The version of openssh installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-51384 advisory.

  - In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When     destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints     are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of OpenSSH installed on the remote host is prior to 9.6. It is, therefore, affected by multiple vulnerabilities as referenced in the release-9.6 advisory.

  - ssh(1), sshd(8): implement protocol extensions to thwart the so-called Terrapin attack discovered by     Fabian Bumer, Marcus Brinkmann and Jrg Schwenk. This attack allows a MITM to effect a limited break of     the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the     commencement of encryption, and deleting an equal number of consecutive messages immediately after     encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While     cryptographically novel, the security impact of this attack is fortunately very limited as it only allows     deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user     user authentication from proceeding and results in a stuck connection. The most serious identified impact     is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing     the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5.
    There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this     protocol weakness through a new strict KEX protocol extension that will be automatically enabled when     both the client and server support it. This extension makes two changes to the SSH transport protocol to     improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the     connection if any unnecessary or unexpected message is received during key exchange (including messages     that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability     from the early protocol. Secondly, it resets the Message Authentication Code counter at the conclusion of     each key exchange, preventing previously inserted messages from being able to make persistent changes to     the sequence number across completion of a key exchange. Either of these changes should be sufficient to     thwart the Terrapin Attack. More details of these changes are in the PROTOCOL file in the OpenSSH source     distribition. (CVE-2023-48795)

  - ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the     PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular     private keys, FIDO tokens and unconstrained keys are unaffected. (CVE-2023-51384)

  - ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a     ProxyCommand, LocalCommand directive or match exec predicate referenced the user or hostname via %u, %h     or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could     potentially perform command injection depending on what quoting was present in the user-supplied     ssh_config(5) directive. This situation could arise in the case of git submodules, where a repository     could contain a submodule with shell characters in its user/hostname. Git does not ban shell     metacharacters in user or host names when checking out repositories from untrusted sources. Although we     believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially     across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters     from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be     effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters     potentially relevant to user-supplied commands. User/hostnames provided via ssh_config(5) are not subject     to these restrictions, allowing configurations that use strange names to continue to be used, under the     assumption that the user knows what they are doing in their own configuration files. (CVE-2023-51385)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6565-1 advisory.

    It was discovered that OpenSSH incorrectly handled supplemental groups when running helper programs for     AuthorizedKeysCommand and AuthorizedPrincipalsCommand as a different user. An attacker could possibly use     this issue to escalate privileges. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-41617)

    It was discovered that OpenSSH incorrectly added destination constraints when PKCS#11 token keys were     added to ssh-agent, contrary to expectations. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
    (CVE-2023-51384)

    It was discovered that OpenSSH incorrectly handled user names or host names with shell metacharacters. An     attacker could possibly use this issue to perform OS command injection. (CVE-2023-51385)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5586 advisory.

  - sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows     privilege escalation because supplemental groups are not initialized as expected. Helper programs for     AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group     memberships of the sshd process, if the configuration specifies running the command as a different user.
    (CVE-2021-41617)

  - ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination     constraints. The earliest affected version is 8.9. (CVE-2023-28531)

  - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other     products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the     extension negotiation message), and a client and server may consequently end up with a connection for     which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because     the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and     mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of     ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and     (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API     before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80,     AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0,     Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15,     SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH     through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang     XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd     through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and     LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3,     Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server     before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the     mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh     crate before 0.40.2 for Rust. (CVE-2023-48795)

  - In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When     destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints     are only applied to the first key, even if a PKCS#11 token returns multiple keys. (CVE-2023-51384)

  - In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell     metacharacters, and this name is referenced by an expansion token in certain situations. For example, an     untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
    (CVE-2023-51385)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the openssh package has been released.

ID	Name	Product	Family	Published	Updated	Severity
201646	CBL Mariner 2.0 Security Update: openssh (CVE-2023-51384)	Nessus	MarinerOS Local Security Checks	7/3/2024	7/3/2024	medium
187201	OpenSSH < 9.6 Multiple Vulnerabilities	Nessus	Misc.	12/22/2023	7/5/2024	medium
187627	Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : OpenSSH vulnerabilities (USN-6565-1)	Nessus	Ubuntu Local Security Checks	1/3/2024	8/27/2024	high
187213	Debian DSA-5586-1 : openssh - security update	Nessus	Debian Local Security Checks	12/22/2023	7/5/2024	critical
191713	macOS 14.x < 14.4 Multiple Vulnerabilities (HT214084)	Nessus	MacOS X Local Security Checks	3/7/2024	11/4/2024	high
203548	Photon OS 4.0: Openssh PHSA-2024-4.0-0545	Nessus	PhotonOS Local Security Checks	7/23/2024	7/23/2024	medium
203576	Photon OS 5.0: Openssh PHSA-2024-5.0-0188	Nessus	PhotonOS Local Security Checks	7/23/2024	7/23/2024	medium

Detections

Analytics

Plugins Search

medium

medium

high

critical

high

medium

medium