EulerOS 2.0 SP12 : openssh (EulerOS-SA-2024-2222)

low Nessus Plugin ID 205932

Synopsis

The remote EulerOS host is missing a security update.

Description

According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is 'this is not an authentication bypass, since nothing is being bypassed.(CVE-2021-36368)

Tenable has extracted the preceding description block directly from the EulerOS openssh security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected openssh packages.

See Also

http://www.nessus.org/u?757c3824

Plugin Details

Severity: Low

ID: 205932

File Name: EulerOS_SA-2024-2222.nasl

Version: 1.1

Type: local

Published: 8/20/2024

Updated: 8/20/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-36368

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:openssh-server-8.8p1, p-cpe:/a:huawei:euleros:openssh-8.8p1, p-cpe:/a:huawei:euleros:openssh-clients-8.8p1, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Ease: No known exploits are available

Patch Publication Date: 8/20/2024

Vulnerability Publication Date: 3/12/2022

Reference Information

CVE: CVE-2021-36368