Vulnerabilities > CVE-2001-0816 - Unspecified vulnerability in Openbsd Openssh
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands.
Vulnerable Configurations
Nessus
NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55992); script_version("1.17"); script_cvs_date("Date: 2018/07/31 17:27:54"); script_cve_id( "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161" ); script_bugtraq_id(32319); script_xref(name:"CERT", value:"958563"); script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure"); script_summary(english:"Checks SSH banner"); script_set_attribute( attribute:"synopsis", value: "The SSH service running on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them." ); # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9"); # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a"); script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning"); script_set_attribute( attribute:"solution", value:"Upgrade to SunSSH 1.1.1 / 1.3 or later" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17"); script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11"); script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29"); script_set_attribute(attribute:"plugin_type",value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/" + port); # Check that we're using SunSSH. if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH."); # Check the version in the banner. match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE); if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + "."); else version = match[1]; # the Oracle (Sun) blog above explains how the versioning works. we could # probably explicitly check for each vulnerable version if it came down to it if ( ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 || version == '1.2' ) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 1.1.1 / 1.3\n'; security_hole(port:port, extra:report); } else security_hole(port); } else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
NASL family Misc. NASL id OPENSSH_ADV_OPTION.NASL description According to its banner, the remote host appears to be running OpenSSH version between 2.5.x and 2.9. Such versions reportedly contain multiple vulnerabilities : - sftp-server does not respect the last seen 2020-06-01 modified 2020-06-02 plugin id 10771 published 2001-09-28 reporter This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10771 title OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10771); script_version ("1.30"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2001-0816", "CVE-2001-1380"); script_bugtraq_id(3345, 3369); script_xref(name:"CERT", value:"905795"); script_name(english:"OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities"); script_summary(english:"Checks the version reported in the SSH banner."); script_set_attribute(attribute:"synopsis", value: "The remote version of OpenSSH contains multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the remote host appears to be running OpenSSH version between 2.5.x and 2.9. Such versions reportedly contain multiple vulnerabilities : - sftp-server does not respect the 'command=' argument of keys in the authorized_keys2 file. (CVE-2001-0816) - sshd does not properly handle the 'from=' argument of keys in the authorized_keys2 file. If a key of one type (e.g. RSA) is followed by a key of another type (e.g. DSA) then the options for the latter will be applied to the former, including 'from=' restrictions. This problem allows users to circumvent the system policy and login from disallowed source IP addresses. (CVE-2001-1380)"); script_set_attribute(attribute:"see_also", value:"http://www.openbsd.org/advisories/ssh_option.txt"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?759da6a7"); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-2.9.9"); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 2.9.9" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/09/26"); script_set_attribute(attribute:"patch_publication_date", value:"2001/09/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/09/28"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); port = get_service(svc:"ssh", exit_on_fail:TRUE); banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+"."); version = match[1]; # Pull out numeric portion of version. matches = eregmatch(string:version, pattern:'^([0-9.]+)'); if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.'); if ( ver_compare(ver:matches[1], fix:"2.5", strict:FALSE) < 0 || ver_compare(ver:matches[1], fix:"2.9.9", strict:FALSE) >= 0 ) exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+"."); if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 2.9.9' + '\n'; security_hole(port:port, extra:report); } else security_hole(port);
Redhat
advisories |
|
References
- http://archives.neohapsis.com/archives/bugtraq/2001-09/0153.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431
- http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-034-01
- http://www.osvdb.org/5536
- http://www.redhat.com/support/errata/RHSA-2001-154.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7634