Vulnerabilities > CVE-2005-2666 - Credentials Management vulnerability in Openbsd Openssh
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0257.NASL description Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 25143 published 2007-05-02 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25143 title RHEL 4 : openssh (RHSA-2007:0257) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0257. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(25143); script_version ("1.23"); script_cvs_date("Date: 2019/10/25 13:36:12"); script_cve_id("CVE-2005-2666"); script_xref(name:"RHSA", value:"2007:0257"); script_name(english:"RHEL 4 : openssh (RHSA-2007:0257)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key. (CVE-2005-2666) The following bugs have also been fixed in this update : * The ssh client could abort the running connection when the server application generated a large output at once. * When 'X11UseLocalhost' option was set to 'no' on systems with IPv6 networking enabled, the X11 forwarding socket listened only for IPv6 connections. * When the privilege separation was enabled in /etc/ssh/sshd_config, some log messages in the system log were duplicated and also had timestamps from an incorrect timezone. All users of openssh should upgrade to these updated packages, which contain backported patches to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-2666" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2007:0257" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N"); script_cwe_id(255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/23"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2007:0257"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL4", reference:"openssh-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"RHEL4", reference:"openssh-askpass-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"RHEL4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"RHEL4", reference:"openssh-clients-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"RHEL4", reference:"openssh-server-3.9p1-8.RHEL4.20")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc"); } }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0257.NASL description From Red Hat Security Advisory 2007:0257 : Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 67481 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67481 title Oracle Linux 4 : openssh (ELSA-2007-0257) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0257 and # Oracle Linux Security Advisory ELSA-2007-0257 respectively. # include("compat.inc"); if (description) { script_id(67481); script_version("1.7"); script_cvs_date("Date: 2019/10/25 13:36:06"); script_cve_id("CVE-2005-2666"); script_xref(name:"RHSA", value:"2007:0257"); script_name(english:"Oracle Linux 4 : openssh (ELSA-2007-0257)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2007:0257 : Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key. (CVE-2005-2666) The following bugs have also been fixed in this update : * The ssh client could abort the running connection when the server application generated a large output at once. * When 'X11UseLocalhost' option was set to 'no' on systems with IPv6 networking enabled, the X11 forwarding socket listened only for IPv6 connections. * When the privilege separation was enabled in /etc/ssh/sshd_config, some log messages in the system log were duplicated and also had timestamps from an incorrect timezone. All users of openssh should upgrade to these updated packages, which contain backported patches to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2007-May/000149.html" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N"); script_cwe_id(255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/23"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-askpass-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-askpass-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-clients-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-clients-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"i386", reference:"openssh-server-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"EL4", cpu:"x86_64", reference:"openssh-server-3.9p1-8.RHEL4.20")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc"); }
NASL family Misc. NASL id OPENSSH_40.NASL description According to its banner, the remote host is running a version of OpenSSH prior to 4.0. Versions of OpenSSH earlier than 4.0 are affected by an information disclosure vulnerability because the application stores hostnames, IP addresses, and keys in plaintext in the last seen 2020-06-01 modified 2020-06-02 plugin id 44075 published 2011-10-04 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44075 title OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(44075); script_version("1.8"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2005-2666", "CVE-2007-4654", "CVE-2004-2760"); script_name(english:"OpenSSH < 4.0 known_hosts Plaintext Host Information Disclosure"); script_summary(english:"Checks for remote SSH version"); script_set_attribute(attribute:"synopsis", value: "The remote SSH server is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "According to its banner, the remote host is running a version of OpenSSH prior to 4.0. Versions of OpenSSH earlier than 4.0 are affected by an information disclosure vulnerability because the application stores hostnames, IP addresses, and keys in plaintext in the 'known_hosts' file. A local attacker, exploiting this flaw, could gain access to sensitive information that could be used in subsequent attacks."); script_set_attribute(attribute:"see_also", value:"https://www.openssh.com/txt/release-4.0"); script_set_attribute(attribute:"see_also", value:"http://nms.csail.mit.edu/projects/ssh/"); script_set_attribute(attribute:"see_also", value:"http://www.eweek.com/c/a/Security/Researchers-Reveal-Holes-in-Grid/"); script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSH 4.0 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N"); script_cwe_id(16, 255, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/23"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/04"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"Misc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh", 22); exit(0); } include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:'ssh', exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit('SSH/banner/'+port); bp_banner = tolower(get_backport_banner(banner:banner)); if ('openssh' >!< bp_banner) exit(0, 'The SSH service on port '+port+' is not OpenSSH.'); if (backported) exit(1, 'The banner from the OpenSSH server on port '+port+' indicates patches may have been backported.'); # Check the version in the banner. matches = eregmatch(string:bp_banner, pattern:'openssh[-_]([0-9][-._0-9a-z]+)'); if (isnull(matches)) exit(0, 'Could not parse number from version string on port ' + port + '.'); version = matches[1]; if (version =~ '^[0-3]\\.') { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 4.0\n'; security_note(port:port, extra:report); } else security_note(port); exit(0); } else exit(0, 'The OpenSSH server on port '+port+' is not affected as it\'s version '+version+'.');
