1.2.25

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

ssh

nessus

NVD

Published: 1998-06-12

Updated: 2024-11-20

Summary

SSH 1.2.25, 1.2.23, and other versions, when used in in CBC (Cipher Block Chaining) or CFB (Cipher Feedback 64 bits) modes, allows remote attackers to insert arbitrary data into an existing stream between an SSH client and server by using a known plaintext attack and computing a valid CRC-32 checksum for the packet, aka the "SSH insertion attack."

Vulnerable Configurations

Part	Description	Count
Application	Ssh SSH Secure Shell 1.2.25 SSH Secure Shell 1.2.23	2

Nessus

NASL family	Misc.
NASL id	SSH_INSERTION.NASL
description	The remote host is running a version of SSH that is older than (or as old as) version 1.2.23. The remote version of this software is vulnerable to a known plaintext attack, which could allow an attacker to insert encrypted packets in the client - server stream that will be deciphered by the server, thus allowing the attacker to execute arbitrary commands on the remote server
last seen	2020-06-01
modified	2020-06-02
plugin id	10268
published	1999-07-23
reporter	This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/10268
title	SSH CBC/CFB Data Stream Injection
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if(description) { script_id(10268); script_version ("1.36"); script_cvs_date("Date: 2018/07/30 15:31:32"); script_cve_id("CVE-1999-1085"); script_name(english:"SSH CBC/CFB Data Stream Injection"); script_set_attribute(attribute:"synopsis", value: "The remote SSH server contains a cryptographical weakness that might allow a third party to decrypt the traffic." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of SSH that is older than (or as old as) version 1.2.23. The remote version of this software is vulnerable to a known plaintext attack, which could allow an attacker to insert encrypted packets in the client - server stream that will be deciphered by the server, thus allowing the attacker to execute arbitrary commands on the remote server" ); script_set_attribute(attribute:"solution", value: "Upgrade to version 1.2.25 of SSH which solves this problem." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "1999/07/23"); script_set_attribute(attribute:"vuln_publication_date", value: "1998/06/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Checks for the remote SSH version"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc."); script_family(english:"Misc."); script_dependencie("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } # # The script code starts here # include("backport.inc"); port = get_kb_item("Services/ssh"); if(!port)port = 22; banner = get_kb_item("SSH/banner/" + port ); if ( ! banner ) exit(0); banner = get_backport_banner(banner:banner); if ( "openssh" >< tolower(banner) ) exit(0); if(ereg(pattern:"^SSH-.*-1\.2(\.([0-9]\|1[0-9]\|2[0123])\|)$", string:banner)) security_warning(port);

Summary

Vulnerable Configurations

Nessus

References