CVSS: 6.4EPSS: 1%CPEs: 2EXPL: 1CVE-2016-3115 – OpenSSH 7.2p1 - (Authenticated) xauth Command Injection
https://notcve.org/view.php?id=CVE-2016-3115
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. Múltiples vulnerabilidades de inyección CRLF en session.c en sshd en OpenSSH en versiones anteriores a 7.2p2 permite a usuarios remotos autenticados eludir las restricciones de comandos de shell previstas a través del redireccionamiento de datos X11 manipulados, relacionadas con las funciones (1) do_authenticated1 y (2) session_x11_req. It was discovered that the OpenSSH server did not sanitize data received in requests to enable X11 forwarding. An authenticated client with restricted SSH access could possibly use this flaw to bypass intended restrictions. OpenSSH versions 7.2p1 and below suffer from a command injection and /bin/false bypass vulnerability via xauth. • https://www.exploit-db.com/exploits/39569 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&f=h http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html http://lists.fedoraproject.org/pipermail& • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 1%CPEs: 58EXPL: 0CVE-2016-0777 – OpenSSH: Client Information leak due to use of roaming connection feature
https://notcve.org/view.php?id=CVE-2016-0777
The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. La función resend_bytes en roaming_common.c en el cliente en OpenSSH 5.x, 6.x y 7.x en versiones anteriores a 7.1p2 permite a servidores remotos obtener información sensible desde la memoria de proceso mediante la petición de transmisión de un buffer completo, según lo demostrado mediante la lectura de una clave privada. An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734 http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175592.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175676.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html http://lists.opensuse.org/opensuse-security-announce • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-682: Incorrect Calculation •
CVSS: 8.1EPSS: 0%CPEs: 44EXPL: 1CVE-2016-0778 – OpenSSH: Client buffer-overflow when using roaming connections
https://notcve.org/view.php?id=CVE-2016-0778
The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. Las funciones (1) roaming_read y (2) roaming_write en roaming_common.c en el cliente en OpenSSH 5.x, 6.x y 7.x en versiones anteriores a 7.1p2, cuando ciertas opciones proxy y forward se encuentran habilitadas, no mantiene adecuadamente los descriptores de archivo de conexión, lo que permite a servidores remotos causar una denegación de servicio (desbordamiento de buffer basado en memoria dinámica) o posiblemente tener otro impacto no especificado mediante la petición de varios reenvíos. A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734 http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176516.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176349.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2016-01& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •
CVSS: 6.2EPSS: 0%CPEs: 2EXPL: 0CVE-2015-6563 – openssh: Privilege separation weakness related to PAM support
https://notcve.org/view.php?id=CVE-2015-6563
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. Vulnerabilidad en el componente monitor en sshd en OpenSSH en versiones anteriores a 7.0 en plataformas no OpenBSD, acepta datos de nombre de usuario extraños en las solicitudes MONITOR_REQ_PAM_INIT_CTX, lo que permite a usuarios locales llevar a cabo ataques de suplantación aprovechando cualquier acceso de inicio de sesión SSH junto con el control del sshd uid para enviar una petición MONITOR_REQ_PWNAM manipulada, relacionado con monitor.c y monitor_wrap.c. A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. • http://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html http://rhn.redhat.com/errata/RHSA-2016-0741.html http://seclists.org/fulldisclosure/2015/Aug/54 http://www.openssh.com/txt/release-7.0 http://www.openwall.com/lists/oss-security/2015/08/22/1 http://www.oracle.com/technetwork/topics/security/bulletinjan2016- • CWE-20: Improper Input Validation CWE-266: Incorrect Privilege Assignment •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6564 – openssh: Use-after-free bug related to PAM support
https://notcve.org/view.php?id=CVE-2015-6564
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. Vulnerabilidad de uso después de la liberación de la memoria en la función mm_answer_pam_free_ctx en monitor.c en sshd en OpenSSH en versiones anteriores a 7.0 en plataformas no OpenBSD, podría permitir a usuarios locales obtener privilegios mediante el aprovechamiento del control del sshd uid para enviar una petición MONITOR_REQ_PAM_FREE_CTX inesperadamente temprana. A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html http://rhn.redhat.com/errata/RHSA-2016-0741.html http://seclists.org/fulldisclosure/2015/Aug/54 http://www.openssh.com/txt/release-7.0 http://www.openwall.com/lists/oss-security/2015/08/22/1 http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html http://www.oracle.com/technetwork/topics/security/linuxbulletinapr20 • CWE-264: Permissions, Privileges, and Access Controls CWE-416: Use After Free •