Test ID:	1.3.6.1.4.1.25623.1.0.120615
Category:	Amazon Linux Local Security Checks
Title:	Amazon Linux: Security Advisory (ALAS-2015-625)
Summary:	The remote host is missing an update for the 'openssh' package(s) announced via the ALAS-2015-625 advisory.
Description:	Summary: The remote host is missing an update for the 'openssh' package(s) announced via the ALAS-2015-625 advisory. Vulnerability Insight: A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users. It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks. A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges. Affected Software/OS: 'openssh' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 8.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-5600 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html BugTraq ID: 75990 http://www.securityfocus.com/bid/75990 BugTraq ID: 91787 http://www.securityfocus.com/bid/91787 BugTraq ID: 92012 http://www.securityfocus.com/bid/92012 http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162955.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165170.html http://seclists.org/fulldisclosure/2015/Jul/92 https://security.gentoo.org/glsa/201512-04 https://www.arista.com/en/support/advisories-notices/security-advisories/1174-security-advisory-12 https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html http://openwall.com/lists/oss-security/2015/07/23/4 RedHat Security Advisories: RHSA-2016:0466 http://rhn.redhat.com/errata/RHSA-2016-0466.html http://www.securitytracker.com/id/1032988 SuSE Security Announcement: SUSE-SU-2015:1581 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00017.html http://www.ubuntu.com/usn/USN-2710-1 http://www.ubuntu.com/usn/USN-2710-2 Common Vulnerability Exposure (CVE) ID: CVE-2015-6563 http://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html BugTraq ID: 76317 http://www.securityfocus.com/bid/76317 http://seclists.org/fulldisclosure/2015/Aug/54 http://www.openwall.com/lists/oss-security/2015/08/22/1 RedHat Security Advisories: RHSA-2016:0741 http://rhn.redhat.com/errata/RHSA-2016-0741.html Common Vulnerability Exposure (CVE) ID: CVE-2015-6564
Copyright	Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.