Vulnerabilities > CVE-2005-2797 - Unspecified vulnerability in Openbsd Openssh 4.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
openbsd
nessus

Summary

OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.

Vulnerable Configurations

Part Description Count
Application
Openbsd
1

Nessus

  • NASL familyMisc.
    NASL idOPENSSH_42.NASL
    descriptionAccording to its banner, the version of OpenSSH installed on the remote host has the following vulnerabilities : - X11 forwarding may be enabled unintentionally when multiple forwarding requests are made on the same session, or when an X11 listener is orphaned after a session goes away. (CVE-2005-2797) - GSSAPI credentials may be delegated to users who log in using something other than GSSAPI authentication if
    last seen2020-06-01
    modified2020-06-02
    plugin id19592
    published2005-09-07
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19592
    titleOpenSSH < 4.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19592);
      script_version("1.20");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0393");
      script_bugtraq_id(14727, 14729, 19289);
    
      script_name(english:"OpenSSH < 4.2 Multiple Vulnerabilities");
      script_summary(english:"Checks for GSSAPI credential disclosure vulnerability in OpenSSH");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote SSH server has multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of OpenSSH installed on the
    remote host has the following vulnerabilities :
    
      - X11 forwarding may be enabled unintentionally when
        multiple forwarding requests are made on the same session,
        or when an X11 listener is orphaned after a session goes
        away. (CVE-2005-2797)
    
      - GSSAPI credentials may be delegated to users who
        log in using something other than GSSAPI authentication
        if 'GSSAPIDelegateCredentials' is enabled. (CVE-2005-2798)
    
      - Attempting to log in as a nonexistent user causes
        the authentication process to hang, which could
        be exploited to enumerate valid user accounts.
        Only OpenSSH on Mac OS X 10.4.x is affected.
        (CVE-2006-0393)
    
      - Repeatedly attempting to log in as a nonexistent
        user could result in a denial of service.
        Only OpenSSH on Mac OS X 10.4.x is affected.
        (CVE-2006-0393)");
      script_set_attribute(attribute:"see_also", value:"http://www.openssh.com/txt/release-4.2");
      script_set_attribute(attribute:"see_also", value:"https://lists.apple.com/archives/security-announce/2006/Aug/msg00000.html");
      script_set_attribute(attribute:"see_also",value:"https://support.apple.com/?artnum=304063");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenSSH 4.2 or later.  For OpenSSH on Mac OS X 10.4.x,
    apply Mac OS X Security Update 2006-004." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/09/07");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/09/01");
      script_set_attribute(attribute:"patch_publication_date", value: "2005/09/01");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openbsd:openssh");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh", 22);
    
      exit(0);
    }
    
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/"+port);
    
    bp_banner = tolower(get_backport_banner(banner:banner));
    if ("openssh" >!< bp_banner) exit(0, "The SSH service on port "+port+" is not OpenSSH.");
    if (backported) exit(1, "The banner from the OpenSSH server on port "+port+" indicates patches may have been backported.");
    
    if (bp_banner =~ "openssh[-_]([0-3]\.|4\.[01])")
      security_note(port);
    
  • NASL familyMisc.
    NASL idSUNSSH_PLAINTEXT_RECOVERY.NASL
    descriptionThe version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information. Note that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.
    last seen2020-06-01
    modified2020-06-02
    plugin id55992
    published2011-08-29
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/55992
    titleSunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(55992);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/31 17:27:54");
    
