Anolis OS update for openssh

1) Security restrictions bypass

EUVDB-ID: #VU16946

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-20685

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of filenames by the scp.c source code file in the SCP client . A remote unauthenticated attacker can trick the victim into accessing a file with the filename of . or an empty filename from an attacker-controlled Secure Shell (SSH) server to bypass access restrictions on the system, which could be used to conduct further attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

pam_ssh_agent_auth: before 0.10.3-7.13.0.1

openssh-server: before 8.0p1-13.0.1

openssh-ldap: before 8.0p1-13.0.1

openssh-keycat: before 8.0p1-13.0.1

openssh-clients: before 8.0p1-13.0.1

openssh-cavs: before 8.0p1-13.0.1

openssh-askpass: before 8.0p1-13.0.1

openssh: before 8.0p1-13.0.1

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:pam_ssh_agent_auth:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-server:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-ldap:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-keycat:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-clients:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-cavs:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-askpass:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0433

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU16990

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-6109

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The weakness exists due to accepting and displaying arbitrary stderr output from the scp server by the scp client. A malicious SCP server can use the object name to manipulate the client output, for example to employ ANSI codes to hide additional files being transferred.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

pam_ssh_agent_auth: before 0.10.3-7.13.0.1

openssh-server: before 8.0p1-13.0.1

openssh-ldap: before 8.0p1-13.0.1

openssh-keycat: before 8.0p1-13.0.1

openssh-clients: before 8.0p1-13.0.1

openssh-cavs: before 8.0p1-13.0.1

openssh-askpass: before 8.0p1-13.0.1

openssh: before 8.0p1-13.0.1

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:pam_ssh_agent_auth:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-server:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-ldap:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-keycat:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-clients:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-cavs:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-askpass:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0433

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU16988

Risk: Low

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-6111

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to missing received object name validation by the scp client. A malicious SCP server can overwrite arbitrary files in the SCP client target directory. If a recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example overwrite .ssh/authorized_keys).

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

pam_ssh_agent_auth: before 0.10.3-7.13.0.1

openssh-server: before 8.0p1-13.0.1

openssh-ldap: before 8.0p1-13.0.1

openssh-keycat: before 8.0p1-13.0.1

openssh-clients: before 8.0p1-13.0.1

openssh-cavs: before 8.0p1-13.0.1

openssh-askpass: before 8.0p1-13.0.1

openssh: before 8.0p1-13.0.1

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:pam_ssh_agent_auth:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-server:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-ldap:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-keycat:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-clients:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-cavs:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-askpass:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0433

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU32937

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-14145

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in openssh client during algorithm negotiation due to observable discrepancy. A remote attacker can perform a Man-in-the-Middle (MitM) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

pam_ssh_agent_auth: before 0.10.3-7.13.0.1

openssh-server: before 8.0p1-13.0.1

openssh-ldap: before 8.0p1-13.0.1

openssh-keycat: before 8.0p1-13.0.1

openssh-clients: before 8.0p1-13.0.1

openssh-cavs: before 8.0p1-13.0.1

openssh-askpass: before 8.0p1-13.0.1

openssh: before 8.0p1-13.0.1

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:pam_ssh_agent_auth:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-server:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-ldap:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-keycat:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-clients:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-cavs:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-askpass:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0433

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Privilege Management

EUVDB-ID: #VU58333

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-41617

CWE-ID: CWE-269 - Improper Privilege Management

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management in sshd, when certain non-default configurations are used, because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. A local user can escalate privileges on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

pam_ssh_agent_auth: before 0.10.3-7.13.0.1

openssh-server: before 8.0p1-13.0.1

openssh-ldap: before 8.0p1-13.0.1

openssh-keycat: before 8.0p1-13.0.1

openssh-clients: before 8.0p1-13.0.1

openssh-cavs: before 8.0p1-13.0.1

openssh-askpass: before 8.0p1-13.0.1

openssh: before 8.0p1-13.0.1

CPE2.3

• cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
• cpe:2.3:a:openanolis:pam_ssh_agent_auth:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-server:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-ldap:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-keycat:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-clients:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-cavs:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh-askpass:*:*:*:*:*:anolis_os:*:*
• cpe:2.3:a:openanolis:openssh:*:*:*:*:*:anolis_os:*:*

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0433

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.