Serv-U < 10.3.0.1 SFTP Authentication Bypass

This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

The remote SSH service is affected by an authentication bypass
vulnerability.

Description :

According to its banner, the installed version of Serv-U is earlier
than 10.3.0.1 and is, therefore, potentially affected by the following
issue :

- If the SFTP server has been configured to allow only
public key authentication, that requirement can be
bypassed for user accounts that have no password.

See also :

http://www.serv-u.com/releasenotes/

Solution :

Upgrade to Serv-U version 10.3.0.1 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 50659

Bugtraq ID: 44905

CVE ID: