NewStart CGSL MAIN 6.02 : libssh Multiple Vulnerabilities (NS-SA-2024-0052)

Critical | Nessus Plugin ID 206832

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has libssh packages installed that are affected by multiple vulnerabilities:

- The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between child processes and allows local users to obtain sensitive information by leveraging a pid collision. (CVE-2014-0017)

- A vulnerability was found in libssh's server-side state machine. A malicious client could create channels without first performing authentication, resulting in unauthorized access. (CVE-2018-10933)

- A flaw was found in the libssh API function ssh_scp_new(). A user able to connect to a server using SCP could execute arbitrary commands via a user-provided path, leading to a compromise of the remote target. (CVE-2019-14889)

- A flaw was found in libssh: a NULL pointer dereference occurs in tftpserver.c if ssh_buffer_new returns NULL. (CVE-2020-16135)

- A flaw was found in the way libssh handled AES-CTR ciphers (or DES ciphers, if enabled). The server or client could crash when the connection has not been fully initialized and the system tries to clean up the ciphers while closing the connection. The biggest threat from this vulnerability is to system availability. (CVE-2020-1730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL libssh packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2024-0052

https://security.gd-linux.com/info/CVE-2014-0017

https://security.gd-linux.com/info/CVE-2018-10933

https://security.gd-linux.com/info/CVE-2019-14889

https://security.gd-linux.com/info/CVE-2020-16135

https://security.gd-linux.com/info/CVE-2020-1730

https://security.gd-linux.com/info/CVE-2021-3634

Plugin Details

Severity: Critical

ID: 206832

File Name: newstart_cgsl_NS-SA-2024-0052_libssh.nasl

Version: 1.1

Type: local

Published: 9/10/2024

Updated: 9/10/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-14889

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2018-10933

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:libssh-config, p-cpe:/a:zte:cgsl_main:libssh

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/3/2024

Vulnerability Publication Date: 3/4/2014

Reference Information

CVE: CVE-2014-0017, CVE-2018-10933, CVE-2019-14889, CVE-2020-16135, CVE-2020-1730, CVE-2021-3634

IAVA: 2018-A-0347-S, 2020-A-0203, 2022-A-0041-S