ESB-2018.2693 - [Debian] openssh: Multiple vulnerabilities 2018-09-11


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2693
                          openssh security update
                             11 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openssh
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Access Privileged Data          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15906 CVE-2016-10708 CVE-2016-10012
                   CVE-2016-10011 CVE-2016-10009 CVE-2016-6515
                   CVE-2016-3115 CVE-2016-1908 CVE-2015-6564
                   CVE-2015-6563 CVE-2015-5600 CVE-2015-5352

Reference:         ESB-2018.0230
                   ASB-2016.0048
                   ASB-2015.0090
                   ESB-2015.1814
                   ESB-2015.1975.2

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : openssh
Version        : 1:6.7p1-5+deb8u6
CVE ID         : CVE-2015-5352 CVE-2015-5600 CVE-2015-6563 CVE-2015-6564
                 CVE-2016-1908 CVE-2016-3115 CVE-2016-6515 CVE-2016-10009
                 CVE-2016-10011 CVE-2016-10012 CVE-2016-10708
                 CVE-2017-15906
Debian Bug     : 790798 793616 795711 848716 848717


Several vulnerabilities have been found in OpenSSH, a free implementation
of the SSH protocol suite:

CVE-2015-5352

    OpenSSH incorrectly verified time window deadlines for X connections.
    Remote attackers could take advantage of this flaw to bypass intended
    access restrictions. Reported by Jann Horn.

CVE-2015-5600

    OpenSSH improperly restricted the processing of keyboard-interactive
    devices within a single connection, which could allow remote attackers
    to perform brute-force attacks or cause a denial of service, in a
    non-default configuration.

CVE-2015-6563

    OpenSSH incorrectly handled usernames during PAM authentication. In
    conjunction with an additional flaw in the OpenSSH unprivileged child
    process, remote attackers could make use of this issue to perform user
    impersonation. Discovered by Moritz Jodeit.

CVE-2015-6564

    Moritz Jodeit discovered a use-after-free flaw in PAM support in
    OpenSSH that could be used by remote attackers to bypass
    authentication or possibly execute arbitrary code.

CVE-2016-1908

    OpenSSH mishandled untrusted X11 forwarding when the X server disables
    the SECURITY extension. Untrusted connections could obtain trusted X11
    forwarding privileges. Reported by Thomas Hoger.

CVE-2016-3115

    OpenSSH improperly handled X11 forwarding data related to
    authentication credentials. Remote authenticated users could make use
    of this flaw to bypass intended shell-command restrictions. Identified
    by github.com/tintinweb.

CVE-2016-6515

    OpenSSH did not limit password lengths for password authentication.
    Remote attackers could make use of this flaw to cause a denial of
    service via long strings.

CVE-2016-10009

    Jann Horn discovered an untrusted search path vulnerability in
    ssh-agent allowing remote attackers to execute arbitrary local
    PKCS#11 modules by leveraging control over a forwarded agent-socket.

CVE-2016-10011

    Jann Horn discovered that OpenSSH did not properly consider the
    effects of realloc on buffer contents. This may allow local users to
    obtain sensitive private-key information by leveraging access to a
    privilege-separated child process.

CVE-2016-10012

    Guido Vranken discovered that the OpenSSH shared memory manager
    did not ensure that a bounds check was enforced by all compilers,
    which could allow local users to gain privileges by leveraging access
    to a sandboxed privilege-separation process.

CVE-2016-10708

    NULL pointer dereference and daemon crash via an out-of-sequence
    NEWKEYS message.

CVE-2017-15906

    Michal Zalewski reported that OpenSSH did not properly prevent write
    operations in readonly mode, allowing attackers to create zero-length
    files.

For Debian 8 "Jessie", these problems have been fixed in version
1:6.7p1-5+deb8u6.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
