ID CVE-2017-15906
Summary The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
References
Vulnerable Configurations
  • OpenBSD OpenSSH 1.2
    cpe:2.3:a:openbsd:openssh:1.2
  • OpenBSD OpenSSH 1.2.1
    cpe:2.3:a:openbsd:openssh:1.2.1
  • OpenBSD OpenSSH 1.2.2
    cpe:2.3:a:openbsd:openssh:1.2.2
  • OpenBSD OpenSSH 1.2.3
    cpe:2.3:a:openbsd:openssh:1.2.3
  • OpenBSD OpenSSH 1.2.27
    cpe:2.3:a:openbsd:openssh:1.2.27
  • OpenBSD OpenSSH 1.3
    cpe:2.3:a:openbsd:openssh:1.3
  • OpenBSD OpenSSH 1.5
    cpe:2.3:a:openbsd:openssh:1.5
  • OpenBSD OpenSSH 1.5.7
    cpe:2.3:a:openbsd:openssh:1.5.7
  • OpenBSD OpenSSH 1.5.8
    cpe:2.3:a:openbsd:openssh:1.5.8
  • OpenBSD OpenSSH 2
    cpe:2.3:a:openbsd:openssh:2
  • OpenBSD OpenSSH 2.1
    cpe:2.3:a:openbsd:openssh:2.1
  • OpenBSD OpenSSH 2.1.1
    cpe:2.3:a:openbsd:openssh:2.1.1
  • OpenBSD OpenSSH 2.2
    cpe:2.3:a:openbsd:openssh:2.2
  • OpenBSD OpenSSH 2.3
    cpe:2.3:a:openbsd:openssh:2.3
  • OpenBSD OpenSSH 2.3.1
    cpe:2.3:a:openbsd:openssh:2.3.1
  • OpenBSD OpenSSH 2.5
    cpe:2.3:a:openbsd:openssh:2.5
  • OpenBSD OpenSSH 2.5.1
    cpe:2.3:a:openbsd:openssh:2.5.1
  • OpenBSD OpenSSH 2.5.2
    cpe:2.3:a:openbsd:openssh:2.5.2
  • OpenBSD OpenSSH 2.9
    cpe:2.3:a:openbsd:openssh:2.9
  • OpenBSD OpenSSH 2.9.9
    cpe:2.3:a:openbsd:openssh:2.9.9
  • OpenBSD OpenSSH 2.9.9 p2
    cpe:2.3:a:openbsd:openssh:2.9.9p2
  • OpenBSD OpenSSH 2.9 p1
    cpe:2.3:a:openbsd:openssh:2.9p1
  • OpenBSD OpenSSH 2.9 p2
    cpe:2.3:a:openbsd:openssh:2.9p2
  • OpenBSD OpenSSH 3.0
    cpe:2.3:a:openbsd:openssh:3.0
  • OpenBSD OpenSSH 3.0.1
    cpe:2.3:a:openbsd:openssh:3.0.1
  • OpenBSD OpenSSH 3.0.1 p1
    cpe:2.3:a:openbsd:openssh:3.0.1p1
  • OpenBSD OpenSSH 3.0.2
    cpe:2.3:a:openbsd:openssh:3.0.2
  • OpenBSD OpenSSH 3.0.2p1
    cpe:2.3:a:openbsd:openssh:3.0.2p1
  • OpenBSD OpenSSH 3.0 p1
    cpe:2.3:a:openbsd:openssh:3.0p1
  • OpenBSD OpenSSH 3.1
    cpe:2.3:a:openbsd:openssh:3.1
  • OpenBSD OpenSSH 3.1 p1
    cpe:2.3:a:openbsd:openssh:3.1p1
  • OpenBSD OpenSSH 3.2
    cpe:2.3:a:openbsd:openssh:3.2
  • OpenBSD OpenSSH 3.2.2
    cpe:2.3:a:openbsd:openssh:3.2.2
  • OpenBSD OpenSSH 3.2.2 p1
    cpe:2.3:a:openbsd:openssh:3.2.2p1
  • OpenBSD OpenSSH 3.2.3 p1
    cpe:2.3:a:openbsd:openssh:3.2.3p1
  • OpenBSD OpenSSH 3.3
    cpe:2.3:a:openbsd:openssh:3.3
  • OpenBSD OpenSSH 3.3 p1
    cpe:2.3:a:openbsd:openssh:3.3p1
  • OpenBSD OpenSSH 3.4
    cpe:2.3:a:openbsd:openssh:3.4
  • OpenBSD OpenSSH 3.4 p1
    cpe:2.3:a:openbsd:openssh:3.4p1
  • OpenBSD OpenSSH 3.5
    cpe:2.3:a:openbsd:openssh:3.5
  • OpenBSD OpenSSH 3.5 p1
    cpe:2.3:a:openbsd:openssh:3.5p1
  • OpenBSD OpenSSH 3.6
    cpe:2.3:a:openbsd:openssh:3.6
  • OpenBSD OpenSSH 3.6.1
    cpe:2.3:a:openbsd:openssh:3.6.1
  • OpenBSD OpenSSH 3.6.1 p1
    cpe:2.3:a:openbsd:openssh:3.6.1p1
  • OpenBSD OpenSSH 3.6.1 p2
    cpe:2.3:a:openbsd:openssh:3.6.1p2
  • OpenBSD OpenSSH 3.7
    cpe:2.3:a:openbsd:openssh:3.7
  • OpenBSD OpenSSH 3.7.1
    cpe:2.3:a:openbsd:openssh:3.7.1
  • OpenBSD OpenSSH 3.7.1 p1
    cpe:2.3:a:openbsd:openssh:3.7.1p1
  • OpenBSD OpenSSH 3.7.1 p2
    cpe:2.3:a:openbsd:openssh:3.7.1p2
  • OpenBSD OpenSSH 3.8
    cpe:2.3:a:openbsd:openssh:3.8
  • OpenBSD OpenSSH 3.8.1
    cpe:2.3:a:openbsd:openssh:3.8.1
  • OpenBSD OpenSSH 3.8.1 p1
    cpe:2.3:a:openbsd:openssh:3.8.1p1
  • OpenBSD OpenSSH 3.9
    cpe:2.3:a:openbsd:openssh:3.9
  • OpenBSD OpenSSH 3.9.1
    cpe:2.3:a:openbsd:openssh:3.9.1
  • OpenBSD OpenSSH 3.9.1 p1
    cpe:2.3:a:openbsd:openssh:3.9.1p1
  • OpenBSD OpenSSH 4.0
    cpe:2.3:a:openbsd:openssh:4.0
  • OpenBSD OpenSSH Portable 4.0.p1
    cpe:2.3:a:openbsd:openssh:4.0p1
  • OpenBSD OpenSSH 4.1
    cpe:2.3:a:openbsd:openssh:4.1
  • OpenBSD OpenSSH Portable 4.1.p1
