SAINT Corporation (SAINT:52580D4C07B9BA6AAB0FDBAF9A895FB0)
Jan 05, 2011 - 12:00 a.m.

SSH password weakness

download.saintcorporation.com

AI Score: 9.9 (Confidence: High)

EPSS: 0.013 (Percentile: 85.9%)

Added: 01/05/2011
CVE: CVE-1999-0502

Background

Passwords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access.

Problem

Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system.

Resolution

Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user.
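One way to enforce the rules above when a password is set, as an added example that is not part of the SAINT advisory. The function names, the substitution table, the three-letter matching threshold and the sample accounts are assumptions of this example, and "eight characters long" is treated as a minimum length.

```python
import re

# Substitutions undone before comparing with the login name
# (an assumption of this example, not a list from the advisory).
LEET = str.maketrans("013457@$!", "oieastasi")

def _letters(text):
    """Lower-case, undo simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def policy_violations(login, password, personal_info=()):
    """List the rules from the Resolution that this password breaks."""
    if not password:
        return ["null password"]
    problems = []
    if len(password) < 8:  # "eight characters long" read as a minimum
        problems.append("shorter than eight characters")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no non-alphanumeric character")
    core = _letters(password)
    sources = [("login name", login)]
    sources += [("personal information", item) for item in personal_info]
    for label, value in sources:
        token = _letters(value)
        # Very short tokens match by accident, so require three letters.
        if len(token) >= 3 and (token in core or token[::-1] in core):
            problems.append("based on " + label)
    return problems

# Constructed sample accounts (login, password); not from a real system.
SAMPLE = [("admin", ""), ("alice", "Alice2011!"),
          ("bob", "b0b"), ("carol", "Tr4il-b0oks#9")]

def audit(accounts):
    """Map each login to the rules its password breaks."""
    return {login: policy_violations(login, pw) for login, pw in accounts}

if __name__ == "__main__":
    for login, problems in audit(SAMPLE).items():
        print(login, "->", problems or "ok")
```

A password such as `Alice2011!` passes the length and character-class rules and is rejected only by the login-name comparison, which is the case the Problem section describes.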

References

http://www.securityfocus.com/infocus/1537

Limitations

The target must be running the ssh service in order for the exploit to succeed.

The OpenSSH client must be installed on the SAINTexploit host.

Platforms

Linux
Unix
Cisco
