Unpassworded root Account (SSH). Remote unauthorized access risk
Reporter | Title | Published | Views | Family All 199 |
---|---|---|---|---|
![]() | Unpassworded (Blank Password) 'root' Account (Telnet) | 24 May 201900:00 | – | openvas |
![]() | Pirelli AGE mB Router Default Password (Telnet) | 3 Nov 200500:00 | – | openvas |
![]() | Cisco Device Default Password (SSH) | 4 Nov 200700:00 | – | openvas |
![]() | AirConnect Default Password (HTTP) | 3 Nov 200500:00 | – | openvas |
![]() | Bay Networks Accelar 1200 Switch Default Credentials (Telnet) | 3 Nov 200500:00 | – | openvas |
![]() | Enhydra Multiserver Default Password (HTTP) | 3 Nov 200500:00 | – | openvas |
![]() | Sun JavaServer Default Admin Password (HTTP) | 3 Nov 200500:00 | – | openvas |
![]() | Cisco Default Telnet Login | 11 Oct 201300:00 | – | openvas |
![]() | Shiva LanRover Blank Password (Telnet) | 3 Nov 200500:00 | – | openvas |
![]() | Apache Tomcat Default Account (HTTP) | 3 Nov 200500:00 | – | openvas |
Source | Link |
---|---|
github | www.github.com/koharin/CVE |
talosintelligence | www.talosintelligence.com/vulnerability_reports/TALOS-2019-0782 |
alpinelinux | www.alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html |
# SPDX-FileCopyrightText: 2019 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.108587");
script_version("2024-12-17T05:05:41+0000");
# nb:
# - Unlike other VTs we're using the CVEs line by line here for easier addition of new CVEs / to
# avoid too large diffs when adding a new CVE.
# - The 1999 CVEs are a few generic ones for e.g. Unix accounts or accounts on network devices
# having e.g. guessable (a blank password is also guessable), blank or similar passwords.
# - CVE-2018-0035 is SSH specific and hasn't been added to the related Telnet VT / counterpart
script_cve_id("CVE-1999-0501",
"CVE-1999-0502",
"CVE-1999-0507",
"CVE-1999-0508",
"CVE-2018-0035",
"CVE-2019-5021",
"CVE-2020-29389",
"CVE-2020-29564",
"CVE-2020-29575",
"CVE-2020-29576",
"CVE-2020-29577",
"CVE-2020-29578",
"CVE-2020-29579",
"CVE-2020-29580",
"CVE-2020-29581",
"CVE-2020-29589",
"CVE-2020-29591",
"CVE-2020-29601",
"CVE-2020-29602",
"CVE-2020-35184",
"CVE-2020-35185",
"CVE-2020-35186",
"CVE-2020-35187",
"CVE-2020-35188",
"CVE-2020-35189",
"CVE-2020-35190",
"CVE-2020-35191",
"CVE-2020-35192",
"CVE-2020-35193",
"CVE-2020-35194",
"CVE-2020-35195",
"CVE-2020-35196",
"CVE-2020-35197",
"CVE-2020-35462",
"CVE-2020-35463",
"CVE-2020-35464",
"CVE-2020-35465",
"CVE-2020-35466",
"CVE-2020-35467",
"CVE-2020-35468",
"CVE-2020-35469"
);
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"last_modification", value:"2024-12-17 05:05:41 +0000 (Tue, 17 Dec 2024)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2022-06-13 18:45:00 +0000 (Mon, 13 Jun 2022)");
script_tag(name:"creation_date", value:"2019-05-24 12:35:09 +0000 (Fri, 24 May 2019)");
script_name("Unpassworded (Blank Password) 'root' Account (SSH)");
script_category(ACT_ATTACK);
script_family("Default Accounts");
script_copyright("Copyright (C) 2019 Greenbone AG");
script_dependencies("ssh_detect.nasl", "os_detection.nasl",
"gb_default_credentials_options.nasl");
script_require_ports("Services/ssh", 22);
script_require_keys("Host/runs_unixoide");
script_mandatory_keys("ssh/server_banner/available");
script_exclude_keys("default_credentials/disable_default_account_checks");
script_xref(name:"URL", value:"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0782");
script_xref(name:"URL", value:"https://alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html");
script_xref(name:"URL", value:"https://github.com/koharin/CVE");