    cpe:2.3:a:openbsd:openssh:4.1p1
  • OpenBSD OpenSSH 4.2
    cpe:2.3:a:openbsd:openssh:4.2
  • OpenBSD OpenSSH Portable 4.2.p1
    cpe:2.3:a:openbsd:openssh:4.2p1
  • OpenBSD OpenSSH 4.3
    cpe:2.3:a:openbsd:openssh:4.3
  • OpenBSD OpenSSH Portable 4.3.p1
    cpe:2.3:a:openbsd:openssh:4.3p1
  • OpenBSD OpenSSH Portable 4.3.p2
    cpe:2.3:a:openbsd:openssh:4.3p2
  • OpenBSD OpenSSH 4.4
    cpe:2.3:a:openbsd:openssh:4.4
  • OpenBSD OpenSSH Portable 4.4.p1
    cpe:2.3:a:openbsd:openssh:4.4p1
  • OpenBSD OpenSSH 4.5
    cpe:2.3:a:openbsd:openssh:4.5
  • OpenBSD OpenSSH 4.6
    cpe:2.3:a:openbsd:openssh:4.6
  • OpenBSD OpenSSH 4.7
    cpe:2.3:a:openbsd:openssh:4.7
  • OpenBSD OpenSSH 4.7p1
    cpe:2.3:a:openbsd:openssh:4.7p1
  • OpenBSD OpenSSH 4.8
    cpe:2.3:a:openbsd:openssh:4.8
  • OpenBSD OpenSSH 4.9
    cpe:2.3:a:openbsd:openssh:4.9
  • OpenBSD OpenSSH 5.0
    cpe:2.3:a:openbsd:openssh:5.0
  • OpenBSD OpenSSH 5.0 Patch 1
    cpe:2.3:a:openbsd:openssh:5.0:p1
  • OpenBSD OpenSSH 5.1
    cpe:2.3:a:openbsd:openssh:5.1
  • OpenBSD OpenSSH 5.1 Patch 1
    cpe:2.3:a:openbsd:openssh:5.1:p1
  • OpenBSD OpenSSH 5.2
    cpe:2.3:a:openbsd:openssh:5.2
  • OpenBSD OpenSSH 5.2 Patch 1
    cpe:2.3:a:openbsd:openssh:5.2:p1
  • OpenBSD OpenSSH 5.3
    cpe:2.3:a:openbsd:openssh:5.3
  • OpenBSD OpenSSH 5.3 Patch 1
    cpe:2.3:a:openbsd:openssh:5.3:p1
  • OpenBSD OpenSSH 5.4
    cpe:2.3:a:openbsd:openssh:5.4
  • OpenBSD OpenSSH 5.4 Patch 1
    cpe:2.3:a:openbsd:openssh:5.4:p1
  • OpenBSD OpenSSH 5.5
    cpe:2.3:a:openbsd:openssh:5.5
  • OpenBSD OpenSSH 5.5 Patch 1
    cpe:2.3:a:openbsd:openssh:5.5:p1
  • OpenBSD OpenSSH 5.6
    cpe:2.3:a:openbsd:openssh:5.6
  • OpenBSD OpenSSH 5.6 Patch 1
    cpe:2.3:a:openbsd:openssh:5.6:p1
  • OpenBSD OpenSSH 5.7
    cpe:2.3:a:openbsd:openssh:5.7
  • OpenBSD OpenSSH 5.7 Patch 1
    cpe:2.3:a:openbsd:openssh:5.7:p1
  • OpenBSD OpenSSH 5.8
    cpe:2.3:a:openbsd:openssh:5.8
  • OpenBSD OpenSSH 5.8 Patch 1
    cpe:2.3:a:openbsd:openssh:5.8:p1
  • OpenBSD OpenSSH 5.8p2
    cpe:2.3:a:openbsd:openssh:5.8p2
  • OpenBSD OpenSSH 5.9
    cpe:2.3:a:openbsd:openssh:5.9
  • OpenBSD OpenSSH 5.9 Patch 1
    cpe:2.3:a:openbsd:openssh:5.9:p1
  • OpenBSD OpenSSH 6.0
    cpe:2.3:a:openbsd:openssh:6.0
  • OpenBSD OpenSSH 6.0 Patch 1
    cpe:2.3:a:openbsd:openssh:6.0:p1
  • OpenBSD OpenSSH 6.1
    cpe:2.3:a:openbsd:openssh:6.1
  • OpenBSD OpenSSH 6.1 Patch 1
    cpe:2.3:a:openbsd:openssh:6.1:p1
  • OpenBSD OpenSSH 6.2
    cpe:2.3:a:openbsd:openssh:6.2
  • OpenBSD OpenSSH 6.2 Patch 1
    cpe:2.3:a:openbsd:openssh:6.2:p1
  • OpenBSD OpenSSH 6.2 Patch 2
    cpe:2.3:a:openbsd:openssh:6.2:p2
  • OpenBSD OpenSSH 6.3
    cpe:2.3:a:openbsd:openssh:6.3
  • OpenBSD OpenSSH 6.3 Patch 1
    cpe:2.3:a:openbsd:openssh:6.3:p1
  • OpenBSD OpenSSH 6.4
    cpe:2.3:a:openbsd:openssh:6.4
  • OpenBSD OpenSSH 6.4 Patch 1
    cpe:2.3:a:openbsd:openssh:6.4:p1
  • OpenBSD OpenSSH 6.5
    cpe:2.3:a:openbsd:openssh:6.5
  • OpenBSD OpenSSH 6.5 Patch 1
    cpe:2.3:a:openbsd:openssh:6.5:p1
  • OpenBSD OpenSSH 6.6
    cpe:2.3:a:openbsd:openssh:6.6
  • OpenBSD OpenSSH 6.6 Patch 1
    cpe:2.3:a:openbsd:openssh:6.6:p1
  • OpenBSD OpenSSH 6.7
    cpe:2.3:a:openbsd:openssh:6.7
  • OpenBSD OpenSSH 6.7 Patch 1
    cpe:2.3:a:openbsd:openssh:6.7:p1
  • OpenBSD OpenSSH 6.8
    cpe:2.3:a:openbsd:openssh:6.8
  • OpenBSD OpenSSH 6.8 Patch 1
    cpe:2.3:a:openbsd:openssh:6.8:p1
  • OpenBSD OpenSSH 6.9
    cpe:2.3:a:openbsd:openssh:6.9
  • OpenBSD OpenSSH 6.9 Patch 1
    cpe:2.3:a:openbsd:openssh:6.9:p1
  • OpenBSD OpenSSH 7.0
    cpe:2.3:a:openbsd:openssh:7.0
  • OpenBSD OpenSSH 7.0 Patch 1
    cpe:2.3:a:openbsd:openssh:7.0:p1
  • OpenBSD OpenSSH 7.1
    cpe:2.3:a:openbsd:openssh:7.1
