OpenSSH < 7.4 Multiple Vulnerabilities - Nessus - InfosecMatter

OpenSSH < 7.4 Multiple Vulnerabilities - Nessus

HIGH    Plugin ID: 96151

This page contains detailed information about the OpenSSH < 7.4 Multiple Vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Table Of Contents
Plugin Overview
Vulnerability Information
Synopsis
Description
Solution
Public Exploits
Risk Information
Plugin Source
How to Run
References
Version

Plugin Overview

ID: 96151
Name: OpenSSH < 7.4 Multiple Vulnerabilities
Filename: openssh_74.nasl
Vulnerability Published: 2016-12-19
This Plugin Published: 2016-12-27
Last Modification Time: 2022-04-04
Plugin Version: 1.8
Plugin Type: remote
Plugin Family: Misc.
Dependencies: ssh_detect.nasl
Required KB Items [?]: Settings/ParanoidReport

Vulnerability Information

Severity: High
Vulnerability Published: 2016-12-19
Patch Published: 2016-12-19
CVE [?]: CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2016-10708
CPE [?]: cpe:/a:openbsd:openssh

Synopsis

The SSH server running on the remote host is affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSH running on the remote host is prior to 7.4. It is, therefore, affected by multiple vulnerabilities:

- A flaw exists in ssh-agent due to loading PKCS#11 modules from paths that are outside a trusted whitelist. A local attacker can exploit this, by using a crafted request to load hostile modules via agent forwarding, to execute arbitrary code. To exploit this vulnerability, the attacker would need to control the forwarded agent-socket (on the host running the sshd server) and the ability to write to the file system of the host running ssh-agent. (CVE-2016-10009)

- A flaw exists in sshd due to creating forwarded Unix-domain sockets with 'root' privileges whenever privilege separation is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10010)

- An information disclosure vulnerability exists in sshd within the realloc() function due to leakage of key material to privilege-separated child processes when reading keys. A local attacker can possibly exploit this to disclose sensitive key material. Note that no such leak has been observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. (CVE-2016-10011)

- A flaw exists in sshd within the shared memory manager used by pre-authenticating compression support due to a bounds check being elided by some optimizing compilers and due to the memory manager being incorrectly accessible when pre-authenticating compression is disabled. A local attacker can exploit this to gain elevated privileges. (CVE-2016-10012)

- A denial of service vulnerability exists in sshd when handling KEXINIT messages. An unauthenticated, remote attacker can exploit this, by sending multiple KEXINIT messages, to consume up to 128MB per connection.

- A flaw exists in sshd due to improper validation of address ranges by the AllowUsers and DenyUsers directives at configuration load time. A local attacker can exploit this, via an invalid CIDR address range, to gain access to restricted areas.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
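As the note above says, the plugin's check is banner-based only. The following Python is an added example (it is neither Tenable's plugin code nor part of the original page) showing what such a check amounts to: it parses the OpenSSH identification string, compares the reported version against 7.4, and, for the CVE-2016-10010 precondition named in the description, inspects sshd_config for privilege separation being disabled. The sample banners and config text are constructed; `grab_banner` is the only function that touches the network and is not called by default.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample banners for offline use (not captured from real hosts).
SAMPLE_BANNERS: List[str] = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    "SSH-2.0-OpenSSH_6.6.1p1",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.9p1 Debian-3",
    "SSH-2.0-dropbear_2019.78",
]

# Release that fixed the issues listed on this page (the plugin's threshold).
FIXED_VERSION = (7, 4, 0)

# "SSH-2.0-OpenSSH_7.2p2 Ubuntu-..." -> proto 2.0, version 7.2, portable release p2
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<ver>\d+\.\d+(?:\.\d+)?)(?:p(?P<portable>\d+))?"
)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSH banner, or None for other servers."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    while len(parts) < 3:          # "7.2" -> (7, 2, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner reports OpenSSH < 7.4, False if 7.4 or later, None if not OpenSSH."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def privsep_disabled(sshd_config: str) -> bool:
    """CVE-2016-10010 only applies when sshd_config sets 'UsePrivilegeSeparation no'."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "key value" or "key=value"
        if len(parts) < 2:
            continue
        if parts[0].lower() == "useprivilegeseparation" and parts[1].strip().lower() == "no":
            return True
    return False


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live SSH service (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256).decode("ascii", "replace")
    return data.splitlines()[0] if data else ""


def check_banners(banners: List[str]) -> Dict[str, Optional[bool]]:
    """Map each banner to the affected verdict, mirroring a version-only plugin check."""
    return {b: is_affected(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in check_banners(SAMPLE_BANNERS).items():
        print(f"{banner!r:45} affected={verdict}")
    # Constructed sshd_config fragment with the CVE-2016-10010 precondition set.
    print("privsep disabled:", privsep_disabled("Port 22\nUsePrivilegeSeparation no\n"))
```

Because the verdict rests on the self-reported version, a distribution build that backports the 7.4 fixes while keeping an older version string is reported as affected; this is consistent with the plugin requiring Settings/ParanoidReport, and a banner match should be confirmed against the vendor's patch level before it is treated as a finding.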

Solution
Upgrade to OpenSSH version 7.4 or later.

Public Exploits
Target Network Port(s): N/A
Target Asset(s): Services/ssh
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the OpenSSH < 7.4 Multiple Vulnerabilities
vulnerability:

1. Exploit-DB: exploits/linux/local/40962.txt
[EDB-40962: OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation]
2. GitHub: https://github.com/biswajitde/dsm_ips
[CVE-2016-10009]
3. GitHub: https://github.com/gabrieljcs/ips-assessment-reports
[CVE-2016-10009]
4. GitHub: https://github.com/phx/cvescan
[CVE-2016-10009]
5. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10009]
6. GitHub: https://github.com/phx/cvescan
[CVE-2016-10010]
7. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10010]
8. GitHub: https://github.com/phx/cvescan
[CVE-2016-10011]
9. GitHub: https://github.com/phx/cvescan
[CVE-2016-10012]
10. GitHub: https://github.com/scmanjarrez/CVEScannerV2
[CVE-2016-10012]
11. GitHub: https://github.com/phx/cvescan
[CVE-2016-10708]
12. GitHub: https://github.com/project7io/nmap
[CVE-2016-10708]
13. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/40962.zip
[EDB-40962]

Before running any exploit against any system, make sure you are authorized by the owner of the target
system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2016-10009
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 5.9 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 5.9 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CVSS Base Score: 7.3 (High)
Impact Subscore: 3.4
Exploitability Subscore: 3.9
CVSS Temporal Score: 6.6 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.6 (Medium)

Plugin Source
This is the openssh_74.nasl Nessus plugin source code. This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include("compat.inc");

if (description)
{
script_id(96151);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/04");

script_cve_id(
"CVE-2016-10009",
"CVE-2016-10010",
"CVE-2016-10011",
"CVE-2016-10012",
"CVE-2016-10708"
);
script_bugtraq_id(
94968,
94972,
94975,
94977
);
script_xref(name:"EDB-ID", value:"40962");

script_name(english:"OpenSSH < 7.4 Multiple Vulnerabilities");
script_summary(english:"Checks the OpenSSH banner version.");

script_set_attribute(attribute:"synopsis", value:
"The SSH server running on the remote host is affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote
host is prior to 7.4. It is, therefore, affected by multiple
vulnerabilities :

- A flaw exists in ssh-agent due to loading PKCS#11
modules from paths that are outside a trusted whitelist.
A local attacker can exploit this, by using a crafted
request to load hostile modules via agent forwarding, to
execute arbitrary code. To exploit this vulnerability,
the attacker would need to control the forwarded
agent-socket (on the host running the sshd server) and
the ability to write to the file system of the host
running ssh-agent. (CVE-2016-10009)

- A flaw exists in sshd due to creating forwarded
Unix-domain sockets with 'root' privileges whenever
privilege separation is disabled. A local attacker can
exploit this to gain elevated privileges.
(CVE-2016-10010)

- An information disclosure vulnerability exists in sshd
within the realloc() function due leakage of key
material to privilege-separated child processes when
reading keys. A local attacker can possibly exploit this
to disclose sensitive key material. Note that no such
leak has been observed in practice for normal-sized
keys, nor does a leak to the child processes directly
expose key material to unprivileged users.
(CVE-2016-10011)

- A flaw exists in sshd within the shared memory manager
used by pre-authenticating compression support due to a
bounds check being elided by some optimizing compilers
and due to the memory manager being incorrectly
accessible when pre-authenticating compression is
disabled. A local attacker can exploit this to gain
elevated privileges. (CVE-2016-10012)

- A denial of service vulnerability exists in sshd when
handling KEXINIT messages. An unauthenticated, remote
attacker can exploit this, by sending multiple KEXINIT
messages, to consume up to 128MB per connection.

- A flaw exists in sshd due to improper validation of
address ranges by the AllowUser and DenyUsers
directives at configuration load time. A local attacker
can exploit this, via an invalid CIDR address range, to
gain access to restricted areas.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-7.4");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH version 7.4 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

The latest version of this script can be found in these locations depending on your platform:

Linux / Unix:
/opt/nessus/lib/nessus/plugins/openssh_74.nasl
Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\openssh_74.nasl
Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/openssh_74.nasl


How to Run
Here is how to run the OpenSSH < 7.4 Multiple Vulnerabilities plugin on its own via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Misc. plugin family.
6. On the right side table select OpenSSH < 7.4 Multiple Vulnerabilities plugin ID 96151.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below
demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl openssh_74.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a openssh_74.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - openssh_74.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the same target):

/opt/nessus/bin/nasl -K /tmp/state openssh_74.nasl -t <IP/HOST>


References
BID | SecurityFocus Bugtraq ID:
94968, 94972, 94975, 94977

See also:
https://www.tenable.com/plugins/nessus/96151
http://www.openssh.com/txt/release-7.4
https://vulners.com/nessus/OPENSSH_74.NASL

Similar and related Nessus plugins:
136324 - AIX OpenSSH Advisory : openssh_advisory10.asc
130514 - Juniper JSA10940
126510 - Juniper Junos Space < 18.2R1 Multiple Vulnerabilities (JSA10880)
99134 - macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)
106503 - pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)
17839 - OpenSSH < 2.1.1p3 Format String Privilege Escalation
44070 - OpenSSH < 2.9.9p2 echo simulation Information Disclosure
44075 - OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure
22466 - OpenSSH < 4.4 Multiple Vulnerabilities
44077 - OpenSSH < 4.5 Multiple Vulnerabilities
44079 - OpenSSH < 4.9 'ForceCommand' Directive Bypass
31737 - OpenSSH X11 Forwarding Session Hijacking
44081 - OpenSSH < 5.7 Multiple Vulnerabilities
51920 - OpenSSH Legacy Certificate Signing Information Disclosure
73079 - OpenSSH < 6.6 Multiple Vulnerabilities
84638 - OpenSSH < 6.9 Multiple Vulnerabilities
85382 - OpenSSH < 7.0 Multiple Vulnerabilities
90924 - OpenSSH 6.8p1 - 7.x < 7.1p2 ssh_packet_read_poll2() Packet Handling DoS
106608 - OpenSSH 5.4 < 7.1p2 Multiple Vulnerabilities
90022 - OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass
90023 - OpenSSH < 7.2p2 X11Forwarding xauth Command Injection
93194 - OpenSSH < 7.3 Multiple Vulnerabilities
103781 - OpenSSH < 7.6
159490 - OpenSSH < 7.8
159491 - OpenSSH < 8.0
130455 - OpenSSH 7.7 < 8.1
147662 - OpenSSH 8.2 < 8.5
154174 - OpenSSH 6.2 < 8.8
86122 - OpenSSH MaxAuthTries Bypass
11574 - OpenSSH w/ PAM Multiple Timing Attack Weaknesses
159492 - OpenSSH PCI Disputed Vulnerabilities.
44065 - OpenSSH < 5.2 CBC Plaintext Disclosure
78655 - OpenSSH SSHFP Record Verification Weakness
17744 - OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing

Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file openssh_74.nasl version 1.8. For more plugins, visit the Nessus Plugin Library.


Copyright © 2023 InfosecMatter