OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities

This script is Copyright (C) 2001-2012 Tenable Network Security, Inc.


Synopsis :

The remote version of OpenSSH contains multiple vulnerabilities.

Description :

According to its banner, the remote host appears to be running a
version of OpenSSH between 2.5.x and 2.9. Such versions reportedly
contain multiple vulnerabilities :

- sftp-server does not respect the 'command=' argument of
keys in the authorized_keys2 file. (CVE-2001-0816)

- sshd does not properly handle the 'from=' argument of
keys in the authorized_keys2 file. If a key of one type
(e.g. RSA) is followed by a key of another type (e.g.
DSA) then the options for the latter will be applied to
the former, including 'from=' restrictions. This problem
allows users to circumvent the system policy and log in
from disallowed source IP addresses. (CVE-2001-1380)
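
An added example, not part of the Tenable plugin or of OpenSSH: a small audit that lists adjacent authorized_keys2 entries whose key types and options both differ, which is the layout the 'from=' issue above depends on. The key-type set, the function names and the sample file are assumptions constructed for illustration.

```python
# Added example (not Tenable or OpenSSH code): reads the file format only.
KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # assumption: key types used in authorized_keys2

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = '''\
# backup key, restricted by source host and forced command
from="10.0.0.5",command="/usr/bin/backup --daily" ssh-rsa AAAA_PLACEHOLDER_1 backup@host
ssh-dss AAAA_PLACEHOLDER_2 admin@laptop
from="192.0.2.*" ssh-dss AAAA_PLACEHOLDER_3 ops@jump
'''


def split_entry(line):
    """Return (options, key_type) for one entry, or None if it is not an entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line.split(None, 1)[0]  # entry without options
    # Options come first and end at the first whitespace outside double quotes.
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            rest = line[i:].split()
            if rest and rest[0] in KEY_TYPES:
                return line[:i], rest[0]
            return None
    return None


# Adjacent entries whose key type and options both differ are reported.
def risky_pairs(text):
    """Return (line, type, options, next_line, next_type, next_options) tuples."""
    entries = []
    for number, line in enumerate(text.splitlines(), 1):
        parsed = split_entry(line)
        if parsed:
            entries.append((number,) + parsed)
    return [(n1, t1, o1, n2, t2, o2)
            for (n1, o1, t1), (n2, o2, t2) in zip(entries, entries[1:])
            if t1 != t2 and o1 != o2]


if __name__ == "__main__":
    for n1, t1, o1, n2, t2, o2 in risky_pairs(SAMPLE):
        print(f"line {n1} ({t1}, options {o1!r}) is followed by "
              f"line {n2} ({t2}, options {o2!r})")
```

A finding is a layout to review on hosts still running the affected versions; the fix remains the upgrade given under Solution.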

See also :

http://www.openbsd.org/advisories/ssh_option.txt
http://www.nessus.org/u?2bb81c0a
http://www.openssh.com/txt/release-2.9.9

Solution :

Upgrade to OpenSSH 2.9.9

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 7.1
(CVSS2#E:H/RL:W/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 10771

Bugtraq ID: 3345, 3369

CVE ID: CVE-2001-0816, CVE-2001-1380