According to its banner, the remote host appears to be running a version of OpenSSH earlier than 2.5.2 / 2.5.2p2. It therefore reportedly contains weaknesses in its implementation of both version 1 and version 2 of the SSH protocol. These weaknesses could allow an attacker to sniff password lengths or ranges of lengths (which could make brute-force password guessing easier), determine whether RSA or DSA authentication is being used, learn the number of authorized_keys in RSA authentication, and/or learn the length of shell commands.
{"id": "OPENSSH_252.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities", "description": "According to its banner, the remote host appears to be running a version of OpenSSH earlier than 2.5.2 / 2.5.2p2. It, therefore, reportedly contains weaknesses in its implementation of the SSH protocol, both versions 1 and 2. These weaknesses could allow an attacker to sniff password lengths, and ranges of length (this could make brute-force password guessing easier), determine whether RSA or DSA authentication is being used, the number of authorized_keys in RSA authentication and/or the length of shell commands.", "published": "2011-10-04T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/nessus/44068", "reporter": "This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0572", "http://www.openssh.com/txt/release-2.5.2p2", "https://www.openwall.com/articles/SSH-Traffic-Analysis", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0361"], "cvelist": ["CVE-2001-0361", "CVE-2001-0572"], "immutableFields": [], "lastseen": "2021-08-19T12:59:49", "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "cert", "idList": ["VU:161576"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2001-0002", "CPAI-2001-0003"]}, {"type": "cve", "idList": ["CVE-2001-0361", "CVE-2001-0572"]}, {"type": "f5", "idList": ["F5:K17452", "SOL17452"]}, {"type": "nessus", "idList": ["1971.PRM", "CISCO-SA-20010627-SSHHTTP.NASL", "CISCO_SSH_MULTIPLE_VULNS.NASL", "DEBIAN_DSA-023.NASL", "DEBIAN_DSA-027.NASL", "DEBIAN_DSA-086.NASL", "MANDRAKE_MDKSA-2001-033.NASL", "SSH1_PROTO_ENABLED.NASL", "SUNSSH_PLAINTEXT_RECOVERY.NASL"]}, {"type": "openvas", "idList": 
["OPENVAS:103247", "OPENVAS:1361412562310103247", "OPENVAS:136141256231011342", "OPENVAS:1361412562310801993", "OPENVAS:53766", "OPENVAS:53786"]}, {"type": "suse", "idList": ["SUSE-SA:2001:04"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cert", "idList": ["VU:161576"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2001-0002", "CPAI-2001-0003"]}, {"type": "cve", "idList": ["CVE-2001-0361", "CVE-2001-0572"]}, {"type": "f5", "idList": ["SOL17452"]}, {"type": "nessus", "idList": ["MANDRAKE_MDKSA-2001-033.NASL", "SSH_DETECT.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103247"]}, {"type": "suse", "idList": ["SUSE-SA:2001:04"]}]}, "exploitation": null, "vulnersScore": 0.2}, "pluginID": "44068", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44068);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\");\n script_bugtraq_id(2344, 49473);\n script_xref(name:\"CERT\", value:\"596827\");\n\n script_name(english:\"OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities\");\n script_summary(english:\"Checks the version reported in the SSH banner.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Remote attackers may be able to infer information about traffic\ninside an SSH session.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its banner, the remote host appears to be running a\nversion of OpenSSH earlier than 2.5.2 / 2.5.2p2. It, therefore,\nreportedly contains weaknesses in its implementation of the SSH\nprotocol, both versions 1 and 2. 
These weaknesses could allow an\nattacker to sniff password lengths, and ranges of length (this could\nmake brute-force password guessing easier), determine whether RSA or\nDSA authentication is being used, the number of authorized_keys in RSA\nauthentication and/or the length of shell commands.\"\n );\n\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to OpenSSH 2.5.2 / 2.5.2p2 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openwall.com/articles/SSH-Traffic-Analysis\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssh.com/txt/release-2.5.2p2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openbsd:openssh\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude(\"backport.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\"+port);\n\nbp_banner = tolower(get_backport_banner(banner:banner));\nif 
(\"openssh\" >!< bp_banner) exit(0, \"The SSH service on port \"+port+\" is not OpenSSH.\");\nif (backported) exit(1, \"The banner from the OpenSSH server on port \"+port+\" indicates patches may have been backported.\");\n\n# Check the version in the backported banner.\nmatch = eregmatch(string:bp_banner, pattern:\"openssh[-_]([0-9][-._0-9a-z]+)\");\nif (isnull(match)) exit(1, \"Could not parse the version string in the banner from port \"+port+\".\");\nversion = match[1];\n\nif (version !~ \"^[0-9.]+p[0-9]+\")\n{\n # Pull out numeric portion of version of the native OpenBSD version.\n matches = eregmatch(string:version, pattern:\"^([0-9.]+)\");\n if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\n fix = \"2.5.2\";\n if (ver_compare(ver:matches[1], fix:fix, strict:FALSE) >= 0)\n exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n}\nelse\n{\n # Pull out numeric portion of version of the portable version.\n matches = eregmatch(string:version, pattern:\"^([0-9.]+)p([0-9]+)\");\n if (isnull(matches)) # this should never happen due to the previous eregmatch() call, but let's code defensively anyway\n exit(1, 'Failed to parse the version (' + version + ') of the service listening on port '+port+'.');\n\n fix = \"2.5.2p2\";\n if (\n (ver_compare(ver:matches[1], fix:\"2.5.2\", strict:FALSE) > 0) ||\n (matches[1] == \"2.5.2\" && int(matches[2]) >= 2)\n ) exit(0, \"The OpenSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n}\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "naslFamily": "Misc.", "cpe": ["cpe:/a:openbsd:openssh"], 
"solution": "Upgrade to OpenSSH 2.5.2 / 2.5.2p2 or later.", "nessusSeverity": "Medium", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "5.5"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2001-03-19T00:00:00", "vulnerabilityPublicationDate": "2001-03-19T00:00:00", "exploitableWith": [], "_state": {"dependencies": 1647589307, "score": 1659697171}}
{"nessus": [{"lastseen": "2021-08-19T13:20:43", "description": "According to its version number, the remote host is a Cisco router or switch running a vulnerable SSH daemon.\n\nBy exploiting weaknesses in the SSH protocol, it is possible to insert arbitrary commands into an established SSH session, collect information that may help in brute-force key recovery, or brute-force a session key.", "cvss3": {"score": null, "vector": null}, "published": "2002-06-05T00:00:00", "type": "nessus", "title": "Cisco Devices Multiple SSH Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361", "CVE-2001-0572"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "CISCO_SSH_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/10972", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(10972);\n script_version(\"1.29\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\");\n script_bugtraq_id(2344);\n\n script_name(english:\"Cisco Devices Multiple SSH Information Disclosure Vulnerabilities\");\n script_summary(english:\"Uses SNMP to determine if a flaw is present\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote network device is running an SSH server with multiple\nvulnerabilities.\" );\n script_set_attribute( attribute:\"description\", value:\n\"According to its version number, the remote host is a Cisco router\nor switch running a vulnerable SSH daemon.\n\nBy exploiting weaknesses in the SSH protocol, it is possible to\ninsert arbitrary commands into an established SSH session, collect\ninformation that may help in brute-force key recovery, or brute-force\na session key.\" );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2001/Mar/262\"\n );\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010627-ssh\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fb584d2f\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Apply the fix referenced in the vendor's advisory.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/06/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2001/06/27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is (C) 2002-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"snmp_sysDesc.nasl\",\n\t\t\t \"snmp_cisco_type.nasl\",\n\t\t\t \"find_service1.nasl\");\n script_require_keys(\"SNMP/community\",\n\t\t\t \"SNMP/sysDesc\",\n\t\t\t \"CISCO/model\");\n exit(0);\n}\n\n\n# The code starts here\nok=0;\nos = get_kb_item(\"SNMP/sysDesc\"); if(!os)exit(0);\nhardware = get_kb_item(\"CISCO/model\"); if(!hardware)exit(0);\n\n\n# Make sure SSH is running first...\nssh = get_kb_item(\"Services/ssh\");\nif(!ssh)ssh = 22;\n\nif(!get_port_state(ssh))exit(0);\nsoc = open_sock_tcp(ssh);\nif(!soc)exit(0);\n\n\n# Check for the required operating system...\n#----------------------------------------------------------------\n# Is this IOS ?\nif(!egrep(pattern:\".*(Internetwork Operating|IOS).*\", string:os))exit(0);\n# 12.0S\nif(egrep(string:os, pattern:\"(12\\.0\\(([0-9]|1[0-9])\\)|12\\.0)S[0-9]*,\"))ok=1;\n\n# 12.1DB\nif(egrep(string:os, 
pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)DB[0-9]*,\"))ok=1;\n\n# 12.1DC\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)DC[0-9]*,\"))ok=1;\n\n# 12.1E\nif(egrep(string:os, pattern:\"(12\\.1\\([0-8]\\)|12\\.1)E[0-9]*,\"))ok=1;\n\n# 12.1EC\nif(egrep(string:os, pattern:\"((12\\.1\\([0-6]\\)|12\\.1)EC[0-9]*|12\\.1\\(7\\)EC[0-2]),\"))ok=1;\n\n# 12.1EX\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)EX[0-9]*,\"))ok=1;\n\n# 12.1EY\nif(egrep(string:os, pattern:\"(12\\.1\\([0-5]\\)|12\\.1)EY[0-9]*,\"))ok=1;\n\n# 12.1EZ\nif(egrep(string:os, pattern:\"((12\\.1\\([0-5]\\)|12\\.1)EZ[0-9]*|12\\.1\\(6\\)EZ[0-1]),\"))ok=1;\n\n# 12.1T\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)T[0-9]*,\"))ok=1;\n\n# 12.1XA\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XA[0-9]*,\"))ok=1;\n\n# 12.1XB\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XB[0-9]*,\"))ok=1;\n\n# 12.1XC\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XC[0-9]*,\"))ok=1;\n\n# 12.1XD\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XD[0-9]*,\"))ok=1;\n\n# 12.1XE\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XE[0-9]*,\"))ok=1;\n\n# 12.1XF\nif(egrep(string:os, pattern:\"((12\\.1\\([0-1]\\)|12\\.1)XF[0-9]*|12\\.1\\(2\\)XF[0-3]),\"))ok=1;\n\n# 12.1XG\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XG[0-9]*|12\\.1\\(5\\)XG[0-4]),\"))ok=1;\n\n# 12.1XH\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XH[0-9]*,\"))ok=1;\n\n# 12.1XI\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XI[0-9]*,\"))ok=1;\n\n# 12.1XJ\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XJ[0-9]*,\"))ok=1;\n\n# 12.1XL\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XL[0-9]*,\"))ok=1;\n\n# 12.1XM\nif(egrep(string:os, pattern:\"((12\\.1\\([0-3]\\)|12\\.1)XM[0-9]*|12\\.1\\(4\\)XM[0-3]),\"))ok=1;\n\n# 12.1XP\nif(egrep(string:os, pattern:\"((12\\.1\\([0-2]\\)|12\\.1)XP[0-9]*|12\\.1\\(3\\)XP[0-3]),\"))ok=1;\n\n# 12.1XQ\nif(egrep(string:os, 
pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)XQ[0-9]*,\"))ok=1;\n\n# 12.1XR\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XR[0-9]*|12\\.1\\(5\\)XR[0-1]),\"))ok=1;\n\n# 12.1XS\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XS[0-9]*|12\\.1\\(5\\)XS[0-1]),\"))ok=1;\n\n# 12.1XT\nif(egrep(string:os, pattern:\"((12\\.1\\([0-2]\\)|12\\.1)XT[0-9]*|12\\.1\\(3\\)XT[0-2]),\"))ok=1;\n\n# 12.1XU\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XU[0-9]*|12\\.1\\(5\\)XU[0-0]),\"))ok=1;\n\n# 12.1XV\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XV[0-9]*|12\\.1\\(5\\)XV[0-2]),\"))ok=1;\n\n# 12.1XY\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)XY[0-9]*|12\\.1\\(5\\)XY[0-5]),\"))ok=1;\n\n# 12.1YA\nif(egrep(string:os, pattern:\"(12\\.1\\([0-9]*\\)|12\\.1)YA[0-9]*,\"))ok=1;\n\n# 12.1YB\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)YB[0-9]*|12\\.1\\(5\\)YB[0-3]),\"))ok=1;\n\n# 12.1YD\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)YD[0-9]*|12\\.1\\(5\\)YD[0-1]),\"))ok=1;\n\n# 12.1YF\nif(egrep(string:os, pattern:\"((12\\.1\\([0-4]\\)|12\\.1)YF[0-9]*|12\\.1\\(5\\)YF[0-1]),\"))ok=1;\n\n# 12.2\nif(egrep(string:os, pattern:\"(12\\.2\\([0-2]\\)|12\\.2),\"))ok=1;\n\n# 12.2T\nif(egrep(string:os, pattern:\"(12\\.2\\([0-2]\\)|12\\.2)T[0-9]*,\"))ok=1;\n\n# 12.2XA\nif(egrep(string:os, pattern:\"(12\\.2\\([0-1]\\)|12\\.2)XA[0-9]*,\"))ok=1;\n\n# 12.2XD\nif(egrep(string:os, pattern:\"((12\\.2\\([0-0]\\)|12\\.2)XD[0-9]*|12\\.2\\(1\\)XD[0-0]),\"))ok=1;\n\n# 12.2XE\nif(egrep(string:os, pattern:\"(12\\.2\\([0-0]\\)|12\\.2)XE[0-9]*,\"))ok=1;\n\n# 12.2XH\nif(egrep(string:os, pattern:\"(12\\.2\\([0-0]\\)|12\\.2)XH[0-9]*,\"))ok=1;\n\n# 12.2XQ\nif(egrep(string:os, pattern:\"(12\\.2\\([0-0]\\)|12\\.2)XQ[0-9]*,\"))ok=1;\n\n\n#----------------------------------------------\n\nif(ok)security_hole(port:161, proto:\"udp\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:20:46", "description": "The 
remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. \n\nThese protocols are not completely cryptographically safe so they should not be used.", "cvss3": {"score": null, "vector": null}, "published": "2002-03-06T00:00:00", "type": "nessus", "title": "SSH Protocol Version 1 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361", "CVE-2001-0572", "CVE-2001-1473"], "modified": "2020-04-27T00:00:00", "cpe": [], "id": "SSH1_PROTO_ENABLED.NASL", "href": "https://www.tenable.com/plugins/nessus/10882", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10882);\n script_version (\"1.36\");\n\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\", \"CVE-2001-1473\");\n script_bugtraq_id(2344);\n \n\n script_name(english:\"SSH Protocol Version 1 Session Key Retrieval\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service offers an insecure cryptographic protocol.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote SSH daemon supports connections made using the version 1.33\nand/or 1.5 of the SSH protocol. 
\n\nThese protocols are not completely cryptographically safe so they\nshould not be used.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Disable compatibility with version 1 of the SSH protocol.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2001-1473\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2002/03/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/02/06\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/27\");\n\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Negotiate SSH connections\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2020 Tenable Network Security, Inc.\");\n script_family(english:\"General\");\n script_dependencie(\"ssh_proto_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n exit(0);\n}\n\n\nport = get_kb_item(\"Services/ssh\");\nif(!port)port = 22;\n\nif ( get_kb_item(\"SSH/\" + port + \"/v1_supported\" ) )\n\tsecurity_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:18:59", "description": "There are several weaknesses in various implementations of the SSH (Secure Shell) protocols. 
When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions.\nThe information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su.\nVersions of OpenSSH 2.5.2 and later have been fixed to reduce the impact of these traffic analysis problems, and as such all Linux- Mandrake users are encouraged to upgrade their version of openssh immediately.\n\nUpdate :\n\nA problem was introduced with a patch applied to the OpenSSH packages released in the previous update. This problem was due to the keepalive patch included, and it broke interoperability with older versions of OpenSSH and SSH. This update removes the patch, and also provides the latest version of OpenSSH which provides a number of new features and enhancements.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-18T00:00:00", "type": "nessus", "title": "Mandrake Linux Security Advisory : openssh (MDKSA-2001:033-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:openssh", "p-cpe:/a:mandriva:linux:openssh-askpass", "p-cpe:/a:mandriva:linux:openssh-askpass-gnome", "p-cpe:/a:mandriva:linux:openssh-clients", "p-cpe:/a:mandriva:linux:openssh-server", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:7.2", "cpe:/o:mandrakesoft:mandrake_linux:8.0"], "id": "MANDRAKE_MDKSA-2001-033.NASL", "href": "https://www.tenable.com/plugins/nessus/14776", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2001:033. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14776);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2001-0572\");\n script_xref(name:\"MDKSA\", value:\"2001:033-2\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssh (MDKSA-2001:033-2)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There are several weaknesses in various implementations of the SSH\n(Secure Shell) protocols. When exploited, they let the attacker obtain\nsensitive information by passively monitoring encrypted SSH sessions.\nThe information can later be used to speed up brute-force attacks on\npasswords, including the initial login password and other passwords\nappearing in interactive SSH sessions, such as those used with su.\nVersions of OpenSSH 2.5.2 and later have been fixed to reduce the\nimpact of these traffic analysis problems, and as such all Linux-\nMandrake users are encouraged to upgrade their version of openssh\nimmediately.\n\nUpdate :\n\nA problem was introduced with a patch applied to the OpenSSH packages\nreleased in the previous update. This problem was due to the keepalive\npatch included, and it broke interoperability with older versions of\nOpenSSH and SSH. 
This update removes the patch, and also provides the\nlatest version of OpenSSH which provides a number of new features and\nenhancements.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-clients\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssh-server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif 
(!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"openssh-server-2.9p1-3.3mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.2\", cpu:\"i386\", reference:\"openssh-server-2.9p1-3.2mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-askpass-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-askpass-gnome-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"openssh-clients-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", 
reference:\"openssh-server-2.9p1-3.1mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-16T02:37:39", "description": "Four different Cisco product lines are susceptible to multiple vulnerabilities discovered in the Secure Shell (SSH) protocol version 1.5. These issues have been addressed, and fixes have been integrated into the Cisco products that support this protocol.\nBy exploiting the weakness in the SSH protocol, it is possible to insert arbitrary commands into an established SSH session, collect information that may help in brute-force key recovery, or brute force a session key.\nAffected product lines are:\nNo other Cisco products are vulnerable. It is possible to mitigate this vulnerability by preventing, or having control over, the interception of SSH traffic.\nCisco IOS is not vulnerable to any of known exploits that are currently used to compromise UNIX hosts. 
For the warning regarding increased scanning activity for hosts running SSH consult CERT/CC.", "cvss3": {"score": null, "vector": null}, "published": "2010-09-01T00:00:00", "type": "nessus", "title": "Multiple SSH Vulnerabilities - Cisco Systems", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20010627-SSHHTTP.NASL", "href": "https://www.tenable.com/plugins/nessus/48957", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n# Security advisory is (C) CISCO, Inc.\n# See https://www.cisco.com/en/US/products/products_security_advisory09186a00800b168e.shtml\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48957);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/11/15\");\n\n script_cve_id(\"CVE-2001-0572\");\n script_xref(name:\"CERT\", value:\"596827\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt55357\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt57231\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt72996\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt73353\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdt96253\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdu37371\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34668\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34676\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCdv34679\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20010627-ssh\");\n\n script_name(english:\"Multiple SSH Vulnerabilities - Cisco Systems\");\n script_summary(english:\"Checks the IOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n'Four different Cisco product lines are susceptible to 
multiple\nvulnerabilities discovered in the Secure Shell (SSH) protocol version\n1.5. These issues have been addressed, and fixes have been integrated\ninto the Cisco products that support this protocol.\nBy exploiting the weakness in the SSH protocol, it is possible to\ninsert arbitrary commands into an established SSH session, collect\ninformation that may help in brute-force key recovery, or brute force a\nsession key.\nAffected product lines are:\nNo other Cisco products are vulnerable. It is possible to mitigate this\nvulnerability by preventing, or having control over, the interception\nof SSH traffic.\nCisco IOS is not vulnerable to any of known exploits that are currently\nused to compromise UNIX hosts. For the warning regarding increased\nscanning activity for hosts running SSH consult CERT/CC.');\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openwall.com/articles/SSH-Traffic-Analysis\");\n script_set_attribute(attribute:\"see_also\", value: \"https://seclists.org/bugtraq/2001/Mar/262\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20010627-ssh\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?fb584d2f\");\n # https://www.cisco.com/en/US/products/products_security_advisory09186a00800b168e.shtml\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?2ead856a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20010627-ssh.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/06/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2010/09/01\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n\n script_dependencie(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nflag = 0;\nreport_extra = \"\";\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS/Version\");\noverride = 0;\n\n# Affected: 12.0S\nif (check_release(version: version,\n patched: make_list(\"12.0(20)S\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1DB\nif (deprecated_version(version, \"12.1DB\")) {\n report_extra = '\\nNo updates are scheduled for 12.1DB. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1DC\nif (deprecated_version(version, \"12.1DC\")) {\n report_extra = '\\nNo updates are scheduled for 12.1DC. 
Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1E\nif (check_release(version: version,\n patched: make_list(\"12.1(8a)E\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EC\nif (check_release(version: version,\n patched: make_list(\"12.1(6.5)EC3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EX\nif (deprecated_version(version, \"12.1EX\")) {\n report_extra = '\\nUpdate to 12.1(8a)E or later\\n'; flag++;\n}\n# Affected: 12.1EY\nif (check_release(version: version,\n patched: make_list(\"12.1(6)EY\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1EZ\nif (check_release(version: version,\n patched: make_list(\"12.1(6)EZ2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1T\nif (deprecated_version(version, \"12.1T\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XA\nif (deprecated_version(version, \"12.1XA\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XB\nif (deprecated_version(version, \"12.1XB\")) {\n report_extra = '\\nNo updates are scheduled for 12.1XB. Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1XC\nif (deprecated_version(version, \"12.1XC\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XD\nif (deprecated_version(version, \"12.1XD\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XE\nif (deprecated_version(version, \"12.1XE\")) {\n report_extra = '\\nNo updates are scheduled for 12.1XE. 
Upgrade to a supported version\\n'; flag++;\n}\n# Affected: 12.1XF\nif (check_release(version: version,\n patched: make_list(\"12.1(2)XF4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XG\nif (deprecated_version(version, \"12.1XG\")) {\n report_extra = '\\nUpdate to 12.1(2)XF4 or later\\n'; flag++;\n}\n# Affected: 12.1XH\nif (deprecated_version(version, \"12.1XH\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XI\nif (deprecated_version(version, \"12.1XI\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XJ\nif (deprecated_version(version, \"12.1XJ\")) {\n report_extra = '\\nUpdate to 12.1(5)YB4 or later\\n'; flag++;\n}\n# Affected: 12.1XL\nif (deprecated_version(version, \"12.1XL\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XM\nif (check_release(version: version,\n patched: make_list(\"12.1(4)XM4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XP\nif (check_release(version: version,\n patched: make_list(\"12.1(3)XP4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XQ\nif (deprecated_version(version, \"12.1XQ\")) {\n report_extra = '\\nUpdate to 12.2(1b) or later\\n'; flag++;\n}\n# Affected: 12.1XR\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XR2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XS\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XS2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XT\nif (check_release(version: version,\n patched: make_list(\"12.1(3)XT3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XU\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XU1\") 
)) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XV\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XV3\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1XY\nif (check_release(version: version,\n patched: make_list(\"12.1(5)XY6\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YA\nif (deprecated_version(version, \"12.1YA\")) {\n report_extra = '\\nUpdate to 12.2(2)XB or later\\n'; flag++;\n}\n# Affected: 12.1YB\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YB4\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YC\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YC1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YD\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YD2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.1YF\nif (check_release(version: version,\n patched: make_list(\"12.1(5)YF2\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2\nif (check_release(version: version,\n patched: make_list(\"12.2(1.1)\", \"12.2(1b)\", \"12.2(3)\"))) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2T\nif (check_release(version: version,\n patched: make_list(\"12.2(2.2)T\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XA\nif (check_release(version: version,\n patched: make_list(\"12.2(2)XA\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XD\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XD1\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# 
Affected: 12.2XE\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XE\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XH\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XH\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n# Affected: 12.2XQ\nif (check_release(version: version,\n patched: make_list(\"12.2(1)XQ\") )) {\n report_extra = '\\nUpdate to ' + patch_update + ' or later\\n'; flag++;\n}\n\nif (get_kb_item(\"Host/local_checks_enabled\"))\n{\n if (flag)\n {\n flag = 0;\n buf = cisco_command_kb_item(\"Host/Cisco/Config/show_ip_ssh\", \"show ip ssh\");\n if (check_cisco_result(buf))\n {\n if (preg(pattern:\"version\\s+1\\.5\", multiline:TRUE, string:buf)) { flag = 1; }\n } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }\n }\n}\n\nif (flag)\n{\n security_hole(port:0, extra:report_extra + cisco_caveat(override));\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T13:19:28", "description": "The remote host is using version 1.5 of the SSH protocol. This version allows a remote attacker to decrypt and/or alter traffic via an attack against PKCS#1 version 1.5, called the 'Bleichenbacher' attack. OpenSSH up to version 2.3.0, AppGate and SSH Communications Security ssh1 update to version 1.2.31 are vulnerable to this attack. 
", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}, "published": "2004-08-20T00:00:00", "type": "nessus", "title": "PKCS#1 Version 1.5 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2019-03-06T00:00:00", "cpe": [], "id": "1971.PRM", "href": "https://www.tenable.com/plugins/nnm/1971", "sourceData": "Binary data 1971.prm", "cvss": {"score": 4, "vector": "CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-08-19T13:18:38", "description": "- People at WireX have found several potential insecure uses of temporary files in programs provided by INN2.\n Some of them only lead to a vulnerability to symlink attacks if the temporary directory was set to /tmp or /var/tmp, which is the case in many installations, at least in Debian packages. An attacker could overwrite any file owned by the news system administrator, i.e.\n owned by news.news.\n - Michal Zalewski found an exploitable buffer overflow with regard to cancel messages and their verification.\n This bug did only show up if 'verifycancels' was enabled in inn.conf which is not the default and has been disrecommended by upstream.\n\n - Andi Kleen found a bug in INN2 that makes innd crash for two byte headers. There is a chance this can only be exploited with uucp.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-023-1 : inn2 - local tempfile vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:inn2", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-023.NASL", "href": "https://www.tenable.com/plugins/nessus/14860", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-023. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14860);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0361\");\n script_xref(name:\"DSA\", value:\"023\");\n\n script_name(english:\"Debian DSA-023-1 : inn2 - local tempfile vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- People at WireX have found several potential insecure\n uses of temporary files in programs provided by INN2.\n Some of them only lead to a vulnerability to symlink\n attacks if the temporary directory was set to /tmp or\n /var/tmp, which is the case in many installations, at\n least in Debian packages. An attacker could overwrite\n any file owned by the news system administrator, i.e.\n owned by news.news.\n - Michal Zalewski found an exploitable buffer overflow\n with regard to cancel messages and their verification.\n This bug did only show up if 'verifycancels' was enabled\n in inn.conf which is not the default and has been\n disrecommended by upstream.\n\n - Andi Kleen found a bug in INN2 that makes innd crash for\n two byte headers. 
There is a chance this can only be\n exploited with uucp.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-023\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the inn2 packages immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:inn2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"inn2\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"inn2-dev\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"inn2-inews\", reference:\"2.2.2.2000.01.31-4.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": 
{"score": 4, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-08-19T13:18:35", "description": "- Versions of OpenSSH prior to 2.3.0 are vulnerable to a remote arbitrary memory overwrite attack which may lead to a root exploit.\n - CORE-SDI has described a problem with regards to RSA key exchange and a Bleichenbacher attack to gather the session key from an ssh session.\n\nBoth of these issues have been corrected in our ssh package 1.2.3-9.2.\nWe recommend you upgrade your openssh package immediately.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-027-1 : OpenSSH - remote exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0144", "CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ssh", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-027.NASL", "href": "https://www.tenable.com/plugins/nessus/14864", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-027. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14864);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0144\", \"CVE-2001-0361\");\n script_bugtraq_id(2344);\n script_xref(name:\"DSA\", value:\"027\");\n\n script_name(english:\"Debian DSA-027-1 : OpenSSH - remote exploit\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"- Versions of OpenSSH prior to 2.3.0 are vulnerable to a\n remote arbitrary memory overwrite attack which may lead\n to a root exploit.\n - CORE-SDI has described a problem with regards to RSA key\n exchange and a Bleichenbacher attack to gather the\n session key from an ssh session.\n\nBoth of these issues have been corrected in our ssh package 1.2.3-9.2.\nWe recommend you upgrade your openssh package immediately.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-027\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected ssh package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/02/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"ssh\", reference:\"1.2.3-9.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-askpass-gnome\", reference:\"1.2.3-9.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:18:40", "description": "We have received reports that the 'SSH CRC-32 compensation attack detector vulnerability' is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not officially supported by the Debian project, we are taking the unusual step of releasing updated ssh-nonfree/ssh-socks packages for those users who have not yet migrated to OpenSSH. 
However, we do recommend that our users migrate to the regularly supported, DFSG-free 'ssh' package as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package available in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version 1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for use with the Debian unstable/testing distribution. Note that the new ssh-nonfree/ssh-socks packages remove the setuid bit from the ssh binary, disabling rhosts-rsa authentication. If you need this functionality, run\n\nchmod u+s /usr/bin/ssh1\n\nafter installing the new package.", "cvss3": {"score": null, "vector": null}, "published": "2004-09-29T00:00:00", "type": "nessus", "title": "Debian DSA-086-1 : ssh-nonfree - remote root exploit", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0144", "CVE-2001-0361"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ssh-nonfree", "p-cpe:/a:debian:debian_linux:ssh-socks", "cpe:/o:debian:debian_linux:2.2"], "id": "DEBIAN_DSA-086.NASL", "href": "https://www.tenable.com/plugins/nessus/14923", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-086. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14923);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2001-0144\", \"CVE-2001-0361\");\n script_xref(name:\"DSA\", value:\"086\");\n\n script_name(english:\"Debian DSA-086-1 : ssh-nonfree - remote root exploit\");\n script_summary(english:\"Checks dpkg output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"We have received reports that the 'SSH CRC-32 compensation attack\ndetector vulnerability' is being actively exploited. This is the same\ninteger type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but\nssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not\nofficially supported by the Debian project, we are taking the unusual\nstep of releasing updated ssh-nonfree/ssh-socks packages for those\nusers who have not yet migrated to OpenSSH. However, we do recommend\nthat our users migrate to the regularly supported, DFSG-free 'ssh'\npackage as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package\navailable in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version\n1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for\nuse with the Debian unstable/testing distribution. Note that the new\nssh-nonfree/ssh-socks packages remove the setuid bit from the ssh\nbinary, disabling rhosts-rsa authentication. 
If you need this\nfunctionality, run\n\nchmod u+s /usr/bin/ssh1\n\nafter installing the new package.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2001/dsa-086\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected ssh-nonfree, and ssh-socks packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-nonfree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ssh-socks\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/02/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif 
(deb_check(release:\"2.2\", prefix:\"ssh-askpass-nonfree\", reference:\"1.2.27-6.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-nonfree\", reference:\"1.2.27-6.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"ssh-socks\", reference:\"1.2.27-6.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:59:58", "description": "The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.\n\nNote that this version of SunSSH is also prone to several additional issues but Nessus did not test for them.", "cvss3": {"score": null, "vector": null}, "published": "2011-08-29T00:00:00", "type": "nessus", "title": "SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2000-0525", "CVE-2000-1169", "CVE-2001-0361", "CVE-2001-0529", "CVE-2001-0572", "CVE-2001-0816", "CVE-2001-0872", "CVE-2001-1380", "CVE-2001-1382", "CVE-2001-1459", "CVE-2001-1507", "CVE-2001-1585", "CVE-2002-0083", "CVE-2002-0575", "CVE-2002-0639", "CVE-2002-0640", "CVE-2002-0765", "CVE-2003-0190", "CVE-2003-0386", "CVE-2003-0682", "CVE-2003-0693", "CVE-2003-0695", "CVE-2003-0786", "CVE-2003-0787", "CVE-2003-1562", "CVE-2004-0175", "CVE-2004-1653", "CVE-2004-2069", "CVE-2004-2760", "CVE-2005-2666", "CVE-2005-2797", "CVE-2005-2798", "CVE-2006-0225", "CVE-2006-4924", "CVE-2006-4925", "CVE-2006-5051", "CVE-2006-5052", "CVE-2006-5229", "CVE-2006-5794", "CVE-2007-2243", "CVE-2007-2768", "CVE-2007-3102", "CVE-2007-4752", "CVE-2008-1483", 
"CVE-2008-1657", "CVE-2008-3259", "CVE-2008-4109", "CVE-2008-5161"], "modified": "2020-09-21T00:00:00", "cpe": ["cpe:/o:oracle:solaris"], "id": "SUNSSH_PLAINTEXT_RECOVERY.NASL", "href": "https://www.tenable.com/plugins/nessus/55992", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(55992);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\n \"CVE-2000-0525\",\n \"CVE-2000-1169\",\n \"CVE-2001-0361\",\n \"CVE-2001-0529\",\n \"CVE-2001-0572\",\n \"CVE-2001-0816\",\n \"CVE-2001-0872\",\n \"CVE-2001-1380\",\n \"CVE-2001-1382\",\n \"CVE-2001-1459\",\n \"CVE-2001-1507\",\n \"CVE-2001-1585\",\n \"CVE-2002-0083\",\n \"CVE-2002-0575\",\n \"CVE-2002-0639\",\n \"CVE-2002-0640\",\n \"CVE-2002-0765\",\n \"CVE-2003-0190\",\n \"CVE-2003-0386\",\n \"CVE-2003-0682\",\n \"CVE-2003-0693\",\n \"CVE-2003-0695\",\n \"CVE-2003-0786\",\n \"CVE-2003-0787\",\n \"CVE-2003-1562\",\n \"CVE-2004-0175\",\n \"CVE-2004-1653\",\n \"CVE-2004-2069\",\n \"CVE-2004-2760\",\n \"CVE-2005-2666\",\n \"CVE-2005-2797\",\n \"CVE-2005-2798\",\n \"CVE-2006-0225\",\n \"CVE-2006-4924\",\n \"CVE-2006-4925\",\n \"CVE-2006-5051\",\n \"CVE-2006-5052\",\n \"CVE-2006-5229\",\n \"CVE-2006-5794\",\n \"CVE-2007-2243\",\n \"CVE-2007-2768\",\n \"CVE-2007-3102\",\n \"CVE-2007-4752\",\n \"CVE-2008-1483\",\n \"CVE-2008-1657\",\n \"CVE-2008-3259\",\n \"CVE-2008-4109\",\n \"CVE-2008-5161\"\n );\n script_bugtraq_id(32319);\n script_xref(name:\"CERT\", value:\"958563\");\n\n script_name(english:\"SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure\");\n script_summary(english:\"Checks SSH banner\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The SSH service running on the remote host has an information\ndisclosure vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of SunSSH running on the remote host has an 
information\ndisclosure vulnerability. A design flaw in the SSH specification\ncould allow a man-in-the-middle attacker to recover up to 32 bits of\nplaintext from an SSH-protected connection in the standard\nconfiguration. An attacker could exploit this to gain access to\nsensitive information.\n\nNote that this version of SunSSH is also prone to several additional\nissues but Nessus did not test for them.\" );\n\n # http://web.archive.org/web/20090523091544/http://www.cpni.gov.uk/docs/vulnerability_advisory_ssh.txt\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?4984aeb9\");\n # http://hub.opensolaris.org/bin/view/Community+Group+security/SSH#HHistoryofSunSSH\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?b679208a\");\n script_set_attribute(attribute:\"see_also\",value:\"http://blogs.oracle.com/janp/entry/on_sunssh_versioning\");\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade to SunSSH 1.1.1 / 1.3 or later\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(16, 20, 22, 189, 200, 255, 264, 287, 310, 362, 399);\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris\");\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2008/11/17\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2008/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\",value:\"2011/08/29\");\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is 
Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\");\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\n# Ensure the port is open.\nport = get_service(svc:\"ssh\", default:22, exit_on_fail:TRUE);\n\n# Get banner for service.\nbanner = get_kb_item_or_exit(\"SSH/banner/\" + port);\n\n# Check that we're using SunSSH.\nif ('sun_ssh' >!< tolower(banner))\n exit(0, \"The SSH service on port \" + port + \" is not SunSSH.\");\n\n# Check the version in the banner.\nmatch = eregmatch(string:banner, pattern:\"sun_ssh[-_]([0-9.]+)$\", icase:TRUE);\nif (isnull(match))\n exit(1, \"Could not parse the version string from the banner on port \" + port + \".\");\nelse\n version = match[1];\n\n# the Oracle (Sun) blog above explains how the versioning works. we could\n# probably explicitly check for each vulnerable version if it came down to it\nif (\n ver_compare(ver:version, fix:'1.1.1', strict:FALSE) == -1 ||\n version == '1.2'\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.1.1 / 1.3\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, \"The SunSSH server on port \"+port+\" is not affected as it's version \"+version+\".\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-30T19:16:11", "description": "The host is running SSH and is providing / accepting one or more deprecated versions\n of the SSH protocol which have known cryptograhic flaws.", "cvss3": {}, "published": "2011-10-14T00:00:00", "type": "openvas", "title": "Deprecated SSH-1 Protocol Detection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2001-1473"], "modified": "2020-03-26T00:00:00", "id": "OPENVAS:1361412562310801993", 
"href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801993", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Deprecated SSH-1 Protocol Detection\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801993\");\n script_version(\"2020-03-26T13:48:10+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 13:48:10 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-10-14 14:22:41 +0200 (Fri, 14 Oct 2011)\");\n # nb: Few CVEs/vulns to point out the cryptographic flaws.\n script_cve_id(\"CVE-2001-0361\", \"CVE-2001-0572\", \"CVE-2001-1473\");\n script_bugtraq_id(2344);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Deprecated SSH-1 Protocol Detection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"ssh_proto_version.nasl\");\n 
script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"SSH/supportedversions/available\");\n\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/684820\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/6603\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allows remote attackers to bypass security\n restrictions and to obtain a client's public host key during a connection attempt and use it to open and\n authenticate an SSH session to another server with the same access.\");\n\n script_tag(name:\"affected\", value:\"Services providing / accepting the SSH protocol version SSH-1 (1.33 and 1.5).\");\n\n script_tag(name:\"solution\", value:\"Reconfigure the SSH service to only provide / accept the SSH protocol version SSH-2.\");\n\n script_tag(name:\"summary\", value:\"The host is running SSH and is providing / accepting one or more deprecated versions\n of the SSH protocol which have known cryptograhic flaws.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port( default:22 );\nversions = get_kb_list( \"SSH/supportedversions/\" + port );\nif( ! 
versions )\n exit( 0 );\n\nversions = sort( versions );\n\nreport = 'The service is providing / accepting the following deprecated versions of the SSH protocol which have known cryptographic flaws:\\n';\n\nforeach version( versions ) {\n\n # nb: Don't add 1.99 which is only a backward compatibility banner\n if( version == \"1.33\" || version == \"1.5\" ) {\n report += '\\n' + version;\n VULN = TRUE;\n }\n}\n\nif( VULN ) {\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-09-04T14:19:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0572"], "description": "OpenSSH is prone to a security weakness that may allow attackers to\ndowngrade the ciphersuite.\n\nSuccessfully exploiting this issue in conjunction with other latent\nvulnerabilities may allow attackers to gain access to sensitive\ninformation that may aid in further attacks.\n\nReleases prior to OpenSSH 2.9p2 are vulnerable.", "modified": "2017-08-30T00:00:00", "published": "2011-09-09T00:00:00", "id": "OPENVAS:103247", "href": "http://plugins.openvas.org/nasl.php?oid=103247", "type": "openvas", "title": "OpenSSH Ciphersuite Specification Information Disclosure Weakness", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_openssh_49473.nasl 7024 2017-08-30 11:51:43Z teissa $\n#\n# OpenSSH Ciphersuite Specification Information Disclosure Weakness\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"OpenSSH is prone to a security weakness that may allow attackers to\ndowngrade the ciphersuite.\n\nSuccessfully exploiting this issue in conjunction with other latent\nvulnerabilities may allow attackers to gain access to sensitive\ninformation that may aid in further attacks.\n\nReleases prior to OpenSSH 2.9p2 are vulnerable.\";\n\ntag_solution = \"Updates are available. Please see the references for more information.\";\n\nif (description)\n{\n script_id(103247);\n script_version(\"$Revision: 7024 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-30 13:51:43 +0200 (Wed, 30 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-09 13:52:42 +0200 (Fri, 09 Sep 2011)\");\n script_bugtraq_id(49473);\n script_cve_id(\"CVE-2001-0572\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"OpenSSH Ciphersuite Specification Information Disclosure Weakness\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/49473\");\n script_xref(name : \"URL\" , value : \"http://www.openssh.com\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/596827\");\n\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_tag(name : \"solution\" 
, value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_mandatory_keys(\"openssh/detected\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"global_settings.inc\");\n\nport = get_kb_item(\"Services/ssh\");\nif(!port) port = 22;\n\nif(!get_port_state(port))exit(0);\n\nbanner = get_kb_item(\"SSH/banner/\" + port);\nif ( ! banner ) exit(0);\n\nversion = eregmatch(pattern:\"ssh-.*openssh[_-]{1}([0-9.]+[p0-9]*)\", string: banner,icase:TRUE);\nif(isnull(version[1]))exit(0);\n\nif(version_is_less(version: version[1], test_version: \"2.9p2\")) {\n security_message(port);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0572"], "description": "OpenSSH is prone to a security weakness that may allow attackers to\n downgrade the ciphersuite.", "modified": "2019-05-22T00:00:00", "published": "2011-09-09T00:00:00", "id": "OPENVAS:1361412562310103247", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103247", "type": "openvas", "title": "OpenSSH Ciphersuite Specification Information Disclosure Weakness", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# OpenSSH Ciphersuite Specification Information Disclosure Weakness\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openbsd:openssh\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103247\");\n script_version(\"2019-05-22T07:58:25+0000\");\n script_bugtraq_id(49473);\n script_cve_id(\"CVE-2001-0572\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 07:58:25 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2011-09-09 13:52:42 +0200 (Fri, 09 Sep 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"OpenSSH Ciphersuite Specification Information Disclosure Weakness\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"gb_openssh_consolidation.nasl\");\n script_mandatory_keys(\"openssh/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/49473\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/596827\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue in conjunction with other latent\n vulnerabilities may allow attackers to gain access to sensitive information that\n may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Releases prior to OpenSSH 2.9p2 are vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"OpenSSH is prone to a security weakness that may allow attackers to\n downgrade the ciphersuite.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( isnull( port = get_app_port( cpe:CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif( version_is_less( version:vers, test_version:\"2.9p2\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.9p2\", install_path:path );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-30T16:38:10", "description": "You are running SSH protocol version 1.5.", "cvss3": {}, "published": "2005-11-03T00:00:00", "type": "openvas", "title": "PKCS 1 Version 1.5 Session Key Retrieval", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2020-03-26T00:00:00", "id": "OPENVAS:136141256231011342", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011342", "sourceData": "# OpenVAS Vulnerability Test\n# Description: PKCS 1 Version 1.5 Session Key Retrieval\n#\n# Authors:\n# Xue Yong Zhi<xueyong@udel.edu>\n#\n# Copyright:\n# Copyright (C) 2003 Xue Yong Zhi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11342\");\n script_version(\"2020-03-26T13:48:10+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 13:48:10 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(2344);\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2001-0361\");\n script_name(\"PKCS 1 Version 1.5 Session Key Retrieval\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2003 Xue Yong Zhi\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"ssh_detect.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"ssh/server_banner/available\");\n\n script_tag(name:\"solution\", value:\"A patch and a new version are available from SSH/OpenSSH.\");\n\n script_tag(name:\"summary\", value:\"You are running SSH protocol version 1.5.\");\n\n script_tag(name:\"impact\", value:\"This version allows a remote attacker to decrypt and/or\n alter traffic via an attack on PKCS#1 version 1.5 known as a Bleichenbacher attack.\");\n\n script_tag(name:\"affected\", value:\"OpenSSH up to version 2.3.0, AppGate, and SSH Communications Security\n ssh-1 up to version 1.2.31 have the vulnerability present, although it may not be exploitable due to configurations.\");\n\n exit(0);\n}\n\ninclude(\"ssh_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = ssh_get_port(default:22);\nbanner = 
ssh_get_serverbanner(port:port);\nif(!banner)\n exit(0);\n\n#Looking for SSH product version number from 1.0 to 1.2.31\nif(ereg(string:banner, pattern:\"SSH-.*-1\\.([01]|[01]\\..*|2\\.([0-9]|1[0-9]|2[0-9]|3[01]))[^0-9]*$\", icase:TRUE))\n security_message(port:port);\nelse {\n if(ereg(pattern:\".*openssh[-_](1|2\\.([0-2]\\.|3\\.0)).*\",string:banner, icase:TRUE))\n security_message(port:port);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2017-07-24T12:49:48", "description": "The remote host is missing an update to inn2\nannounced via advisory DSA 023-1.", "cvss3": {}, "published": "2008-01-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 023-1 (inn2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:53786", "href": "http://plugins.openvas.org/nasl.php?oid=53786", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_023_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 023-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"1. People at WireX have found several potential insecure uses of\ntemporary files in programs provided by INN2. Some of them only\nlead to a vulnerability to symlink attacks if the temporary\ndirectory was set to /tmp or /var/tmp, which is the case in many\ninstallations, at least in Debian packages. An attacker could\noverwrite any file owned by the news system administrator,\ni.e. owned by news.news.\n\n2. Michal Zalewski found an exploitable buffer overflow with regard\nto cancel messages and their verification. This bug did only show\nup if 'verifycancels' was enabled in inn.conf which is not the\ndefault and has been disrecommended by upstream.\n\n3. Andi Kleen found a bug in INN2 that makes innd crash for two byte\nheaders. There is a chance this can only be exploited with uucp.\n\nWe recommend you upgrade your inn2 packages immediately.\";\ntag_summary = \"The remote host is missing an update to inn2\nannounced via advisory DSA 023-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20023-1\";\n\nif(description)\n{\n script_id(53786);\n script_cve_id(\"CVE-2001-0361\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 023-1 (inn2)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"inn2-dev\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"inn2-inews\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"inn2\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"task-news-server\", ver:\"2.2.2.2000.01.31-4.1\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:50:02", "description": "The remote host is missing an update to ssh-nonfree, ssh-socks\nannounced via advisory DSA 086-1.", "cvss3": {}, "published": "2008-01-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 086-1 (ssh-nonfree, ssh-socks)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:53766", "href": "http://plugins.openvas.org/nasl.php?oid=53766", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_086_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 086-1\n#\n# Authors:\n# Thomas Reinke 
<reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"We have received reports that the SSH CRC-32 compensation attack\ndetector vulnerability is being actively exploited. This is the same\ninteger type error previously corrected for OpenSSH in DSA-027-1.\nOpenSSH (the Debian ssh package) was fixed at that time, but\nssh-nonfree and ssh-socks were not.\n\nThough packages in the non-free section of the archive are not\nofficially supported by the Debian project, we are taking the unusual\nstep of releasing updated ssh-nonfree/ssh-socks packages for those\nusers who have not yet migrated to OpenSSH. However, we do recommend\nthat our users migrate to the regularly supported, DFSG-free ssh\npackage as soon as possible. ssh 1.2.3-9.3 is the OpenSSH package\navailable in Debian 2.2r4.\n\nThe fixed ssh-nonfree/ssh-socks packages are available in version\n1.2.27-6.2 for use with Debian 2.2 (potato) and version 1.2.27-8 for\nuse with the Debian unstable/testing distribution. Note that the new\nssh-nonfree/ssh-socks packages remove the setuid bit from the ssh\nbinary, disabling rhosts-rsa authentication. 
If you need this\nfunctionality, run\nchmod u+s /usr/bin/ssh1\nafter installing the new package.\";\ntag_summary = \"The remote host is missing an update to ssh-nonfree, ssh-socks\nannounced via advisory DSA 086-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20086-1\";\n\nif(description)\n{\n script_id(53766);\n script_cve_id(\"CVE-2001-0361\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 14:24:38 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 086-1 (ssh-nonfree, ssh-socks)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ssh-askpass-nonfree\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-nonfree\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-socks\", ver:\"1.2.27-6.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not 
vulnerable.\n}\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2017-06-08T00:16:13", "description": "\nF5 Product Development has assigned ID 552898 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | \nNone \n| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| \n \nNone \n \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP DNS \n| None | 12.0.0 \n| Not vulnerable \n| None \n \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 \n| Not vulnerable \n| None \n \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| Not vulnerable \n| None \n \nARX | None | 6.0.0 - 6.4.0 \n| Not vulnerable 
\n| None \n \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n| Not vulnerable \n| None \n \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable \n| None \n \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ Device | None | 4.2.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ Security | None | 4.0.0 - 4.5.0 \n| Not vulnerable \n| None \n \nBIG-IQ ADC | None | 4.5.0 \n| Not vulnerable \n| None \n \nLineRate | None | 2.5.0 - 2.6.1 \n| Not vulnerable \n| None \n \nF5 WebSafe | None | 1.0.0 \n| Not vulnerable \n| None \n \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable \n| None \n\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {}, "published": "2015-10-17T01:17:00", "type": "f5", "title": "OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "modified": "2016-01-09T02:32:00", "id": "F5:K17452", "href": "https://support.f5.com/csp/article/K17452", "cvss": 
{"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:22", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {}, "published": "2015-10-16T00:00:00", "type": "f5", "title": "SOL17452 - OpenSSH vulnerabilities CVE-2001-0361, CVE-2001-0572, CVE-2004-2069, CVE-2006-0225, and CVE-2006-0883", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0572", "CVE-2001-0361", "CVE-2006-0225", "CVE-2006-0883", "CVE-2004-2069"], "modified": "2015-10-16T00:00:00", "id": "SOL17452", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17452.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2022-03-23T12:29:49", "description": "The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.", 
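The CVE-2001-0572 text above says a sniffer learns "password lengths or ranges of lengths". The reason is the SSH-1 framing: the 4-byte packet length is sent in the clear, and padding only rounds the rest of the packet up to a multiple of 8, so the observable size narrows the password length to a bucket of at most eight values (the same information is visible from TCP segment sizes even where the length field is encrypted). The Python below is an added illustration, not code from the advisory or from OpenSSH; it models the SSH-1 packet layout as the protocol documents it (length field, 1..8 bytes of padding, 1-byte type, payload, 4-byte CRC32) with SSH_CMSG_AUTH_PASSWORD carrying the password as one length-prefixed string, and inverts it the way a sniffer would. The 64-byte `pad_to` in the countermeasure is an illustrative choice, not the value any particular release adopted.

```python
from typing import Dict, Optional, Tuple

# SSH-1 binary packet layout (assumed from the protocol description, see lead-in).
LENGTH_FIELD = 4   # uint32 "length", transmitted unencrypted
TYPE_BYTE = 1      # packet type, e.g. SSH_CMSG_AUTH_PASSWORD
CRC_BYTES = 4      # CRC32 over type + payload
STRING_HEADER = 4  # SSH-1 strings are uint32 length followed by the bytes


def ssh1_wire_size(payload_len: int) -> int:
    """Total bytes on the wire for one SSH-1 packet with payload_len payload bytes."""
    length = TYPE_BYTE + payload_len + CRC_BYTES   # value of the cleartext length field
    padding = 8 - (length % 8)                     # 1..8 bytes, so length + padding is a multiple of 8
    return LENGTH_FIELD + padding + length


def auth_password_wire_size(password_len: int, pad_to: int = 0) -> int:
    """Wire size of SSH_CMSG_AUTH_PASSWORD for a password of password_len bytes.

    pad_to > 0 models a client that pads every password string up to a fixed
    size before sending, so that all passwords up to pad_to bytes look alike."""
    field_len = max(password_len, pad_to)
    return ssh1_wire_size(STRING_HEADER + field_len)


def password_len_range(wire_size: int, pad_to: int = 0, max_len: int = 256) -> Optional[Tuple[int, int]]:
    """What the sniffer learns: every password length that yields this wire size."""
    hits = [n for n in range(max_len + 1) if auth_password_wire_size(n, pad_to) == wire_size]
    return (hits[0], hits[-1]) if hits else None


def length_buckets(max_len: int = 32, pad_to: int = 0) -> Dict[int, Tuple[int, int]]:
    """Map each observable wire size to the (shortest, longest) password producing it."""
    buckets: Dict[int, Tuple[int, int]] = {}
    for n in range(max_len + 1):
        size = auth_password_wire_size(n, pad_to)
        lo, hi = buckets.get(size, (n, n))
        buckets[size] = (min(lo, n), max(hi, n))
    return buckets


if __name__ == "__main__":
    print("unpadded client:", length_buckets(32))        # 5 buckets of <= 8 lengths each
    print("padded to 64   :", length_buckets(32, 64))    # one bucket, nothing to distinguish
    print("wire size 28   :", password_len_range(28))    # (7, 14)
```

The unpadded table shows why the CVE counts this as a brute-force aid: an attacker who sees a 28-byte authentication packet can drop every candidate password outside 7..14 characters. A shell command sent as a string in an SSH-1 packet leaks its length the same way, which is the "lengths of shell commands" item in the CVE text.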
"cvss3": {}, "published": "2001-08-22T04:00:00", "type": "cve", "title": "CVE-2001-0572", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0572"], "modified": "2008-09-05T20:24:00", "cpe": ["cpe:/a:ssh:ssh:1.2.27", "cpe:/a:ssh:ssh:1.2.24", "cpe:/a:ssh:ssh:1.2.30", "cpe:/a:ssh:ssh:1.2.31", "cpe:/a:ssh:ssh:1.2.28", "cpe:/a:openbsd:openssh:4.5", "cpe:/a:ssh:ssh:1.2.25", "cpe:/a:ssh:ssh:1.2.29", "cpe:/a:ssh:ssh:1.2.26"], "id": "CVE-2001-0572", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0572", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ssh:ssh:1.2.29:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.26:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.28:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.25:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.24:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.30:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.31:*:*:*:*:*:*:*", "cpe:2.3:a:ssh:ssh:1.2.27:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:26:16", "description": "Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a \"Bleichenbacher attack\" on PKCS#1 version 1.5.", "cvss3": {}, "published": "2001-06-27T04:00:00", "type": "cve", "title": "CVE-2001-0361", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2018-05-03T01:29:00", "cpe": ["cpe:/a:ssh:ssh:1.2.31", "cpe:/a:openbsd:openssh:2.1.1", "cpe:/a:openbsd:openssh:1.2.3", "cpe:/a:openbsd:openssh:2.1"], "id": "CVE-2001-0361", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0361", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ssh:ssh:1.2.31:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:openbsd:openssh:1.2.3:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:47:20", "description": "", "cvss3": {}, "published": "2005-02-01T00:00:00", "type": "checkpoint_advisories", "title": "SSH over Non Standard Ports (CVE-2001-0361)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2019-04-01T00:00:00", "id": "CPAI-2001-0002", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-17T12:47:27", "description": "", "cvss3": {}, "published": "2005-02-01T00:00:00", "type": "checkpoint_advisories", 
"title": "SSH Older Versions Control (CVE-2001-0361)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2013-01-01T00:00:00", "id": "CPAI-2001-0003", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}], "cert": [{"lastseen": "2021-09-28T17:53:59", "description": "### Overview\n\nAn implementation problem in at least one Secure Shell (SSH) product and a weakness in the PKCS#1_1.5 public key encryption standard allows attackers to recover plaintext of messages encrypted with SSH.\n\n### Description\n\nA weakness in some SSH products using the SSH1 protocol may allow an attacker to determine internal cryptologic states. Combined with a weakness in the PKCS#1_1.5 public key encryption standard, used by SSH protocol 1.5, this vulnerability may be exploited to recover arbitrary session keys used for symmetric encryption in SSH connections. It has been reported that these vulnerabilities are relatively difficult to exploit. \n \n--- \n \n### Impact\n\nAn attacker may recover an SSH connection's session key and decrypt all communications from the connection. \n \n--- \n \n### Solution\n\n**Apply a patch available from your vendor**\n\nThis vulnerability was first reported and patched in early 2001. \n \n--- \n \n**Reduce potential exposure** \n \nDisable all variants of SSH protocols 1.5 and older on the server. 
\n \n--- \n \n### Vendor Information\n\n### OpenSSH: Affected\n\nNotified: December 09, 2001 Updated: June 07, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMarkus Friedl of OpenSSH writes:\n\n\"OpenSSH-2.2.0 and later fix this problem by imposing a limit to the numbers of allowed connections. Versions earlier than 2.3.0 should not be used, because they suffer the CRC32 bug. \n \n\"Later versions of OpenSSH (2.5.* and later) add additional countermeasures (like not calling fatal() on RSA operation failures and adding random cookies for each new generated server key, see the source for details).\"\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23161576 Feedback>).\n\n### SSH Communications Security: Unknown\n\nNotified: December 09, 2001 Updated: June 12, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nTatu Ylonen of SSH Communications Security writes:\n\n\"SSH1 has been officially deprecated for some time now. I strongly urge all users to switch to the latest SSH Secure Shell (or generally to the version 2 of the Secure Shell protocol). The version 1.x protocol suffers from many security problems. \n \n\"I do, however, have reason to believe that the issue reported here may be a fluke. There was discussion about the Bleichenbacher attack against SSH1 some years ago (after the attack became public), and the general conclusion at that time was that it didn't affect Secure Shell. The session key in SSH1 is encrypted TWICE, once by the server key, and once by the host key. To decrypt the session key, one would need to be able to determine BOTH the server key and the host key. I am not aware of a variant of the Bleichenbacher attack that would do this.... \n \n\"As a fix, I would add upgrading to the latest version (ssh-3.1.2, or ssh-1.2.33 if one insists on using the deprecated 1.x protocol).\"\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23161576 Feedback>).\n\n### References\n\n * <http://www.securityfocus.com/bid/2344>\n * <http://securityportal.com/articles/magicnumbers20010227.html>\n\n### Acknowledgements\n\nThanks to CORE SDI for reporting this vulnerability and to Markus Friedl and Tatu Ylonen for their helpful clarifications.\n\nThis document was written by Shawn Van Ittersum.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0361](<http://web.nvd.nist.gov/vuln/detail/CVE-2001-0361>) \n---|--- \n**Severity Metric:** | 6.48 \n**Date Public:** | 2001-02-13 \n**Date First Published:** | 2002-07-31 \n**Date Last Updated:** | 2002-07-31 23:01 UTC \n**Document Revision:** | 20 \n", "cvss3": {}, "published": "2002-07-31T00:00:00", "type": "cert", "title": "Certain implementations of SSH1 may reveal internal cryptologic state", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": 
"PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0361"], "modified": "2002-07-31T23:01:00", "id": "VU:161576", "href": "https://www.kb.cert.org/vuls/id/161576", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}], "suse": [{"lastseen": "2016-04-13T01:13:24", "description": "SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that work around three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by Ariel Waissbein and Agustin Azubel, CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied by Iv\u00e1n Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called \"crc32 compensation attack\", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentially results in a remote root compromise. There are two easy remedies: a) switch to openssh (please use the openssh packages on ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible with the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.", "cvss3": {}, "published": "2000-02-16T18:00:00", "type": "suse", "title": "possible remote root compromise in ssh", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2001-0361"], "modified": "2000-02-16T18:00:00", "id": "SUSE-SA:2001:04", "href": "http://lists.opensuse.org/opensuse-security-announce/2001-02/msg00004.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}