RHEL 6 : openssh (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory openssh. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195377);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-6515",
    "CVE-2016-10009",
    "CVE-2016-10011",
    "CVE-2016-10012",
    "CVE-2016-10708",
    "CVE-2016-20012",
    "CVE-2018-20685",
    "CVE-2019-6109",
    "CVE-2019-6110",
    "CVE-2019-6111",
    "CVE-2020-14145",
    "CVE-2020-15778",
    "CVE-2021-41617",
    "CVE-2023-51385",
    "CVE-2023-51767"
  );

  script_name(english:"RHEL 6 : openssh (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - openssh: loading of untrusted PKCS#11 modules in ssh-agent (CVE-2016-10009)

  - openssh: scp allows command injection when using backtick characters in the destination argument
    (CVE-2020-15778)

  - authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer
    contents, which might allow local users to obtain sensitive private-key information by leveraging access
    to a privilege-separated child process. (CVE-2016-10011)

  - The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4
    does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain
    privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and
    m_zlib data structures. (CVE-2016-10012)

  - sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference
    and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c
    and packet.c. (CVE-2016-10708)

  - OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username
    and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a
    challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not
    recognize user enumeration as a vulnerability for this product (CVE-2016-20012)

  - The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths
    for password authentication, which allows remote attackers to cause a denial of service (crypt CPU
    consumption) via a long string. (CVE-2016-6515)

  - In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions
    via the filename of . or an empty filename. The impact is modifying the permissions of the target
    directory on the client side. (CVE-2018-20685)

  - An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a
    malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client
    output, e.g., by using ANSI control codes to hide additional files being transferred. This affects
    refresh_progress_meter() in progressmeter.c. (CVE-2019-6109)

  - In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious
    server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control
    codes to hide additional files being transferred. (CVE-2019-6110)

  - An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the
    server chooses which files/directories are sent to the client. However, the scp client only performs
    cursory validation of the object name returned (only directory traversal attacks are prevented). A
    malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client
    target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as
    well (for example, to overwrite the .ssh/authorized_keys file). (CVE-2019-6111)

  - The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in
    the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts
    (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and
    8.6 are also affected. (CVE-2020-14145)

  - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows
    privilege escalation because supplemental groups are not initialized as expected. Helper programs for
    AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group
    memberships of the sshd process, if the configuration specifies running the command as a different user.
    (CVE-2021-41617)

  - In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell
    metacharacters, and this name is referenced by an expansion token in certain situations. For example, an
    untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
    (CVE-2023-51385)

  - OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for
    authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not
    resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-
    location in which the attacker has user privileges. (CVE-2023-51767)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-10009");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-15778");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'openssh', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'unpatched_pkg':'openssh'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openssh');
}