  • OpenBSD OpenSSH 7.1 Patch 1
    cpe:2.3:a:openbsd:openssh:7.1:p1
  • OpenBSD OpenSSH 7.2 Patch 2
    cpe:2.3:a:openbsd:openssh:7.2:p2
  • OpenBSD OpenSSH 7.3
    cpe:2.3:a:openbsd:openssh:7.3
  • OpenBSD OpenSSH 7.3 p1
    cpe:2.3:a:openbsd:openssh:7.3:p1
  • OpenBSD OpenSSH 7.4
    cpe:2.3:a:openbsd:openssh:7.4
  • OpenBSD OpenSSH 7.4 p1
    cpe:2.3:a:openbsd:openssh:7.4:p1
  • OpenBSD OpenSSH 7.5
    cpe:2.3:a:openbsd:openssh:7.5
  • OpenBSD OpenSSH 7.5 p1
    cpe:2.3:a:openbsd:openssh:7.5:p1
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-275
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access, or, in a possible worst case, upload a file and then execute it. Web servers, FTP servers, and message-oriented middleware systems that have many integration points are particularly vulnerable, because both the programmers and the administrators must be in sync regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0051.NASL
    description An update of [rsync,linux,openssh,procmail,python2,libvirt] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111900
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111900
    title Photon OS 2.0: Libvirt / Linux / Openssh / Procmail / Python2 / Rsync PHSA-2017-0051 (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3230-1.NASL
    description This update for openssh fixes the following issues: Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 105093
    published 2017-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105093
    title SUSE SLED12 / SLES12 Security Update : openssh (SUSE-SU-2017:3230-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2685-1.NASL
    description This update for openssh provides the following fixes : Security issues fixed : CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). CVE-2016-10012: Remove pre-auth compression support from the server to prevent possible cryptographic attacks (bsc#1016370). CVE-2008-1483: Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). Bug fixes: bsc#1017099: Enable case-insensitive hostname matching. bsc#1023275: Add a new switch for printing diagnostic messages in sftp client's batch mode. bsc#1048367: systemd integration to work around various race conditions. bsc#1053972: Remove duplicate KEX method. bsc#1092582: Add missing piece of systemd integration. Remove the limit on the amount of tasks sshd can run. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 117452
    published 2018-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117452
    title SUSE SLES12 Security Update : openssh (SUSE-SU-2018:2685-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1140.NASL
    description According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110144
    published 2018-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110144
    title EulerOS 2.0 SP1 : openssh (EulerOS-SA-2018-1140)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201801-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-201801-05 (OpenSSH: Permission issue) The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode. Impact : A remote attacker could cause the creation of zero-length files. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 105631
    published 2018-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105631
    title GLSA-201801-05 : OpenSSH: Permission issue
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1351.NASL
    description This update for openssh fixes the following issues : Security issue fixed : - CVE-2017-15906: Stricter checking of operations in read-only mode in sftp server (bsc#1065000). Bug fixes : - FIPS: Startup selfchecks (bsc#1068310). - FIPS: Silent complaints about unsupported key exchange methods (bsc#1006166). - Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509). - Test configuration before running daemon to prevent looping resulting in service shutdown (bsc#1048367) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 105237