script_tag(name:"summary", value:"The remote host has set no password for the 'root' account.");
script_tag(name:"impact", value:"This issue may be exploited by a remote attacker to gain access
to sensitive information or modify system configuration.");
script_tag(name:"vuldetect", value:"Try to login with a 'root' username and without a password via
SSH.");
script_tag(name:"insight", value:"It was possible to login via SSH with the 'root' username and
without passing a password.");
script_tag(name:"affected", value:"The following official docker images are known to be affected:
- Alpine Linux since version 3.3
- haproxy before version 1.8.18-alpine
- rabbitmq before version 3.7.13-beta.1-management-alpine
- memcached before version 1.5.11-alpine
- influxdb before version 1.7.3-meta-alpine
- vault before version 0.11.6
- drupal before version 8.5.10-fpm-alpine
- plone before version of 4.3.18-alpine
- kong before version 1.0.2-alpine
- chronograf before version 1.7.7-alpine
- telegraf before version 1.9.4-alpine
- ghost before version 2.16.1-alpine
- adminer before version 4.7.0-fastcgi
- composer before version 1.8.3
- sonarqube
- irssi before version 1.1-alpine
- notary before version signer-0.6.1-1
- spiped before version 1.5-alpine
- Express Gateway before version 1.14.0
- storm before version 1.2.1
- piwik
- znc before version 1.7.1-slim
- elixir before version 1.8.0-alpine
- eggdrop before version 1.8.4rc2
- Consul versions 0.7.1 through 1.4.2
- Crux Linux versions 3.0 through 3.4
- Software AG Terracotta Server OSS version 5.4.1
- Appbase streams version 2.1.2
- Docker Docs versions through 2020-12-14
- Blackfire versions through 2020-12-14
- FullArmor HAPI File Share Mount versions through 2020-12-14
- Weave Cloud Agent version 1.3.0
- Instana Dynamic APM version 1.0.0
- CoScale agent version 3.16.0
- registry versions through 2.7.0
- kapacitor versions through 1.5.0-alpine
In addition the following devices are / software is known to be affected as well:
CVE-2018-0035: Juniper Junos OS QFX5200 and QFX10002 devices
Other products / devices / images might be affected as well.");
script_tag(name:"solution", value:"- Set a password for the 'root' account
- For the Alpine Linux Docker image update to one of the following image releases:
edge (20190228 snapshot), v3.9.2, v3.8.4, v3.7.3, v3.6.5
- For other products / devices / images either see the 'affected' tag for fixed releases or
contact the vendor for more information");
script_tag(name:"solution_type", value:"Workaround");
script_tag(name:"qod_type", value:"exploit");
exit(0);
}
if(get_kb_item("default_credentials/disable_default_account_checks"))
exit(0);
include("host_details.inc");
include("os_func.inc");
include("ssh_func.inc");
include("misc_func.inc");
include("port_service_func.inc");
port = ssh_get_port( default:22 );
if( ssh_dont_try_login( port:port ) )
exit( 0 );
# nb: No need to continue/start if we haven't received any banner...
if( ! ssh_get_serverbanner( port:port ) )
exit( 0 );
if( ! soc = open_sock_tcp( port ) )
exit( 0 );
login = ssh_login( socket:soc, login:"root", password:"", priv:NULL, passphrase:NULL );
if( login == 0 ) {
files = traversal_files( "linux" );
foreach pattern( keys( files ) ) {
file = "/" + files[pattern];
cmd = ssh_cmd( socket:soc, cmd:"cat " + file, nosh:TRUE );
if( egrep( string:cmd, pattern:pattern, icase:TRUE ) ) {
if( soc )
close( soc );
report = 'It was possible to login as user `root` without a password and to execute `cat ' + file + '`. Result:\n\n' + cmd;
security_message( port:port, data:report );
exit( 0 );
}
}
}
if( soc )
close( soc );
exit( 99 );
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo