Vulners
Lucene search
SSH Rate Limited Device
#TRUSTED 9f0ec90262fa7b7b6465f58974e004b67a36432ada667cd975e31621da9dfa5160b06a360e8219872a431fd4a57e41d04257e7f7011e87e06a2c4a31a89abf93c717518e0a1ae19c22f2326bce6ff1b2a1b500f56ab58cd7815c0aff5f3eca25021f1e14db6eaf9d05e1bc772b59594150a3e9e4b6503553695aec8ddb67a5c7b367a240f5cedb207d49bc6a14478274be8d582ce8077b01119d69e8379c0276fefff03eeda5ee672916b24316f8fa378c8a956856b649d6bb35f905a5eb461180904cfcaa4a4dde24b5d8f8682f4cb4eba0b6d9901aad0191e4fbf2f8b28ec6f39908c9a494ad04e5b89d93a8406282ce8faa08a6acb5ab89360ed0ccab9ff9019606937e0b5423a7e865754f79b10fc3e0af445a72b428abf72991b9be359a1fd18f7a1a0599f01be01bee7191d52d6402d6fdea441d8319c10953c8653d9ca5930dcc9ba7314e4601620e91ca6f4f37dd068d7e51b148233c9848569941eb4c28f7f1598367a95bc2afedbbc06ac740eb619f7a218818444af7e062b9adf96e09cff55d0f8b2ec13dcfde8a98304b2c4a0a89368fbe4e6c05177689c26474de7dd02cdfcf90cac9e18a5965d547a2a176ac4554a9ee7349aa3aedbdfddee3a0d5acf13c08d1b4a50cfef9282660c1e40c615541c22d715d4e19795b0c99a83baf9f3f5fb978bbf2e3517822461d734902b3b1b19b43748da22a5553f102df
#TRUST-RSA-SHA256 0d839e692871e80019c51664f89a1bdf2b2a1d59bea3c3e19a60b0a0267174950987d32cc3d9fa282e88839f13524b2a863be34ffb0940c922a2c5ae98f1d10fd898b1b29eeae002f16a0f5ab5d90905de0626b2b57a669dfe4a05889cb75c39d699bf6b2086386b81e83963dc78114765948ed912eaf51f46aa5cc2d9048f653df835f6d5da88a8e53cf101844e528b9b062aac3fc744b39f732c038e24d85df6f391f31161351dd4fa34b39de914d11e493081677bf49cb407724cc121e121a914ba3fa433f01958cd16b0ce3978dad6b1ef94029379b644d8f9710093ffb14afa2c635629aa2d869228b9142d87fd778ba76036057d8b5863a02f3e2890664db366afe41212e9d839af537041446d1a010de5495289dc8ae867b63866bd77fc4eff6ab5a1a2339179db5e8efaff7a686a9ac9beed2216cbe285f6d91ad5f203786c52c85c0a544d5a21f46b4094f4880dd86a700ca5c6eef0eb2da77443c75efcda9a2616a42b39934a401db21d1133d56d6cb91a962c721ff622f74199a68507a4f85afc116227a0433eba98bca6bc15906a3f1e52516a70be131f002789c67e92c5435224910d9396f96e7446a49d3f0083cae247b70f67e95141479ce45656fe93651bd4025b6f7d68e0b21f371ac340d45cf0aae3237469876f5c853566e1e26982b0eee93ac0d9034699a921628b78d5bc81546ac1551eb08eec66d8
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(122501);
script_version("1.35");
script_name(english:"SSH Rate Limited Device");
script_summary(english:"Attempts to login to remote device and determine if SSH connections are rate limited.");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/27");
script_set_attribute(attribute:"synopsis", value:
"The remote host is a SSH rate limited networking device that may
cause intermittent authentication failures throughout the scan.");
script_set_attribute(attribute:"description", value:
"The remote host is a device that may rate limit connections,
potentially causing intermittent authentication failures in
other plugins. Local checks will be enabled in this plugin
where possible.");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor",value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/28");
script_set_attribute(attribute:"plugin_type",value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2019-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_settings.nasl", "clrtxt_proto_settings.nasl", "ping_host.nasl");
exit(0);
}
include("datetime.inc");
include("string.inc");
include("byte_func.inc");
include("ssh_func.inc");
include("ssh_lib.inc");
include("ssh_get_info2.inc");
include("agent.inc");
include("ssh_rate_limit.inc");
include("telnet_func.inc");
include("junos.inc");
include("structured_data.inc");
var FLATLINE_TEST = !isnull(get_kb_item("flatline/TEST"));
# should not be included in agent. disable here to be sure.
if(agent())
exit(0,"This plugin is disabled on Nessus Agents.");
start_time = gettimeofday();
enable_ssh_wrappers();
if(islocalhost())
info_t = INFO_LOCAL;
else
info_t = INFO_SSH;
# Check if port(s) are open; doing manual because port scanner
# have yet to run at this point in the scan.
# Build list of ssh_ports to try, preferred port should be first in list
var ssh_ports = make_list(22);
var pref_port = get_kb_item('Secret/SSH/PreferredPort');
var srl_socket = NULL;
var srl_at_least_one_port_open = FALSE;
if (pref_port)
ssh_ports = make_list(pref_port, ssh_ports);
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:"Port list to attempt connections to : " + obj_rep(ssh_ports)
);
foreach var port (list_uniq(ssh_ports))
{
dbg::detailed_log(src:SCRIPT_NAME, lvl:2, msg:"Connecting to port "+port+".");
if (!FLATLINE_TEST)
srl_socket = open_sock_tcp(port, timeout:3);
else
srl_socket = get_kb_item('flatline/srl_socket');
if (srl_socket)
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:"Connection successfull on port "+port+". Not checking others.");
close(srl_socket);
srl_at_least_one_port_open = TRUE;
break;
}
else
{
dbg::detailed_log(src:SCRIPT_NAME, lvl:2, msg:"Unable to connect to port "+port+".");
}
}
if (!srl_at_least_one_port_open)
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:"Unable to connect to at least one port. Exiting.");
audit(AUDIT_NOT_LISTEN, 'Target', 'specified by policy for SSH','any');
}
var session = new("sshlib::session");
# disable compression
sshlib::KEX_SUPPORTED_NAME_LISTS["compression_algorithms_server_to_client"] = "none";
sshlib::KEX_SUPPORTED_NAME_LISTS["compression_algorithms_client_to_server"] = "none";
# login with placeholder value for channel. new_channel is passed by reference so it will be
# picked up later in plugin.
var channel = session.get_channel();
var login_res = sshlib::try_ssh_kb_settings_login(
session : session,
accept_none_auth : TRUE,
rate_limit : TRUE,
new_channel : channel,
force_none_auth : TRUE,
no_reuse : TRUE
);
# Only report authentication success/failure if we succeeded, otherwise ssh_get_info2.nasl will check again
# and is the authoritative source of info for non-rate-limited devices
if (login_res)
{
var reporter = new structured_data_authentication_status_information();
sshlib::report_auth_try(reporter:reporter);
delete reporter;
}
if(!login_res)
{
dbg::detailed_log(src:SCRIPT_NAME, lvl:1, msg:'Login via sshlib::try_ssh_kb_settings_login has failed.');