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105237
    title openSUSE Security Update : openssh (openSUSE-2017-1351)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1141.NASL
    description According to the version of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110145
    published 2018-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110145
    title EulerOS 2.0 SP2 : openssh (EulerOS-SA-2018-1141)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-4862A3BFB1.NASL
    description Security fix for CVE-2017-15906: Improper write operations in readonly mode Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 104824
    published 2017-11-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104824
    title Fedora 26 : openssh (2017-4862a3bfb1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1018.NASL
    description Improper write operations in readonly mode allow for zero-length file creation The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906)
    last seen 2019-02-21
    modified 2018-05-11
    plugin id 109700
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109700
    title Amazon Linux AMI : openssh (ALAS-2018-1018)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-78F0991378.NASL
    description Security fix for CVE-2017-15906: Improper write operations in readonly mode (#1506630) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 105202
    published 2017-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105202
    title Fedora 25 : openssh (2017-78f0991378)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-067-01.NASL
    description New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and 14.2 to fix a security issue.
    last seen 2019-02-21
    modified 2018-03-09
    plugin id 107233
    published 2018-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107233
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : openssh (SSA:2018-067-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-96D1995B70.NASL
    description This update provides new upstream release OpenSSH 7.6 with several bug fixes and new features, including CVE-2017-15906, compatibility with WinSCP, improvement for PAM stack, enablement for s390x sandbox, new GSSAPI key exchange methods and improvement of handling kerberos tickets. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 105931
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105931
    title Fedora 27 : openssh (2017-96d1995b70)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0980.NASL
    description An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 109378
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109378
    title CentOS 7 : openssh (CESA-2018:0980)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0980.NASL
    description An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108992
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108992
    title RHEL 7 : openssh (RHSA-2018:0980)
  • NASL family Misc.
    NASL id OPENSSH_76.NASL
    description According to its banner, the version of OpenSSH running on the remote host is prior to 7.6. It is, therefore, affected by a file creation restriction bypass vulnerability related to the 'process_open' function in the file 'sftp-server.c' that allows authenticated users to create zero-length files regardless of configuration. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 103781
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103781
