Vulnerabilities > CVE-2004-2760 - Configuration vulnerability in Openbsd Openssh 3.5/3.5P1
Summary
sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
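A detection-side companion to the summary, added here and not part of the advisory. With PermitRootLogin disabled, sshd of this era logs "ROOT LOGIN REFUSED FROM <addr>" when a root authentication would otherwise have succeeded, while a wrong password produces only "Failed password for root from ...". So, independently of the connection-state oracle the summary describes, a ROOT LOGIN REFUSED line after a run of failures from one source means the attacker found the password. The sample syslog lines below are constructed, and the two message formats are assumed (they are the auth.c messages of OpenSSH 3.x, but a vendor build may differ).

```python
"""Detect root password guessing against an sshd with PermitRootLogin disabled.

Added example, not part of the advisory. The sample log lines are constructed;
the two message formats ("ROOT LOGIN REFUSED FROM <addr>" when a root
authentication succeeded but PermitRootLogin forbade it, "Failed password for
root from ..." on a wrong password) are assumed for any particular build.
"""
import re
from collections import defaultdict
from typing import Dict, Tuple

FAILED_ROOT_RE = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+")
ROOT_REFUSED_RE = re.compile(r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (\S+)")

VERDICT_GUESSED = "root password guessed; only PermitRootLogin blocked the login"
VERDICT_GUESSING = "root password guessing in progress"

# Constructed sample log: one source cycles root passwords and hits the right
# one on the fourth try (sshd logs the refusal, then the failed attempt);
# another source is an ordinary user typo that is not our concern here.
SAMPLE_LOG = """\
Apr 10 03:12:01 bastion sshd[2211]: Failed password for root from 192.0.2.77 port 40211 ssh2
Apr 10 03:12:03 bastion sshd[2211]: Failed password for root from 192.0.2.77 port 40211 ssh2
Apr 10 03:12:05 bastion sshd[2214]: Failed password for root from 192.0.2.77 port 40213 ssh2
Apr 10 03:12:07 bastion sshd[2216]: ROOT LOGIN REFUSED FROM 192.0.2.77
Apr 10 03:12:07 bastion sshd[2216]: Failed password for root from 192.0.2.77 port 40215 ssh2
Apr 10 03:15:40 bastion sshd[2290]: Failed password for alice from 198.51.100.9 port 51002 ssh2
Apr 10 03:15:44 bastion sshd[2290]: Accepted password for alice from 198.51.100.9 port 51002 ssh2
"""


def count_root_events(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Per source address: (failed root password attempts, ROOT LOGIN REFUSED lines)."""
    failed: Dict[str, int] = defaultdict(int)
    refused: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_ROOT_RE.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = ROOT_REFUSED_RE.search(line)
        if m:
            refused[m.group(1)] += 1
    return {src: (failed[src], refused[src]) for src in set(failed) | set(refused)}


def analyze(log_text: str, threshold: int = 3) -> Dict[str, str]:
    """Map each suspicious source address to a verdict.

    A ROOT LOGIN REFUSED line outranks any count: the guess that produced it
    was correct, so the root password is compromised even though no session
    was opened. The threshold for plain failures is a tuning knob.
    """
    verdicts: Dict[str, str] = {}
    for src, (n_failed, n_refused) in count_root_events(log_text).items():
        if n_refused:
            verdicts[src] = VERDICT_GUESSED
        elif n_failed >= threshold:
            verdicts[src] = VERDICT_GUESSING
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src}: {verdict}")
```

On a 3.5p1 host the refusal line is the only server-side evidence that the guess was right, because the oracle in the summary gives the attacker that answer without ever opening a session; rotate the root password when this fires, not just block the source.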
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 2
Common Weakness Enumeration (CWE)
Nessus
NASL family: Misc.
NASL id: OPENSSH_40.NASL
description: According to its banner, the remote host is running a version of OpenSSH prior to 4.0. Versions of OpenSSH earlier than 4.0 are affected by an information disclosure vulnerability because the application stores hostnames, IP addresses, and keys in plaintext in the 'known_hosts' file. A local attacker, exploiting this flaw, could gain access to sensitive information that could be used in subsequent attacks.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 44075
published: 2011-10-04
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/44075
title: OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(44075);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2005-2666", "CVE-2007-4654", "CVE-2004-2760");

  script_name(english:"OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure");
  script_summary(english:"Checks for remote SSH version");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSH server is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote host is running a version of OpenSSH
prior to 4.0. Versions of OpenSSH earlier than 4.0 are affected by an
information disclosure vulnerability because the application stores
hostnames, IP addresses, and keys in plaintext in the 'known_hosts' file.

A local attacker, exploiting this flaw, could gain access to sensitive
information that could be used in subsequent attacks.");
  script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-4.0");
  script_set_attribute(attribute:"see_also", value:"http://nms.csail.mit.edu/projects/ssh/");
  script_set_attribute(attribute:"see_also", value:"http://www.eweek.com/c/a/Security/Researchers-Reveal-Holes-in-Grid/");
  script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 4.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N");
  script_cwe_id(16, 255, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:'ssh', exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit('SSH/banner/'+port);
bp_banner = tolower(get_backport_banner(banner:banner));

if ('openssh' >!< bp_banner) exit(0, 'The SSH service on port '+port+' is not OpenSSH.');
if (backported) exit(1, 'The banner from the OpenSSH server on port '+port+' indicates patches may have been backported.');

# Check the version in the banner.
matches = eregmatch(string:bp_banner, pattern:'openssh[-_]([0-9][-._0-9a-z]+)');
if (isnull(matches)) exit(0, 'Could not parse number from version string on port ' + port + '.');
version = matches[1];

# Any 0.x-3.x release is older than the 4.0 fix.
if (version =~ '^[0-3]\\.')
{
  if (report_verbosity > 0)
  {
    report =
      '\n Version source : ' + banner +
      '\n Installed version : ' + version +
      '\n Fixed version : 4.0\n';
    security_note(port:port, extra:report);
  }
  else security_note(port);
  exit(0);
}
else exit(0, 'The OpenSSH server on port '+port+' is not affected as it\'s version '+version+'.');
```
NASL family: Misc.
NASL id: SUNSSH_PLAINTEXT_RECOVERY.NASL
description: The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 55992
published: 2011-08-29
reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/55992
title: SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(55992);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/31 17:27:54");

  script_cve_id(
    "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529",
    "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380",
    "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585",
    "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640",
    "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682",
    "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787",
    "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069",
    "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798",
    "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051",
    "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243",
    "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483",
    "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161"
  );
  script_bugtraq_id(32319);
  script_xref(name:"CERT", value:"958563");

  script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
  script_summary(english:"Checks SSH banner");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The SSH service running on the remote host has an information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of SunSSH running on the remote host has an information
disclosure vulnerability. A design flaw in the SSH specification could
allow a man-in-the-middle attacker to recover up to 32 bits of plaintext
from an SSH-protected connection in the standard configuration. An
attacker could exploit this to gain access to sensitive information.

Note that this version of SunSSH is also prone to several additional
issues but Nessus did not test for them."
  );
  # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
  # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
  script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);

  script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
  script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
  script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");

  script_set_attribute(attribute:"plugin_type",value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_detect.nasl");
  script_require_ports("Services/ssh");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Ensure the port is open.
port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/" + port);

# Check that we're using SunSSH.
if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH.");

# Check the version in the banner.
match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + ".");
else version = match[1];

# the Oracle (Sun) blog above explains how the versioning works. we could
# probably explicitly check for each vulnerable version if it came down to it
if (
  ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
  version == '1.2'
)
{
  if (report_verbosity > 0)
  {
    report =
      '\n Version source : ' + banner +
      '\n Installed version : ' + version +
      '\n Fixed version : 1.1.1 / 1.3\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
```
NASL family: Gain a shell remotely
NASL id: OPENSSH_36.NASL
description: According to its banner, the remote SSH server is running a version of OpenSSH older than 3.7.1. Such versions are vulnerable to a flaw in the buffer management functions that might allow an attacker to execute arbitrary commands on this host. An exploit for this issue is rumored to exist. Note that several distributions patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive. If you are running a RedHat host, make sure that the command `rpm -q openssh-server` returns: openssh-server-3.1p1-13 (RedHat 7.x), openssh-server-3.4p1-7 (RedHat 8.0), openssh-server-3.5p1-11 (RedHat 9).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11837
published: 2003-09-16
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11837
title: OpenSSH < 3.7.1 Multiple Vulnerabilities
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# Thanks to H D Moore for his notification.

include("compat.inc");

if (description)
{
  script_id(11837);
  script_version ("1.43");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2004-2760");
  script_bugtraq_id(8628);
  script_xref(name:"RHSA", value:"2003:279");
  script_xref(name:"SuSE", value:"SUSE-SA:2003:039");

  script_name(english:"OpenSSH < 3.7.1 Multiple Vulnerabilities");
  script_summary(english:"Checks for the remote SSH version");

  script_set_attribute(attribute:"synopsis", value:
"The remote SSH service is affected by various memory bugs." );
  script_set_attribute(attribute:"description", value:
"According to its banner, the remote SSH server is running a version of
OpenSSH older than 3.7.1.

Such versions are vulnerable to a flaw in the buffer management
functions that might allow an attacker to execute arbitrary commands on
this host.

An exploit for this issue is rumored to exist.

Note that several distributions patched this hole without changing the
version number of OpenSSH. Since Nessus solely relied on the banner of
the remote SSH server to perform this check, this might be a false
positive.

If you are running a RedHat host, make sure that the command :
          rpm -q openssh-server
returns :
          openssh-server-3.1p1-13 (RedHat 7.x)
          openssh-server-3.4p1-7  (RedHat 8.0)
          openssh-server-3.5p1-11 (RedHat 9)" );
  script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=openbsd-misc&m=106375452423794&w=2" );
  script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=openbsd-misc&m=106375456923804&w=2" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSH 3.7.1 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(16);

  script_set_attribute(attribute:"plugin_publication_date", value: "2003/09/16");
  script_set_attribute(attribute:"vuln_publication_date", value: "2003/09/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");

  if ( ! defined_func("bn_random") )
    script_dependencie("ssh_detect.nasl");
  else
    script_dependencie("ssh_detect.nasl", "ssh_get_info.nasl", "redhat-RHSA-2003-280.nasl", "redhat_fixes.nasl");

  script_require_ports("Services/ssh", 22);

  exit(0);
}

include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

# A package-level check (e.g. the Red Hat errata plugin) already settled this host.
if (get_kb_item("CVE-2003-0682")) exit(0);

# Ensure the port is open.
port = get_service(svc:"ssh", exit_on_fail:TRUE);

# Get banner for service.
banner = get_kb_item_or_exit("SSH/banner/"+port);
bp_banner = tolower(get_backport_banner(banner:banner));

if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");

# 1.x, 2.x, 3.0-3.6, and 3.7 with no third component (3.7, 3.7p1) are older than 3.7.1.
if (ereg(pattern:"openssh[-_](([12]\..*)|(3\.[0-6].*)|(3\.7[^\.]*$))[^0-9]*", string:bp_banner))
  security_hole(port);
```
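The two OpenSSH plugins above decide everything from the banner: plugin 11837 flags anything matching `openssh[-_](([12]\..*)|(3\.[0-6].*)|(3\.7[^\.]*$))`, plugin 44075 flags any version starting `[0-3].`, and both bail out when Nessus's backport heuristics see a vendor-patched banner. The following is an added example, not Tenable's code, that reproduces those two predicates in Python with a numeric comparison and shows where the banner-only approach is blind. The sample banners are constructed, and treating any text after the version token (a Debian or FreeBSD tag) as a backport hint is an assumption of this example, a crude stand-in for get_backport_banner().

```python
"""Banner-based OpenSSH version triage.

Added example (not Tenable's NASL): reproduces, in Python, the checks the
OpenSSH plugins above make from the SSH banner alone, and keeps the caveat
they print: a banner cannot show vendor backports.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Same capture as plugin 44075 uses on the lower-cased banner.
VERSION_RE = re.compile(r"openssh[-_]([0-9][-._0-9a-z]+)")

# Constructed sample banners for the demonstration; none were captured from a live host.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.5p1",                           # stock 3.5p1, no vendor tag
    "SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3",  # vendor-tagged banner
    "SSH-2.0-OpenSSH_3.7p1",                            # 3.7 without .1 -> still < 3.7.1
    "SSH-2.0-OpenSSH_3.7.1p2",                          # past 3.7.1, still < 4.0
    "SSH-2.0-OpenSSH_4.0p1",                            # clean on both checks
    "SSH-2.0-dropbear_0.45",                            # not OpenSSH at all
]


@dataclass
class Finding:
    banner: str
    version: Optional[str]        # None when the banner is not OpenSSH
    backported: bool              # vendor tag after the version token (assumed heuristic)
    older_than_3_7_1: bool        # plugin 11837's condition
    older_than_4_0: bool          # plugin 44075's condition


def parse_version(banner: str) -> Tuple[Optional[str], bool]:
    """Return (version, possibly_backported) from a raw SSH banner.

    Anything after the version token ("Debian ...", "FreeBSD-...") is a vendor
    tag; treating it as a backport hint is an assumption of this example.
    A stock Red Hat banner carries no tag, which is exactly why plugin 11837
    tells you to fall back to `rpm -q openssh-server` there.
    """
    low = banner.lower()
    m = VERSION_RE.search(low)
    if not m:
        return None, False
    trailer = low[m.end():].strip()
    return m.group(1), bool(trailer)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of an OpenSSH version: '3.7.1p2' -> (3, 7, 1).

    The portable-release suffix ('p2') is dropped: it does not change the
    upstream code level, and the plugin regexes ignore it as well.
    """
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", version).group(0)
    return tuple(int(p) for p in numeric.split("."))


def triage(banner: str) -> Finding:
    """Apply both version predicates to one banner."""
    version, backported = parse_version(banner)
    if version is None:
        return Finding(banner, None, False, False, False)
    key = version_key(version)
    # Tuple comparison reproduces the regexes: (3, 7) < (3, 7, 1) but (3, 7, 1)
    # is not, and any major of 0-3 sorts below (4, 0).
    return Finding(banner, version, backported, key < (3, 7, 1), key < (4, 0))


def triage_all(banners: List[str]) -> List[Finding]:
    return [triage(b) for b in banners]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_BANNERS):
        if f.version is None:
            print(f"{f.banner!r}: not OpenSSH, skipped")
            continue
        flags = []
        if f.older_than_3_7_1:
            flags.append("< 3.7.1 (plugin 11837)")
        if f.older_than_4_0:
            flags.append("< 4.0 (plugin 44075)")
        note = " [vendor tag: verify with the package manager]" if f.backported else ""
        print(f"{f.banner!r}: {', '.join(flags) or 'not flagged'}{note}")
```

Treat a hit from this kind of check as a lead, not a verdict: a 3.5p1 banner on Red Hat 9 is reported by both predicates whether or not the errata package named in plugin 11837 is installed, so confirm with the package manager before filing the finding.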
Statements
contributor | Joshua Bressers |
lastmodified | 2008-08-11 |
organization | Red Hat |
statement | The risks associated with fixing this bug are greater than the low severity security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 2.1 which is in maintenance mode. |
References
- http://archive.cert.uni-stuttgart.de/bugtraq/2004/04/msg00162.html
- http://securityreason.com/securityalert/4100
- http://www.securityfocus.com/archive/1/360198