# Removing the auth methods detected so that the next plugins can start fresh.
var methods = get_kb_list(sshlib::SSH_LIB_KB_PREFIX + "*/supported_login_methods");
for (var key in methods)
rm_kb_item(name:key);
# Remove the failure so that plugins down the chain can verify after service detection
rm_kb_item(name:sshlib::SSH_LIB_KB_PREFIX + "try_ssh_kb_settings_login_failed");
session.close_connection();
audit(AUDIT_FN_FAIL, 'sshlib::try_ssh_kb_settings_login');
}
# determine authentication type from try_ssh_kb_settings_login
var sonicwall_none = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "sonicwall/none");
var sonicwall_password = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "sonicwall/passwordauth");
var junos_auth = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "junos/auth");
var juniper_ssr_auth = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "JuniperSSR/auth");
var omniswitch_auth = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "omniswitch/auth");
var prisma_ion_auth = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "prisma_ion/auth");
if(!sonicwall_none && !sonicwall_password && !junos_auth && !omniswitch_auth && !juniper_ssr_auth && !prisma_ion_auth)
{
session.close_connection();
exit(0,"Device is not identified as a connection limited system.");
}
# sh shell handler set in try_ssh_kb_settings_login()
var sh = channel.shell_handler;
var timediff;
# sonicwall device
if(sonicwall_password || sonicwall_none)
{
var report_no_command_sw;
report_no_command_sw = "The remote host has been identified as a SonicWall or other" + '\n' +
"networking device that may be rate limiting SSH connections." + '\n';
report_no_command_sw += "As a result there may be intermittent authentication failures" + '\n' +
"reported for this device." + '\n\n';
report_no_command_sw += "Attempts to run commands to gather more information on" + '\n' +
"the device have failed." + '\n';
# run commands on sonicwall device using sh shell handler 'raw' commands for limited shell handling functionality
# sonicwall devices only have one login mode unlike junos which has a shell mode and cli mode
var cmd_out = get_kb_item('flatline/sonic_sh_run_command');
if(empty_or_null(cmd_out))
{
cmd_out = sh.run_command(channel:channel, command:"show device", raw:TRUE, cmd_timeout_min:60, sonicwall:TRUE);
if(!check_command_output(data_buf:cmd_out))
cmd_out = sh.run_command(channel :channel,
command :"show version",
raw :TRUE,
cmd_timeout_min :60,
sonicwall :TRUE);
}
if(!check_command_output(data_buf:cmd_out))
{
# if failed to run commands exit without setting KB items - something went wrong.
# legacy library will attempt to authenticate and run commands in ssh_get_info.nasl
if(empty_or_null(cmd_out))
{
dbg::detailed_log(src:SCRIPT_NAME, lvl:1, msg:'Failed to run commands on SonicWall device: no data received after opening shell.');
}
else
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:1,
msg:'Failed to run commands on SonicWall device.',
msg_details:{"Response":{"lvl":1, "value":cmd_out}});
}
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report_no_command_sw
);
exit(0);
}
var os_name = "SonicOS";
var up_time = "unknown";
var edition = "unknown";
var os_line, model_line, match;
var uptime_line;
var sonic_router = FALSE;
# sonicwall < 6
if("Firmware Version: SonicOS" >< cmd_out)
{
set_kb_item(name:"Host/SonicOS/show_device", value:cmd_out);
write_compliance_kb_sonicwall(command:"show device", result:cmd_out);
os_line = pgrep(pattern:"^Firmware Version:", string:cmd_out);
if (os_line)
{
os_line = chomp(os_line);
match = pregmatch(pattern:"^Firmware Version: SonicOS ((Enhanced|Standard) [0-9][^ ]+)", string:os_line);
if (!isnull(match)) os_name += " " + match[1];
}
model_line = pgrep(pattern:"^Model:", string:cmd_out);
if (model_line)
{
model_line = chomp(model_line);
match = pregmatch(pattern:"^Model: (.+)", string:model_line);
if (!isnull(match)) os_name += " on a SonicWALL " + match[1];
}
# Collect time of last reboot.
if ("Up Time:" >< cmd_out)
{
foreach var line (split(cmd_out, keep:FALSE))
{
if (preg(pattern:"^Up Time: [0-9]", string:line))
{
up_time = line;
break;
}
}
}
}
# sonicwall 6 and 7
else if('firmware-version "SonicOS' >< cmd_out)
{
if ('SonicOSX' >< cmd_out) os_name = 'SonicOSX';
set_kb_item(name:"Host/SonicOS/show_version", value:cmd_out);
write_compliance_kb_sonicwall(command:"show version", result:cmd_out);
os_line = pgrep(pattern:'^firmware-version "', string:cmd_out);
if (os_line)
{
os_line = chomp(os_line);
var pattern = '^firmware-version "SonicOSX? ((Enhanced |Standard )?[0-9.]+(?:-[a-zA-Z0-9]+)?)';
match = pregmatch(pattern:pattern, string:os_line);
if (!isnull(match)) os_name += " " + match[1];
}
model_line = pgrep(pattern:'^model "', string:cmd_out);
if (model_line)
{
model_line = chomp(model_line);
match = pregmatch(pattern:'^model "(.+)"', string:model_line);
if (!isnull(match)) os_name += " on a SonicWALL " + match[1];