NASL family Scientific Linux Local Security Checks NASL id SL_20070501_OPENSSH_ON_SL4_X.NASL description OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user last seen 2020-06-01 modified 2020-06-02 plugin id 60168 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60168 title Scientific Linux Security Update : openssh on SL4.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60168); script_version("1.4"); script_cvs_date("Date: 2019/10/25 13:36:16"); script_cve_id("CVE-2005-2666"); script_name(english:"Scientific Linux Security Update : openssh on SL4.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key. (CVE-2005-2666)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0705&L=scientific-linux-errata&T=0&P=1565 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?de9276bc" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N"); script_cwe_id(255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL4", reference:"openssh-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"SL4", reference:"openssh-askpass-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"SL4", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"SL4", reference:"openssh-clients-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"SL4", reference:"openssh-server-3.9p1-8.RHEL4.20")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc. NASL id SUNSSH_PLAINTEXT_RECOVERY.NASL description The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them. last seen 2020-06-01 modified 2020-06-02 plugin id 55992 published 2011-08-29 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55992 title SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55992); script_version("1.17"); script_cvs_date("Date: 2018/07/31 17:27:54"); script_cve_id( "CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", "CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161" ); script_bugtraq_id(32319); script_xref(name:"CERT", value:"958563"); script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure"); script_summary(english:"Checks SSH banner"); script_set_attribute( attribute:"synopsis", value: "The SSH service running on the remote host has an information disclosure vulnerability." ); script_set_attribute( attribute:"description", value: "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them." ); # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9"); # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a"); script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning"); script_set_attribute( attribute:"solution", value:"Upgrade to SunSSH 1.1.1 / 1.3 or later" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399); script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17"); script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11"); script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29"); script_set_attribute(attribute:"plugin_type",value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("ssh_detect.nasl"); script_require_ports("Services/ssh"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Ensure the port is open. port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE); # Get banner for service. banner = get_kb_item_or_exit("SSH/banner/" + port); # Check that we're using SunSSH. if ('sun_ssh' >!< tolower(banner)) exit(0, "The SSH service on port " + port + " is not SunSSH."); # Check the version in the banner. match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE); if (isnull(match)) exit(1, "Could not parse the version string from the banner on port " + port + "."); else version = match[1]; # the Oracle (Sun) blog above explains how the versioning works. we could # probably explicitly check for each vulnerable version if it came down to it if ( ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 || version == '1.2' ) { if (report_verbosity > 0) { report = '\n Version source : ' + banner + '\n Installed version : ' + version + '\n Fixed version : 1.1.1 / 1.3\n'; security_hole(port:port, extra:report); } else security_hole(port); } else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0257.NASL description Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD last seen 2020-06-01 modified 2020-06-02 plugin id 67047 published 2013-06-29 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67047 title CentOS 4 : openssh (CESA-2007:0257) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0257 and # CentOS Errata and Security Advisory 2007:0257 respectively. # include("compat.inc"); if (description) { script_id(67047); script_version("1.6"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2005-2666"); script_xref(name:"RHSA", value:"2007:0257"); script_name(english:"CentOS 4 : openssh (CESA-2007:0257)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated openssh packages that fix a security issue and various bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. This package includes the core files necessary for both the OpenSSH client and server. OpenSSH stores hostnames, IP addresses, and keys in plaintext in the known_hosts file. A local attacker that has already compromised a user's SSH account could use this information to generate a list of additional targets that are likely to have the same password or key. (CVE-2005-2666) The following bugs have also been fixed in this update : * The ssh client could abort the running connection when the server application generated a large output at once. * When 'X11UseLocalhost' option was set to 'no' on systems with IPv6 networking enabled, the X11 forwarding socket listened only for IPv6 connections. * When the privilege separation was enabled in /etc/ssh/sshd_config, some log messages in the system log were duplicated and also had timestamps from an incorrect timezone. All users of openssh should upgrade to these updated packages, which contain backported patches to correct these issues." ); # https://lists.centos.org/pipermail/centos-announce/2007-May/013705.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cb7c8f28" ); script_set_attribute( attribute:"solution", value:"Update the affected openssh packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N"); script_cwe_id(255); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-askpass-gnome"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-clients"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openssh-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/23"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssh-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssh-askpass-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssh-askpass-gnome-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssh-clients-3.9p1-8.RHEL4.20")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"openssh-server-3.9p1-8.RHEL4.20")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openssh / openssh-askpass / openssh-askpass-gnome / openssh-clients / etc"); }
Oval
accepted | 2013-04-29T04:03:24.656-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:10201 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key. | ||||||||||||
version | 26 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Statements
contributor | Joshua Bressers |
lastmodified | 2006-09-20 |
organization | Red Hat |
statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162681 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
References
- http://nms.csail.mit.edu/projects/ssh/
- ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.11/SCOSA-2006.11.txt
- http://secunia.com/advisories/19243
- http://www.redhat.com/support/errata/RHSA-2007-0257.html
- http://secunia.com/advisories/25098
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10201
- http://www.eweek.com/article2/0%2C1759%2C1815795%2C00.asp