OpenSSH < 9.3 Multiple Vulnerabilities

critical Nessus Plugin ID 173384

Language:

Synopsis

The SSH server running on the remote host is affected by multiple vulnerabilities.

Description

The version of OpenSSH installed on the remote host is prior to 9.3. It is, therefore, affected by multiple vulnerabilities as referenced in the release-9.3 advisory.

- ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add
-h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. (CVE-2023-28531)

- ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to OpenSSH version 9.3 or later.

See Also

https://www.openssh.com/txt/release-9.3

Plugin Details

Severity : Critical

ID : 173384

File Name : openssh_93.nasl

Version : 1.1

Type : remote

Family : Misc.

Published : 3/24/2023

Updated : 3/27/2023

Configuration : Enable paranoid mode

Risk Information

VPR

Risk Factor : Medium

Score : 6.7

CVSS v2

Risk Factor : Critical

Base Score : 10

Temporal Score : 7.4

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector : E:U/RL:OF/RC:C

CVSS Score Source : CVE-2023-28531

CVSS v3

Risk Factor : Critical

Base Score : 9.8

Temporal Score : 8.5

Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector : E:U/RL:O/RC:C

Vulnerability Information

CPE : cpe:/a:openbsd:openssh

Required KB Items : Settings/ParanoidReport

Exploit Ease : No known exploits are available

Patch Publication Date : 3/15/2023

Vulnerability Publication Date : 3/15/2023

Reference Information

CVE : CVE-2023-28531

IAVA : 2023-A-0152