    title OpenSSH < 7.6
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1042.NASL
    description The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.(CVE-2017-15906)
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 110781
    published 2018-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110781
    title Amazon Linux 2 : openssh (ALAS-2018-1042)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0051_OPENSSH.NASL
    description An update of the openssh package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121772
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121772
    title Photon OS 2.0: Openssh PHSA-2017-0051
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180410_OPENSSH_ON_SL7_X.NASL
    description Security Fix(es) : - openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) Additional Changes :
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 109454
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109454
    title Scientific Linux Security Update : openssh on SL7.x x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0980.NASL
    description From Red Hat Security Advisory 2018:0980 : An update for openssh is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es) : * openssh: Improper write operations in readonly mode allow for zero-length file creation (CVE-2017-15906) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 109111
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109111
    title Oracle Linux 7 : openssh (ELSA-2018-0980)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-2275-1.NASL
    description This update for openssh fixes the following issues: Security issues fixed : - CVE-2016-10012: Fix pre-auth compression checks that could be optimized away (bsc#1016370). - CVE-2016-10708: Fix remote denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message (bsc#1076957). - CVE-2017-15906: Fix r/o sftp-server zero byte file creation (bsc#1065000). - CVE-2008-1483: Fix accidental re-introduction of CVE-2008-1483 (bsc#1069509). Bug fixes : - bsc#1017099: Match conditions with uppercase hostnames fail (bsc#1017099) - bsc#1053972: supportedKeyExchanges diffie-hellman-group1-sha1 is duplicated (bsc#1053972) - bsc#1023275: Messages suppressed after upgrade from SLES 11 SP3 to SP4 (bsc#1023275) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 111639
    published 2018-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111639
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2018:2275-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3538-1.NASL
    description Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10009) Jann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10010) Jann Horn discovered that OpenSSH incorrectly handled certain buffer memory operations. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10011) Guido Vranken discovered that OpenSSH incorrectly handled certain shared memory manager operations. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10012) Michal Zalewski discovered that OpenSSH incorrectly prevented write operations in readonly mode. A remote attacker could possibly use this issue to create zero-length files, leading to a denial of service. (CVE-2017-15906). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106266
    published 2018-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106266
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : openssh vulnerabilities (USN-3538-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0052.NASL
    description An update of [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc] packages for photonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111901
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111901
    title Photon OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3540-1.NASL
    description This update for openssh fixes the following issues : Security issues fixed : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability. (bsc#1106163) CVE-2017-15906: The process_open function in sftp-server.c in OpenSSH did not properly prevent write operations in readonly mode, which allowed attackers to create zero-length files. (bsc#1065000, bsc#1106726) CVE-2016-10708: sshd allowed remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. (bsc#1076957) CVE-2018-15473: OpenSSH was prone to a user existence oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010) CVE-2016-10012: Removed pre-auth compression support from the server to prevent possible cryptographic attacks. (bsc#1016370) Bugs fixed: Fixed failing 'AuthorizedKeysCommand' within a 'Match User' block in sshd_config (bsc#1105180) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 118498
    published 2018-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118498
    title SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3540-1)
redhat via4
advisories
bugzilla
id 1506630
title CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment openssh is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980009
      • comment openssh is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884006
    • AND
      • comment openssh-askpass is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980005
      • comment openssh-askpass is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884008
    • AND
      • comment openssh-cavs is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980011
      • comment openssh-cavs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20172029008
    • AND
      • comment openssh-clients is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980019
      • comment openssh-clients is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884014
    • AND
      • comment openssh-keycat is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980007
      • comment openssh-keycat is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20150425012
    • AND
      • comment openssh-ldap is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980021
      • comment openssh-ldap is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884012
    • AND
      • comment openssh-server is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980017
      • comment openssh-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884016
    • AND
      • comment openssh-server-sysvinit is earlier than 0:7.4p1-16.el7
        oval oval:com.redhat.rhsa:tst:20180980013
      • comment openssh-server-sysvinit is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20150425016
    • AND
      • comment pam_ssh_agent_auth is earlier than 0:0.10.3-2.16.el7
        oval oval:com.redhat.rhsa:tst:20180980015
      • comment pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120884010
rhsa
id RHSA-2018:0980
released 2018-04-10
severity Low
title RHSA-2018:0980: openssh security, bug fix, and enhancement update (Low)
rpms
  • openssh-0:7.4p1-16.el7
  • openssh-askpass-0:7.4p1-16.el7
  • openssh-cavs-0:7.4p1-16.el7
  • openssh-clients-0:7.4p1-16.el7
  • openssh-keycat-0:7.4p1-16.el7
  • openssh-ldap-0:7.4p1-16.el7
  • openssh-server-0:7.4p1-16.el7
  • openssh-server-sysvinit-0:7.4p1-16.el7
  • pam_ssh_agent_auth-0:0.10.3-2.16.el7
refmap via4
bid 101552
confirm
gentoo GLSA-201801-05
mlist [debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update
Last major update 25-10-2017 - 23:29
Published 25-10-2017 - 23:29
Last modified 11-09-2018 - 06:29