}
# Collect time of last reboot.
if (cmd_out && 'system-uptime "' >< cmd_out)
{
foreach line (split(cmd_out, keep:FALSE))
{
if (preg(pattern:'^system-uptime "', string:line))
{
up_time = line - 'system-uptime "' - '"';
break;
}
}
}
}
# SonicOS Router
else if ('SONiC Software Version' >< cmd_out)
{
set_kb_item(name:"Host/SonicOS/show_version", value:cmd_out);
os_line = pgrep(pattern:"^SONiC Software Version", string:cmd_out);
if (os_line)
{
os_line = chomp(os_line);
pattern = "Software\sVersion:\sSONiC\-OS\-([\d\.]+)[\s|-]?([\w]+|)";
match = pregmatch(pattern:pattern, string:os_line);
if (!isnull(match) && !isnull(match[1]))
{
if (!isnull(match[2]))
edition = str_replace(string:match[2], find:"_", replace:" ");
os_name += " " + match[1] + " " + edition;
sonic_router = TRUE;
}
}
model_line = pgrep(pattern:'^HwSKU', string:cmd_out);
if (model_line)
{
model_line = chomp(model_line);
match = pregmatch(pattern:"HwSKU:\s([\w-]+)", string:model_line);
if (!isnull(match)) os_name += " on " + match[1];
}
# Collect time of last reboot
uptime_line = pgrep(pattern:"^Uptime", string:cmd_out);
if (uptime_line)
{
uptime_line = chomp(uptime_line);
pattern = "\sup\s+([\d]+\s\w+|\d+\:\d\d)\,\s+";
match = pregmatch(pattern:pattern, string:uptime_line);
if (!empty_or_null(match) && !isnull(match[1]))
up_time = match[1];
}
}
else
{
if (!empty_or_null(cmd_out))
report_no_command_sw += '\nThe output from "show device" or "show version":\n' + cmd_out;
# report and exit that sonicwall detected but commands failed to run
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report_no_command_sw
);
exit(0);
}
# if we reach here sonicwall commands were successful
set_kb_item(name:"Host/OS/showver", value:os_name);
set_kb_item(name:"Host/OS/showver/Confidence", value:100);
set_kb_item(name:"Host/last_reboot", value:up_time);
set_kb_item(name:"Host/OS/ratelimited_sonicwall", value:TRUE);
if (sonic_router)
set_kb_item(name:"Host/OS/showver/Type", value:"router");
else
set_kb_item(name:"Host/OS/showver/Type", value:"firewall");
# set sshlib support level indicating local checks are not available
set_support_level_na();
var enable_sonicwall_compliance, report_compliance;
if (strlen(get_preference("SonicWALL SonicOS Compliance Checks[file]:Policy file #1 :")) > 0)
{
enable_sonicwall_compliance = TRUE;
# run commands for compliance checks - will be cached in KB.
# run "show tech-support-report" command first and cache in KB so
# other related commands can use that data.
# This is a very long command output so increasing timeout.
var tech_support_command = "show tech-support-report";
cmd_out = sh.run_command(channel:channel, command:tech_support_command, raw:TRUE,
cmd_timeout_min:90, inactivity_timeout_min:75, sonicwall:TRUE);
if(check_command_output(data_buf:cmd_out))
{
write_compliance_kb_sonicwall(command:tech_support_command ,result:cmd_out);
}
else cmd_out = "NA";
run_sonicwall_commands_compliance(session:session, channel:channel, tsr_result: cmd_out);
}
report = "The remote host has has been identified as a SonicWall or other" + '\n' +
"networking device that may be rate limiting SSH connections." + '\n';
report += "As a result there may be intermittent authentication failures" + '\n' +
"reported for this device." + '\n\n';
report += "Although local, credentialed checks for SonicOS are not available," + '\n';
if(enable_sonicwall_compliance) report_compliance = " and Policy Compliance plugins.";
else report_compliance = ".";
report += "Nessus has managed to run commands in support of " + '\n' +
"OS fingerprinting" + report_compliance + '\n\n';
report += 'Device information : ' + os_name + '\n';
timediff = timeofday_diff(start:start_time, end:gettimeofday());
report += '\nRuntime : ' + timediff + ' seconds\n';
