Vulnerabilities > CVE-2000-1169 - Unspecified vulnerability in Openbsd Openssh 2.2
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2000-068.NASL description A vulnerability exists with all versions of OpenSSH prior to 2.3.0 with regards to the X11 forwarding and ssh-agent. If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation. Update : The packages announced yesterday for Linux-Mandrake 7.0 and 7.1 did not have PAM support enabled. This meant that the server would not allow logins. These updated packages for 7.0 and 7.1 are now available with PAM support properly enabled. last seen 2020-06-01 modified 2020-06-02 plugin id 61854 published 2012-09-06 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61854 title Mandrake Linux Security Advisory : openssh (MDKSA-2000:068-1) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2000:068.
# The text itself is copyright (C) Mandriva S.A.
#
# Purpose: local (authenticated) check for MDKSA-2000:068-1. The plugin
# compares the installed openssh RPMs reported by ssh_get_info.nasl against
# the fixed package versions for Mandrake 7.0 / 7.1 / 7.2 and reports a hole
# when any package is older than the fix. It does not probe the SSH service
# itself; the vulnerability (CVE-2000-1169) is decided purely from the rpm list.
#

include("compat.inc");

# Plugin registration block: metadata only, exits before any host checks run.
if (description)
{
  script_id(61854);
  script_version("1.5");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2000-1169");
  script_xref(name:"MDKSA", value:"2000:068-1");

  script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2000:068-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  # Advisory text, reproduced verbatim from the vendor (includes the note that
  # the first 7.0/7.1 packages lacked PAM support and were re-issued).
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability exists with all versions of OpenSSH prior to 2.3.0 with regards to the X11 forwarding and ssh-agent. If agent or X11 forwarding is disabled in the ssh client configuration, the client does not request these features during session setup. However, when the ssh client receives an actual request asking for access to the ssh-agent, the client fails to check whether this feature has been negotiated during session setup. The client does not check whether the request is in compliance with the client configuration and grants access to the ssh-agent. A similar problem exists in the X11 forwarding implementation. Update : The packages announced yesterday for Linux-Mandrake 7.0 and 7.1 did not have PAM support enabled. This meant that the server would not allow logins. These updated packages for 7.0 and 7.1 are now available with PAM support properly enabled."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # Package CPEs covered by the rpm_check() calls below.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2000/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # The rpm list and release keys are populated by ssh_get_info.nasl over an
  # authenticated SSH session; without them the check below cannot run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: bail out (audit) rather than report when local checks are off,
# the host is not Mandrake, or no package inventory was collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 architectures are covered by the package references below; any other
# CPU is reported as "not implemented" rather than "not affected".
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# flag counts how many installed packages are older than the fixed reference.
# Fixed versions: 2.3.0p1-7.3mdk for 7.0 and 7.1, 2.3.0p1-7.1mdk for 7.2.
flag = 0;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"openssh-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"openssh-askpass-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"openssh-askpass-gnome-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"openssh-clients-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"openssh-server-2.3.0p1-7.3mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-gnome-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-clients-2.3.0p1-7.3mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-server-2.3.0p1-7.3mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-2.3.0p1-7.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-2.3.0p1-7.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-gnome-2.3.0p1-7.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-clients-2.3.0p1-7.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-server-2.3.0p1-7.1mdk", yank:"mdk")) flag++;

# Report on port 0 (local finding). The per-package detail from rpm_report_get()
# is attached only when the scan's report verbosity asks for it.
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc. NASL id SSH_FORWARDING.NASL description The remote host is running a version of the OpenSSH client older than 2.3.0. Such versions do not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent. last seen 2020-06-01 modified 2020-06-02 plugin id 11343 published 2003-03-10 reporter This script is Copyright (C) 2003-2018 Xue Yong Zhi source https://www.tenable.com/plugins/nessus/11343 title OpenSSH Client Unauthorized X11 Remote Forwarding code
#
# This script was written by Xue Yong Zhi<[email protected]>
#
# See the Nessus Scripts License for details
#
# Changes by Tenable:
# - Revised plugin title, changed family (8/6/09)
# - Updated to use compat.inc (11/20/2009)
#
# Purpose: remote, banner-based check for CVE-2000-1169. The plugin reads the
# SSH service banner collected by ssh_detect.nasl and flags OpenSSH versions
# below 2.3. NOTE(review): the finding is about the *client*, but the only
# evidence available remotely is the *server* banner — the plugin presumably
# assumes client and server were installed from the same OpenSSH release.
# Banner-only checks cannot see backported fixes beyond what
# get_backport_banner() normalizes, so treat a hit as "version string is old".
#

include("compat.inc");

