Vulnerabilities > CVE-2004-2069 - Remote Denial Of Service vulnerability in OpenSSH LoginGraceTime

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL

Summary

sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).

Vulnerable Configurations

Part         Description   Count
Application  Openbsd       2

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-550.NASL
    description: Updated openssh packages that fix a potential security vulnerability and various other bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19830
    published: 2005-10-05
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19830
    title: RHEL 3 : openssh (RHSA-2005:550)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:550. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19830);
      script_version ("1.23");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-2069");
      script_xref(name:"RHSA", value:"2005:550");
    
      script_name(english:"RHEL 3 : openssh (RHSA-2005:550)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages that fix a potential security vulnerability
    and various other bugs are now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
    includes the core files necessary for both the OpenSSH client and
    server.
    
    A bug was found in the way the OpenSSH server handled the MaxStartups
    and LoginGraceTime configuration variables. A malicious user could
    connect to the SSH daemon in such a way that it would prevent
    additional logins from occurring until the malicious connections are
    closed. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.
    
    Additionally, the following issues are resolved with this update :
    
      - The -q option of the ssh client did not suppress the
        banner message sent by the server, which caused errors
        when used in scripts.
    
      - The sshd daemon failed to close the client connection if
        multiple X clients were forwarded over the connection
        and the client session exited.
    
      - The sftp client leaked memory if used for extended
        periods.
    
      - The sshd daemon called the PAM functions incorrectly if
        the user was unknown on the system.
    
    All users of openssh should upgrade to these updated packages, which
    contain backported patches and resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-2069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:550"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:550";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"openssh-3.6.1p2-33.30.6")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openssh-askpass-3.6.1p2-33.30.6")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.6")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openssh-clients-3.6.1p2-33.30.6")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openssh-server-3.6.1p2-33.30.6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-550.NASL
    description: Updated openssh packages that fix a potential security vulnerability and various other bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21839
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21839
    title: CentOS 3 : openssh (CESA-2005:550)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:550 and 
    # CentOS Errata and Security Advisory 2005:550 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21839);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2004-2069");
      script_xref(name:"RHSA", value:"2005:550");
    
      script_name(english:"CentOS 3 : openssh (CESA-2005:550)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openssh packages that fix a potential security vulnerability
    and various other bugs are now available.
    
    This update has been rated as having low security impact by the Red
    Hat Security Response Team.
    
    OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This
    includes the core files necessary for both the OpenSSH client and
    server.
    
    A bug was found in the way the OpenSSH server handled the MaxStartups
    and LoginGraceTime configuration variables. A malicious user could
    connect to the SSH daemon in such a way that it would prevent
    additional logins from occurring until the malicious connections are
    closed. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-2069 to this issue.
    
    Additionally, the following issues are resolved with this update :
    
      - The -q option of the ssh client did not suppress the
        banner message sent by the server, which caused errors
        when used in scripts.
    
      - The sshd daemon failed to close the client connection if
        multiple X clients were forwarded over the connection
        and the client session exited.
    
      - The sftp client leaked memory if used for extended
        periods.
    
      - The sshd daemon called the PAM functions incorrectly if
        the user was unknown on the system.
    
    All users of openssh should upgrade to these updated packages, which
    contain backported patches and resolve these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-September/012216.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?24cdacc0"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-September/012229.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9da0c1da"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-September/012230.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?237aa73b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openssh packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"openssh-3.6.1p2-33.30.6")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-3.6.1p2-33.30.6")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-askpass-gnome-3.6.1p2-33.30.6")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-clients-3.6.1p2-33.30.6")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openssh-server-3.6.1p2-33.30.6")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc");
    }
    
