├── LICENSE
├── cvescan
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright 2022 by phx

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/cvescan:
--------------------------------------------------------------------------------
#!/bin/sh

usage() {
  echo "
Usage: cvescan [options]

Options:
  [no arguments - first run]           initial install/update of CVE databases and exit.

  -h | --help                          display this help text and exit.
  -u | --update                        update CVE databases and exit.
  -1 | --vulners [nmap arguments]      nmap scan using ONLY vulners NSE script.
  -2 | --vulscan [nmap arguments]      nmap scan using ONLY vulscan NSE script.
  -3 | --all [nmap arguments]          nmap scan using BOTH vulners AND vulscan. (optional)

  [nmap arguments]                     Same as running with '-3' or '--all'.
                                       Default functionality is to use BOTH vulners AND vulscan.

The following additional arguments can be added when using '-2', '--vulscan', '-3', '--all',
(or default nmap arguments) in order to only use specific vulscan databases to return results:

  --script-args vulscandb=cve.csv
  --script-args vulscandb=exploitdb.csv
  --script-args vulscandb=openvas.csv
  --script-args vulscandb=osvdb.csv
  --script-args vulscandb=scipvuldb.csv
  --script-args vulscandb=securityfocus.csv
  --script-args vulscandb=securitytracker.csv
  --script-args vulscandb=xforce.csv
"
}

if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  usage; exit 0
fi

# Make sure we're running as root: the nmap script directory is root-owned
# and nmap needs root for raw-socket scan types.
if [ "$(id -u)" != "0" ]; then
  echo "$0 must be run as root or with 'sudo'"; exit 1
fi

# Check for dependencies:
programs="nmap git"
for program in $programs; do
  if ! command -v "$program" >/dev/null 2>&1; then
    echo "$program must already be installed to run this script"; exit 1
  fi
done

workdir="$PWD"
if [ "$(uname -s)" = "Darwin" ]; then
  nmapdir="/usr/local/share/nmap/scripts"
else
  nmapdir="/usr/share/nmap/scripts"
fi
cd "$nmapdir" || exit 1

# Make sure vulscan is installed and updated. This clones scipag/vulscan and
# runs its updater as root, so review that repository before relying on it.
if [ ! -d vulscan ]; then
  git clone https://github.com/scipag/vulscan.git || exit 1
  cd vulscan/utilities/updater || exit 1
  chmod +x updateFiles.sh
  ./updateFiles.sh
  echo "Next time, run $0 with normal nmap arguments to do a CVE scan"
  exit 0
fi

# Options for updating vulscan databases:
if [ "$1" = "-u" ] || [ "$1" = "--update" ]; then
  echo 'Updating vulscan databases...'
  cd vulscan/utilities/updater || exit 1
  ./updateFiles.sh
  exit $?
elif [ "$1" ]; then
  cd "$workdir" || exit 1
  # Pick the NSE script set; anything else on the command line is an nmap
  # argument and is passed through untouched.
  case "$1" in
    -1|--vulners) shift; scripts="vulners";                 label="script: vulners" ;;
    -2|--vulscan) shift; scripts="vulscan/vulscan";         label="script: vulscan" ;;
    -3|--all)     shift; scripts="vulners,vulscan/vulscan"; label="scripts: vulners and vulscan" ;;
    *)                   scripts="vulners,vulscan/vulscan"; label="scripts: vulners and vulscan" ;;
  esac
  # Both scripts match on the service/version string, so -sV is required;
  # add it unless the caller already asked for version detection.
  sv=""
  for arg in "$@"; do
    case "$arg" in
      -sV|-A) sv="yes" ;;
    esac
  done
  echo "Running nmap with $label"
  if [ "$sv" ]; then
    nmap --script "$scripts" "$@"
  else
    nmap --script "$scripts" -sV "$@"
  fi
else
  usage; exit 1
fi

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVEscan

Dependencies:
- `/bin/sh`
- `nmap`
- `git`

This program makes sure you have all the prerequisites ready to scan for CVEs using `nmap`.
Once the NSE scripts are in place, we do a full CVE scan using `nmap` under the hood, so all normal `nmap` options are available.
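The command assembly described above, as an added example that is not code from the cvescan project: the same mode-to-script mapping and the automatic `-sV`, written as functions so each piece can be checked on its own. Arguments are passed as `"$@"` so values containing spaces survive, `-A` is treated as already enabling version detection (nmap's `-A` implies `-sV`), and a small helper pulls unique CVE IDs out of saved scan output. `NMAP_BIN`, `has_version_detection`, `scripts_for_mode`, `run_cve_scan` and `extract_cve_ids` are names chosen for this example, and `SAMPLE_OUTPUT` is a constructed snippet in the shape of the vulscan output shown further down, not a real scan.

```shell
#!/bin/sh
# Added example, not code from the cvescan project: the command assembly
# cvescan performs, written as functions so that the pieces can be tested on
# their own. NMAP_BIN is a hook invented for this example: leave it unset to
# run nmap, or set it to "echo" to print the command line instead.

NMAP_BIN="${NMAP_BIN:-nmap}"

# has_version_detection ARG... : succeed if version detection is already
# requested. vulners and vulscan match on the service/version string, so
# without -sV (or -A, which implies it) there is nothing for them to match.
has_version_detection() {
  for arg in "$@"; do
    case "$arg" in
      -sV|-A) return 0 ;;
    esac
  done
  return 1
}

# scripts_for_mode MODE : print nmap's --script value for a cvescan mode.
scripts_for_mode() {
  case "$1" in
    vulners) echo "vulners" ;;
    vulscan) echo "vulscan/vulscan" ;;
    all)     echo "vulners,vulscan/vulscan" ;;
    *)       echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# run_cve_scan MODE NMAP_ARG... : run nmap with the NSE scripts for MODE,
# adding -sV unless the caller already asked for version detection.
# Plain variables rather than 'local', since this is POSIX sh.
run_cve_scan() {
  mode="$1"; shift
  scripts="$(scripts_for_mode "$mode")" || return 2
  if has_version_detection "$@"; then
    "$NMAP_BIN" --script "$scripts" "$@"
  else
    "$NMAP_BIN" --script "$scripts" -sV "$@"
  fi
}

# extract_cve_ids : read saved scan output on stdin and print each CVE ID
# once, sorted. Turns the long vulscan listing into a short list that can be
# cross-checked against the service version that is actually running.
extract_cve_ids() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | LC_ALL=C sort -u
}

# Constructed sample in the shape of cvescan's output (not a real scan).
SAMPLE_OUTPUT='PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| vulscan: MITRE CVE - https://cve.mitre.org:
| [CVE-2010-4755] The remote_glob function in sftp-glob.c in OpenSSH 5.8 and earlier allows a denial of service
| [CVE-1999-0661] A system is running a version of software that was replaced with a Trojan Horse
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [102780] OpenSSH CVE-2016-10708 Multiple Denial of Service Vulnerabilities
| [94977] OpenSSH CVE-2016-10011 Local Information Disclosure Vulnerability
| [94977] OpenSSH CVE-2016-10011 Local Information Disclosure Vulnerability'

# Usage when run directly, e.g.:  sh example.sh all 192.0.2.10 -p22
# Without arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then
  run_cve_scan "$@"
fi
```

The `-sV|-A` check is deliberately an exact match on single arguments; a missed case only costs a redundant `-sV`, which nmap accepts without complaint. To see the list of CVE IDs a saved scan produced, pipe the file through `extract_cve_ids` (for example `cat scan.txt | extract_cve_ids`), then check each ID against the version string `-sV` reported rather than trusting the match.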

Since `vulners` is now a part of `nmap`, this script just makes sure that `vulscan` is also installed and that its databases are up to date
before running `nmap`.

Feel free to use and edit as necessary for your use case.

## Usage:

```
Usage: cvescan [options]

Options:
  [no arguments - first run]           initial install/update of CVE databases and exit.

  -h | --help                          display this help text and exit.
  -u | --update                        update CVE databases and exit.
  -1 | --vulners [nmap arguments]      nmap scan using ONLY vulners NSE script.
  -2 | --vulscan [nmap arguments]      nmap scan using ONLY vulscan NSE script.
  -3 | --all [nmap arguments]          nmap scan using BOTH vulners AND vulscan. (optional)

  [nmap arguments]                     Same as running with '-3' or '--all'.
                                       Default functionality is to use BOTH vulners AND vulscan.

The following additional arguments can be added when using '-2', '--vulscan', '-3', '--all',
(or default nmap arguments) in order to only use specific vulscan databases to return results:

  --script-args vulscandb=cve.csv
  --script-args vulscandb=exploitdb.csv
  --script-args vulscandb=openvas.csv
  --script-args vulscandb=osvdb.csv
  --script-args vulscandb=scipvuldb.csv
  --script-args vulscandb=securityfocus.csv
  --script-args vulscandb=securitytracker.csv
  --script-args vulscandb=xforce.csv
```

## Example Usage:

`git clone https://github.com/phx/cvescan && cd cvescan`

Put `cvescan` somewhere in your `$PATH` where you can summon it by name whenever you need it:

`sudo cp cvescan /usr/local/bin/`

First time usage:

`sudo cvescan`

Update the CVE databases:

`sudo cvescan -u`

Actually running a CVE scan:

`sudo cvescan google.com -p443`

(Yadda, yadda: it takes all normal `nmap` arguments.)

**Note:**

- requires `-sV`, and will add it automatically if it's not an existing argument.
- `vulscan` matches on the product and version string that `-sV` reports, so the output includes many entries that do not apply to the version actually running (the example below lists issues from the OpenSSH 2.x and 3.x era against OpenSSH 8.1). Treat the results as a list of candidates to verify, not as confirmed findings.
- the script runs as root and, on first run, clones `vulscan` from GitHub and executes its updater; review that code if that matters in your environment.

## Example Output

```
MACC02ZQ8F3MD6X:cvescan phx$ sudo cvescan 127.0.0.1 -p22
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-13 09:37 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| vulscan: VulDB - https://vuldb.com:
| [170814] OpenSSH up to 8.4 ssh-agent double free
| [158983] OpenSSH up to 8.3p1 scp scp.c privilege escalation
| [157436] OpenSSH up to 8.3 Algorithm Negotiation information disclosure
| [155909] OpenSSH 8.2 scp Client privilege escalation
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
| [CVE-1999-0661] A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.
| [CVE-2007-4654] Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [102780] OpenSSH CVE-2016-10708 Multiple Denial of Service Vulnerabilities
| [101552] OpenSSH 'sftp-server.c' Remote Security Bypass Vulnerability
| [94977] OpenSSH CVE-2016-10011 Local Information Disclosure Vulnerability
| [94975] OpenSSH CVE-2016-10012 Security Bypass Vulnerability
| [94972] OpenSSH CVE-2016-10010 Privilege Escalation Vulnerability
| [94968] OpenSSH CVE-2016-10009 Remote Code Execution Vulnerability
| [93776] OpenSSH 'ssh/kex.c' Denial of Service Vulnerability
| [92212] OpenSSH CVE-2016-6515 Denial of Service Vulnerability
| [92210] OpenSSH CBC Padding Weak Encryption Security Weakness
| [92209] OpenSSH MAC Verification Security Bypass Vulnerability
| [91812] OpenSSH CVE-2016-6210 User Enumeration Vulnerability
| [90440] OpenSSH CVE-2004-1653 Remote Security Vulnerability
| [90340] OpenSSH CVE-2004-2760 Remote Security Vulnerability
| [89385] OpenSSH CVE-2005-2666 Local Security Vulnerability
| [88655] OpenSSH CVE-2001-1382 Remote Security Vulnerability
| [88513] OpenSSH CVE-2000-0999 Remote Security Vulnerability
| [88367] OpenSSH CVE-1999-1010 Local Security Vulnerability
| [87789] OpenSSH CVE-2003-0682 Remote Security Vulnerability
| [86187] OpenSSH 'session.c' Local Security Bypass Vulnerability
| [86144] OpenSSH CVE-2007-2768 Remote Security Vulnerability
| [84427] OpenSSH CVE-2016-1908 Security Bypass Vulnerability
| [84314] OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability
| [84185] OpenSSH CVE-2006-4925 Denial-Of-Service Vulnerability
| [81293] OpenSSH CVE-2016-1907 Denial of Service Vulnerability
| [80698] OpenSSH CVE-2016-0778 Heap Based Buffer Overflow Vulnerability
| [80695] OpenSSH CVE-2016-0777 Information Disclosure Vulnerability
| [76497] OpenSSH CVE-2015-6565 Local Security Bypass Vulnerability
| [76317] OpenSSH PAM Support Multiple Remote Code Execution Vulnerabilities
| [75990] OpenSSH Login Handling Security Bypass Weakness
| [75525] OpenSSH 'x11_open_helper()' Function Security Bypass Vulnerability
| [71420] Portable OpenSSH 'gss-serv-krb5.c' Security Bypass Vulnerability
| [68757] OpenSSH Multiple Remote Denial of Service Vulnerabilities
| [66459] OpenSSH Certificate Validation Security Bypass Vulnerability
| [66355] OpenSSH 'child_set_env()' Function Security Bypass Vulnerability
| [65674] OpenSSH 'ssh-keysign.c' Local Information Disclosure Vulnerability
| [65230] OpenSSH 'schnorr.c' Remote Memory Corruption Vulnerability
| [63605] OpenSSH 'sshd' Process Remote Memory Corruption Vulnerability
| [61286] OpenSSH Remote Denial of Service Vulnerability
| [58894] GSI-OpenSSH PAM_USER Security Bypass Vulnerability
| [58162] OpenSSH CVE-2010-5107 Denial of Service Vulnerability
| [54114] OpenSSH 'ssh_gssapi_parse_ename()' Function Denial of Service Vulnerability
| [51702] Debian openssh-server Forced Command Handling Information Disclosure Vulnerability
| [50416] Linux Kernel 'kdump' and 'mkdumprd' OpenSSH Integration Remote Information Disclosure Vulnerability
| [49473] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [48507] OpenSSH 'pam_thread()' Remote Buffer Overflow Vulnerability
| [47691] Portable OpenSSH 'ssh-keysign' Local Unauthorized Access Vulnerability
| [46155] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [45304] OpenSSH J-PAKE Security Bypass Vulnerability
| [36552] Red Hat Enterprise Linux OpenSSH 'ChrootDirectory' Option Local Privilege Escalation Vulnerability
| [32319] OpenSSH CBC Mode Information Disclosure Vulnerability
| [30794] Red Hat OpenSSH Backdoor Vulnerability
| [30339] OpenSSH 'X11UseLocalhost' X11 Forwarding Session Hijacking Vulnerability
| [30276] Debian OpenSSH SELinux Privilege Escalation Vulnerability
| [28531] OpenSSH ForceCommand Command Execution Weakness
| [28444] OpenSSH X Connections Session Hijacking Vulnerability
| [26097] OpenSSH LINUX_AUDIT_RECORD_EVENT Remote Log Injection Weakness
| [25628] OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
| [23601] OpenSSH S/Key Remote Information Disclosure Vulnerability
| [20956] OpenSSH Privilege Separation Key Signature Weakness
| [20418] OpenSSH-Portable Existing Password Remote Information Disclosure Weakness
| [20245] OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
| [20241] Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
| [20216] OpenSSH Duplicated Block Remote Denial of Service Vulnerability
| [16892] OpenSSH Remote PAM Denial Of Service Vulnerability
| [14963] OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
| [14729] OpenSSH GSSAPI Credential Disclosure Vulnerability
| [14727] OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
| [11781] OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability
| [9986] RCP, OpenSSH SCP Client File Corruption Vulnerability
| [9040] OpenSSH PAM Conversation Memory Scrubbing Weakness
| [8677] Multiple Portable OpenSSH PAM Vulnerabilities
| [8628] OpenSSH Buffer Mismanagement Vulnerabilities
| [7831] OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability
| [7482] OpenSSH Remote Root Authentication Timing Side-Channel Weakness
| [7467] OpenSSH-portable Enabled PAM Delay Information Disclosure Vulnerability
| [7343] OpenSSH Authentication Execution Path Timing Information Leakage Weakness
| [6168] OpenSSH Visible Password Vulnerability
| [5374] OpenSSH Trojan Horse Vulnerability
| [5093] OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
| [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [4241] OpenSSH Channel Code Off-By-One Vulnerability
| [3614] OpenSSH UseLogin Environment Variable Passing Vulnerability
| [3560] OpenSSH Kerberos Arbitrary Privilege Elevation Vulnerability
| [3369] OpenSSH Key Based Source IP Access Control Bypass Vulnerability
| [3345] OpenSSH SFTP Command Restriction Bypassing Vulnerability
| [2917] OpenSSH PAM Session Evasion Vulnerability
| [2825] OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability
| [2356] OpenSSH Private Key Authentication Check Vulnerability
| [1949] OpenSSH Client Unauthorized Remote Forwarding Vulnerability
| [1334] OpenSSH UseLogin Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [83258] GSI-OpenSSH auth-pam.c security bypass
| [82781] OpenSSH time limit denial of service
| [82231] OpenSSH pam_ssh_agent_auth PAM code execution
| [74809] OpenSSH ssh_gssapi_parse_ename denial of service
| [72756] Debian openssh-server commands information disclosure
| [68339] OpenSSH pam_thread buffer overflow
| [67264] OpenSSH ssh-keysign unauthorized access
| [65910] OpenSSH remote_glob function denial of service
| [65163] OpenSSH certificate information disclosure
| [64387] OpenSSH J-PAKE security bypass
| [63337] Cisco Unified Videoconferencing OpenSSH weak security
| [46620] OpenSSH and multiple SSH Tectia products CBC mode information disclosure
| [45202] OpenSSH signal handler denial of service
| [44747] RHEL OpenSSH backdoor
| [44280] OpenSSH PermitRootLogin information disclosure
| [44279] OpenSSH sshd weak security
| [44037] OpenSSH sshd SELinux role unauthorized access
| [43940] OpenSSH X11 forwarding information disclosure
| [41549] OpenSSH ForceCommand directive security bypass
| [41438] OpenSSH sshd session hijacking
| [40897] OpenSSH known_hosts weak security
| [40587] OpenSSH username weak security
| [37371] OpenSSH username data manipulation
| [37118] RHSA update for OpenSSH privilege separation monitor authentication verification weakness not installed
| [37112] RHSA update for OpenSSH signal handler race condition not installed
| [37107] RHSA update for OpenSSH identical block denial of service not installed
| [36637] OpenSSH X11 cookie privilege escalation
| [35167] OpenSSH packet.c newkeys[mode] denial of service
| [34490] OpenSSH OPIE information disclosure
| [33794] OpenSSH ChallengeResponseAuthentication information disclosure
| [32975] Apple Mac OS X OpenSSH denial of service
| [32387] RHSA-2006:0738 updates for openssh not installed
| [32359] RHSA-2006:0697 updates for openssh not installed
| [32230] RHSA-2006:0298 updates for openssh not installed
| [32132] RHSA-2006:0044 updates for openssh not installed
| [30120] OpenSSH privilege separation monitor authentication verification weakness
| [29255] OpenSSH GSSAPI user enumeration
| [29254] OpenSSH signal handler race condition
| [29158] OpenSSH identical block denial of service
| [28147] Apple Mac OS X OpenSSH nonexistent user login denial of service
| [25116] OpenSSH OpenPAM denial of service
| [24305] OpenSSH SCP shell expansion command execution
| [22665] RHSA-2005:106 updates for openssh not installed
| [22117] OpenSSH GSSAPI allows elevated privileges
| [22115] OpenSSH GatewayPorts security bypass
| [20930] OpenSSH sshd.c LoginGraceTime denial of service
| [19441] Sun Solaris OpenSSH LDAP (1) client authentication denial of service
| [17213] OpenSSH allows port bouncing attacks
| [16323] OpenSSH scp file overwrite
| [13797] OpenSSH PAM information leak
| [13271] OpenSSH could allow an attacker to corrupt the PAM conversion stack
| [13264] OpenSSH PAM code could allow an attacker to gain access
| [13215] OpenSSH buffer management errors could allow an attacker to execute code
| [13214] OpenSSH memory vulnerabilities
| [13191] OpenSSH large packet buffer overflow
| [12196] OpenSSH could allow an attacker to bypass login restrictions
| [11970] OpenSSH could allow an attacker to obtain valid administrative account
| [11902] OpenSSH PAM support enabled information leak
| [9803] OpenSSH "
| [9763] OpenSSH downloaded from the OpenBSD FTP site or OpenBSD FTP mirror sites could contain a Trojan Horse
| [9307] OpenSSH is running on the system
| [9169] OpenSSH "
| [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
| [8697] FreeBSD libutil in OpenSSH fails to drop privileges prior to using the login class capability database
| [8383] OpenSSH off-by-one error in channel code
| [7647] OpenSSH UseLogin option arbitrary code execution
| [7634] OpenSSH using sftp and restricted keypairs could allow an attacker to bypass restrictions
| [7598] OpenSSH with Kerberos allows attacker to gain elevated privileges
| [7179] OpenSSH source IP access control bypass
| [6757] OpenSSH "
| [6676] OpenSSH X11 forwarding symlink attack could allow deletion of arbitrary files
| [6084] OpenSSH 2.3.1 allows remote users to bypass authentication
| [5517] OpenSSH allows unauthorized access to resources
| [4646] OpenSSH UseLogin option allows remote users to execute commands as root
|
| Exploit-DB - https://www.exploit-db.com:
| [21579] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (2)
| [21578] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (1)
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [21314] OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability
| [20253] OpenSSH 1.2 scp File Create/Overwrite Vulnerability
| [17462] FreeBSD OpenSSH 3.5p1 - Remote Root Exploit
| [14866] Novell Netware 6.5 - OpenSSH Remote Stack Overflow
| [6094] Debian OpenSSH Remote SELinux Privilege Elevation Exploit (auth)
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [1572] Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
| [258] glibc-2.2 and openssh-2.3.0p1 exploits glibc => 2.1.9x
| [26] OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh)
| [25] OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
| [900179] OpenSSH CBC Mode Information Disclosure Vulnerability
| [881183] CentOS Update for openssh CESA-2012:0884 centos6
| [880802] CentOS Update for openssh CESA-2009:1287 centos5 i386
| [880746] CentOS Update for openssh CESA-2009:1470 centos5 i386
| [870763] RedHat Update for openssh RHSA-2012:0884-04
| [870129] RedHat Update for openssh RHSA-2008:0855-01
| [861813] Fedora Update for openssh FEDORA-2010-5429
| [861319] Fedora Update for openssh FEDORA-2007-395
| [861170] Fedora Update for openssh FEDORA-2007-394
| [861012] Fedora Update for openssh FEDORA-2007-715
| [840345] Ubuntu Update for openssh vulnerability USN-597-1
| [840300] Ubuntu Update for openssh update USN-612-5
| [840271] Ubuntu Update for openssh vulnerability USN-612-2
| [840268] Ubuntu Update for openssh update USN-612-7
| [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
| [840214] Ubuntu Update for openssh vulnerability USN-566-1
| [831074] Mandriva Update for openssh MDVA-2010:162 (openssh)
| [830929] Mandriva Update for openssh MDVA-2010:090 (openssh)
| [830807] Mandriva Update for openssh MDVA-2010:026 (openssh)
| [830603] Mandriva Update for openssh MDVSA-2008:098 (openssh)
| [830523] Mandriva Update for openssh MDVSA-2008:078 (openssh)
| [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-qt)
| [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
| [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow Vulnerability
| [103503] openssh-server Forced Command Handling Information Disclosure Vulnerability
| [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [100584] OpenSSH X Connections Session Hijacking Vulnerability
| [100153] OpenSSH CBC Mode Information Disclosure Vulnerability
| [66170] CentOS Security Advisory CESA-2009:1470 (openssh)
| [65987] SLES10: Security update for OpenSSH
| [65819] SLES10: Security update for OpenSSH
| [65514] SLES9: Security update for OpenSSH
| [65513] SLES9: Security update for OpenSSH
| [65334] SLES9: Security update for OpenSSH
| [65248] SLES9: Security update for OpenSSH
| [65218] SLES9: Security update for OpenSSH
| [65169] SLES9: Security update for openssh,openssh-askpass
| [65126] SLES9: Security update for OpenSSH
| [65019] SLES9: Security update for OpenSSH
| [65015] SLES9: Security update for OpenSSH
| [64931] CentOS Security Advisory CESA-2009:1287 (openssh)
| [61639] Debian Security Advisory DSA 1638-1 (openssh)
| [61030] Debian Security Advisory DSA 1576-2 (openssh)
| [61029] Debian Security Advisory DSA 1576-1 (openssh)
| [60840] FreeBSD Security Advisory (FreeBSD-SA-08:05.openssh.asc)
| [60803] Gentoo Security Advisory GLSA 200804-03 (openssh)
| [60667] Slackware Advisory SSA:2008-095-01 openssh
| [59014] Slackware Advisory SSA:2007-255-01 openssh
| [58741] Gentoo Security Advisory GLSA 200711-02 (openssh)
| [57919] Gentoo Security Advisory GLSA 200611-06 (openssh)
| [57895] Gentoo Security Advisory GLSA 200609-17 (openssh)
| [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
| [57492] Slackware Advisory SSA:2006-272-02 openssh
| [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
| [57476] FreeBSD Security Advisory (FreeBSD-SA-06:22.openssh.asc)
| [57470] FreeBSD Ports: openssh
| [56352] FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)
| [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
| [56294] Slackware Advisory SSA:2006-045-06 openssh
| [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
| [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
| [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
| [53788] Debian Security Advisory DSA 025-1 (openssh)
| [52638] FreeBSD Security Advisory (FreeBSD-SA-03:15.openssh.asc)
| [52635] FreeBSD Security Advisory (FreeBSD-SA-03:12.openssh.asc)
| [11343] OpenSSH Client Unauthorized Remote Forwarding
| [10954] OpenSSH AFS/Kerberos ticket/token passing
| [10883] OpenSSH Channel Code Off by 1
| [10823] OpenSSH UseLogin Environment Variables
|
| SecurityTracker - https://www.securitytracker.com:
| [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets Remote Users Execute Arbitrary Code
| [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive Information
| [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote Users Execute Arbitrary Code
| [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
| [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
| [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users Gain Elevated Privileges
| [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain Plain Text in Certain Cases
| [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
| [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
| [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
| [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands
| [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
| [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
| [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the Monitor to Fail to Properly Control the Unprivileged Process
| [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service and May Potentially Permit Code Execution
| [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine Valid Usernames
| [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users Deny Service
| [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
| [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
| [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
| [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose GSSAPI Credentials in Certain Cases
| [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases
| [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services
| [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
| [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
| [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
| [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose Valid User Account Names to Remote Users
| [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User Passwords to Remote Users During Man-in-the-Middle Attacks
| [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
| [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote Users to Authenticated to the System
| [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
| [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
| [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
| [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to Partially Authenticate When Authentication Should Not Be Permitted
| [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts
| [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
| [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server
| [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
|
| OSVDB - http://www.osvdb.org:
| [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
| [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function Calling Local Privilege Escalation
| [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation Remote DoS
| [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
| [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys Command Option Debug Message Information Disclosure
| [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
| [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote DoS
| [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
| [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
| [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
| [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
| [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
| [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation
| [56921] OpenSSH Unspecified Remote Compromise
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context Disclosure
| [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
| [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role Access
| [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
| [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
| [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
| [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
| [43745] OpenSSH X11 Forwarding Local Session Hijacking
| [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
| [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
| [37315] pam_usb OpenSSH Authentication Unspecified Issue
| [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
| [34601] OPIE w/ OpenSSH Account Enumeration
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [30232] OpenSSH Privilege Separation Monitor Weakness
| [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [29152] OpenSSH Identical Block Packet DoS
| [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
| [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [20216] OpenSSH with KerberosV Remote Authentication Bypass
| [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
| [19141] OpenSSH GSSAPIAuthentication Credential Escalation
| [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [5536] OpenSSH
sftp-server Restricted Keypair Restriction Bypass 444 | | [5408] OpenSSH echo simulation Information Disclosure 445 | | [5113] OpenSSH NIS YP Netgroups Authentication Bypass 446 | | [4536] OpenSSH Portable AIX linker Privilege Escalation 447 | | [3938] OpenSSL and OpenSSH /dev/random Check Failure 448 | | [3456] OpenSSH buffer_append_space() Heap Corruption 449 | | [2557] OpenSSH Multiple Buffer Management Multiple Overflows 450 | | [2140] OpenSSH w/ PAM Username Validity Timing Attack 451 | | [2112] OpenSSH Reverse DNS Lookup Bypass 452 | | [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness 453 | | [1853] OpenSSH Symbolic Link 'cookies' File Removal 454 | | [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow 455 | | [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow 456 | | [730] OpenSSH Channel Code Off by One Remote Privilege Escalation 457 | | [688] OpenSSH UseLogin Environment Variable Local Command Execution 458 | | [642] OpenSSH Multiple Key Type ACL Bypass 459 | | [504] OpenSSH SSHv2 Public Key Authentication Bypass 460 | | [341] OpenSSH UseLogin Local Privilege Escalation 461 | |_ 462 | | vulners: 463 | | cpe:/a:openbsd:openssh:8.1: 464 | | CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778 465 | | C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 6.8 https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3 *EXPLOIT* 466 | | 10213DBE-F683-58BB-B6D3-353173626207 6.8 https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207 *EXPLOIT* 467 | | CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617 468 | | CVE-2019-16905 4.4 https://vulners.com/cve/CVE-2019-16905 469 | | MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ *EXPLOIT* 470 | | MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ *EXPLOIT* 471 | | 
MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ *EXPLOIT* 472 | | MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ *EXPLOIT* 473 | | MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ *EXPLOIT* 474 | | CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145 475 | |_ CVE-2016-20012 4.3 https://vulners.com/cve/CVE-2016-20012 476 | 477 | Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 478 | Nmap done: 1 IP address (1 host up) scanned in 5.24 seconds 479 | ``` 480 | --------------------------------------------------------------------------------
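The vulners block above is the part of a cvescan run most people act on, and in a real scan it is buried under hundreds of vulscan lines. As an added example (not part of cvescan, nmap or the vulners NSE script), the POSIX sh/awk filter below reads a saved nmap text report (`-oN`), keeps only vulners entries at or above a CVSS threshold, and marks the ones vulners tagged `*EXPLOIT*`. The function names `vulners_findings` and `vulners_exploit_count` are mine; the embedded sample is a trimmed, constructed copy of the vulners entries shown above.

```sh
#!/bin/sh
# Added example (not part of cvescan): filter the vulners NSE block of an nmap text report.
# Usage: cvescan -1 -sV -oN scan.txt TARGET; vulners_findings 5.0 < scan.txt
# Prints "cpe <TAB> id <TAB> cvss <TAB> exploit(yes/no) <TAB> url" for every entry whose
# CVSS score is >= the threshold given as $1 (default 0). The vulscan block is ignored.

vulners_findings() {
  awk -v min="${1:-0}" '
    # "| vulners:" (or "|_ vulners:") opens a block; remember the CPE it was matched against
    $1 ~ /^[|]_?$/ && $2 == "vulners:" { inblk = 1; cpe = ""; next }
    inblk && $2 ~ /^cpe:/ { cpe = $2; sub(/:$/, "", cpe); next }
    # A finding line is "|  ID  SCORE  URL [*EXPLOIT*]". Real output separates the fields
    # with tabs; awk default field splitting treats tabs and spaces alike.
    inblk && NF >= 4 && $3 ~ /^[0-9]+(\.[0-9]+)?$/ && $4 ~ /^https?:/ {
      exploit = ($5 == "*EXPLOIT*") ? "yes" : "no"
      if ($3 + 0 >= min + 0) printf "%s\t%s\t%s\t%s\t%s\n", cpe, $2, $3, exploit, $4
    }
    # "|_" is the last line of a script block; a line not starting with "|" ends it too
    inblk && ($1 == "|_" || $0 !~ /^[|]/) { inblk = 0 }
  '
}

# Count how many of the filtered findings carry the *EXPLOIT* tag (same threshold in $1)
vulners_exploit_count() {
  vulners_findings "${1:-0}" | awk -F '\t' '$4 == "yes" { n++ } END { print n + 0 }'
}

# Constructed sample: the vulners block from the scan above, trimmed to five entries
SAMPLE='| vulners: 
|   cpe:/a:openbsd:openssh:8.1: 
|     CVE-2020-15778  6.8  https://vulners.com/cve/CVE-2020-15778
|     C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3  6.8  https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3  *EXPLOIT*
|     MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/  *EXPLOIT*
|     CVE-2021-41617  4.4  https://vulners.com/cve/CVE-2021-41617
|_    CVE-2016-20012  4.3  https://vulners.com/cve/CVE-2016-20012

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .'

# Show only findings rated 5.0 or higher from the sample
printf '%s\n' "$SAMPLE" | vulners_findings 5.0
```

Treat the filtered list as candidates, not confirmed vulnerabilities: vulners matches on the CPE and version string taken from the service banner (`cpe:/a:openbsd:openssh:8.1` above), so a distribution package that backports fixes while still announcing 8.1 will be listed for CVEs it has already patched. Check the package changelog or a vendor advisory before reporting an entry, and use the `*EXPLOIT*` rows to decide which ones to verify first.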