# close and report
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
# Junos device
# Note: the only escalation Junos devices support is 'su'.
# Priv escalation is not supported in this plugin or the legacy ssh library.
# If we encounter an insufficient priv message, report in plugin output and debug logs.
else if(junos_auth)
{
var priv_error = FALSE;
var in_shell_mode, k, cmd, raw_cmd, kb, output, login_buf;
report = '\nThe remote host has has been identified as a Juniper Junos' +
'\ndevice that may be SSH rate limited.\n';
report += 'As a result there may be intermittent authentication failures' +
'\nreported for this device.\n';
# We need to close the session using the shell handler before we can run exec commands
# Commands run in exec mode to avoid cleaning up the command outputs
dbg::detailed_log(src:SCRIPT_NAME, lvl:3, msg:'Closing previous channel to allow exec commands to open their own.');
if (!FLATLINE_TEST && !isnull(channel))
channel.close();
var commands_ssh_get_info = make_array(
'version', 'show version detail',
'last', 'show chassis routing-engine',
'config', 'show configuration | display set',
'interface', 'show interface'
);
var cmd_results = make_array();
if(get_kb_item("Host/Juniper/JUNOS/shell"))
in_shell_mode = TRUE;
# run commands to enable local checks
foreach k (keys(commands_ssh_get_info))
{
cmd = commands_ssh_get_info[k];
raw_cmd = cmd;
kb = str_replace(string:cmd, find:" ", replace:"_");
kb = str_replace(string:kb, find:"/", replace:"");
kb = "Host/Juniper/JUNOS/Config/" + kb;
cmd += " | no-more";
cmd = junos_format_cmd(cmd: cmd, flag: in_shell_mode);
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:'Running the following command.',
msg_details:{
"Command": {"lvl":2, "value":cmd},
"In shell mode?": {"lvl":2, "value":in_shell_mode}});
output = get_kb_item('flatline/junos_sh_run_command/' + k);
if(empty_or_null(output))
output = session.run_exec_command(command:cmd);
#output may be different with FIPS mode enabled
if(k == 'version' && 'Invalid argument' >< output)
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:3,
msg:'The command failed with the following response. Retrying with local.',
msg_details:{
"Command": {"lvl":3, "value":cmd},
"Response": {"lvl":3, "value":output}});
cmd = 'show version local detail | no-more';
cmd = junos_format_cmd(cmd: cmd, flag: in_shell_mode);
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:3,
msg:'Running the following command.',
msg_details:{"Command": {"lvl":3, "value":cmd}});
output = get_kb_item('flatline/junos_sh_run_command/fips');
if(empty_or_null(output))
output = session.run_exec_command(command:cmd);
}
if("/* ACCESS-DENIED */" >< output)
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:1,
msg:'The command failed with the following response due to user privilege error.',
msg_details:{
"Command": {"lvl":1, "value":cmd},
"Response": {"lvl":1, "value":output}});
output = FALSE;
priv_error = TRUE;
}
else if(!check_command_output_junos(data_buf:output))
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:1,
msg:'The command failed with the following response.',
msg_details:{
"Command": {"lvl":1, "value":cmd},
"Response": {"lvl":1, "value":output}});
output = FALSE;
}
if(output)
{
set_kb_item(name:"Secret/"+kb, value:output);
write_compliance_kb_junos(command:raw_cmd, result:output);
}
cmd_results[k] = output;
sleep(1);
}
var version = cmd_results["version"];
var last = cmd_results["last"];
var config = cmd_results["config"];
var interface = cmd_results["interface"];
# try to retrieve the list of installed packages
if(in_shell_mode)
{
var pkginfo_cmd = "/usr/sbin/pkg_info -a";
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:'Running the following command (in shell mode).',
msg_details:{"Command": {"lvl":2, "value":pkginfo_cmd}});
var buf = session.run_exec_command(command: pkginfo_cmd);
var pkg_info_success = TRUE;
if (!buf)
{
if ("no packages installed" >< session.cmd_error)
buf = ' ';
else
{
report += 'Command \''+pkginfo_cmd+'\'failed to produce any results.';
pkg_info_success = FALSE;
}
}
if (pkg_info_success)
{
buf = str_replace(find:'\t', replace:" ", string:buf);
replace_kb_item(name:"Host/JunOS/pkg_info", value:buf);
}
}
var set_last_reboot, last_reboot_value;
var os_ver = "";
# Parse the version from the 'show version detail' output
if(!empty_or_null(version))
{
# Match "JUNOS Software Release [18.4R2-S7.4]" or "JUNOS EX Software Suite [18.4R2-S7.4]"
# or just "Junos: 21.2R3-S3.5" for models like srx1500
os_ver = pregmatch(pattern:"JUNOS\s+(?:EX\s+)?Software\s+(?:Release|Suite)\s+\[([^\]]+)\]", string:version);
if (empty_or_null(os_ver))
os_ver = pregmatch(pattern:"Junos: (\d[^\s]+)", string:version);
if (!empty_or_null(os_ver) && !isnull(os_ver[1]))
os_ver = " Version " + os_ver[1];
