Debian LTS Advisory ([SECURITY] [DLA 1500-1] openssh security update)

Information

Severity

Severity

High

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

8.5

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:C

Solution Type

Solution Type

Vendor Patch

Created

Created

3 years ago

Modified

Modified

3 years ago

Summary

Several vulnerabilities have been found in OpenSSH, a free implementation of the SSH protocol suite: CVE-2015-5352 OpenSSH incorrectly verified time window deadlines for X connections. Remote attackers could take advantage of this flaw to bypass intended access restrictions. Reported by Jann Horn. CVE-2015-5600 OpenSSH improperly restricted the processing of keyboard-interactive devices within a single connection, which could allow remote attackers to perform brute-force attacks or cause a denial of service, in a non-default configuration. CVE-2015-6563 OpenSSH incorrectly handled usernames during PAM authentication. In conjunction with an additional flaw in the OpenSSH unprivileged child process, remote attackers could make use if this issue to perform user impersonation. Discovered by Moritz Jodeit. CVE-2015-6564 Moritz Jodeit discovered a use-after-free flaw in PAM support in OpenSSH, that could be used by remote attackers to bypass authentication or possibly execute arbitrary code. CVE-2016-1908 OpenSSH mishandled untrusted X11 forwarding when the X server disables the SECURITY extension. Untrusted connections could obtain trusted X11 forwarding privileges. Reported by Thomas Hoger. CVE-2016-3115 OpenSSH improperly handled X11 forwarding data related to authentication credentials. Remote authenticated users could make use of this flaw to bypass intended shell-command restrictions. Identified by github.com/tintinweb. CVE-2016-6515 OpenSSH did not limit password lengths for password authentication. Remote attackers could make use of this flaw to cause a denial of service via long strings. CVE-2016-10009 Jann Horn discovered an untrusted search path vulnerability in ssh-agent allowing remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. CVE-2016-10011 Jann Horn discovered that OpenSSH did not properly consider the effects of realloc on buffer contents. This may allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. CVE-2016-10012 Guido Vranken discovered that the OpenSSH shared memory manager did not ensure that a bounds check was enforced by all compilers, which could allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process. CVE-2016-10708 NULL pointer dereference and daemon crash via an out-of-sequence NEWKEYS message. CVE-2017-15906 Michal Zalewski reported that OpenSSH improperly prevent write operations in readonly mode, allowing attackers to create zero-length files.

Affected Software

Affected Software

openssh on Debian Linux

Detection Method

Detection Method

This check tests the installed software version using the apt package manager.

Solution

Solution

For Debian 8 'Jessie', these problems have been fixed in version 1:6.7p1-5+deb8u6. We recommend that you upgrade your openssh packages.

Ready to dive in? Start your free trial today.

Companies of all sizes—from startups to Fortune 500s—use Mageni to scan their assets for vulnerabilities, reduce risk exposure and minimizing the likelihood of a data breach. Free for 7-days then $39 USD Monthly. No Contracts, Cancel at Anytime and 7-days Money-Back Guarantee.

Get Started For Free
App screenshot