Detections
Analytics
Debian dla-3899 : python-asyncssh-doc - security update
critical Nessus Plugin ID 207872
Language:
Synopsis
The remote Debian host is missing one or more security-related updates.Description
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3899 advisory.------------------------------------------------------------------------- Debian LTS Advisory DLA-3899-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert September 27, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-asyncssh Version : 2.5.0-0.1+deb11u1 CVE ID : CVE-2023-46445 CVE-2023-46446 CVE-2023-48795 Debian Bug : 1055999 1056000 1059007
AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python 3.4+ asyncio framework. It has been discovered that it is vulnerable to
CVE-2023-46445
A vulnerability has been discovered that allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack (aka Rogue Extension Negotiation).
CVE-2023-46446
A vulnerability has been discovered that allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation (aka Rogue Session attack).
CVE-2023-48795
A vulnerability has been discovered allows remote attackers to bypass integrity checks, and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled (aka Terrapin attack).
For Debian 11 bullseye, these problems have been fixed in version 2.5.0-0.1+deb11u1.
We recommend that you upgrade your python-asyncssh packages.
For the detailed security status of python-asyncssh please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-asyncssh
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc Description: This is a digitally signed message part
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the python-asyncssh-doc packages.See Also
http://www.nessus.org/u?1c055cfb
https://security-tracker.debian.org/tracker/CVE-2023-46445
https://security-tracker.debian.org/tracker/CVE-2023-46446
Plugin Details
Severity: Critical
ID: 207872
File Name: debian_DLA-3899.nasl
Version: 1.1
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 9/27/2024
Updated: 9/27/2024
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.1
CVSS v2
Risk Factor: Medium
Base Score: 6.6
Temporal Score: 5.2
Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:N
CVSS Score Source: CVE-2023-46446
CVSS v3
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 6.1
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v4
Risk Factor: Critical
Base Score: 9.3
Threat Score: 8.9
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score Source: CVE-2023-48795
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python-asyncssh-doc, p-cpe:/a:debian:debian_linux:python3-asyncssh
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 9/27/2024
Vulnerability Publication Date: 11/9/2023