}
# Get time of last reboot.
if (last)
{
foreach line (split(last, keep:FALSE))
{
match = pregmatch(pattern:"Start time[ \t]+(.+)$", string:line);
if (match)
{
set_last_reboot = TRUE;
last_reboot_value = match[1];
break;
}
}
}
if (config)
{
kb = "Secret/Host/Juniper/JUNOS/config/show_configuration_|_display_set";
replace_kb_item(name:kb, value:config);
}
get_junos_mac_addrs(session:session, channel:channel, cmd_result:interface);
if(version && ("Hostname" >< version || "JUNOS" >< version))
{
set_kb_item(name:"Host/Juniper/show_ver", value:version);
set_kb_item(name:"Host/OS/ratelimited_junos", value:TRUE);
report += '\nLocal security checks have been enabled for Juniper Junos.\n';
# if local checks are enabled run commands for junos_command_kb_item in junos_kb_cmd_func.inc
dbg::detailed_log(src:SCRIPT_NAME, lvl:2, msg:"Junos local checks are enabled. Running commands used by junos_command_kb_item().");
run_junos_command_kb_item(session:session, shell:in_shell_mode);
# set sshlib service level for junos local checks
sshlib::enable_local_checks();
replace_kb_item(name:'debug/Host/local_checks_enabled_source/plugins/Misc/s/ssh_rate_limiting.nasl', value: 539);
replace_kb_item(name:"Host/OS/showver", value:"Juniper Junos" + os_ver);
replace_kb_item(name:"Host/OS/showver/Confidence", value:100);
replace_kb_item(name:"Host/OS/showver/Type", value:"embedded");
if(set_last_reboot)
{
replace_kb_item(name:"Host/last_reboot", value:last_reboot_value);
}
}
else
{
login_buf = tolower(get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "junos_prompt"));
# Making sure the device is really a Junos before disabling local checks
if (!empty_or_null(login_buf) && login_buf =~ "junos\s+\d+\.[\d\w\.]+")
{
set_support_level_na();
set_kb_item(name:"Host/OS/ratelimited_junos", value:TRUE);
set_kb_item(name:"Host/OS/ratelimited_junos_error", value:TRUE);
}
timediff = timeofday_diff(start:start_time, end:gettimeofday());
report += '\nJunos device detected, however, some commands failed to run\n' +
'so local checks are not enabled.\n';
if(priv_error)
report += '\nAuthentication successful, however, some commands' +
'\nfailed to run due to insufficient user privileges.\n';
report += '\nRuntime : ' + timediff + ' seconds\n';
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
if(priv_error)
{
report += '\nAuthentication successful and local checks enabled, however, some' +
'\ncommands failed to run due to insufficient user privileges.\n';
}
timediff = timeofday_diff(start:start_time, end:gettimeofday());
report += '\nRuntime : ' + timediff + ' seconds\n';
# close and report
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
else if (juniper_ssr_auth)
{
report =
'\nThe remote host has has been identified as a Juniper SSR' +
'\ndevice that may be SSH rate limited.\n' +
'As a result there may be intermittent authentication failures' +
'\nreported for this device.\n';
var in_PCLI = FALSE;
var logged_as_PCLI = FALSE;
if (get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "JuniperSSR/is_PCLI"))
{
in_PCLI = TRUE;
logged_as_PCLI = TRUE;
}
var kb_prefix = 'Host/JuniperSSR/';
var commands = [
{
cmd : 'show system version',
require_PCLI : TRUE,
kb : kb_prefix + 'show_system_version',
cmd_rgx : "\s*Router\s+Node\s+Version\s+(Status\s+)?Build Date\s+Package"
},
# The following cmd_rgx matches column headers 'Admin Status', 'Operational Status', 'Provisional Status', 'Redundancy Status', 'MAC Address' which may be truncated
{
