Vulnerabilities > CVE-2000-0535
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Summary
OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 2 |
Nessus
NASL family Gain a shell remotely NASL id OPENSSL_OVERFLOW_GENERIC_TEST.NASL description The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself. last seen 2020-03-18 modified 2002-08-05 plugin id 11060 published 2002-08-05 reporter This script is Copyright (C) 2002-2018 Solar Eclipse / Renaud Deraison source https://www.tenable.com/plugins/nessus/11060 title OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities code #TRUSTED 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 # # (C) Tenable Network Security, Inc. # # Thanks to Solar Eclipse <[email protected]>, who did most # of the work. # # Will incidentally cover CVE-2001-1141 and CVE-2000-0535 # include("compat.inc"); if (description) { script_id(11060); script_version("1.61"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id( "CVE-2000-0535", "CVE-2001-1141", "CVE-2002-0655", "CVE-2002-0656", "CVE-2002-0657", "CVE-2002-0659" ); script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366); script_xref(name:"SuSE", value:"SUSE-SA:2002:033"); script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities"); script_summary(english:"Checks for the behavior of OpenSSL"); script_set_attribute(attribute:"synopsis", value: "The remote service uses a library that is affected by a buffer overflow vulnerability."); script_set_attribute(attribute:"description", value: "The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3. 
Such versions are affected by a buffer overflow that may allow an attacker to execute arbitrary commands on the remote host with the privileges of the application itself."); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05"); script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison"); script_family(english:"Gain a shell remotely"); script_dependencies("ssl_supported_versions.nasl"); script_require_keys("SSL/Supported"); exit(0); } include("byte_func.inc"); include("ftp_func.inc"); include("global_settings.inc"); include("kerberos_func.inc"); include("ldap_func.inc"); include("misc_func.inc"); include("nntp_func.inc"); include("smtp_func.inc"); include("ssl_funcs.inc"); include("telnet2_func.inc"); if ( safe_checks() && report_paranoia < 2 ) exit(0); #------------------------------ Consts ----------------------# client_hello = raw_string( 0x80, 0x31, 0x01, 0x00, 0x02, 0x00, 0x18,0x00, 0x00, 0x00, 0x10,0x07, 0x00, 0xC0, 0x05, 0x00, 0x80, 0x03, 0x00, 0x80, 0x01, 0x00, 0x80, 
0x08, 0x00, 0x80, 0x06, 0x00, 0x40, 0x04, 0x00, 0x80, 0x02, 0x00, 0x80, 0xE4, 0xBD, 0x00, 0x00, 0xA4, 0x41, 0xB6, 0x74, 0x71, 0x2B, 0x27, 0x95, 0x44, 0xC0, 0x3D, 0xC0); poison = raw_string( 0x80,0x5a,0x2,0x7, 0x0,0xc0,0x0,0x0, 0x0,0x40,0x0,0x10, 0x19,0x53,0xf,0x55, 0x5e,0xaa,0x68,0x71, 0x3,0x27,0x4,0x5a, 0x1f,0x5,0xea,0x33, 0x29,0x5b,0xb9,0x3f, 0x7d,0x28,0xe6,0x4c, 0xd4,0xb3,0x8e,0x36, 0x44,0xb5,0x86,0x6c, 0x6c,0x6,0xc1,0x5c, 0x45,0x73,0xb8,0x11, 0x55,0x23,0x3e,0x2a, 0x52,0xe0,0x52,0x30, 0xda,0xf8,0xee,0x15, 0x79,0xe1,0x3c,0x68, 0x36,0xd1,0x14,0x26, 0xae,0xd4,0x30,0x2, 0x0,0x0,0x0,0x0, 0x4,0x0,0x0,0x0, 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41); big_poison = raw_string( 0x81, 0xca, 0x2, 0x7, 0x0, 0xc0, 0x0, 0x0, 0x0, 0x40, 0x1, 0x80, 0xa4, 0x20, 0xb4, 0x44, 0xd, 0xe, 0x7c, 0x5, 0xc2, 0x21, 0x28, 0x4d, 0xd3, 0xab, 0x6b, 0x72, 0x10, 0xa3, 0x64, 0x7e, 0x9, 0x7e, 0xe8, 0x28, 0xe, 0x98, 0x5a, 0x5, 0x2f, 0x32, 0xbb, 0xa, 0x3c, 0xe0, 0x58, 0x5a, 0xc5, 0xf1, 0x91, 0x36, 0x1a, 0x27, 0x2c, 0x37, 0x4b, 0xc2, 0xd2, 0x49, 0x28, 0xc4, 0xf1, 0x76, 0x41, 0xe5, 0xa4, 0x2d, 0xe6, 0x9a, 0x55, 0x7e, 0x27, 0x38, 0x89, 0x13, 0x0, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41); #-------- The code. We need the check what happens on each port ------------# moderate_report = "Note that since safe checks are enabled, this check might be fooled by non-openssl implementations and produce a false positive. In doubt, re-execute the scan without the safe checks"; get_kb_item_or_exit("SSL/Supported"); port = get_ssl_ports(fork:TRUE); if (isnull(port)) exit(1, "The host does not appear to have any SSL-based services."); # Find out if the port is open. 
#
# Probe sequence for the port selected above. It relies on client_hello,
# poison, big_poison and moderate_report, all defined earlier in this script.
#
# Pass 1 (always): handshake, then the short test record. Only a reply longer
#   than 5 bytes is treated as suspicious. With safe checks enabled the
#   finding is reported at that point, with the false-positive caveat from
#   moderate_report attached.
# Pass 2 (safe checks disabled only): new connection, same handshake, then the
#   larger test record. The port is reported when nothing at all comes back.
#
# NOTE(review): pass 2 infers the flaw from the service going silent, so it
# presumably disrupts the listener under test - run it only where an outage
# of that service is acceptable.
#
if (!get_port_state(port)) exit(0, "Port " + port + " is not open.");

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc) exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send(socket:soc, data:client_hello);
reply = recv(socket:soc, length:8192);
if (!strlen(reply)) exit(0);

send(socket:soc, data:poison);
reply = recv(socket:soc, length:10);
close(soc);

# A reply of 5 bytes or fewer ends the check without a report.
if (strlen(reply) > 5)
{
  if (safe_checks())
  {
    # Response-length heuristic only; moderate_report explains the caveat.
    security_hole(port:port, extra: moderate_report);
  }
  else
  {
    # Connect to the port, issuing the StartTLS command if necessary.
    soc = open_sock_ssl(port);
    if (!soc) exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

    send(socket:soc, data:client_hello);
    reply = recv(socket:soc, length:8192);
    if (!strlen(reply)) exit(0);

    # A partial send would make the result meaningless, so give up quietly.
    sent = send(socket:soc, data:big_poison);
    if (sent != strlen(big_poison)) exit(0);

    reply = recv(socket:soc, length:4096);
    close(soc);

    # No data at all after the large record is the reported condition.
    if (strlen(reply) == 0) security_hole(port);
  }
}
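# Listing metadata as shown on the hosting page:
#   NASL family : Web Servers
#   NASL id     : OPENSSL_0_9_5A.NASL
#   description : According to its banner, the version of OpenSSL running on
#                 the remote host is less than 0.9.5a. On a FreeBSD system
#                 running on the Alpha architecture, versions earlier than that
#                 may not use the /dev/random and /dev/urandom devices to
#                 provide a strong source of cryptographic entropy, which could
#                 lead to the generation of keys with weak cryptographic
#                 strength.
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 17707
#   published   : 2011-11-18
#   reporter    : This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/17707
#   title       : OpenSSL < 0.9.5a /dev/random Check Failure
#
# (C) Tenable Network Security, Inc.
#
# Purpose: banner-only check. It reads the OpenSSL version advertised in the
# HTTP "Server:" response header and warns when that version is below 0.9.5a.
#
# Limits a reader should keep in mind:
#  - Nothing here confirms that the host is FreeBSD on Alpha, the only
#    platform named in the description; the finding is therefore registered
#    as a potential vulnerability and the script runs only with paranoid
#    reporting (report_paranoia >= 2).
#  - The version comes from a header the server operator controls, so a
#    hidden or rewritten banner defeats the check in either direction.
#  - Upgrading alone is not the whole fix: the solution text also calls for
#    re-generating keys created by the affected versions.
#

include("compat.inc");

if (description)
{
  script_id(17707);
  script_version("1.7");
  script_cvs_date("Date: 2018/07/17 12:00:07");

  script_cve_id("CVE-2000-0535");
  script_bugtraq_id(1340);

  script_name(english:"OpenSSL < 0.9.5a /dev/random Check Failure");
  script_summary(english:"Checks the version of OpenSSL");

  script_set_attribute(attribute:"synopsis", value:
"The remote host uses a version of OpenSSL that may have weak encryption keys.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSL running on the remote host is less than 0.9.5a. 
On a FreeBSD system running on the Alpha architecture, versions earlier than that may not use the /dev/random and /dev/urandom devices to provide a strong source of cryptographic entropy, which could lead to the generation of keys with weak cryptographic strength.");
  script_set_attribute(attribute:"see_also", value:"http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.514");
  # https://web.archive.org/web/20000819114726/http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?16bc8320");
  script_set_attribute(attribute:"solution", value:
"Upgrade OpenSSL to version 0.9.5a or higher and re-generate encryption keys.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # NOTE(review): the CVE id and the archived advisory referenced above both
  # date from 2000; the two 2010 dates below look like typos - confirm before
  # relying on them for timelines.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencie("http_version.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Version-from-banner results are only reported in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

banner = get_backport_banner(banner:get_http_banner(port:port));
if (!banner) exit(1, "Unable to get the banner from web server on port "+port+".");

if (!egrep(string:banner, pattern:'^Server:')) exit(1, "The web server on port "+port+" doesn't return a Server response header.");
if ("OpenSSL/" >!< banner) exit(1, "The Server response header for the web server on port "+port+" doesn't mention OpenSSL.");

pat = "^Server:.*OpenSSL/([^ ]+)";

# Start from NULL rather than "": the isnull() test after the loop can only
# fire if "no match" leaves the variable null. With an empty string the script
# fell through and reported an empty version as "not affected".
version = NULL;

foreach line (split(banner, sep:'\r\n', keep:FALSE))
{
  match = eregmatch(pattern:pat, string:line);
  if (!isnull(match))
  {
    version = match[1];
    # Stop here so that `line` still holds the matching header for the report.
    break;
  }
}
if (isnull(version)) exit(0, "Failed to extract the version of OpenSSL used by the web server on port "+port+".");

# Anything less than 0.9.5a: 0.9.0 - 0.9.4 with any suffix, or 0.9.5 with no
# letter or digit directly after the 5.
if (version =~ "^0\.9\.([0-4]|5([^a-z0-9]|$))")
{
  if (report_verbosity > 0)
  {
    report =
      '\nOpenSSL version '+version+' appears to be running on the remote\n'+
      'host based on the following Server response header :\n\n'+
      ' '+line+'\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else exit(0, 'The web server on port ' +port+ ' uses OpenSSL '+version+', which is not affected.');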
# Listing metadata as shown on the hosting page:
#   NASL family : Misc.
#   NASL id     : OPENSSH_210.NASL
#   description : According to its banner, the version of OpenSSH running on
#                 the remote host is less than 2.1.0. On a FreeBSD system
#                 running on the Alpha architecture, versions earlier than that
#                 may not use the /dev/random and /dev/urandom devices to
#                 provide a strong source of cryptographic entropy, which could
#                 lead to the generation of keys with weak cryptographic
#                 strength.
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 17700
#   published   : 2011-11-18
#   reporter    : This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/17700
#   title       : OpenSSH < 2.1.0 /dev/random Check Failure
#
# (C) Tenable Network Security, Inc.
#
# Purpose: banner-only check that warns when the SSH banner advertises an
# OpenSSH release older than 2.1.0.
#
# Limits a reader should keep in mind:
#  - The platform (FreeBSD on Alpha) named in the description is never
#    verified; the result is registered as a potential vulnerability and the
#    script runs only with paranoid reporting (report_paranoia >= 2).
#  - When the backport helper marks the banner as backported, the script
#    exits without a verdict.
#  - The solution text asks for key re-generation as well as the upgrade.
#

include("compat.inc");

if (description)
{
  script_id(17700);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2000-0535");
  script_bugtraq_id(1340);

  script_name(english:"OpenSSH < 2.1.0 /dev/random Check Failure");
  script_summary(english:"Checks the version of OpenSSH");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a version of SSH that may have weak encryption keys.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of OpenSSH running on the remote host is less than 2.1.0. 
On a FreeBSD system running on the Alpha architecture, versions earlier than that may not use the /dev/random and /dev/urandom devices to provide a strong source of cryptographic entropy, which could lead to the generation of keys with weak cryptographic strength.");
  script_set_attribute(attribute:"see_also", value:"http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.514");
  # https://web.archive.org/web/20000819114726/http://archives.neohapsis.com/archives/freebsd/2000-06/0083.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?16bc8320");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dca3a5e9");
  script_set_attribute(attribute:"solution", value:
"Upgrade OpenSSH to version 2.1.0 or higher / OpenSSL to version 0.9.5a or higher and re-generate encryption keys.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # NOTE(review): the CVE id and the archived advisory referenced above both
  # date from 2000; the two 2010 dates below look like typos - confirm.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/ssh");

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version-from-banner results are only reported in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Resolve the SSH port; the call exits by itself when there is none.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Banner recorded in the knowledge base for that port.
banner = get_kb_item_or_exit("SSH/banner/"+port);

# All matching below is done on the lower-cased banner returned by the
# backport helper.
bp_banner = tolower(get_backport_banner(banner:banner));
if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

# Full version token as advertised, e.g. digits plus any letter/dot suffix.
parsed = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
if (isnull(parsed)) exit(1, "Could not parse the version string in the banner from port "+port+".");
version = parsed[1];

# Leading digits-and-dots part only; this is what gets compared.
numeric = eregmatch(string:version, pattern:"^([0-9.]+)");
if (isnull(numeric)) exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');

fixed_in = "2.1.0";
cmp = ver_compare(ver:numeric[1], fix:fixed_in, strict:FALSE);

# Anything that does not compare as older than the fixed release is done here.
if (cmp != -1) exit(0, "The OpenSSH version "+version+" server listening on port "+port+" is not affected.");

if (report_verbosity > 0)
{
  report = '\n Version source : ' + banner;
  report = report + '\n Installed version : ' + version;
  report = report + '\n Fixed version : ' + fixed_in;
  report = report + '\n';
  security_warning(port:port, extra:report);
}
else security_warning(port);