  • NASL family: Misc.
    NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
    description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55992
    published: 2011-08-29
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/55992
    title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # The Oracle (Sun) blog referenced above explains how SunSSH versioning works.
    # If needed, each vulnerable version could be checked explicitly instead.
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL family: Misc.
    NASL id: OPENSSH_38P1.NASL
    description: According to its banner, a version of OpenSSH earlier than 3.8p1 is running on the remote host and is affected by the following issues: - There is an issue in the handling of PAM modules in such versions of OpenSSH. As a result, OpenSSH may not correctly handle aborted conversations with PAM modules. Consequently, that memory may not be scrubbed of sensitive information such as credentials, which could lead to credentials leaking into swap space and core dumps. Other vulnerabilities in PAM modules could come to light because of unpredictable behavior. - Denial of service attacks are possible when privilege separation is in use. This version of OpenSSH does not properly signal non-privileged processes after session termination when
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44074
    published: 2011-10-04
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/44074
    title: Portable OpenSSH < 3.8p1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44074);
      script_version("1.6");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2004-2069");
      script_bugtraq_id(9040, 14963);
    
      script_name(english:"Portable OpenSSH < 3.8p1 Multiple Vulnerabilities");
      script_summary(english:"Checks the version reported in the SSH banner.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "Remote attackers may be able to cause information to leak from
    aborted sessions."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its banner, a version of OpenSSH earlier than 3.8p1 is
    running on the remote host and is affected by the following issues:
    
      - There is an issue in the handling of PAM modules in 
        such versions of OpenSSH.  As a result, OpenSSH may not
        correctly handle aborted conversations with PAM modules. 
        Consequently, that memory may not be scrubbed of 
        sensitive information such as credentials, which could 
        lead to credentials leaking into swap space and core 
        dumps.  Other vulnerabilities in PAM modules could come
        to light because of unpredictable behavior.
    
      - Denial of service attacks are possible when privilege
        separation is in use. This version of OpenSSH does not
        properly signal non-privileged processes after session
        termination when 'LoginGraceTime' is exceeded. This can
        allow connections to remain open thereby allowing the 
        denial of service when resources are exhausted. 
        (CVE-2004-2069)
    
    ");
    
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to OpenSSH 3.8p1 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"see_also", value:"https://www.cl.cam.ac.uk/~mgk25/otpw.html#opensshbug");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.mindrot.org/show_bug.cgi?id=632");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e86aec66");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bbd79dfd");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2f25e5c");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    # Check the version in the backported banner.
    match = eregmatch(string:bp_banner, pattern:"openssh[-_]([0-9][-._0-9a-z]+)");
    if (isnull(match)) exit(1, "Could not parse the version string in the banner from port "+port+".");
    version = match[1];
    
    # OpenBSD does not use PAM, so this vulnerability only exists in the
    # portable version of OpenSSH.
    if (version !~ "^[0-9.]+p[0-9]+")
      exit(0, "OpenSSH version "+version+" on port "+port+" is not affected.");
    
    # Pull out numeric portion of version.
    matches = eregmatch(string:version, pattern:"^([0-9.]+)");
    if (isnull(matches))
      exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');
    
    if (ver_compare(ver:matches[0], fix:"3.8", strict:FALSE) >= 0)
      exit(0, "The Portable OpenSSH server on port "+port+" is not affected as it's version "+version+".");
    
    if (report_verbosity > 0)
    {
      report =
        '\n  Version source    : ' + banner +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 3.8p1' +
        '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    

Oval

accepted: 2013-04-29T04:14:38.280-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).
family: unix
id: oval:org.mitre.oval:def:11541
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).
version: 26

Redhat

advisories:
rhsa
id: RHSA-2005:550
rpms:
  • openssh-0:3.6.1p2-33.30.6
  • openssh-askpass-0:3.6.1p2-33.30.6
  • openssh-askpass-gnome-0:3.6.1p2-33.30.6
  • openssh-clients-0:3.6.1p2-33.30.6
  • openssh-debuginfo-0:3.6.1p2-33.30.6
  • openssh-server-0:3.6.1p2-33.30.6