cmd : 'show device-interface summary',
require_PCLI : TRUE,
kb : kb_prefix + 'show_device_interface_summary',
cmd_rgx : "\s*Admin.+Oper.+Prov.+Red.+MAC|Keyword argument 'router' is required|No device interfaces to display"
}
];
var command_successful = FALSE;
var failed_cmds = [];
var cmd_output;
for (var cmd_info of commands)
{
if (!in_PCLI && cmd_info.require_PCLI)
{
dbg::detailed_log(
lvl:2,
msg:'Could not run the command as the user is not in PCLI mode.',
msg_details:{
'Command':{lvl:2, value:cmd_info.cmd}
}
);
continue;
}
if (logged_as_PCLI && !cmd_info.require_PCLI)
{
dbg::detailed_log(
lvl:2,
msg:'Could not run the command as the non-escalated user is already in PCLI mode.',
msg_details:{
'Command':{lvl:2, value:cmd_info.cmd}
}
);
continue;
}
if (!FLATLINE_TEST)
cmd_output = sh.run_command(command:cmd_info.cmd, channel:channel, cmd_timeout_min:60, raw:TRUE);
else
cmd_output = get_kb_item('flatline/' + cmd_info.kb);
if (cmd_info.cmd_rgx && cmd_output !~ cmd_info.cmd_rgx)
{
dbg::detailed_log(
lvl:1,
msg:'The command produced unexpected results.',
msg_details:{
'Command':{lvl:1, value:cmd_info.cmd},
'Data':{lvl:3, value:cmd_output}
}
);
append_element(var:failed_cmds, value:cmd_info.cmd);
continue;
}
command_successful = TRUE;
set_kb_item(name:cmd_info.kb, value:cmd_output);
}
if (command_successful && empty(failed_cmds))
{
report += '\nLocal checks have been enabled for the Juniper SSR device.\n';
report += '\nOS Security Patch Assessment is available for Juniper SSR devices.\n';
sshlib::enable_local_checks();
replace_kb_item(name:'debug/Host/local_checks_enabled_source/plugins/Misc/s/ssh_rate_limiting.nasl', value: 683);
}
else
{
# Set support level to prevent other plugin from trying to run other commands.
sshlib::set_support_level(level:sshlib::SSH_LIB_LOCAL_CHECKS_ERROR);
set_kb_item(name:kb_prefix + 'error', value:TRUE);
report +=
'\nWe are able to identify the remote host as a Juniper SSR device, but encountered an error.'+
'\nOS Security Patch Assessment is NOT available.\n';
if (!empty(failed_cmds))
{
report += '\nThe following commands produced unexpected results:\n - ';
report += join(failed_cmds, sep:'\n - ');
report += '\n';
}
}
if (!FLATLINE_TEST && logged_as_PCLI)
sh.run_command(command:'quit', channel:channel, cmd_timeout_min:60, raw:TRUE);
else if (!FLATLINE_TEST)
{
if (in_PCLI)
sh.run_command(command:'quit', channel:channel, cmd_timeout_min:60, raw:TRUE);
sh.run_command(command:'exit', channel:channel, cmd_timeout_min:60, raw:TRUE);
}
session.close_connection();
set_kb_item(name:'Host/OS/show_system_version', value:'Juniper SSR');
set_kb_item(name:'Host/OS/show_system_version/Confidence', value:100);
set_kb_item(name:'Host/OS/show_system_version/Type', value:'router');
set_kb_item(name:"Host/OS/ratelimited_JuniperSSR", value:TRUE);
timediff = timeofday_diff(start:start_time, end:gettimeofday());
report += '\nRuntime : ' + timediff + ' seconds\n';
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
#Alcatel-Lucent OmniSwitch
else if(omniswitch_auth)
{
report = '\nThe remote host has been identified as an Alcatel-Lucent' +
'\nOmniSwitch device that may be SSH rate limited.\n';
report += 'As a result there may be intermittent authentication failures' +
'\nreported for this device.\n';
timediff = timeofday_diff(start:start_time, end:gettimeofday());
report += '\nRuntime : ' + timediff + ' seconds\n';
cmd = "show microcode";
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:2,
msg:'Running the following command.',
