OpenSSH < 3.6.2 Reverse DNS Lookup Bypass

This script is Copyright (C) 2003-2014 Tenable Network Security, Inc.


Synopsis :

The remote host is running an application that is affected by a
reverse DNS lookup bypass vulnerability.

Description :

According to its banner, the remote host appears to be running
OpenSSH-portable version 3.6.1 or older.

There is a flaw in such versions that could allow an attacker to
bypass the access controls set by the administrator of this server.

OpenSSH features a mechanism that can restrict the list of
hosts a given user can log in from by specifying a pattern
in the user's key file (e.g., *.mynetwork.com would let a user
connect only from the local network).

However, there is a flaw in the way OpenSSH handles reverse DNS lookups.
If an attacker configures a DNS server to return a numeric IP address
as the hostname when a reverse lookup is performed, this mechanism
could be circumvented.
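The following Python model, added here as an illustration and not code from Tenable or from OpenSSH, shows why a reverse lookup that yields a numeric string defeats a host restriction, and what the hardened check has to do. It emulates a from="..." style pattern list tested against both the client address and its reverse-DNS name; the function names (from_allows, match_pattern_list, looks_like_ip), the reject_numeric_ptr switch and all sample addresses are assumptions constructed for the example.

```python
import fnmatch
import ipaddress


def match_pattern_list(value, patterns):
    """Simplified OpenSSH-style pattern list: comma-separated glob
    patterns, a leading '!' negates. Matching is case-insensitive."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(value.lower(), pat.lower()):
            if negate:
                return False
            matched = True
    return matched


def looks_like_ip(name):
    """True when a 'hostname' is syntactically an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def from_allows(patterns, client_ip, reverse_name, reject_numeric_ptr):
    """Emulates the host restriction check. The pattern list is tested
    against the client's IP and, if that fails, against the hostname
    obtained from a reverse DNS lookup.

    reject_numeric_ptr=False models the flawed behaviour: a PTR record
    whose text is a numeric address is treated like any hostname, so
    it can satisfy a numeric pattern the real address does not match.
    reject_numeric_ptr=True models the hardened check: a reverse name
    that parses as an IP literal is ignored entirely."""
    if match_pattern_list(client_ip, patterns):
        return True
    if reverse_name is None:
        return False
    if reject_numeric_ptr and looks_like_ip(reverse_name):
        # The only trustworthy numeric address is the peer address
        # itself, which was already tested above.
        return False
    return match_pattern_list(reverse_name, patterns)


if __name__ == "__main__":
    # Constructed scenario: the key is restricted to 192.168.1.*, the
    # connection comes from 203.0.113.9, and the attacker-controlled
    # PTR record for that address reads "192.168.1.50".
    print(from_allows("192.168.1.*", "203.0.113.9", "192.168.1.50", False))  # True: bypass
    print(from_allows("192.168.1.*", "203.0.113.9", "192.168.1.50", True))   # False: blocked
    print(from_allows("192.168.1.*", "192.168.1.7", "host.internal", True))   # True: legitimate
```

The point of the model is that the numeric form of the peer address is the only value the server can trust; anything returned by a reverse lookup is attacker-influenced data, and a name that merely looks like an address must never be allowed to stand in for one.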

Solution :

Upgrade to OpenSSH 3.6.2 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 11712

Bugtraq ID: 7831

CVE ID: CVE-2003-0386