      script_cve_id(
        "CVE-2000-0525",
        "CVE-2000-1169",
        "CVE-2001-0361",
        "CVE-2001-0529",
        "CVE-2001-0572",
        "CVE-2001-0816",
        "CVE-2001-0872",
        "CVE-2001-1380",
        "CVE-2001-1382",
        "CVE-2001-1459",
        "CVE-2001-1507",
        "CVE-2001-1585",
        "CVE-2002-0083",
        "CVE-2002-0575",
        "CVE-2002-0639",
        "CVE-2002-0640",
        "CVE-2002-0765",
        "CVE-2003-0190",
        "CVE-2003-0386",
        "CVE-2003-0682",
        "CVE-2003-0693",
        "CVE-2003-0695",
        "CVE-2003-0786",
        "CVE-2003-0787",
        "CVE-2003-1562",
        "CVE-2004-0175",
        "CVE-2004-1653",
        "CVE-2004-2069",
        "CVE-2004-2760",
        "CVE-2005-2666",
        "CVE-2005-2797",
        "CVE-2005-2798",
        "CVE-2006-0225",
        "CVE-2006-4924",
        "CVE-2006-4925",
        "CVE-2006-5051",
        "CVE-2006-5052",
        "CVE-2006-5229",
        "CVE-2006-5794",
        "CVE-2007-2243",
        "CVE-2007-2768",
        "CVE-2007-3102",
        "CVE-2007-4752",
        "CVE-2008-1483",
        "CVE-2008-1657",
        "CVE-2008-3259",
        "CVE-2008-4109",
        "CVE-2008-5161"
      );
      script_bugtraq_id(32319);
      script_xref(name:"CERT", value:"958563");
    
      script_name(english:"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure");
      script_summary(english:"Checks SSH banner");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The SSH service running on the remote host has an information
    disclosure vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of SunSSH running on the remote host has an information
    disclosure vulnerability.  A design flaw in the SSH specification
    could allow a man-in-the-middle attacker to recover up to 32 bits of
    plaintext from an SSH-protected connection in the standard
    configuration.  An attacker could exploit this to gain access to
    sensitive information.
    
    Note that this version of SunSSH is also prone to several additional
    issues but Nessus did not test for them." );
    
      # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4984aeb9");
      # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b679208a");
      script_set_attribute(attribute:"see_also",value:"http://blogs.oracle.com/janp/entry/on_sunssh_versioning");
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to SunSSH 1.1.1 / 1.3 or later"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);
      script_set_attribute(attribute:"vuln_publication_date",value:"2008/11/17");
      script_set_attribute(attribute:"patch_publication_date",value:"2008/12/11");
      script_set_attribute(attribute:"plugin_publication_date",value:"2011/08/29");
      script_set_attribute(attribute:"plugin_type",value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_detect.nasl");
      script_require_ports("Services/ssh");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Ensure the port is open.
    port = get_service(svc:"ssh", default:22, exit_on_fail:TRUE);
    
    # Get banner for service.
    banner = get_kb_item_or_exit("SSH/banner/" + port);
    
    # Check that we're using SunSSH.
    if ('sun_ssh' >!< tolower(banner))
      exit(0, "The SSH service on port " + port + " is not SunSSH.");
    
    # Check the version in the banner.
    match = eregmatch(string:banner, pattern:"sun_ssh[-_]([0-9.]+)$", icase:TRUE);
    if (isnull(match))
      exit(1, "Could not parse the version string from the banner on port " + port + ".");
    else
      version = match[1];
    
    # the Oracle (Sun) blog above explains how the versioning works. we could
    # probably explicitly check for each vulnerable version if it came down to it
    if (
      ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||
      version == '1.2'
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + banner +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.1.1 / 1.3\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else exit(0, "The SunSSH server on port "+port+" is not affected as it's version "+version+".");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-860.NASL
    descriptionThis security update fixes CVE-2005-2797 and CVE-2005-2798 and resolves a problem with X forwarding binding only on IPv6 address on certain circumstances. As it is an upgrade to a newer upstream release there is a small change in interoperability with ssh clients older than 3.5p1 if they are configured so they insist on compression. If interoperability with such clients is required, the
    last seen2020-06-01
    modified2020-06-02
    plugin id19732
    published2005-09-17
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19732
    titleFedora Core 4 : openssh-4.2p1-fc4.1 (2005-860)

Statements

contributorTomas Hoger
lastmodified2009-11-25
organizationRed Hat
statementNot vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 2.1, 3 or 4.