# Plugin registration block: metadata only, exits before any host checks run.
if(description)
{
  script_id(11343);
  script_version ("1.16");
  script_cve_id("CVE-2000-1169");
  script_bugtraq_id(1949);

  script_name(english:"OpenSSH Client Unauthorized X11 Remote Forwarding");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSH client does not disable X11 forwarding." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of the OpenSSH client older than 2.3.0. Such versions do not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent." );
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 2.3.0 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/10");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/11/13");
  script_cvs_date("Date: 2018/08/03 11:35:08");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for the remote SSH version");
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Xue Yong Zhi");
  script_family(english:"Misc.");
  # The banner is stored under SSH/banner/<port> by ssh_detect.nasl.
  script_dependencie("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);
  exit(0);
}

#
# The script code starts here
#

include("backport.inc");

# Use the detected SSH port, falling back to 22 when service detection has
# not recorded one.
port = get_kb_item("Services/ssh");
if(!port)port = 22;

# No banner means nothing to match against; exit silently (not a finding).
banner = get_kb_item("SSH/banner/" + port );
if ( ! banner ) exit(0);

# Normalize distribution-specific banners (backported builds) and lower-case
# the result so the regex below can be written in one case.
banner = tolower(get_backport_banner(banner:banner));

# Looking for OpenSSH product version number < 2.3
# Matches "openssh-1.x" / "openssh_1.x" and "openssh-2.0.", "2.1.", "2.2."
# (the trailing "\." requires a dotted version, so "2.2" alone would not match).
if(ereg(pattern:".*openssh[_-](1|2\.[0-2])\..*",string:banner))security_hole(port);
NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: remote, banner-based version check for SunSSH. The plugin parses the
# SunSSH version out of the SSH banner and reports when it is older than 1.1.1
# or exactly 1.2. The headline issue is the CBC plaintext-recovery weakness;
# the long script_cve_id() list (which includes CVE-2000-1169) covers further
# issues in the same versions that, per the description, are not tested
# individually — the decision is made from the version string alone.
#

include("compat.inc");

# Plugin registration block: metadata only, exits before any host checks run.
if (description)
{
  script_id(55992);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/31 17:27:54");

  # All CVEs attributed to SunSSH releases below the fixed version; only the
  # version comparison is performed, none of these is probed directly.
  script_cve_id(
    "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529",
    "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380",
    "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585",
    "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640",
    "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682",
    "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787",
    "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069",
    "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798",
    "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051",
    "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243",
    "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483",
    "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161"
  );
  script_bugtraq_id(32319);
  script_xref(name:"CERT", value:"958563");

  script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
  script_summary(english:"Checks SSH banner");

  script_set_attribute( attribute:"synopsis", value: "The SSH service running on the remote host has an information disclosure vulnerability." );
  script_set_attribute( attribute:"description", value: "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them." );
  # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
  # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
  script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
  script_set_attribute( attribute:"solution", value:"Upgrade to SunSSH 1.1.1 / 1.3 or later" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
  script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
  script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # The banner is stored under SSH/banner/<port> by ssh_detect.nasl.
  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
# exit_on_fail:TRUE makes get_service() terminate the plugin itself when no
# open SSH service is known, so no separate null check is needed here.
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);

# Get banner for service.
# get_kb_item_or_exit() likewise exits when no banner was recorded.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# Check that we're using SunSSH.
# '>!<' is NASL's "not a substring of"; any non-SunSSH banner is a clean exit.
if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH.");

# Check the version in the banner.
# The pattern is anchored at end-of-string, so the version must be the last
# token of the banner; a SunSSH banner with trailing text exits with status 1
# (parse failure) rather than being reported.
match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + ".");
else version = match[1];

# the Oracle (Sun) blog above explains how the versioning works. we could
# probably explicitly check for each vulnerable version if it came down to it
#
# Vulnerable when: version < 1.1.1 (non-strict compare returns -1), or the
# version is exactly '1.2' (the 1.2 branch is handled as a special case; 1.3
# is the fixed release on that branch, matching the "1.1.1 / 1.3" solution).
if (
  ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
  version == '1.2'
)
{
  # Verbose report shows the raw banner, the parsed version and the fix.
  if (report_verbosity > 0)
  {
    report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 1.1.1 / 1.3\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
Redhat
advisories |
|
References
- http://archives.neohapsis.com/archives/bugtraq/2000-11/0195.html
- http://archives.neohapsis.com/archives/bugtraq/2000-11/0217.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000345
- http://lists.suse.com/archives/suse-security-announce/2000-Nov/0004.html
- http://www.debian.org/security/2000/20001118
- http://www.linux-mandrake.com/en/security/MDKSA-2000-068.php3
- http://www.osvdb.org/2114
- http://www.osvdb.org/6248
- http://www.redhat.com/support/errata/RHSA-2000-111.html
- http://www.securityfocus.com/bid/1949
- https://exchange.xforce.ibmcloud.com/vulnerabilities/5517