CVE-2002-0640 - Buffer Overflow vulnerability in OpenSSH Challenge-Response

CVSS 10.0 - CRITICAL (CVSS2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C, as set in the Nessus plugins below)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, openbsd, critical, nessus, exploit available

Summary

Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
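
The "large number of responses" in the summary is the uint32 count (nresp) at the head of the client's SSH2_MSG_USERAUTH_INFO_RESPONSE message, which both the PAM keyboard-interactive path and the ChallengeResponseAuthentication path parse. The following is an added example, not OpenSSH source: it models the client/server exchange, the 32-bit size computation that wraps when nresp is huge, and the check the fixed server makes before allocating. Message number 61 comes from RFC 4256; the 32-bit size_t, 4-byte pointers and the cap of 100 responses (the bound the 3.4-era fix introduced) are stated assumptions of the model, and build_info_response, parse_info_response and round_trip are names chosen here.

```c
/*
 * Added example (not OpenSSH source): models the SSH2 keyboard-interactive
 * exchange behind CVE-2002-0640 / CVE-2002-0639.  The server sends
 * SSH2_MSG_USERAUTH_INFO_REQUEST with a few prompts; the client answers with
 * SSH2_MSG_USERAUTH_INFO_RESPONSE = byte 61, uint32 nresp, then nresp SSH
 * strings (uint32 length + bytes).  A server that trusts nresp and does
 * xmalloc(nresp * sizeof(char *)) on a 32-bit host wraps the product to a tiny
 * block and then stores nresp pointers into it.  Assumptions: 32-bit size_t,
 * 4-byte pointers (the i386 targets of 2002), and a cap of 100 responses,
 * which is the bound the 3.4-era fix introduced.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH2_MSG_USERAUTH_INFO_RESPONSE 61u  /* RFC 4256 message number */
#define MAX_RESPONSES 100u                   /* upper bound on nresp (assumed, see above) */
#define PTR_SIZE_32 4u                       /* sizeof(char *) on a 32-bit host */

/* SSH wire integers are big-endian uint32. */
static void put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Client side: build an INFO_RESPONSE that claims `nresp` answers but carries
 * only `actual` one-byte strings (constructed sample input).  Returns the
 * payload length, 0 if buf is too small.  A hostile client sets nresp far
 * above the number of prompts it was sent. */
size_t build_info_response(uint8_t *buf, size_t cap, uint32_t nresp, uint32_t actual)
{
    size_t need = 1 + 4 + (size_t)actual * 5;
    if (cap < need) return 0;
    buf[0] = SSH2_MSG_USERAUTH_INFO_RESPONSE;
    put_u32(buf + 1, nresp);
    for (uint32_t i = 0; i < actual; i++) {
        put_u32(buf + 5 + i * 5, 1);      /* string length = 1 */
        buf[5 + i * 5 + 4] = 'x';         /* string body */
    }
    return need;
}

/* The byte count a 32-bit server computes for xmalloc(nresp * sizeof(char *)).
 * uint32 multiplication wraps modulo 2^32, so 0x40000001 * 4 == 4: four bytes
 * for over a billion pointers, and every stored pointer after the first lands
 * outside the block. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    return nresp * PTR_SIZE_32;
}

/* Server side, hardened: bound nresp before any allocation, then walk the
 * strings with length checks.  Returns the number of responses accepted or
 * -1 for a rejected message. */
int parse_info_response(const uint8_t *buf, size_t len, uint32_t max_responses)
{
    if (len < 5 || buf[0] != SSH2_MSG_USERAUTH_INFO_RESPONSE) return -1;
    uint32_t nresp = get_u32(buf + 1);
    if (nresp > max_responses) return -1;     /* the fix: reject absurd counts first */
    size_t off = 5;
    for (uint32_t i = 0; i < nresp; i++) {
        if (len - off < 4) return -1;         /* fewer strings than claimed */
        uint32_t slen = get_u32(buf + off);
        off += 4;
        if (slen > len - off) return -1;      /* string runs past the payload */
        off += slen;
    }
    return (int)nresp;
}

/* One client/server round trip, so the outcome can be checked as a value. */
int round_trip(uint32_t nresp, uint32_t actual, uint32_t max_responses)
{
    uint8_t buf[64];
    size_t n = build_info_response(buf, sizeof buf, nresp, actual);
    return n ? parse_info_response(buf, n, max_responses) : -2;
}

int main(void)
{
    uint32_t evil = 0x40000001u;
    printf("nresp=%u -> 32-bit alloc size %u bytes\n", evil, vulnerable_alloc_size(evil));
    printf("honest reply (2 of 2)  : %d\n", round_trip(2, 2, MAX_RESPONSES));
    printf("short reply (3 claimed): %d\n", round_trip(3, 2, MAX_RESPONSES));
    printf("hostile nresp, capped  : %d\n", round_trip(evil, 2, MAX_RESPONSES));
    return 0;
}
```

The order of the checks is the point: the unfixed server stored each response pointer as it read it, so by the time the packet ran out of strings the undersized block had already been overrun, and a length check on the strings alone would come too late. Privilege separation does not remove the overflow; it confines the corrupted process to an unprivileged child, which is why the Mandrake advisory below presents UsePrivilegeSeparation as a stop-gap and the 3.4 upgrade as the fix.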

Exploit-Db

  • description: OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (2). CVE-2002-0640. Remote exploit for unix platform
    id: EDB-ID:21579
    last seen: 2016-02-02
    modified: 2002-06-24
    published: 2002-06-24
    reporter: Gobbles Security
    source: https://www.exploit-db.com/download/21579/
    title: OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities 2
  • description: OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (1). CVE-2002-0640. Remote exploit for unix platform
    id: EDB-ID:21578
    last seen: 2016-02-02
    modified: 2002-06-24
    published: 2002-06-24
    reporter: Christophe Devine
    source: https://www.exploit-db.com/download/21578/
    title: OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities 1

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-131.NASL
    description: Updated openssh packages are now available for Red Hat Linux Advanced Server. These updates fix an input validation error in OpenSSH.

    OpenSSH provides an implementation of the SSH (secure shell) protocol used for logging into and executing commands on remote machines.

    Versions of the OpenSSH server between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation.

    At this time, Red Hat does not believe that the default installation of OpenSSH on Red Hat Linux is vulnerable to this issue; however a user would be vulnerable if the configuration option 'PAMAuthenticationViaKbdInt' is enabled in the sshd configuration file (it is not enabled by default).

    We have applied the security fix provided by the OpenSSH team to these errata packages which are based on OpenSSH 3.1p1. This should minimize the impact of upgrading to our errata packages.

    All users of OpenSSH should update to these errata packages which are not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12309
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12309
    title: RHEL 2.1 : openssh (RHSA-2002:131)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:131. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12309);
      script_version ("1.28");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2002-0640");
      script_xref(name:"RHSA", value:"2002:131");
    
      script_name(english:"RHEL 2.1 : openssh (RHSA-2002:131)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages are now available for Red Hat Linux Advanced
    Server. These updates fix an input validation error in OpenSSH.
    
    OpenSSH provides an implementation of the SSH (secure shell) protocol
    used for logging into and executing commands on remote machines.
    
    Versions of the OpenSSH server between 2.3.1 and 3.3 contain an input
    validation error that can result in an integer overflow and privilege
    escalation.
    
    At this time, Red Hat does not believe that the default installation
    of OpenSSH on Red Hat Linux is vulnerable to this issue; however a
    user would be vulnerable if the configuration option
    'PAMAuthenticationViaKbdInt' is enabled in the sshd configuration file
    (it is not enabled by default).
    
    We have applied the security fix provided by the OpenSSH team to these
    errata packages which are based on OpenSSH 3.1p1. This should minimize
    the impact of upgrading to our errata packages.
    
    All users of OpenSSH should update to these errata packages which are
    not vulnerable to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0640"
      );
      # http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102510268109227
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=openssh-unix-dev&m=102510268109227"
      );
      # http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102511867031136
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=openssh-unix-dev&m=102511867031136"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:131"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2002/06/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:131";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-3.1p1-6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-3.1p1-6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-askpass-gnome-3.1p1-6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-clients-3.1p1-6")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openssh-server-3.1p1-6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
      }
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-040.NASL
    description: An input validation error exists in the OpenSSH server between versions 2.3.1 and 3.3 that can result in an integer overflow and privilege escalation. This error is found in the PAMAuthenticationViaKbdInt code in versions 2.3.1 to 3.3, and the ChallengeResponseAuthentication code in versions 2.9.9 to 3.3. OpenSSH 3.4 and later are not affected, and OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled; in OpenSSH 3.3 and higher this is the default behaviour of OpenSSH.

    To protect yourself, users should be using OpenSSH 3.3 with UsePrivilegeSeparation enabled (see MDKSA:2002-040). However, it is highly recommended that all Mandrake Linux users upgrade to version 3.4 which corrects these errors.

    There are a few caveats with this upgrade, however, that users should be aware of:

      - On Linux kernel 2.2 (the default for Mandrake Linux 7.x), the use of Compression and UsePrivilegeSeparation are mutually exclusive. You can use one feature or the other, not both; we recommend disabling Compression and using privsep until this can be resolved.
      - Using privsep may cause some PAM modules which expect to run with root privilege to fail. For instance, users will not be able to change their password if they attempt to log into an account with an expired password.

    If you absolutely must use one of these features that conflict with privsep, you can disable it in /etc/ssh/sshd_config by using:

      UsePrivilegeSeparation no

    However, if you do this, be sure you are running OpenSSH 3.4. Updates to OpenSSH will be made available once these problems are resolved.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13944
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13944
    title: Mandrake Linux Security Advisory : openssh (MDKSA-2002:040-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:040. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13944);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-0639", "CVE-2002-0640");
      script_xref(name:"MDKSA", value:"2002:040-1");
    
      script_name(english:"Mandrake Linux Security Advisory : openssh (MDKSA-2002:040-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An input validation error exists in the OpenSSH server between
    versions 2.3.1 and 3.3 that can result in an integer overflow and
    privilege escalation. This error is found in the
    PAMAuthenticationViaKbdInt code in versions 2.3.1 to 3.3, and the
    ChallengeResponseAuthentication code in versions 2.9.9 to 3.3. OpenSSH
    3.4 and later are not affected, and OpenSSH 3.2 and later prevent
    privilege escalation if UsePrivilegeSeparation is enabled; in OpenSSH
    3.3 and higher this is the default behaviour of OpenSSH.
    
    To protect yourself, users should be using OpenSSH 3.3 with
    UsePrivilegeSeparation enabled (see MDKSA:2002-040). However, it is
    highly recommended that all Mandrake Linux users upgrade to version
    3.4 which corrects these errors.
    
    There are a few caveats with this upgrade, however, that users should
    be aware of :
    
      - On Linux kernel 2.2 (the default for Mandrake Linux
        7.x), the use of Compression and UsePrivilegeSeparation
        are mutually exclusive. You can use one feature or the
        other, not both; we recommend disabling Compression and
        using privsep until this can be resolved.
    
      - Using privsep may cause some PAM modules which expect to
        run with root privilege to fail. For instance, users
        will not be able to change their password if they
        attempt to log into an account with an expired password.
    
    If you absolutely must use one of these features that conflict with
    privsep, you can disable it in /etc/ssh/sshd_config by using :
    
    UsePrivilegeSeparation no
    
    However, if you do this, be sure you are running OpenSSH 3.4. Updates
    to OpenSSH will be made available once these problems are resolved."
      );
      # http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=openssh-unix-dev&m=102495293705094&w=2"
      );
      # http://web.archive.org/web/20030218003736/http://online.securityfocus.com:80/archive/1/280070/2002-06-29/2002-07-05/0
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e2bfc14c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-clients-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"openssh-server-3.4p1-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-clients-3.4p1-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"openssh-server-3.4p1-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-askpass-gnome-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-clients-3.4p1-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"openssh-server-3.4p1-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gain a shell remotely
    NASL id: OPENSSH_AFS.NASL
    description: You are running a version of OpenSSH older than OpenSSH 3.2.1. A buffer overflow exists in the daemon if AFS is enabled on your system, or if the options KerberosTgtPassing or AFSTokenPassing are enabled. Even in this scenario, the vulnerability may be avoided by enabling UsePrivilegeSeparation. Versions prior to 2.9.9 are vulnerable to a remote root exploit. Versions prior to 3.2.1 are vulnerable to a local root exploit.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10954
    published: 2002-05-12
    reporter: This script is Copyright (C) 2002-2018 Thomas Reinke
    source: https://www.tenable.com/plugins/nessus/10954
    title: OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
    code:
    #
    # This script was written by Thomas Reinke <[email protected]>
    #
    # See the Nessus Scripts License for details
    #
    
    # Changes by Tenable:
    # - Revised plugin title, formatted output, enhanced solution, changed plugin family (8/18/09)
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(10954);
     script_version ("1.28");
     script_cvs_date("Date: 2018/07/16 14:09:13");
    
     script_cve_id("CVE-2002-0575");
     script_bugtraq_id(4560);
     
     script_name(english:"OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow");
     script_summary(english:"Checks for the remote SSH version");
     
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code may be run on the remote host." );
     script_set_attribute(attribute:"description", value:
    "You are running a version of OpenSSH older than OpenSSH 3.2.1.
    
    A buffer overflow exists in the daemon if AFS is enabled on
    your system, or if the options KerberosTgtPassing or
    AFSTokenPassing are enabled.  Even in this scenario, the
    vulnerability may be avoided by enabling UsePrivilegeSeparation.
    
    Versions prior to 2.9.9 are vulnerable to a remote root
    exploit. Versions prior to 3.2.1 are vulnerable to a local
    root exploit." );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to version 3.2.1 or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/05/12");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/22");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2002-2018 Thomas Reinke");
     script_family(english:"Gain a shell remotely");
     if (  ! defined_func("bn_random") ) 
    	script_dependencie("ssh_detect.nasl");
     else
    	script_dependencie("ssh_detect.nasl", "redhat-RHSA-2002-131.nasl");
     script_require_ports("Services/ssh", 22);
     exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (get_kb_item("CVE-2002-0640")) exit(0);
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    if (ereg(pattern:"openssh[-_](2\..*|3\.([01].*|2\.0))", string:bp_banner))
      security_hole(port);
    
  • NASL family: Misc.
    NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
    description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55992
    published: 2011-08-29
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55992
    title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # the Oracle (Sun) blog above explains how the versioning works. we could
    # probably explicitly check for each vulnerable version if it came down to it
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-134.NASL
    description: ISS X-Force released an advisory about an OpenSSH
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14971
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14971
    title: Debian DSA-134-4 : ssh - remote exploit
  • NASL family: Gain a shell remotely
    NASL id: OPENSSH_33.NASL
    description: According to its banner, the remote host appears to be running OpenSSH version 3.4 or older. Such versions are reportedly affected by multiple flaws. An attacker may exploit these vulnerabilities to gain a shell on the remote system.

    Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command:

      rpm -q openssh-server

    returns:

      openssh-server-3.1p1-6
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11031
    published: 2002-06-25
    reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11031
    title: OpenSSH < 3.4 Multiple Remote Overflows

Redhat

advisories
  • rhsa id: RHSA-2002:127
  • rhsa id: RHSA-2002:131