Test Kennung:	1.3.6.1.4.1.25623.1.1.2.2020.1657
Kategorie:	Huawei EulerOS Local Security Checks
Titel:	Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2020-1657)
Zusammenfassung:	The remote host is missing an update for the Huawei EulerOS 'openssh' package(s) announced via the EulerOS-SA-2020-1657 advisory.
Beschreibung:	Summary: The remote host is missing an update for the Huawei EulerOS 'openssh' package(s) announced via the EulerOS-SA-2020-1657 advisory. Vulnerability Insight: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.'(CVE-2018-15919) An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.(CVE-2019-6109) An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).(CVE-2019-6111) Affected Software/OS: 'openssh' package(s) on Huawei EulerOS V2.0SP2. Solution: Please install the updated package(s). CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2019-6109 Debian Security Information: DSA-4387 (Google Search) https://www.debian.org/security/2019/dsa-4387 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W3YVQ2BPTOVDCFDVNC2GGF5P5ISFG37G/ https://security.gentoo.org/glsa/201903-16 https://cvsweb.openbsd.org/src/usr.bin/ssh/progressmeter.c https://cvsweb.openbsd.org/src/usr.bin/ssh/scp.c https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html RedHat Security Advisories: RHSA-2019:3702 https://access.redhat.com/errata/RHSA-2019:3702 SuSE Security Announcement: openSUSE-SU-2019:1602 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00058.html https://usn.ubuntu.com/3885-1/ Common Vulnerability Exposure (CVE) ID: CVE-2019-6111 BugTraq ID: 106741 http://www.securityfocus.com/bid/106741 https://www.exploit-db.com/exploits/46193/ FreeBSD Security Advisory: FreeBSD-EN-19:10 https://www.freebsd.org/security/advisories/FreeBSD-EN-19:10.scp.asc https://bugzilla.redhat.com/show_bug.cgi?id=1677794 https://lists.apache.org/thread.html/c45d9bc90700354b58fb7455962873c44229841880dcb64842fa7d23@%3Cdev.mina.apache.org%3E https://lists.apache.org/thread.html/c7301cab36a86825359e1b725fc40304d1df56dc6d107c1fe885148b@%3Cdev.mina.apache.org%3E https://lists.apache.org/thread.html/e47597433b351d6e01a5d68d610b4ba195743def9730e49561e8cf3f@%3Cdev.mina.apache.org%3E https://lists.apache.org/thread.html/d540139359de999b0f1c87d05b715be4d7d4bec771e1ae55153c5c7a@%3Cdev.mina.apache.org%3E http://www.openwall.com/lists/oss-security/2019/04/18/1 https://usn.ubuntu.com/3885-2/
Copyright	Copyright (C) 2020 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.