Vulnerabilities > CVE-2001-1380 - Unspecified vulnerability in Openbsd Openssh
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the "from" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses.
Vulnerable Configurations
Nessus
NASL family Gain a shell remotely NASL id OPENSSH_37P.NASL description According to its banner, the remote host appears to be running OpenSSH 3.7p1 or 3.7.1p1. These versions are vulnerable to a flaw in the way they handle PAM authentication when PrivilegeSeparation is disabled. Successful exploitation of this issue may allow an attacker to gain a shell on the remote host using a null password. last seen 2020-06-01 modified 2020-06-02 plugin id 11848 published 2003-09-23 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11848 title OpenSSH < 3.7.1p2 Multiple Remote Vulnerabilities code # # (C) Tenable Network Security, Inc. # # Ref: # From: Damien Miller <[email protected]> # To: [email protected] # Subject: Multiple PAM vulnerabilities in portable OpenSSH # also covers CVE-2001-1380 include("compat.inc"); if (description) { script_id(11848); script_version ("1.27"); script_cvs_date("Date: 2018/07/16 14:09:13"); script_cve_id("CVE-2003-0786", "CVE-2003-0787"); script_bugtraq_id(8677); script_xref(name:"CERT", value:"602204"); script_name(english:"OpenSSH < 3.7.1p2 Multiple Remote Vulnerabilities"); script_summary(english:"Checks for the remote SSH version"); script_set_attribute(attribute:"synopsis", value: "The remote host has an application which may allow an attacker to login potentially as root without password." ); script_set_attribute(attribute:"description", value: "According to its banner, the remote host appears to be running OpenSSH 3.7p1 or 3.7.1p1. These versions are vulnerable to a flaw in the way they handle PAM authentication when PrivilegeSeparation is disabled. Successful exploitation of this issue may allow an attacker to gain a shell on the remote host using a null password." ); script_set_attribute(attribute:"solution", value: "Upgrade to OpenSSH 3.7.1p2 or disable PAM support in sshd_config" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/09/23"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/09/23"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"Gain a shell remotely"); script_dependencie("ssh_detect.nasl", "os_fingerprint.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Windows not affected. os = get_kb_item("Host/OS"); if (! get_kb_item("Settings/PCI_DSS") && !isnull(os)) { if ("Linux" >!< os && "SCO" >!< os) exit(0); } # Ensure the port is open. port = get_service(svc:"ssh", exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); if (ereg(pattern:"openssh[-_]3\.7(\.1)?p1", string:bp_banner)) security_hole(port);NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2001-081.NASL description In some circumstances, the sshd server may not honor the last seen 2020-06-01 modified 2020-06-02 plugin id 13894 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13894 title Mandrake Linux Security Advisory : openssh (MDKSA-2001:081) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2001:081. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13894); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2001-1380"); script_xref(name:"MDKSA", value:"2001:081"); script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2001:081)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "In some circumstances, the sshd server may not honor the 'from=' option that can be associated with a key in a user's ~/.ssh/authorized_keys2 file if multiple keys are listed. This could allow key-based logins from hosts which should not be allowed access." ); # https://www.securityfocus.com/archive?id=1&mid=216702&start=2001-09-24&end=2001-09-30 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6f89498b" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"patch_publication_date", value:"2001/10/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-2.9.9p2-2.4mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-2.9.9p2-2.4mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-gnome-2.9.9p2-2.4mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-clients-2.9.9p2-2.4mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-server-2.9.9p2-2.4mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-2.9.9p2-2.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-2.9.9p2-2.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-gnome-2.9.9p2-2.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-clients-2.9.9p2-2.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-server-2.9.9p2-2.3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-2.9.9p2-2.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-2.9.9p2-2.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-gnome-2.9.9p2-2.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-clients-2.9.9p2-2.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-server-2.9.9p2-2.2mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-2.9.9p2-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-2.9.9p2-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-gnome-2.9.9p2-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-clients-2.9.9p2-2.1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-server-2.9.9p2-2.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55992); script_version("1.17"); script_cvs_date("Date: 2018/07/31 17:27:54"); script_cve_id( "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161" ); script_bugtraq_id(32319); script_xref(name:"CERT", value:"958563"); script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure"); script_summary(english:"Checks SSH banner"); script_set_attribute( attribute:"synopsis", value: "The SSH service running on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them." ); # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9"); # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a"); script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning"); script_set_attribute( attribute:"solution", value:"Upgrade to SunSSH 1.1.1 / 1.3 or later" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17"); script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11"); script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29"); script_set_attribute(attribute:"plugin_type",value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/" + port); # Check that we're using SunSSH. if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH."); # Check the version in the banner. match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE); if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + "."); else version = match[1]; # the Oracle (Sun) blog above explains how the versioning works. we could # probably explicitly check for each vulnerable version if it came down to it if ( ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 || version == '1.2' ) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 1.1.1 / 1.3\n'; security_hole(port:port, extra:report); } else security_hole(port); } else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");NASL family Misc. NASL id OPENSSH_ADV_OPTION.NASL description According to its banner, the remote host appears to be running OpenSSH version between 2.5.x and 2.9. Such versions reportedly contain multiple vulnerabilities : - sftp-server does not respect the last seen 2020-06-01 modified 2020-06-02 plugin id 10771 published 2001-09-28 reporter This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/10771 title OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(10771); script_version ("1.30"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2001-0816", "CVE-2001-1380"); script_bugtraq_id(3345, 3369); script_xref(name:"CERT", value:"905795"); script_name(english:"OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities"); script_summary(english:"Checks the version reported in the SSH banner."); script_set_attribute(attribute:"synopsis", value: "The remote version of OpenSSH contains multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the remote host appears to be running OpenSSH version between 2.5.x and 2.9. Such versions reportedly contain multiple vulnerabilities : - sftp-server does not respect the 'command=' argument of keys in the authorized_keys2 file. (CVE-2001-0816) - sshd does not properly handle the 'from=' argument of keys in the authorized_keys2 file. If a key of one type (e.g. RSA) is followed by a key of another type (e.g. DSA) then the options for the latter will be applied to the former, including 'from=' restrictions. This problem allows users to circumvent the system policy and login from disallowed source IP addresses. (CVE-2001-1380)"); script_set_attribute(attribute:"see_also", value:"http://www.openbsd.org/advisories/ssh_option.txt"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?759da6a7"); script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-2.9.9"); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 2.9.9" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/09/26"); script_set_attribute(attribute:"patch_publication_date", value:"2001/09/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2001/09/28"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); port = get_service(svc:"ssh", exit_on_fail:TRUE); banner = get_kb_item_or_exit("SSH/banner/"+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH."); if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported."); # Check the version in the backported banner. match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)"); if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+"."); version = match[1]; # Pull out numeric portion of version. matches = eregmatch(string:version, pattern:'^([0-9.]+)'); if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.'); if ( ver_compare(ver:matches[1], fix:"2.5", strict:FALSE) < 0 || ver_compare(ver:matches[1], fix:"2.9.9", strict:FALSE) >= 0 ) exit(0, "The OpenSSH server on port "+port+" is not affected as it's version "+version+"."); if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 2.9.9' + '\n'; security_hole(port:port, extra:report); } else security_hole(port);
Redhat
| advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000431
- http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-034-01
- http://marc.info/?l=bugtraq&m=100154541809940&w=2
- http://rhn.redhat.com/errata/RHSA-2001-114.html
- http://www.ciac.org/ciac/bulletins/m-010.shtml
- http://www.kb.cert.org/vuls/id/905795
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-081.php
- http://www.osvdb.org/642
- http://www.securityfocus.com/bid/3369
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7179