Dropbear SSH < 2016.74.0 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 700028

Synopsis

The remote host is running an outdated SSH server that is vulnerable to multiple attack vectors.

Description

Dropbear is an SSH client and server application. Versions of Dropbear SSH server prior to 2016.74.0 are potentially affected by the following vulnerabilities:

- A format string flaw exists that is triggered as string format specifiers (e.g. %s and %x) are not properly used when handling usernames or host arguments. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-7406)
- A flaw exists that is triggered during the handling of specially crafted OpenSSH key files that are imported via 'dropbearconvert'. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2016-7407)
- A flaw exists in 'dbclient' that is triggered during the handling of '-m' or '-c' arguments, as used in scripts. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-7408)
- A flaw exists in 'dbclient' or 'dropbear server' that is triggered when compiling with 'DEBUG_TRACE' and running with '-v'. This may allow a local attacker to gain access to process memory. (CVE-2016-7409)

Solution

Update to Dropbear version 2016.74.0 or later.
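
To find hosts that still need this update, the version condition from the Description can be applied to SSH identification banners already collected by an inventory or monitoring tool. This is an added example, not the plugin's own detection logic; it assumes Dropbear's usual `SSH-2.0-dropbear_<version>` identification string, and the sample banners are constructed.

```python
import re

# Fixed release named on this page (upstream writes it as 2016.74).
FIXED = (2016, 74, 0)

# RFC 4253 identification string: SSH-<proto>-<software>[ comments].
# Assumption: Dropbear reports itself as "dropbear_<version>".
BANNER_RE = re.compile(r"^SSH-[0-9.]+-dropbear(?:_([0-9]+(?:\.[0-9]+)*))?", re.I)


def parse_version(text):
    """Turn '2016.73' or '0.53.1' into a zero-padded 3-tuple of ints."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(banner):
    """Return 'outdated', 'fixed', 'unknown' or 'not-dropbear' for a banner."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return "not-dropbear"
    if m.group(1) is None:
        # Dropbear without a version string: cannot be judged from the banner.
        return "unknown"
    return "outdated" if parse_version(m.group(1)) < FIXED else "fixed"


# Constructed sample banners, as a banner-grab inventory might record them.
SAMPLES = [
    "SSH-2.0-dropbear_2016.73",
    "SSH-2.0-dropbear_2016.74\r\n",
    "SSH-2.0-dropbear_0.53.1",
    "SSH-2.0-dropbear_2017.75",
    "SSH-2.0-dropbear",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner.strip():28} {classify(banner)}")
```

A banner only reports the version string, so a build with backported fixes can still be reported as outdated and should be confirmed against the installed package.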

See Also

http://matt.ucc.asn.au/dropbear/CHANGES

Plugin Details

Severity: Critical

ID: 700028

Family: SSH

Published: 3/28/2017

Updated: 3/6/2019

Nessus ID: 93650

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:matt_johnston:dropbear_ssh_server

Patch Publication Date: 7/21/2016

Vulnerability Publication Date: 7/21/2016

Reference Information

CVE: CVE-2016-7406, CVE-2016-7407, CVE-2016-7408, CVE-2016-7409

BID: 92970, 92972, 92973, 92974