.com/opsxcq/exploit-CVE-2016-6515 http://openwall.com/lists/oss-security/2016/08/01/2 http://packetstormsecurity.com/files/140070/OpenSSH-7.2-Denial-Of-Service.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.securityfocus.com/bid/92212 http://www.securitytracker.com/id/1036487 https://access.redhat.com/errata/RHSA-2017:2029 https://cert-portal.siemens.com/productcert/pdf/ssa-412672& • CWE-20: Improper Input Validation CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 10%CPEs: 1EXPL: 5CVE-2016-6210 – OpenSSH 7.2p2 - Username Enumeration
https://notcve.org/view.php?id=CVE-2016-6210
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided. sshd en OpenSSH en versiones anteriores a 7.3, cuando SHA256 o SHA512 son utilizados para el hashing de la contraseña del usuario, utiliza BLOWFISH hashing en una contraseña estática cuando no existe el nombre de usuario, lo que permite a atacantes remotos enumerar usuarios aprovechando la diferencia de tiempo entre respuestas cuando se proporciona una contraseña grande. A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses. • https://www.exploit-db.com/exploits/40136 https://www.exploit-db.com/exploits/40113 https://github.com/justlce/CVE-2016-6210-Exploit https://github.com/goomdan/CVE-2016-6210-exploit https://github.com/samh4cks/CVE-2016-6210-OpenSSH-User-Enumeration http://seclists.org/fulldisclosure/2016/Jul/51 http://www.debian.org/security/2016/dsa-3626 http://www.securityfocus.com/bid/91812 http://www.securitytracker.com/id/1036319 https://access.redhat.com/errata/RHSA-2017:2029 https&# • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-385: Covert Timing Channel •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2015-8325 – openssh: privilege escalation via user's PAM environment and UseLogin=yes
https://notcve.org/view.php?id=CVE-2015-8325
The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable. La función do_setup_env en session.c en sshd en OpenSSH hasta la versión 7.2p2, cuando la funcionalidad UseLogin está activa y PAM está configurado para leer archivos .pam_environment en directorios home de usuario, permite a usuarios locales obtener privilegios desencadenando un entorno manipulado para el programa /bin/login, según lo demostrado por una variable de entorno LD_PRELOAD. It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root. • http://rhn.redhat.com/errata/RHSA-2016-2588.html http://rhn.redhat.com/errata/RHSA-2017-0641.html http://www.debian.org/security/2016/dsa-3550 http://www.securityfocus.com/bid/86187 http://www.securitytracker.com/id/1036487 https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 https://bugzilla.redhat.com/show_bug.cgi?id=1328012 https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf https://people.canonical.com/~ubuntu-security/cve/2015&#x • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •