ID CVE-2018-1000805
Summary Paramiko versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 contain an Incorrect Access Control vulnerability in the SSH server implementation that can result in RCE: the server-side authentication handling does not ensure a client has completed authentication before later requests are processed. This attack appears to be exploitable via network connectivity.
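The summary names the bug class (post-authentication requests accepted before authentication has succeeded) but not the check a server must make. The following is an added, stand-alone Python model written for this page; it is not Paramiko's code. It shows a minimal SSH server-side dispatcher in two modes: one that hands channel-open messages to their handler regardless of authentication state (the unpatched behaviour), and one that refuses any connection-protocol message (numbers above the userauth range) until userauth has succeeded. Message numbers are taken from RFC 4252/4254; `ServerSession`, the password and the packet sequences are constructed for the demonstration.

```python
"""
Model of the server-side gate CVE-2018-1000805 was missing: an SSH server
must refuse connection-protocol messages (channel opens, global requests)
from a peer that has not completed userauth.

Added illustration for this page, not Paramiko's code. Message numbers are
from RFC 4252/4254; the packet sequences below are constructed for the demo.
"""
import struct

# SSH message numbers (RFC 4252 userauth, RFC 4254 connection protocol).
MSG_USERAUTH_REQUEST = 50
MSG_USERAUTH_FAILURE = 51
MSG_USERAUTH_SUCCESS = 52
MSG_GLOBAL_REQUEST = 80
MSG_REQUEST_FAILURE = 82
MSG_CHANNEL_OPEN = 90
MSG_CHANNEL_OPEN_CONFIRMATION = 91
MSG_CHANNEL_OPEN_FAILURE = 92
OPEN_ADMINISTRATIVELY_PROHIBITED = 1  # RFC 4254 section 5.1 reason code

# Message numbers above 79 belong to the connection protocol and are only
# meaningful once userauth has succeeded.
HIGHEST_USERAUTH_MSG = 79


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length + bytes)."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


class ServerSession:
    """Minimal server-side state: auth flag, open channels, replies sent."""

    def __init__(self, password: bytes, enforce_auth: bool):
        self._password = password
        self.enforce_auth = enforce_auth  # False reproduces the bug class
        self.authenticated = False
        self.channels = {}   # sender channel id -> channel kind
        self.replies = []    # (msg_type, payload) tuples the server "sends"

    def _userauth_request(self, body: bytes):
        _user, off = read_string(body, 0)
        _service, off = read_string(body, off)
        method, off = read_string(body, off)
        ok = False
        if method == b"password":
            off += 1  # boolean FALSE: no password change
            pw, _ = read_string(body, off)
            ok = pw == self._password
        self.authenticated = ok
        self.replies.append((MSG_USERAUTH_SUCCESS if ok else MSG_USERAUTH_FAILURE, b""))

    def _channel_open(self, body: bytes):
        kind, off = read_string(body, 0)
        (chanid,) = struct.unpack_from(">I", body, off)
        self.channels[chanid] = kind.decode()
        self.replies.append((MSG_CHANNEL_OPEN_CONFIRMATION, struct.pack(">I", chanid)))

    def _global_request(self, body: bytes):
        self.replies.append((MSG_REQUEST_FAILURE, b""))

    _handlers = {
        MSG_USERAUTH_REQUEST: _userauth_request,
        MSG_CHANNEL_OPEN: _channel_open,
        MSG_GLOBAL_REQUEST: _global_request,
    }

    def _ensure_authed(self, ptype: int, body: bytes):
        """Return a refusal reply for a post-auth message sent before auth
        succeeded, or None if the message may be dispatched."""
        if ptype <= HIGHEST_USERAUTH_MSG or self.authenticated:
            return None
        if ptype == MSG_CHANNEL_OPEN:
            _kind, off = read_string(body, 0)
            (chanid,) = struct.unpack_from(">I", body, off)
            return (MSG_CHANNEL_OPEN_FAILURE,
                    struct.pack(">II", chanid, OPEN_ADMINISTRATIVELY_PROHIBITED))
        return (MSG_REQUEST_FAILURE, b"")

    def dispatch(self, ptype: int, body: bytes):
        handler = self._handlers.get(ptype)
        if handler is None:
            return
        if self.enforce_auth:  # the missing check: gate by auth state first
            refusal = self._ensure_authed(ptype, body)
            if refusal is not None:
                self.replies.append(refusal)
                return
        handler(self, body)


def channel_open_session(chanid: int) -> bytes:
    """CHANNEL_OPEN 'session' body: kind, sender channel, window, max packet."""
    return ssh_string(b"session") + struct.pack(">III", chanid, 32768, 32768)


def run_unauthenticated_client(enforce_auth: bool) -> ServerSession:
    """Constructed attack sequence: skip userauth, send CHANNEL_OPEN directly."""
    s = ServerSession(password=b"correct horse", enforce_auth=enforce_auth)
    s.dispatch(MSG_CHANNEL_OPEN, channel_open_session(0))
    return s


def run_honest_client() -> ServerSession:
    """Constructed normal sequence: password userauth, then CHANNEL_OPEN."""
    s = ServerSession(password=b"correct horse", enforce_auth=True)
    s.dispatch(MSG_USERAUTH_REQUEST,
               ssh_string(b"alice") + ssh_string(b"ssh-connection")
               + ssh_string(b"password") + b"\x00" + ssh_string(b"correct horse"))
    s.dispatch(MSG_CHANNEL_OPEN, channel_open_session(0))
    return s


if __name__ == "__main__":
    print("unpatched, no auth:", run_unauthenticated_client(False).channels)
    print("patched, no auth:  ", run_unauthenticated_client(True).replies)
    print("patched, authed:   ", run_honest_client().channels)
```

In the unpatched mode the session ends up with an open "session" channel for a peer that never authenticated, which is the state from which command execution follows; with the gate in place the same CHANNEL_OPEN is answered with CHANNEL_OPEN_FAILURE and no channel exists. The gate is applied before any handler lookup so that every connection-protocol message, not just channel opens, is covered.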
References
Vulnerable Configurations
  • cpe:2.3:a:paramiko:paramiko:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:1.18.5:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:paramiko:paramiko:1.17.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
CVSS (v2)
Base: 6.5 (as of 06-04-2022 - 18:35)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1637263
    title CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment python-paramiko is earlier than 0:2.1.1-9.el7
            oval oval:com.redhat.rhsa:tst:20183347001
          • comment python-paramiko is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20181124002
        • AND
          • comment python-paramiko-doc is earlier than 0:2.1.1-9.el7
            oval oval:com.redhat.rhsa:tst:20183347003
          • comment python-paramiko-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20183347004
    rhsa
    id RHSA-2018:3347
    released 2018-10-30
    severity Critical
    title RHSA-2018:3347: python-paramiko security update (Critical)
  • bugzilla
    id 1637263
    title CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment python-paramiko is earlier than 0:1.7.5-5.el6_10
        oval oval:com.redhat.rhsa:tst:20183406001
      • comment python-paramiko is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20181124002
    rhsa
    id RHSA-2018:3406
    released 2018-10-30
    severity Critical
    title RHSA-2018:3406: python-paramiko security update (Critical)
  • rhsa
    id RHBA-2018:3497
  • rhsa
    id RHSA-2018:3505
rpms
  • rhvm-appliance-2:4.2-20181026.1.el7
  • python-paramiko-0:2.1.1-9.el7
  • python-paramiko-doc-0:2.1.1-9.el7
  • python-paramiko-0:1.7.5-4.el6_4.1
  • python-paramiko-0:1.7.5-4.el6_5.1
  • python-paramiko-0:1.7.5-4.el6_6.1
  • python-paramiko-0:1.7.5-4.el6_7.1
  • python-paramiko-0:1.7.5-5.el6_10
  • imgbased-0:1.0.29-1.el7ev
  • python-imgbased-0:1.0.29-1.el7ev
  • redhat-release-virtualization-host-0:4.2-7.3.el7
  • redhat-virtualization-host-image-update-0:4.2-20181026.0.el7_6
  • redhat-virtualization-host-image-update-placeholder-0:4.2-7.3.el7
refmap via4
confirm https://github.com/paramiko/paramiko/issues/1283
misc https://herolab.usd.de/wp-content/uploads/sites/4/usd20180023.txt
mlist [debian-lts-announce] 20181027 [SECURITY] [DLA 1556-1] paramiko security update
ubuntu
  • USN-3796-1
  • USN-3796-2
  • USN-3796-3
Last major update 06-04-2022 - 18:35
Published 08-10-2018 - 15:29
Last modified 06-04-2022 - 18:35