msg_details:{"Command": {"lvl":2, "value":cmd}});
output = get_kb_item('flatline/omniswitch_sh_run_command/show_microcode');
if(!FLATLINE_TEST && empty_or_null(output))
output = sh.run_command(command:cmd, channel:channel, cmd_timeout_min:60, raw:TRUE);
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:3,
msg:'The command returned with the following response.',
msg_details:{
"Command": {"lvl":3, "value":cmd},
"Response": {"lvl":3, "value":output}});
if(output =~ "Package\s*Release\s*Size\s*Description")
{
report += '\nLocal checks have been enabled for an Alcatel-Lucent OmniSwitch.\n';
report += '\nOS Security Patch Assessment is not supported for Alcatel-Lucent OmniSwitch devices.\n';
set_kb_item(name:"Host/AOS/show_microcode", value:output);
set_kb_item(name:"Host/OS/ratelimited_omniswitch", value:TRUE);
}
else
{
dbg::detailed_log(
src:SCRIPT_NAME,
lvl:1,
msg:'The command failed with the following error.',
msg_details:{
"Command": {"lvl":1, "value":cmd},
"Error": {"lvl":1, "value":session.cmd_error}});
report += 'However, running ' + serialize(cmd) + ' failed to produce expected results.';
}
# close and report
if(!FLATLINE_TEST)
sh.run_command(command:"exit", channel:channel, cmd_timeout_min:60, raw:TRUE);
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
else if(prisma_ion_auth)
{
report =
'\nThe remote host has has been identified as a SD-WAN Prisma ION' +
'\ndevice that may be SSH rate limited.\n' +
'As a result there may be intermittent authentication failures' +
'\nreported for this device.\n';
var dump_overview = get_kb_item(sshlib::SSH_LIB_KB_PREFIX + "prisma_ion/dump_overview");
var ion_version = pregmatch(string:dump_overview, pattern:"Software\s*:\s*([\.\d]+)(?:-b(\d+))?");
if(!empty_or_null(ion_version))
{
if(!empty_or_null(ion_version[2]))
{
set_kb_item(name:'Host/PrismaION/build', value:ion_version[2]);
}
ion_version = ion_version[1];
set_kb_item(name:'Host/PrismaION/version', value:ion_version);
}
else
ion_version = "unknown";
var ion_model = pregmatch(string:dump_overview, pattern:"Hardware Model\s*:\s+(.*)\r");
if(!empty_or_null(ion_model))
ion_model = ion_model[1];
else
ion_model = "";
var ion_id = pregmatch(string:dump_overview, pattern:"Device ID\s*:\s+(.*)\r");
if(!empty_or_null(ion_id))
ion_id = ion_id[1];
else
ion_id = "";
if(ion_version != 'unknown')
{
report += '\nLocal checks have been enabled for the Prisma ION device.\n';
sshlib::enable_local_checks();
report += '\nOS Security Patch Assessment is not available for Prisma ION devices.\n';
set_kb_item(name:'Host/OS/dump_overview', value:'Prisma ION');
set_kb_item(name:'Host/OS/dump_overview/Confidence', value:100);
set_kb_item(name:'Host/OS/dump_overview/Type', value:'sd-wan');
set_kb_item(name:"Host/OS/ratelimited_PrismaION", value:TRUE);
if(!empty_or_null(ion_model))
{
set_kb_item(name:'Host/PrismaION/model', value:ion_model);
}
if(!empty_or_null(ion_id))
{
set_kb_item(name:'Host/PrismaION/device_id', value:ion_id);
}
}
else
{
sshlib::set_support_level(level:sshlib::SSH_LIB_LOCAL_CHECKS_ERROR);
report += 'However, running \'dump overview\' failed to produce expected results.';
}
session.close_connection();
security_report_v4(
port : session.port,
severity : SECURITY_NOTE,
extra : report
);
exit(0);
}
else
{
# should not reach
session.close_connection();
exit(0,"Unable to determine if remote host is a rate limited device.");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2026 00:00Current
5.4Medium risk
Vulners AI Score5.4